As companies are increasingly exposed to information security threats, decision makers are constantly forced to pay attention to security issues. Information security risk management provides an approach for measuring security through risk assessment, risk mitigation, and risk evaluation. Although a variety of approaches have been proposed, decision makers lack well-founded techniques that (1) show them what they are getting for their investment, (2) show them whether their investment is efficient, and (3) do not demand in-depth knowledge of the IT security domain. This project defines a methodology for management decision makers that effectively addresses these problems. This work involves the conception, design, and implementation of the methodology in a software solution. The results from two qualitative case studies show the advantages of this methodology in comparison to established methodologies.
Business Process-based Resource Importance Determination
Information security risk management (ISRM) heavily depends on realistic impact values representing the resources’ importance in the overall organizational context. Although a variety of ISRM approaches have been proposed, well-founded methods that answer the following question are still missing: How can business processes be used to determine resources’ importance in the overall organizational context? We answer this question by measuring the actual importance level of resources based on business processes. Our novel business process-based resource importance determination method provides ISRM with an efficient and powerful tool for deriving realistic resource importance figures solely from existing business processes. The conducted evaluation has shown that the calculation results of the developed method comply with the results gained in traditional workshop-based assessments.
Verification, Validation, and Evaluation in Information Security Risk Management
Over the last four decades, various information security risk management (ISRM) approaches have emerged. However, there is a lack of sound verification, validation, and evaluation methods for these approaches. While restrictions, such as the impossibility of measuring exact values for probabilities and follow-up costs, obviously exist, verification, validation, and evaluation of research is essential in any field, and ISRM is no exception. Individual approaches exist, but so far there is no systematic overview of the available methods. We surveyed verification, validation and evaluation methods referenced in ISRM literature and discuss in which ISRM phases the methods should be applied. The selection of appropriate methods is demonstrated with a potential real-world example. This systematic analysis draws conclusions on the current status of ISRM verification, validation and evaluation and can serve as a reference for researchers and users of ISRM approaches who aim to establish trust in their results.
AURUM: Automated Risk and Utility Management
AURUM (AUtomated Risk and Utility Management) supports decision makers in selecting security measures according to technical and economic requirements. It is designed to minimize the interaction necessary between user and system and to provide decision makers with an intuitive solution that can be used without extensive knowledge of the information security domain. However, the solution is also capable of providing expert users with detailed information at different levels of granularity.
According to the requirements, the security ontology provides each AURUM module with knowledge regarding the general information security domain and the specific security status of the considered organization. The security ontology is coded in the Web Ontology Language (OWL) and the Protege ontology editor has been used to create and edit the ontology. The security ontology web service acts as an interface between the AURUM modules and the security ontology. Java has been used to code the security ontology web service and the Protege OWL API is used to read and modify the actual knowledge base. The AURUM – Inventory module incorporates interfaces to several third-party inventory and network scanning solutions to support the system characterization phase. C# and the Microsoft .NET Framework 3.5 have been used to code the AURUM – Bayes module. It uses the Norsys Netica API for generating and modifying the Bayesian network for the threat probability determination. The AURUM – Risk module is the central module which uses the Bayes module and connects to the security ontology web service to calculate the risk levels for assets. This is done by gathering probability values from the Bayesian network and multiplying those with the defined impact values, stored in the ontology. Furthermore, all changes to the ontological data repository are handled from this point. The Windows Presentation Foundation framework has been used to code the graphical user interface.
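The two calculation steps described above, deriving an asset's importance from the business processes that depend on it and multiplying threat probabilities by the impact values to obtain a risk level, as an added worked example; this is illustrative code, not AURUM's own implementation. The max-based importance aggregation, the multiplicative control-effectiveness model and all sample figures are assumptions made for this example.

```python
"""Added example (not AURUM's code): business-process-based asset importance
and risk level = threat probability * impact, with controls reducing probability."""
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    importance: float   # 0..1, stated by the process owner
    assets: list        # names of the assets the process depends on


@dataclass
class Asset:
    name: str
    threats: dict = field(default_factory=dict)   # threat -> base probability 0..1
    controls: dict = field(default_factory=dict)  # threat -> effectiveness 0..1 of implemented controls


def asset_importance(processes):
    """Assumption: an asset inherits the importance of the most important process needing it."""
    importance = {}
    for proc in processes:
        for asset_name in proc.assets:
            importance[asset_name] = max(importance.get(asset_name, 0.0), proc.importance)
    return importance


def residual_probability(asset, threat):
    """Assumption: an implemented control scales the base probability by (1 - effectiveness)."""
    return asset.threats[threat] * (1.0 - asset.controls.get(threat, 0.0))


def asset_risk(asset, impact):
    """Risk level: sum over threats of residual probability times the asset's impact value."""
    return sum(residual_probability(asset, t) * impact for t in asset.threats)


def risk_report(processes, assets):
    """Map each asset name to its risk level, using the derived importance as impact."""
    impact = asset_importance(processes)
    return {a.name: round(asset_risk(a, impact.get(a.name, 0.0)), 4) for a in assets}


# Constructed sample organization: two processes sharing a database server.
PROCESSES = [Process("Order handling", 0.9, ["db-server", "web-server"]),
             Process("Internal reporting", 0.4, ["db-server", "file-share"])]
ASSETS = [Asset("db-server", {"malware": 0.3, "hw_failure": 0.1}, {"malware": 0.5}),
          Asset("web-server", {"dos": 0.2}),
          Asset("file-share", {"malware": 0.3})]
RISKS = risk_report(PROCESSES, ASSETS)  # db-server 0.225, web-server 0.18, file-share 0.12
```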
The figure above demonstrates the schematic layout of the working area. Section 1 summarizes information on (a) the business processes and their dependence on assets, and (b) the assets’ physical locations in the organization. Section 2, the main area, provides the decision maker with (a) detailed information about the selected asset, (b) a graphical representation of the selected business process together with the assets needed for its execution, and (c) a graphical representation of the physical location model together with the assets. The information shown in Section 2 depends on the selection the decision maker made in Section 1 (the same holds analogously for the dependence between Sections 2 and 3). Section 3 displays (a) the risk level for the selected asset, (b) a list of threats and their calculated probabilities, and (c) implemented and not yet implemented controls with their calculated effectiveness figures.