Ontology-Based Decision Support for Information Security Risk Management
[:en]As e-Business and e-Commerce applications are increasingly exposed to a variety of information security threats, corporate decision makers are increasingly forced to pay attention to security issues. Risk management provides an effective approach for measuring the security but existing risk management approaches come with major shortcomings such as the demand for very detailed knowledge about the IT security domain and the actual company environment. This paper presents the implementation of the AURUM methodology into a software solution which addresses the identified shortcomings of existing information security risk management software solutions. Thereby, the presented approach supports decision makers in risk assessment, risk mitigation, and safeguard evaluation.
Introduction
Although companies consider security as one of the most important issues on their agenda, many companies are not aware how much they spend on security and if their in- vestments in security are effective (cf. [1], [2]). Information security risk management is a crucial element for ensuring long-term business success because it provides an effective approach for measuring the security through the identification and valuation of assets, threats, and vulnerabilities and offers methods for the risk assessment, risk mitigation and evaluation. However, while existing approaches (see Section II) for implementing an adequate risk management strategy are highly accepted within the community they are requiring very detailed knowledge about the IT security domain and the actual company environment. As a consequence, organizations mostly fall back on best-practices, information security standards, or domain experts when conducting the risk assessment and are confronted with the following problems: (1) best practice guidelines such as the German IT Grundschutz Manual [3] or the French EBIOS standard [4] provide excellent knowledge about potential threats, vulnerabilities, and countermeasures, but without a domain expert the organization is usually unable to consider all the complex relationships between relevant IT security concepts, which results in a non-holistic IT security approach endangering the organization in performing its mission [5], [6], (2) to check which concrete infrastructure elements are endangered by certain threats the organization has to manually map the knowledge from best-practice guidelines to their actual infrastructure [7], (3) especially information security standards such as ISO 27001 [8] are stating only very abstract implementation suggestions for risk mitigation; concrete countermeasures or combinations thereof are mostly missing [9], (4) determining threat probabilities is mostly based on subjective perceptions, instead of objective evaluation [9], (5) while companies strive for cost-conscious solutions, they are frequently unaware of their level of IT security capital expenditure and/or, even more importantly, whether these investments are effective [10], and (6) management decision makers, such as the CPO or CIO, have to cope with a great spectrum of potential IT security investments on the one hand and the decision of selecting the most appropriate set of IT security investments on the other hand. The results of existing methods provide decision makers with inadequate or little intuitive and/or interactive decision support and, thus, do not support them in making an appropriate risk versus cost trade-off when investing in IT security solutions [11]. In order to address these reservations and demands outlined above, we developed a novel methodology for information security risk management, including objective measures of risk, risk reduction, and cost of defense, named AURUM (which is derived from “AUtomated Risk and Utility Management”). This paper presents the developed software solution for sup- porting the entire AURUM risk management methodology. Compared to existing approaches (e.g., CRISAM [12] and GSTool [3]), AURUM allows for automated information security risk management, including objective measures of risk and risk reduction by taking the entire setting of the organization into account.
Background
Risk management in the context of information technology is not a new research domain. It was 1975 when the U.S. National Bureau of Standards proposed the Annual Loss Expectancy (ALE) as a metric for measuring computer- related risks (cf. [13]). In the 1980s it was again the U.S. National Bureau of Standards, which developed an iterative process for information security risk management. Although the information security risk management approaches of the following years provided some additional steps or different process structures, they are mainly based on this approach. A combination of qualitative and quantitative risk analysis methodologies has been proposed by [14] and comprises the identification of organizational value activities. Besides general risk management frameworks, several information security investment decision support methods, which are an integral part of existing information security risk management methodologies, have been proposed (cf. [16], [17]). In 2008, the PCR (perceived composite risk) metric was introduced by [18]. Their approach extends the traditional ALE by combining it with the expected severe loss and the standard deviation of the loss, and provides organizations with an additional decision support tool for information security investments. To make these academic approaches usable to organizations, some of them have been used as a foundation for today’s information security risk management methods, standards and best-practice guidelines (e.g., CRAMM [19], NIST SP 800-30 [20], OCTAVE [21], EBIOS [4], and recently ISO 27005 [22]). Software solutions supporting entire information security risk management methodologies support users in preparing, administrating, and updating information security concepts that meet the requirements of the corresponding methodology. After having modelled the organization’s assets relevant to information security, the solutions offer predefined threats and connected controls for the various asset classes. Although these approaches are sophisticated, their underlying data structures are proprietary and thus difficult to apply in different contexts, hindering standardized and collaborative information security risk management. We assessed CRISAM Explorer by Calpana, GSTool by the German Federal Office for Information Security, CRAMM by Insight Consulting and EBIOS by the French DCSSI and identified the following shortcomings, which may result in an inadequate implementation of the corresponding information security risk management strategy: Manual and unguided inventory of the organization’s assets and no support for an automatic or semi-automatic inventory of IT assets. Problem: important assets may be simply forgotten. No vulnerability catalogue is provided to support the identification of vulnerabilities. Problem: the existence and severity of vulnerabilities determines the threat exploitation probability and therefore the risk level. The control implementation inventory is conducted by control questions which have to be answered by the user. Problem: potential side-effects of control implementations are not considered and hinder therefore a sound cost/benefit analysis of the control implementations. There are no sound calculation schemes for the threat probability determination. Problem: besides the potential impact the risk calculation relies on realistic threat probability values. Since the calculated risk is fundamental for the subsequent control implementation selection, wrong risk values render the entire information security risk management efforts useless. Insufficient or no cost/benefit analysis support regarding potential control implementations. Problem: management is not aware about what to implement in order to decrease the risk to an acceptable level.
[1] L. Gordon, M. Loeb, W. Lucyshyn, and R. Richardson, “CSI/FBI Computer Crime and Security Survey,” September 2006.
[2] M. Bishop, “What is computer security?” IEEE Sec. Priv. Mag. , vol. 1, no. 1, pp. 67–69, Jan.-Feb. 2003.
[3] BSI, “IT Grundschutz Manual,” 2004.
[Online]. Available: http://www.bsi.de/english/gshb/manual/download/index.html
[4] DCSSI, “Expression des Besoins et Identification des Objectifs de Scurit (EBIOS) – Section 2 – Approach,” General Secretariat of National Defence Central Information Systems Security Division (DCSSI), 2004.
[5] M. Vitale, “The growing risks of information systems success,” MIS Quarterly , vol. 10, no. 4, pp. 327–334, December 1986.
[6] W. Baker and L. Wallace, “Is information security under control?: In- vestigating quality in information security management,” IEEE Security and Privacy , vol. 5, no. 1, pp. 36–44, 2007.
[7] R. Baskerville, “Information systems security design methods: Implica- tions for information systems development,” ACM Computing Surveys , vol. 25, no. 4, pp. 375–414, December 1993.
[8] ISO/IEC “27001:2005, Information technology – Security techniques – Information security management systems – Requirements,” 2005.
[9] W. Baker, L. Rees, and P. Tippett, “Necessary measures: metric-driven information security risk assessment and decision making,” Communi- cations of the ACM , vol. 50, no. 10, pp. 101–106, 2007.
[10] C. D. Ittner and D. F. Larcker, “Coming Up Short On Financial Measurement,” Havard Business Review , vol. 81, no. 11, 2003.
[11] D. M. Lander and G. E. Pinches, “Challenges to the practical implemen- tation of modelling and valuing real options,” The Quarterly Review of Economics and Finance , vol. 38, pp. 537–567, 1998.
[12] M. Stallinger, “IT-Governance im Kontext Risikomanagement,” Ph.D. dissertation, Johannes Kepler Universitt Linz, 2007.
[13] FIPS, “Guideline for automatic data processing risk analysis,” National Bureau of Standards, Federal Information Processing Standards Publi- cations (FIPS PUB) 65, August 1975.
[14] R. Rainer, C. Snyder, and H. Carr, “Risk analysis for information technology,” Journal of Management Information Systems , vol. 8, no. 1, pp. 129–147, Summer 1991.
[15] T. Finne, “A conceptual framework for information security manage- ment,” Computers & Security , vol. 17, pp. 303–307, 1998.
[16] L. Gordon and M. Loeb, “The economics of information security investment,” ACM Transactions on Information and System Security , vol. 5, no. 4, pp. 438–457, November 2002.
[17] H. Cavusoglu, B. Mishra, and S. Raghunathan, “A model for evaluating it security investments,” Communications of the ACM , vol. 47, no. 7, pp. 87–92, 2004.
[18] L. Bodin, L. Gordon, and M. Loeb, “Information security and risk management,” Communications of the ACM , vol. 51, no. 4, pp. 64–68, April 2008.
[19] B. Farquhar, “One approach to risk assessment,” Computers and Secu- rity , vol. 10, no. 10, pp. 21–23, February 1991.
[20] G. Stoneburner, A. Goguen, and A. Feringa, “Risk management guide for information technology systems,” National Institute of Standards and Technology (NIST), Gaithersburg, MD 20899-8930, NIST Special Publication 800-30, July 2002.
[21] C. Alberts, A. Dorofee, J. Stevens, and C. Woody, “Introduction to the OCTAVE approach,” Carnegie Mellon – Software Engineering Institute, Pittsburgh, PA 15213-3890, Tech. Rep., August 2003.
[22] ISO/IEC “27005:2007, Information technology – Security techniques – Information security risk management,” 2007.
[23] A. Ekelhart, S. Fenz, T. Neubauer, and E. Weippl, “Formal threat descriptions for enhancing governmental risk assessment,” in Proceed- ings of the First International Conference on Theory and Practice of Electronic Governance . ACM Press, 2007.
[24] T. Neubauer, A. Ekelhart, and S. fenz, “Interactive selection of iso 27001 controls under multiple objectives,” in Proceedings of the 23rd International Information Security Conference , 2008.
[25] T. R. Peltier, Information Security Risk Analysis , 2nd ed. Auerbach Publications, 2005.
[26] T. Neubauer and C. Stummer, “Interactive decision support for mul- tiobjective cots selection,” in Proceedings of the 40th Annual Hawaii International Conference on System Sciences , no. 01, 2007.[:de]As e-Business and e-Commerce applications are increasingly exposed to a variety of information security threats, corporate decision makers are increasingly forced to pay attention to security issues. Risk management provides an effective approach for measuring the security but existing risk management approaches come with major shortcomings such as the demand for very detailed knowledge about the IT security domain and the actual company environment. This paper presents the implementation of the AURUM methodology into a software solution which addresses the identified shortcomings of existing information security risk management software solutions. Thereby, the presented approach supports decision makers in risk assessment, risk mitigation, and safeguard evaluation.
Introduction
Although companies consider security as one of the most important issues on their agenda, many companies are not aware how much they spend on security and if their in- vestments in security are effective (cf. [1], [2]). Information security risk management is a crucial element for ensuring long-term business success because it provides an effective approach for measuring the security through the identification and valuation of assets, threats, and vulnerabilities and offers methods for the risk assessment, risk mitigation and evaluation. However, while existing approaches (see Section II) for implementing an adequate risk management strategy are highly accepted within the community they are requiring very detailed knowledge about the IT security domain and the actual company environment. As a consequence, organizations mostly fall back on best-practices, information security standards, or domain experts when conducting the risk assessment and are confronted with the following problems: (1) best practice guidelines such as the German IT Grundschutz Manual [3] or the French EBIOS standard [4] provide excellent knowledge about potential threats, vulnerabilities, and countermeasures, but without a domain expert the organization is usually unable to consider all the complex relationships between relevant IT security concepts, which results in a non-holistic IT security approach endangering the organization in performing its mission [5], [6], (2) to check which concrete infrastructure elements are endangered by certain threats the organization has to manually map the knowledge from best-practice guidelines to their actual infrastructure [7], (3) especially information security standards such as ISO 27001 [8] are stating only very abstract implementation suggestions for risk mitigation; concrete countermeasures or combinations thereof are mostly missing [9], (4) determining threat probabilities is mostly based on subjective perceptions, instead of objective evaluation [9], (5) while companies strive for cost-conscious solutions, they are frequently unaware of their level of IT security capital expenditure and/or, even more importantly, whether these investments are effective [10], and (6) management decision makers, such as the CPO or CIO, have to cope with a great spectrum of potential IT security investments on the one hand and the decision of selecting the most appropriate set of IT security investments on the other hand. The results of existing methods provide decision makers with inadequate or little intuitive and/or interactive decision support and, thus, do not support them in making an appropriate risk versus cost trade-off when investing in IT security solutions [11]. In order to address these reservations and demands outlined above, we developed a novel methodology for information security risk management, including objective measures of risk, risk reduction, and cost of defense, named AURUM (which is derived from “AUtomated Risk and Utility Management”). This paper presents the developed software solution for sup- porting the entire AURUM risk management methodology. Compared to existing approaches (e.g., CRISAM [12] and GSTool [3]), AURUM allows for automated information security risk management, including objective measures of risk and risk reduction by taking the entire setting of the organization into account.
Background
Risk management in the context of information technology is not a new research domain. It was 1975 when the U.S. National Bureau of Standards proposed the Annual Loss Expectancy (ALE) as a metric for measuring computer- related risks (cf. [13]). In the 1980s it was again the U.S. National Bureau of Standards, which developed an iterative process for information security risk management. Although the information security risk management approaches of the following years provided some additional steps or different process structures, they are mainly based on this approach. A combination of qualitative and quantitative risk analysis methodologies has been proposed by [14] and comprises the identification of organizational value activities. Besides general risk management frameworks, several information security investment decision support methods, which are an integral part of existing information security risk management methodologies, have been proposed (cf. [16], [17]). In 2008, the PCR (perceived composite risk) metric was introduced by [18]. Their approach extends the traditional ALE by combining it with the expected severe loss and the standard deviation of the loss, and provides organizations with an additional decision support tool for information security investments. To make these academic approaches usable to organizations, some of them have been used as a foundation for today’s information security risk management methods, standards and best-practice guidelines (e.g., CRAMM [19], NIST SP 800-30 [20], OCTAVE [21], EBIOS [4], and recently ISO 27005 [22]). Software solutions supporting entire information security risk management methodologies support users in preparing, administrating, and updating information security concepts that meet the requirements of the corresponding methodology. After having modelled the organization’s assets relevant to information security, the solutions offer predefined threats and connected controls for the various asset classes. Although these approaches are sophisticated, their underlying data structures are proprietary and thus difficult to apply in different contexts, hindering standardized and collaborative information security risk management. We assessed CRISAM Explorer by Calpana, GSTool by the German Federal Office for Information Security, CRAMM by Insight Consulting and EBIOS by the French DCSSI and identified the following shortcomings, which may result in an inadequate implementation of the corresponding information security risk management strategy: Manual and unguided inventory of the organization’s assets and no support for an automatic or semi-automatic inventory of IT assets. Problem: important assets may be simply forgotten. No vulnerability catalogue is provided to support the identification of vulnerabilities. Problem: the existence and severity of vulnerabilities determines the threat exploitation probability and therefore the risk level. The control implementation inventory is conducted by control questions which have to be answered by the user. Problem: potential side-effects of control implementations are not considered and hinder therefore a sound cost/benefit analysis of the control implementations. There are no sound calculation schemes for the threat probability determination. Problem: besides the potential impact the risk calculation relies on realistic threat probability values. Since the calculated risk is fundamental for the subsequent control implementation selection, wrong risk values render the entire information security risk management efforts useless. Insufficient or no cost/benefit analysis support regarding potential control implementations. Problem: management is not aware about what to implement in order to decrease the risk to an acceptable level.
[1] L. Gordon, M. Loeb, W. Lucyshyn, and R. Richardson, “CSI/FBI Computer Crime and Security Survey,” September 2006.
[2] M. Bishop, “What is computer security?” IEEE Sec. Priv. Mag. , vol. 1, no. 1, pp. 67–69, Jan.-Feb. 2003.
[3] BSI, “IT Grundschutz Manual,” 2004.
[Online]. Available: http://www.bsi.de/english/gshb/manual/download/index.html
[4] DCSSI, “Expression des Besoins et Identification des Objectifs de Scurit (EBIOS) – Section 2 – Approach,” General Secretariat of National Defence Central Information Systems Security Division (DCSSI), 2004.
[5] M. Vitale, “The growing risks of information systems success,” MIS Quarterly , vol. 10, no. 4, pp. 327–334, December 1986.
[6] W. Baker and L. Wallace, “Is information security under control?: In- vestigating quality in information security management,” IEEE Security and Privacy , vol. 5, no. 1, pp. 36–44, 2007.
[7] R. Baskerville, “Information systems security design methods: Implica- tions for information systems development,” ACM Computing Surveys , vol. 25, no. 4, pp. 375–414, December 1993.
[8] ISO/IEC “27001:2005, Information technology – Security techniques – Information security management systems – Requirements,” 2005.
[9] W. Baker, L. Rees, and P. Tippett, “Necessary measures: metric-driven information security risk assessment and decision making,” Communi- cations of the ACM , vol. 50, no. 10, pp. 101–106, 2007.
[10] C. D. Ittner and D. F. Larcker, “Coming Up Short On Financial Measurement,” Havard Business Review , vol. 81, no. 11, 2003.
[11] D. M. Lander and G. E. Pinches, “Challenges to the practical implemen- tation of modelling and valuing real options,” The Quarterly Review of Economics and Finance , vol. 38, pp. 537–567, 1998.
[12] M. Stallinger, “IT-Governance im Kontext Risikomanagement,” Ph.D. dissertation, Johannes Kepler Universitt Linz, 2007.
[13] FIPS, “Guideline for automatic data processing risk analysis,” National Bureau of Standards, Federal Information Processing Standards Publi- cations (FIPS PUB) 65, August 1975.
[14] R. Rainer, C. Snyder, and H. Carr, “Risk analysis for information technology,” Journal of Management Information Systems , vol. 8, no. 1, pp. 129–147, Summer 1991.
[15] T. Finne, “A conceptual framework for information security manage- ment,” Computers & Security , vol. 17, pp. 303–307, 1998.
[16] L. Gordon and M. Loeb, “The economics of information security investment,” ACM Transactions on Information and System Security , vol. 5, no. 4, pp. 438–457, November 2002.
[17] H. Cavusoglu, B. Mishra, and S. Raghunathan, “A model for evaluating it security investments,” Communications of the ACM , vol. 47, no. 7, pp. 87–92, 2004.
[18] L. Bodin, L. Gordon, and M. Loeb, “Information security and risk management,” Communications of the ACM , vol. 51, no. 4, pp. 64–68, April 2008.
[19] B. Farquhar, “One approach to risk assessment,” Computers and Secu- rity , vol. 10, no. 10, pp. 21–23, February 1991.
[20] G. Stoneburner, A. Goguen, and A. Feringa, “Risk management guide for information technology systems,” National Institute of Standards and Technology (NIST), Gaithersburg, MD 20899-8930, NIST Special Publication 800-30, July 2002.
[21] C. Alberts, A. Dorofee, J. Stevens, and C. Woody, “Introduction to the OCTAVE approach,” Carnegie Mellon – Software Engineering Institute, Pittsburgh, PA 15213-3890, Tech. Rep., August 2003.
[22] ISO/IEC “27005:2007, Information technology – Security techniques – Information security risk management,” 2007.
[23] A. Ekelhart, S. Fenz, T. Neubauer, and E. Weippl, “Formal threat descriptions for enhancing governmental risk assessment,” in Proceed- ings of the First International Conference on Theory and Practice of Electronic Governance . ACM Press, 2007.
[24] T. Neubauer, A. Ekelhart, and S. fenz, “Interactive selection of iso 27001 controls under multiple objectives,” in Proceedings of the 23rd International Information Security Conference , 2008.
[25] T. R. Peltier, Information Security Risk Analysis , 2nd ed. Auerbach Publications, 2005.
[26] T. Neubauer and C. Stummer, “Interactive decision support for mul- tiobjective cots selection,” in Proceedings of the 40th Annual Hawaii International Conference on System Sciences , no. 01, 2007.[:]