LNCS 7216 - Towards Quantitative Risk Management For Next . PDF

15d ago
261.53 KB
11 Pages

Towards Quantitative Risk Managementfor Next Generation NetworksIztok Starc and Denis TrčekFaculty of Computer and Information Science, University of Ljubljana, tract. While user dependence on ICT is rising and the information securitysituation is worsening at an alarming rate, IT industry is not able to answer accurately and in time questions like “How secure is our information system?”Consequently, information security risk management is reactive and is laggingbehind incidents. To overcome this problem, risk management paradigm has tochange from reactive to active and from qualitative to quantitative. In thissection, we present a computerized risk management approach that enables active risk management and is aligned with the leading initiative to make securitymeasurable and manageable. Furthermore, we point out qualitative methods deficiencies and argue about the importance of use of quantitative over qualitativemethods in order to improve accuracy of information security feedback information. Finally, we present two quantitative metrics, used together in the model, and enabling a quantitative risk assessment and support risk treatmentdecision making.Keywords: computer security, economics of security, risk management,security metrics, security measurement.1IntroductionInformation security risk management is still in its early stages with regards tomeasuring and quantitative assessment. Currently, risk assessment is normally basedon qualitative measurement and metrics. The consequent undesirable side-effect isthat risk assessment cannot provide answer to questions like “How safe is myinformation system (IS)?” and “How much safer is my IS then my competitors’ IS?Decision making under such uncertainty is not effective. Currently, decision makersreact on incidents rather than be proactive. This lagging reaction results in notablelosses. Risk management paradigm has to change from reactive to proactive, whererisks are identified, assessed and treated in time, before incident takes place.Furthermore, risk management is also about financial investment into securitysafeguards. Therefore, their spending should be justified as much as possible. This ispossible only when decision makers have adequate information to evaluatediscrepancy between desired and actual risk. Based on this information, appropriateand economically sound safeguards are implemented to reduce risk to a levelacceptable for organization and stakeholders.A.M. Hadjiantonis and B. Stiller (Eds.): Telecommunication Economics, LNCS 7216, pp. 229–239, 2012. The Author(s). This article is published with open access at SpringerLink.com

230I. Starc and D. TrčekNew research steps are presented in this subsection and are aiming towardscomputerized quantitative risk management for decision making support. First, wewill present basic definitions and open problems in this area. Next, we will focus onrisk assessment methodology and will address measurement and metrics issues.Finally, we will present technological architecture that enables reactive and proactiverisk management in modern IS.2Basic DefinitionsThe normative reference, which is most relevant for risk management in IS, isISO/IEC 27000-series standards for information security management systems.According to ISO/IEC 27000 [9] information security means preservation ofconfidentiality, integrity and availability of information. “Confidentiality is a property of system that information is not made available ordisclosed to unauthorized individuals, entities or socio- and/or technical processes”. “Integrity is a property of protecting accuracy and completeness of assets. Thereare many types of assets, tangible assets like (i) information, (ii) software, (iii)hardware, (iv) services, (v) people and also intangible assets like (vi) reputation”. “Availability is a property of being accessible and usable upon demand by anauthorized entity”. Furthermore, and according to ISO/IEC 27000, information security may includepreservation of other properties, such as authenticity, accountability,non-repudiation and reliability.Concepts defined above are only meaningful in practice when they are linked toorganization’s assets and selected as operational requirements. Assets are valuable toorganization and other stakeholders as well as to various threat agents. Therefore, anappropriate security assurance method has to be chosen in order to achieveorganization’s and stakeholders’ confidence that assets satisfy the stated informationsecurity requirements and consequently its security policy and/or applicable law like[6]. For example, when organization provides service to its customers, a processsecurity assurance method is chosen, like ISO/IEC 27001 [10]. Next, the method isapplied to ensure that assets (including IS and IS services) conform to securityrequirements. In this way, correct, efficient and economically sound safeguards areimplemented that protect assets from threat agents in such way that risk is reduced toa level acceptable for both organization and stakeholders. Risks have to be constantlymonitored and when any risk factor changes then the process has to be repeated againin timely manner. This continuous activity is called information security riskmanagement (risk management for short). Before we advance with risk managementand its activities some additional basic terms have to be defined.According to ISO/IEC 27000 information security risk (risk for short) meanspotential that a threat will exploit a vulnerability of an asset or group of assets andthereby cause harm to an organization and consequently cause harm to stakeholders.Vulnerability is a weakness of an asset or safeguard that can be exploited by a threat.Threat is a potential cause of an information security incident (incident for short).

Towards Quantitative Risk Management for Next Generation Networks231We can now focus on risk management, which is, according to ISO/IEC 27005[12], comprised of coordinated activities that aim to direct and control an organizationwith regard to risk. First, organization’s business context has to be established that isfoundation for further activities. Within this context, risks have to be identified. Next,risk assessment takes place where risk are qualitatively or better quantitativelydescribed and prioritized against organization’s risk evaluation criteria. Subsequently,risks have to be treated to achieve security requirements and correct, efficient andeconomically sound means of managing risk have to be implemented1. These meansare called safeguards2 which include policies, processes, procedures, organizationalstructures, and software and hardware functions. Depending upon safeguardsobjectives risk treatment can be accomplished in four different ways: (i) riskreduction, (ii) risk retention, (iii) risk avoidance and/or (iv) risk transfer. Finally, ifrisk treatment is satisfactory then any residual risk is accepted. Risk management iscontinuous “Plan-Do-Check-Act” process, because risk factors may change abruptlyand this may lead to undesirable consequences. Thus, risk and safeguards need to bemonitored, reviewed and improved, when necessary.3Open ProblemsInformation security researches are facing challenge, because current riskmanagement practice is reactive and it is lagging behind incidents. This practice hasadverse impact to the level of business objectives achieved and results in hugedamages due to following reasons. Plan and Do Problems. Safeguards may be not correct and/or effective enough toprotect assets from harm. Software (including security software) is buggy and singleattack can disable safeguards and expose assets. In addition, threat landscape is constantly changing and future threats are not anticipated in time, because (i) businesscontexts of organizations are changing, (ii) user dependence on ICT is rising and (iii)ICT grows in size and complexity and (iv) ICT interdependencies is increasing. Check and Act Problems. Incapability to provide answers to security and risk relatedquestions in time means that security cannot be managed efficiently, e.g., “How secure is the organization?” or “What is the degree of information security risk?”.Logical consequence of this incapability is wider window of vulnerability [16] and increased duration of asset exposure. Thus, probability of information security incidentis greater on average. Eventually, answer to two questions above is provided whenrisk manifests itself as incident and assets are damaged. Finally, risk managementreacts on this lagging (human perceptible) indication. At this (too late) point, organizations as well as stakeholders perceive that security requirement are not fulfilled andrisk level is unacceptable.1Other product assurance methods such as Systems Security Engineering – Capability maturityModel [8] and/or process assurance methods such as Common Criteria [7] are used to ensuresafeguard correctness and efficiency. ISO/IEC TR 15443-2 [13] lists a comprehensive list ofassurance frameworks.2Safeguards are also known as controls or countermeasures. Standard ISO/IEC 27002 [11]provides a comprehensive list of safeguards.

232I. Starc and D. TrčekHow are these problems addressed in information security research? On one hand,new security mechanisms [1] are studied to overcome brittleness of software and tosafeguard IS more effectively. In parallel with this effort, new product securityassurance methods are developed to evaluated security mechanism’s strength as wellas process assurance method to evaluate correctness of security mechanism’s design,implementation, integration with the IS and deployment.On the other hand, no security mechanism or security assurance method seems to beperfect to this point. Risk factors may change abruptly and ISs are changing, sostatistically relevant long-term data is not available to enable security forecasting andinformation security insurance practical. Therefore, risk has to be reduced and this meanssafeguards have to be constantly monitored, reviewed and last but not least, improved,when necessary. This is possible only if information security feedback is accurate and isprovided in real-time. Only then, decision makers have adequate information.Detection of security precursor before incident takes place and risk forecasting abilityis a research priority. In order to accomplish this, better security measurements methodshave to be defined that are (i) accurate, (ii) real-time, (iii) economically sound, and (iv)measure security attributes according to business requirements. Security attributemeasurement takes place on various IS objects, e.g., on routers, workstations, personalcomputer, etc. Acquired raw data can be then interpreted using metrics/indicators that arein fact analytical models, which take basic measurements as an input and returnorganization’s information security state. This feedback information should be providedto decision maker as soon as possible in order to enable pro-active risk managementrather than reactive. Thus, leading indicators should be chosen over lagging indicators, toprevent incident rather than to detect and manage incidents.The indicator output is manually or computationally compared to organization’sown risk evaluation criteria and risk management action is taken if necessary. Usingdescribed measurement and metrics as a foundation, security research aims to createalso self-adapting security information and event management systems (SIEM) [2]that take actions based upon indicators values and measurements.Before we advance towards computerized risk assessment for proactive riskmanagement, we will analyze current risk assessment practices as well as addresssecurity metrics and measurement issues and provide some problem solutions.4Current Risk Assessment MethodologyThe most elementary approach to risk assessment starts with identification of a set ofassets A {a1 , a1 ,., a n } and threats T {t1 , t2 ,., tn }. Next, a Cartesian product isformed A T {(a1 , t1 ), (a2 , t1 ),., (an , tm )} . The value of each asset v (an ) isdetermined and, for each threat, the probability of interaction with asset during certainperiod is assessed Ean (tm ) . An interaction is problematic only if asset is exposed tovulnerability Vtm (an ) [0,1] . Taking this into account, an appropriate risk estimate isobtained as following.R (a n , t m ) v (a n ) Ea n (t m ) Vt m (a n )(1)

Towards Quantitative Risk Management for Next Generation Networks233The real problem with this procedure is obtaining exact quantitative values for theabove variables in real-time for the following reasons. Old statistical data are not available, because the technological landscape and ISchange quickly to meet evolving business requirements. Within these changes, newvulnerabilities are created. In addition, different threats are attracted at differenttime, because business context and assets change over time. Consequently, likelihood of attack and number of vulnerabilities and exposures change over time. Furthermore, a substantial proportion of an organization’s assets are intangibleassets, such as information and goodwill. Identification and valuation of these assets remains a difficult issue [4]. Even worse, the most important asset is personnel. Due to the specifics of this type of assets their valuation is very hard. Forexample, none of them are recorded and valued in balance sheets.Therefore, it is hard to derive the exact value of risk. The above facts lead to the currentview that the logical alternative to quantitative IS risk assessment is a qualitativeapproach at the level of aggregates. Here, assets, threats, and vulnerabilities are eachcategorized intro certain classes. By using tables, such as one below, risks are assessedand estimated, and priorities are set by rank-ordering data on an ordinal scale.Table 1. The ISO/IEC 27005 risk assessment matrix measures risk on a scale of 0 to 8 andtakes two qualitative inputs: (i) likelihood of an incident scenario and (ii) the estimatedbusiness impact. For example, if the estimated likelihood of incident scenario is low and thecorresponding business impact is high, then the risk is described by the value 4.Likelihood of Incident ScenarioBusinessImpactVery LowLowMediumHighVery HighVery Low01234Low12345Medium23456High34567Very High45678This is also a legitimate approach according to standards, such as ISO/IEC 27005.However qualitative risk assessment approaches have significant shortcomings andsuffer from the following two major disadvantages [3]. Reversed rankings, i.e., assigning higher qualitative risk ratings to situations thathave lower quantitative risks. Uninformative ratings, i.e., (i) frequently assigning the most severe qualitative risklabel (such as “high”) to scenarios with arbitrarily small quantitative risks and (ii)assigning the same ratings to risk that differ by many orders o

el, and enabling a quantitative risk assessment and support risk treatment decision making. Keywords: computer security, economics of security, risk management, security metrics, security measurement. 1 Introduction Information security risk management is still in its early stages with regards to measuring and quantitative assessment.