Security Risk Analysis with OCTAVE
OCTAVE is focused on building an organization-wide view of information security risks. Up to this point in the evaluation you have collected data about three of the components of risk: threat, asset, and vulnerability. Your analysis activities have focused on critical assets, how they are threatened, and how they are technologically vulnerable. Now you broaden your view by considering the organization. You examine how threats to your organization's critical assets can affect its business objectives and its mission.
Process 7 begins phase 3 of the OCTAVE Method, Develop Security Strategy and Plans. This process creates the link between critical assets and what is important to your organization, putting your organization in a better position to manage the uncertainty that it faces.
9.1 Overview of Process 7
One of the evaluation attributes presented in Chapter 2 was the focus on risk. This attribute requires you to look beyond the immediate consequences (outcome) of the threat to a critical asset and place it in the context of what is important to your organization (impact). Up to this point in OCTAVE, you have collected data that will help you examine the security threats that affect your organization's mission and business objectives. In process 7 the focus shifts to risk identification and analysis.
Process 7 Workshop
The workshop for process 7 includes the core analysis team members as well as supplemental personnel, if needed. Your team, including supplemental members, should have the following skills:
Understanding of the organization's business environment
Understanding of the organization's information technology environment
Good communication skills
Good analytical skills
If you decide to supplement the skills of your analysis team, you should consider including people who understand the specific context of your business environment (e.g., people from the legal department, strategic planners, people from the business continuity office, policy managers). Your team needs these skills, because process 7 requires you to examine how threats to critical assets affect the business objectives and mission of your organization.
An experienced analysis team can complete the activities in about 4½ to 6 hours. The activities of process 7 are summarized in Table 9-1.
TABLE 9-1 Process 7 Activities
Activity | Description
Identify the impact of threats to critical assets | The analysis team defines impact descriptions for threat outcomes (disclosure, modification, loss, destruction, interruption). The impact description is a narrative statement that describes how a threat ultimately affects the organization's mission.
Create risk evaluation criteria | The analysis team creates evaluation criteria that will be used to evaluate the risks to the organization. Evaluation criteria define what constitutes a high, medium, and low impact.
Evaluate the impact of threats to critical assets | The combination of a threat and the resulting impact to the organization defines the risk to the organization. The analysis team reviews each risk and assigns it an impact value (high, medium, or low).
Risk
Risk is the possibility of suffering harm or loss. It is the potential for realizing unwanted negative consequences of an event [Rowe 88]. It refers to a situation in which a person could do something undesirable or a natural occurrence could cause an undesirable outcome, resulting in a negative impact or consequence.
A risk comprises an event, uncertainty, and a consequence. In information security, the basic event in which we are interested is a threat. Uncertainty is embodied in much of the information you have gathered during the evaluation. The uncertainty concerns whether a threat will develop as well as whether your organization is sufficiently protected against the threat actor. In many risk methodologies, uncertainty is represented using likelihood of occurrence, or probability. As Section 9.3 explains, there is a lack of objective data for certain types of information security threats, making it difficult to use a forecasting approach based on probability. To handle the uncertainty inherent in risk, we propose an analysis technique based on scenario planning.
Finally, the consequence that ultimately matters in information security risk is the resulting impact on the organization due to a threat. Impact describes how the organization would be affected based on the following threat outcomes:
Disclosure of a critical asset
Modification of a critical asset
Loss/destruction of a critical asset
Interruption of a critical asset
The outcomes listed above are directly related to assets and describe the effect of the threat on an asset. However, the impact is focused on the organization; it is the direct link back to the organization's mission and business objectives. This chapter shows you how to explicitly identify the risks to your organization's critical assets. We begin looking at risk in the next section, as we present an approach for describing the organizational impact of threats to critical assets.
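To make the three process 7 activities and the four threat outcomes concrete, here is an added example (not code from the book or from the OCTAVE Method itself) that records each risk as a threat outcome on a critical asset with its impact description, expresses evaluation criteria as thresholds for medium and high impact, and assigns each risk an impact value. The criterion names, thresholds, sample risks and the rule that the most severe criterion governs the overall rating are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):
    """The four threat outcomes OCTAVE attaches to a critical asset."""
    DISCLOSURE = "disclosure"
    MODIFICATION = "modification"
    LOSS_DESTRUCTION = "loss/destruction"
    INTERRUPTION = "interruption"

LEVELS = ("low", "medium", "high")  # ordered, so max() picks the worst level

@dataclass(frozen=True)
class Criterion:
    """Evaluation criterion: the measured value at which impact becomes medium or high.
    The names and thresholds used below are constructed for illustration."""
    name: str
    medium_at: float
    high_at: float

    def rate(self, value: float) -> str:
        if value >= self.high_at:
            return "high"
        return "medium" if value >= self.medium_at else "low"

@dataclass
class Risk:
    """A threat outcome on a critical asset plus its narrative impact on the organization."""
    asset: str
    outcome: Outcome
    impact_description: str
    measures: dict  # criterion name -> measured impact (constructed sample values)

def evaluate(risk: Risk, criteria: list) -> tuple:
    """Assign the risk an impact value: the worst level any criterion reaches
    (assumption: the most severe consequence governs the overall rating)."""
    ratings = {c.name: c.rate(risk.measures.get(c.name, 0.0)) for c in criteria}
    return max(ratings.values(), key=LEVELS.index), ratings

# Constructed evaluation criteria (activity 2) and constructed risks (activity 1).
CRITERIA = [Criterion("downtime_hours", medium_at=4, high_at=24),
            Criterion("records_disclosed", medium_at=100, high_at=10_000)]
SAMPLE_RISKS = [
    Risk("payroll system", Outcome.INTERRUPTION,
         "Staff cannot be paid on time; payroll is run manually for a week.", {"downtime_hours": 36}),
    Risk("patient records", Outcome.DISCLOSURE,
         "Several hundred records exposed; affected patients must be notified.", {"records_disclosed": 500}),
    Risk("intranet wiki", Outcome.MODIFICATION,
         "Defaced pages restored from backup within the hour.", {"downtime_hours": 1}),
]
```

Calling `evaluate(r, CRITERIA)` for each sample risk performs activity 3 and returns both the overall impact value and the per-criterion ratings that justify it.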