21.2 FORMAL RISK ANALYSIS

In the past, several frameworks, models, methods, and methodologies for performing risk analyses formally have been developed and proposed [2, 3]. For example, the British Central Computer and Telecommunications Agency (CCTA) came up with a methodology called CCTA Risk Analysis and Management Methodology (CRAMM) and a tool of the same name. The tool is marketed by Logica.[2] Similarly, a methodology called MARION, an acronym derived from the French term methodologie d'analyse des risques informatiques et d'optimation par niveau, was developed by the French Club de la Sécurité Informatique Français (CLUSIF[3]).

Unfortunately, performing a formal risk analysis has turned out to be difficult in practice, for two main reasons:

  1. A formal risk analysis process requires the establishment of an inventory of all assets (e.g., to decide which of them are valuable). Unfortunately, this is a very difficult and labor-intensive task. To make things worse, the inventory is a moving target that changes constantly and must be updated periodically.

  2. A formal risk analysis always requires the quantification of loss exposures based on estimated frequencies and costs of occurrence. Both values, the estimated frequency and the cost of occurrence, are hard to quantify. How do you, for example, quantify the estimated frequency of a system being hacked? Does this value depend on the operating system in use? Does it depend on the actual configuration? Does it depend on whether software patches are installed or not? Similarly, how do you quantify the cost of occurrence? Note that no system or network resource need be damaged during a system hack; nevertheless, the loss of reputation and customer confidence may still be large and worrisome. It turns out that probability theory is an inappropriate approach for quantifying loss exposures in the IT world. Unfortunately, we do not have an alternative approach so far.

Because of these difficulties, it is common today to perform only qualitative risk analyses. A qualitative risk analysis differs from a (quantitative or formal) risk analysis in the quantification step: it only identifies which risks exist, independently of their potential loss exposures. For example, if a Web site is connected to the Internet, a qualitative risk analysis would only identify the risk of being hacked (possibly rating the risk as low, medium, or high), whereas a (quantitative or formal) risk analysis would additionally try to quantify the estimated frequency and the cost of occurrence in order to compute a quantitative value for the risk under consideration. In either case, risk analysis must start with an analysis of vulnerabilities and threats.
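The following is an added illustration (not from the book) of the two approaches described above: a loss exposure computed as estimated frequency times cost of occurrence, evaluated over the interval of plausible estimates to show how wide the result becomes when the inputs are uncertain, next to a simple low/medium/high rating as a qualitative analysis would produce. The Web-site risk and all numbers in it are constructed for the example; the 3x3 rating matrix is an assumed convention, not one the text prescribes.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Risk:
    name: str
    freq_per_year: tuple[float, float]   # (low, high) estimated occurrences per year
    cost_per_event: tuple[float, float]  # (low, high) estimated cost per occurrence

def loss_exposure_range(risk: Risk) -> tuple[float, float]:
    """Annual loss exposure = frequency x cost, computed for every combination
    of the interval endpoints, so the result is itself an interval."""
    values = [f * c for f, c in product(risk.freq_per_year, risk.cost_per_event)]
    return min(values), max(values)

def uncertainty_ratio(risk: Risk) -> float:
    """How many times larger the upper estimate is than the lower one.
    A large ratio means the quantitative figure carries little information."""
    low, high = loss_exposure_range(risk)
    return high / low if low > 0 else float("inf")

# Qualitative alternative: combine likelihood and impact ratings in a 3x3 matrix
# (assumed convention: low+low/low+medium -> low, medium+medium/low+high -> medium,
# anything above -> high).
SCALE = ("low", "medium", "high")

def qualitative_rating(likelihood: str, impact: str) -> str:
    score = SCALE.index(likelihood) + SCALE.index(impact)
    return "low" if score <= 1 else "medium" if score == 2 else "high"

# Constructed example: a Web site reachable from the Internet. The analyst can only
# say "somewhere between once a decade and twice a year", and the cost spans a cheap
# defacement up to a serious loss of customer confidence.
WEB_SITE_HACKED = Risk("Web site hacked", freq_per_year=(0.1, 2.0),
                       cost_per_event=(5_000.0, 500_000.0))

if __name__ == "__main__":
    low, high = loss_exposure_range(WEB_SITE_HACKED)
    print(f"{WEB_SITE_HACKED.name}: exposure {low:,.0f} .. {high:,.0f} per year "
          f"(upper/lower = {uncertainty_ratio(WEB_SITE_HACKED):,.0f}x)")
    print("qualitative rating:", qualitative_rating("medium", "high"))
```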

In many companies and organizations it is not even possible to perform a qualitative risk analysis, and some simpler risk management approaches and technologies must be used instead. Some alternative approaches and technologies are addressed next.

[2]http://www.logica.com

[3]http://www.clusif.asso.fr/


Source: Internet and Intranet Security, ISBN 1580531660, Year: 2002, Pages: 144