Tuesday, 21 January 2014

Risk Assessment Methodologies - A Comparison

There are a number of risk assessment methodologies. This post briefly defines some widely accepted ones and then compares them. The methodologies are as follows:
 
CCTA Risk Analysis and Management Method (CRAMM):

The Central Computer and Telecommunications Agency (CCTA), since renamed the Office of Government Commerce (OGC), developed this methodology for the British government. It combines securing IT hardware and software with physical and human resource controls. The three stages of CRAMM risk analysis are:
1. Identifying and valuing assets
2. Assessing threats and vulnerability
3. Selecting and recommending counter measures

Failure Modes and Effect Analysis (FMEA):

FMEA was originally developed for hardware but can be used effectively for the analysis of systems and software. The manufacturing industry has found FMEA useful for its risk analysis too. In this methodology the potential failure of each part, process or module is identified. The failure modes are the causes of failure, such as people, machines or processes. The effects these failures would have at the immediate level, the intermediate level and across the system are then examined. The total impact of failure in specific modules is calculated, a severity is assigned to it, and the personnel responsible for the module are identified. The analysis has to be revised at regular intervals.

Facilitated Risk Analysis Process (FRAP):

FRAP enables organizations to pre-screen security-related systems and processes to determine whether a risk analysis is needed. It is a method that helps focus organizations on critical security issues, and it consists of a range of tested approaches for conducting a qualitative risk assessment. Because it is simple and inexpensive to use, it is well suited to initial analysis.

SP 800-30 and 800-66 by the National Institute of Standards and Technology (NIST):

NIST developed two sets of qualitative risk assessment techniques, SP 800-30 and SP 800-66, for regulated industries such as healthcare. SP 800-66 was written for organizations that need to adhere to the Health Insurance Portability and Accountability Act (HIPAA) in the US. The steps involved in this risk assessment are:
1. Characterize systems
2. Identify threats
3. Identify countermeasures
4. Determine likelihood
5. Determine impact
6. Determine risk
7. Recommend additional countermeasures
8. Document results

Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE):

The OCTAVE approach was developed by the Software Engineering Institute (SEI) at Carnegie Mellon University in 2001 to address the information security compliance challenges faced by the US Department of Defense (DoD). The methodology uses a self-directed, interdisciplinary team to analyze and evaluate security risks by reviewing operational risk and security practices. Technology is examined only in relation to security practices. OCTAVE outlines a set of principles (e.g. using a self-directed team to evaluate risk); based on these principles it defines the required attributes or characteristics of the evaluation process, and it specifies the outputs that are the required outcomes of each phase of the analysis.

PUSH:

PUSH is an acronym for a service-based risk assessment solution that involves the following four phases:
1. Preparation - Defining the audience and purpose of risk assessment
2. Universe definition - Identifying and characterizing the most critical assets, risk and controls
3. Scoring - Choosing a consistent scale to rate the importance of assets, the impact of risks, and effectiveness of controls
4. Hitting the mark - ensuring the risk assessment fulfills the purpose set out in the planning phase using a documented methodology

Spanning Tree Analysis Methodology:

In this methodology a map or tree of all possible threats to an information system is created. Branches denote general categories of threats, e.g. physical or network threats, and more detail is added as leaves on each branch. When assessing risk, organizations prune the branches that do not apply to their situation.

Security Officers Management and Analysis Project (SOMAP):

SOMAP was developed by a Swiss non-profit organization, which created a guide and a risk assessment tool to support risk assessment for open source systems or enterprises. It discusses both quantitative and qualitative risk assessment methods and the importance of aligning goals with the business goals of the organization.
It is a five-stage cyclic workflow for risk assessment, as depicted below:
 
 
Value at Risk (VAR) methodology:

VAR is a theoretical quantitative measure of information security risk. The methodology helps create a summary of the worst loss due to a security breach and strike a workable balance between the cost of implementing controls and the reduction in risk. Both tangible and intangible assets are considered; examples of intangible assets include copyrights, collaboration activities, IP, public perceptions, and structural activities. It requires a four-stage cycle, as depicted below.
 


Comparison of methodologies

The table below compares the methodologies described above (columns: Methodology, Type, Industry, Characteristics):

CRAMM
  Type: Qualitative
  Industry: IT Hardware
  Characteristics:
  - Contains a very large countermeasure library consisting of over 3000 detailed countermeasures organized into over 70 logical groupings
  - Old methodology. Limitation of language (available in English and Dutch)

FMEA
  Type: Qualitative (rating-based formulae used)
  Industry: Any
  Characteristics:
  - Used extensively by quality professionals
  - Aims at finding the root cause and is used in conjunction with fishbone diagrams
  - Helps in early identification of single points of failure
  - Does not deal with multiple failures in subsystems
  - Does not give an exact idea of how bad the risk is, as it uses ordinal scales

FRAP
  Type: Qualitative (uses expert panel opinion to identify critical risks)
  Industry: Any
  Characteristics:
  - Used to pre-screen risks quickly and at low cost. Increases organizational focus on critical issues
  - Can limit the organization's view of the risks it faces
  - Difficult to find an efficient panel of diverse experts who can reliably come up with reliable estimates. Also prone to personal opinions and prejudices.
  - Multiple teams are formed to perform FRAP to counter the above limitations

NIST (SP 800-30, 800-66)
  Type: Qualitative
  Industry: Regulated industries
  Characteristics:
  - Developed for industries regulated by HIPAA and FISMA
  - Extensive process that stresses proper documentation
  - The complete process suggested might not be cost effective for less regulated industries with higher risk tolerance

OCTAVE
  Type: Qualitative
  Industry: Any
  Characteristics:
  - A suite of tools, techniques, and methods for risk-based information security strategic assessment and planning
  - There are 3 OCTAVE methods suited to different industry needs

PUSH
  Type: Qualitative
  Industry: Any enterprise system

Spanning Tree
  Type: Qualitative
  Industry: Any
  Characteristics:
  - Simple to use. Easy way to map risks and subsets of risks. Graphical method.
  - Cannot be used for detailed analysis beyond identifying and prioritizing threats.
  - Has to be used simultaneously with other techniques.

SOMAP
  Type: Qualitative & Quantitative
  Industry: IT
  Characteristics:
  - An open source IT risk assessment and management methodology.
  - Freely available to customers.
  - Stresses collaborative development.
  - Comes with a suite of tools.

VAR
  Type: Quantitative
  Industry: Financial primarily. Can be used in any industry.
  Characteristics:
  - Capable of producing accurate results for the valuation of risk.
  - Can be used to create simulations and predictive models of risk.
  - Extensive research has already been done on methods for calculating VAR.
  - Dependent on a mathematical model, so errors in estimation can lead to catastrophic effects, especially in the financial and banking sectors.
  - Difficult to incorporate complex and intangible risks, e.g. human behavior, political effects
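As an added illustration that is not part of the original post, the simulation below shows how a quantitative VAR figure of the kind described above is produced, how it can be set against the cost of a control, and why the table's caveat about estimation errors matters. The breach frequency, loss-size parameters and control cost are constructed assumptions, and the control itself is hypothetical.

```python
"""Monte Carlo Value at Risk (VAR) for security breach losses.

Added illustration, not taken from the original post. All frequencies,
loss sizes and control costs are constructed assumptions, not real data."""
import math
import random


def simulate_annual_losses(events_per_year, median_loss, sigma, years, seed=1):
    """Return one simulated total breach loss per year.

    Model (assumed): breaches per year ~ Poisson(events_per_year); the cost
    of each breach ~ lognormal with the given median and log-spread sigma."""
    rng = random.Random(seed)
    mu = math.log(median_loss)
    totals = []
    for _ in range(years):
        # Poisson draw by Knuth's inversion method (stdlib has no poissonvariate).
        count, cutoff, prod = 0, math.exp(-events_per_year), rng.random()
        while prod > cutoff:
            count += 1
            prod *= rng.random()
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(count)))
    return totals


def value_at_risk(losses, confidence_pct):
    """Loss not exceeded in confidence_pct percent of simulated years.
    Integer arithmetic for the ceil(p * n) - 1 index avoids float surprises."""
    ordered = sorted(losses)
    idx = (confidence_pct * len(ordered) + 99) // 100 - 1
    return ordered[max(idx, 0)]


def control_is_worthwhile(var_before, var_after, annual_control_cost):
    """Crude cost/benefit test: does the control cut VAR by more than it costs?"""
    return (var_before - var_after) > annual_control_cost


if __name__ == "__main__":
    base = simulate_annual_losses(3.0, 40_000, 1.2, 10_000)
    # Hypothetical control that halves breach frequency at a cost of 50k per year.
    hardened = simulate_annual_losses(1.5, 40_000, 1.2, 10_000)
    for pct in (95, 99):
        print(f"VAR{pct}: {value_at_risk(base, pct):,.0f} -> {value_at_risk(hardened, pct):,.0f}")
    print("control worthwhile at 99%:",
          control_is_worthwhile(value_at_risk(base, 99), value_at_risk(hardened, 99), 50_000))
    # Model risk (the table's caveat): misjudging the loss spread alone moves the tail.
    shaky = simulate_annual_losses(3.0, 40_000, 1.5, 10_000)
    print(f"VAR99 if sigma is really 1.5, not 1.2: {value_at_risk(shaky, 99):,.0f}")
```

Re-running with a different seed or a different sigma gives a feel for how much of the reported VAR is model assumption rather than measurement.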




