PhD Student Conference at the OU's Centre for Research in Computing

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


2010 CRC PhD Student Conference (pages 98-101 of 125)

Using Business Process Security Requirements for IT Security Risk Assessment

Stefan Taubenberger, stefan.taubenberger@web.de
Supervisors: Bashar Nuseibeh, Jan Jürjens, Charles Haley
Department/Institute: Computing
Status: Part-time
Probation viva: After
Starting date: October 2007

Companies and governmental organizations are suffering from information technology (IT) risks caused by malicious or negligent events and by inappropriate process designs related to authorization, access control or segregation of duties. Examples of such events are the loss of two data discs holding 25 million child benefit records in the UK, or the trading losses at Société Générale. Many quantitative and qualitative methods and toolkits for IT security risk analysis have been developed, using e.g. Bayesian probability, fuzzy theories, Courtney, the Livermore risk analysis methodology (LRAM) …, all of which are based on probabilities and events, since risk is defined, e.g. in ISO 27002, as a "combination of the probability of an event and its consequence" ([3], p. 2). But with these traditional risk analysis approaches, IT risks often cannot be determined reliably and with precision, because security events are difficult to identify in a way that guarantees the correctness and completeness of this process: the methods give only general descriptions of how to identify them [7]. Probabilities in practice are difficult to estimate with a sufficient degree of precision and reliability, as statistical data is missing or outdated [6] and influenced by perception [5]. IT security risk assessment approaches using business process models and security requirements provide a way that may overcome these limitations. The use of security requirements as well as business or critical assets for risk assessment is not new; it is described in general in the ISO 27000 series and implemented in approaches like OCTAVE Allegro [1].
However, existing standards and approaches like the ISO 27000 series or OCTAVE Allegro that refer to or utilize security requirements are still based on events/threats and probabilities. Threat-based approaches face limitations regarding precision and reliability, as they rest on probability/impact estimates as well as on correct event identification. Furthermore, these approaches do not determine the risk of non-adherence to, or incorrect implementation of, requirements. Other approaches using security requirements without threats determine the best security solutions for processes [2] or analyse process security [4], but do not determine risks. Approaches that determine security solutions or analyse process security are limited in that they do not evaluate the security risk of the current implementation. In addition, most risk assessment approaches omit risks originating from the business process design and data flow, and do not consider any security dependencies, as they all evaluate single decomposed model elements. Additionally, the assessment results are tied to a point in time and do not consider the changing environment.

In contrast to existing approaches, we suggest basing an IT security risk assessment approach on business process security requirements and evaluating the corresponding security controls as well as security processes. We evaluate process security requirements for a process business object, including system, personnel, physical and execution requirements; we consider security dependencies between processes; and we evaluate standard IT security processes. An advantage of such an approach would be that events and probabilities need not be determined, that business activity sequences as well as security dependencies are considered, and that risk results are more independent of a point in time. Furthermore, such an approach would support the understanding and definition of security requirements from a process and risk view.

Research objective

The objective of our research is to provide insights and knowledge on how to conduct a risk assessment based solely on security requirements verification and implemented security controls. The main focus of our research is the link between security requirements and security controls, and whether a risk assessment can be based completely on security requirements rather than identifying risk with events and probabilities. With our work we would like to address the following research questions to achieve our objective:

1) Can IT security risks be evaluated only with security requirements, without using threats and probabilities, with the same quality/precision as in traditional approaches?
2) If we use a security requirements based risk assessment approach:
   a) How can the evaluation of security requirements be better supported to help identify and evaluate risks?
   b) How can we consider dependencies between security objectives or security requirements that influence the risk assessment result?
   c) Can we provide more time-independent risk assessment results by checking security processes?

Problems with risk assessments

The issues of traditional risk assessment approaches are rooted in the definition of risk as consisting of events, probabilities and impact. To identify and determine each parameter in a risk assessment we must have comprehensive knowledge about the direct environment of the risk, e.g. a company, as well as about the outside environment, i.e. all others. In reality, comprehensive knowledge about the direct and outside environment is not available, may be compromised, and cannot be modelled, as the real world is too complex and unpredictable. Even if it were possible to obtain comprehensive knowledge, we currently do not know how to achieve it or how to verify it. Another fallacy is that we attempt to determine risk exactly with probabilities. This would require that all parameters, the corresponding probabilities and their correlations are known, are immediately updated, rest on enough statistical data and can be modelled. In practice this is not the case; rather, we have to deal with uncertainty, which current approaches do not consider, and with incomplete and unverified data. Furthermore, risk is about people. Their behaviour is not objective or rational and may follow personal interests. Especially in the risk estimation, evaluation and mitigation phases, behavioural biases influence the assessment and the decisions because of knowledge, perception, personal objectives and herd instincts. Therefore, risk results are biased without any indication of the direction of the bias. In addition, risk is taken by people and not by a company or institution; therefore people are at risk, not companies: it is not the company that is at risk, but the managers or shareholders of that company. For all these reasons, the methods developed can only be attempts to determine risk, which we believe are imprecise, biased and never accurate.

Our approach

The objective of our approach is to identify the critical risks of a company based on business process models and security requirements. We assume that business process models are available and up to date, and we use standard methods and concepts of the software engineering domain. Our approach probably will not be able to identify all possible risks, as it concentrates on critical ones.

[Figure 1. SR risk assessment approach.]

Our approach follows in general the risk management and security requirements elicitation process: identify assets, identify requirements and assess them (fig. 1). The business process model assessment (left side of figure 1) has three stages: the identification of critical business processes and business objects from existing business process models, the definition of the business process security requirements, and the assessment of the security requirements for each data process point. The second stage of the assessment can be restarted and is therefore iterative. The IT process assessment (right side of figure 1) also consists of three stages: the definition of the IT security standard process model used, the selection of the security processes to be assessed, and the assessment of those processes. There is a link between the requirements assessment and the process assessment, because results of the IT security process assessment can influence the requirements results, as security objectives or requirements might be violated.
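The following Python model is an added illustration of the two-sided assessment just described and is not the authors' tooling; the data structures, the mapping of failed IT security processes to the requirement kind they undermine (IT_PROCESS_IMPACT), the dependency propagation rule and the sample company data are all assumptions made for the example. It shows how risks can be listed without any event or probability: a requirement at a data process point becomes a risk when its control is verified as not satisfied, or when the IT process assessment undermines that requirement kind; a critical process additionally inherits the risks of the processes it depends on.

```python
from dataclasses import dataclass, field

# Requirement kinds evaluated per business object (as named in the paper).
KINDS = ("system", "personnel", "physical", "execution")

# Constructed mapping (assumption): which requirement kind a failed IT security
# process undermines. This is the "link" from process results to requirement results.
IT_PROCESS_IMPACT = {
    "access management": "system",
    "security awareness": "personnel",
    "physical security": "physical",
    "change management": "execution",
}


@dataclass
class Requirement:
    kind: str        # one of KINDS
    text: str
    satisfied: bool  # outcome of verifying the implemented control


@dataclass
class ProcessPoint:
    """A data process point: one activity handling the business object."""
    name: str
    requirements: list


@dataclass
class BusinessProcess:
    name: str
    critical: bool
    points: list = field(default_factory=list)
    depends_on: list = field(default_factory=list)  # names of upstream processes


def local_risks(process, failed_it_processes):
    """Risks found directly in one process: a requirement whose control is not
    satisfied, or whose kind is undermined by a failed IT security process."""
    undermined = {IT_PROCESS_IMPACT[p] for p in failed_it_processes if p in IT_PROCESS_IMPACT}
    risks = []
    for point in process.points:
        for req in point.requirements:
            if req.kind not in KINDS:
                raise ValueError(f"unknown requirement kind {req.kind!r}")
            if not req.satisfied:
                reason = "control not satisfied"
            elif req.kind in undermined:
                reason = "undermined by failed IT security process"
            else:
                continue
            risks.append({"process": process.name, "point": point.name,
                          "kind": req.kind, "reason": reason, "source": "local"})
    return risks


def upstream_closure(name, by_name, seen=None):
    """Transitive set of processes the named process depends on (cycle-safe)."""
    seen = set() if seen is None else seen
    for dep in by_name[name].depends_on:
        if dep in by_name and dep not in seen:
            seen.add(dep)
            upstream_closure(dep, by_name, seen)
    return seen


def assess(processes, failed_it_processes):
    """Evaluate critical processes only. A critical process also inherits the
    risks of every process it depends on (assumed propagation rule): a violated
    requirement upstream affects the business object the process receives."""
    by_name = {p.name: p for p in processes}
    local = {p.name: local_risks(p, failed_it_processes) for p in processes}
    result = {}
    for p in processes:
        if not p.critical:
            continue
        inherited = [dict(r, source="inherited")
                     for dep in sorted(upstream_closure(p.name, by_name))
                     for r in local[dep]]
        result[p.name] = local[p.name] + inherited
    return result


def run_example():
    """Constructed sample: two critical processes and one non-critical process;
    the IT process assessment found access management failing."""
    claims = BusinessProcess("claims handling", critical=True, points=[
        ProcessPoint("intake", [
            Requirement("system", "claims DB access limited to the claims role", True),
            Requirement("personnel", "intake clerk completed data-handling training", True),
            Requirement("physical", "intake office access is badge-controlled", True),
            Requirement("execution", "payments above limit need four-eyes approval", False),
        ])])
    policy = BusinessProcess("policy administration", critical=True,
                             depends_on=["claims handling"], points=[
        ProcessPoint("update", [
            Requirement("system", "policy records writable only by the policy role", True),
            Requirement("execution", "changes are logged and reviewed", True),
        ])])
    marketing = BusinessProcess("marketing", critical=False, points=[
        ProcessPoint("mailing", [Requirement("system", "mailing list export restricted", False)])])
    return assess([claims, policy, marketing], failed_it_processes={"access management"})


if __name__ == "__main__":
    for name, risks in run_example().items():
        print(name)
        for r in risks:
            print(f"  {r['point']}/{r['kind']}: {r['reason']} ({r['source']})")
```

In the sample, "claims handling" yields two risks (the unsatisfied four-eyes control and the system requirement undermined by the failed access management process), "policy administration" yields its own undermined system requirement plus the two inherited from the process it depends on, and the non-critical "marketing" process is not evaluated at all, mirroring the paper's focus on critical processes.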
Current work

Currently, we are completing the validation of our approach. We have chosen to validate our approach by testing, and have applied it to several real-world examples within a reinsurance company. Our results support our assertion that risks can be determined by evaluating security requirements. Further work will concentrate on discussing validation issues as well as on describing how our approach could be integrated into and utilized within traditional approaches.
References

[1] Richard Caralli, James Stevens, Lisa Young, and William Wilson. Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. The Software Engineering Institute, 2007.
[2] Peter Herrmann and Gaby Herrmann. Security requirement analysis of business processes. Electronic Commerce Research, 6:305–335, 2006.
[3] International Organization for Standardization (ISO). ISO 27002 Information technology - Security techniques - Code of practice for information security management. ISO, 2005.
[4] Alexander W. Roehm, Guenther Pernul, and Gaby Herrmann. Modelling secure and fair electronic commerce. In Proceedings of the 14th Annual Computer Security Applications Conference, Phoenix, Arizona, Dec. 7-11, 1998. IEEE Computer Society Press, 1998.
[5] Andrew Stewart. On risk: perception and direction. Computers & Security, 23:362–370, 2004.
[6] Lili Sun, Rajendra Srivastava, and Theodore Mock. An information systems security risk assessment model under Dempster-Shafer theory of belief functions. Journal of Management Information Systems, 22(4):109–142, 2006.
[7] Stilianos Vidalis. A critical discussion of risk and threat analysis methods and methodologies. Technical Report CS-04-03, University of Glamorgan, Pontypridd, 2004.