2. About me
Vice president of the FIST Conferences
association.
www.fistconference.org
President of the ISSA Spain chapter.
www.issa-spain.org
Author of a number of articles:
Google: vaceituno wikipedia
Director of the ISM3 Consortium
The consortium promotes ISM3, an ISMS standard.
ISM3 is the main source for this presentation.
www.ism3.com
3. Standards
Magerit
BS 7799-3:2005
AS 4360
ISO 27005
Canadian Risk Management Guide
ISF method
Octave
SP800-30
Marion
ISO 13335-2
Mehari
Ebios
Dutch A&K analysis
Cramm
4. RA Method Design
Diagram of the factors an RA method relates: Likelihood, Threats, Frequency, Weaknesses, Cost, Countermeasures, Value, Assets, Impact, Exposure.
6. RA Method Design
Threat Taxonomy
Countermeasures Taxonomy
Model
Scope
Depth
Threat Likelihood
Asset Value
Correct? Useful?
7. Threat Taxonomy
Pretty long lists.
Magerit: Accidental Natural, Accidental Industrial, Accidental Error, Deliberate, etc.
Against Confidentiality, against Integrity, against Availability et al.
ISM3-RA uses:
1. Destruction / Corruption / Loss of valid information or systems.
2. Aging of information & Outdated systems.
3. Underperformance OR Interruption of valid system services & Failure of authorized access.
4. Failure to destroy expired information or systems & Failure to stop systems at will.
5. Unauthorized access, eavesdropping, theft and disclosure of information or systems AND Improper use of authorized access to information or systems.
6. Improper recording of access to information or systems (anonymous or otherwise).
8. Countermeasures Taxonomy
ISO 27001 Controls
PCI DSS Controls
Cobit Controls
Custom Made Lists
Etc…
ISM3-RA uses ISM3 Processes
9. Model
No Model
Assets (Mostly Technical): Servers, Databases, Networks, etc. (Purely Technical)
ISM3-RA uses Environments and Business Functions
11. ISM3-RA Business Model
Diagram of Business Functions: Governance, Research, Business Intelligence, Advertising, Sales, Production, Administration, Relationships, IT, Legal, Financing / Accounting, Infrastructure Maintenance, Logistics, Human Resources, Procurement.
12. Scope
The more choice on the side of the certificate aspirant, the less value in the certification.
The wider the scope, the higher the cost.
ISM3-RA uses the scope of whole companies.
13. Depth
The higher the level of detail, the more complex and costly.
The depth should match the kind of decisions we want to support.
ISM3-RA uses management-level depth (Environments).
14. Threat Likelihood
Normally there is not enough data to know how likely a threat is.
The multiplicity and evolution of threats make the likelihood of threats very difficult to model.
ISM3-RA uses a qualitative scale of likelihood (from very high to very low).
15. Asset Value
Euros
High – Medium – Low
Magerit: Availability, integrity, confidentiality, authenticity, traceability.
ISM3-RA uses "The more important Business Functions depend on Environments, the more valuable".
16. Correct? Useful?
Anyone can create a “correct” RA
method.
But, is it useful?
19. Utility – Added Value
What are we learning that we don't know already? (Non-Banal Analysis)
What are important threats to the organization?
What should I do?
How safe am I? / How likely is it that an incident will happen?
How much will I lose this year?
How much should I invest this year?
21. Quantitative RA
Risk = Impact * Probability
Chart: Risk as a function of Probability and Impact.
22. Quantitative RA
Chart: Expected Loss [$ per year] against Probability [% / year, from 0 to 100]. Reference points: "Last year's losses" and "Accounting value of the company" on the loss axis; "Probability of discontinuation of the company per year" on the probability axis.
23. ISO27005
Process diagram:
Establish Context
Risk Assessment: Risk Analysis (Risk Identification, Risk Estimation), Risk Evaluation
Acceptable results? (if not, back to Establish Context)
Risk Treatment
Accept risk? (if not, back to Establish Context)
Risk Acceptance
Risk Communication and Risk Monitoring and Review run alongside all of the above.
24. Utility Challenges
• Lack of real data
• Are opinions valid data?
• Mixing opinions with arithmetic is a bit like mixing magic and physics.
• The higher the investment, the lower the risk.
• Return on investment is always positive.
• Risk Assessment can be difficult and expensive.
25. ISM3-RA
Diagram relating Business Functions to Environments.
Business Functions: Governance, Research, Business Intelligence, Advertising, Sales, Production, Administration, Relationships, IT, Legal, Financing / Accounting, Infrastructure Maintenance, Logistics, Human Resources, Procurement.
Environments: Mobile Users, Internal Users, Internal Network, Networks, WiFi, DMZ.
27. ISM3-RA Example
Chart: Relative Weight of Business Functions (scale 0 to 120) for Governance, Research, Business Intelligence, Advertising, Human Resources, Information Technology, Legal, Relationships, Administration, Financing / Accounting, Infrastructure, Logistics, Maintenance, Procurement, Production, Sales.
28. ISM3-RA Example
Chart: Relative Protection per Environment (scale 0.0000 to 1.2000) for the environments Internet, SSCC, Oficinas (Offices), Host, SSAA, Terceros (Third parties), Usuarios Mobiles (Mobile users), Personal (Staff).
29. ISM3-RA Example
Chart: Relative Reliance on Environments (scale 0 to 25000) per business function: Governance, Research, Business Intelligence, Advertising, Human Resources, Information Technology, Legal, Relationships, Administration, Financing / Accounting, Infrastructure, Logistics, Maintenance, Procurement, Production, Sales.
31. ISM3-RA Example
Chart: Risk per Business Function (scale 0.000000 to 0.000450) for Governance, Research, Business Intelligence, Advertising, Human Resources, Information Technology, Legal, Relationships, Administration, Financing / Accounting, Infrastructure, Logistics, Maintenance, Procurement, Production, Sales, with one series per environment: Host, SSAA, SSCC, Oficinas (Offices), Personal (Staff), Terceros (Third parties), Usuarios Mobiles (Mobile users).
32. ISM3-RA Example
Chart: Risk to Technical Environment per Threat (scale 0.00000000 to 0.00600000) for the environments SSCC, Oficinas (Offices), Host, SSAA, Terceros (Third parties), Usuarios Mobiles (Mobile users), with one series per ISM3-RA threat category:
Destruction / Corruption / Loss of valid information or systems;
Aging of information & Outdated systems;
Underperformance OR Interruption of valid system services & Failure of authorized access;
Failure to destroy expired information or systems & Failure to stop systems at will;
Unauthorized access, eavesdropping, theft and disclosure of information or systems AND Improper use of authorized access to information or systems;
Improper recording of access to information or systems (anonymous or otherwise).
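The figures charted in the ISM3-RA example (relative weight of business functions, reliance on environments, protection per environment, risk per business function and per environment per threat) follow from the rules stated earlier in the deck: the qualitative likelihood scale (slide 14), the asset-value rule "the more important Business Functions depend on Environments, the more valuable" (slide 15) and Risk = Impact * Probability (slide 21). The following Python is an added illustration of how those rules combine into such figures; it is not the ISM3 Consortium's implementation, and the deck does not give formulas. Everything it assumes is marked: the yearly probabilities attached to the likelihood labels, the weight-by-reliance sum as the environment's value, value times the unprotected fraction as impact, and all sample weights, reliance fractions, protection levels and likelihood labels, which are constructed for the example.

```python
"""Toy ISM3-RA style risk model.

Added illustration for this deck, not the ISM3 Consortium's implementation. The deck
names the inputs (relative weight of business functions, reliance of functions on
environments, relative protection per environment, a qualitative threat likelihood
scale) and the charted outputs (risk per business function, risk per environment per
threat); the formulas and every number below are assumptions made for the example.
"""
from typing import Dict, List, Tuple

# Qualitative likelihood scale from the deck ("very high" to "very low"). The indicative
# yearly probabilities attached to each label are an assumption.
LIKELIHOOD: Dict[str, float] = {
    "very high": 0.5, "high": 0.2, "medium": 0.05, "low": 0.01, "very low": 0.001,
}

# The six ISM3-RA threat categories, as short keys.
THREATS: List[str] = [
    "destruction", "aging", "interruption",
    "failure_to_destroy", "unauthorized_access", "improper_recording",
]

# Constructed sample data (scale 0..100): relative weight of each business function.
BUSINESS_FUNCTION_WEIGHT: Dict[str, float] = {"Sales": 100, "Production": 80, "Legal": 20}

# Constructed sample data: fraction (0..1) of each business function that depends on
# each technical environment.
RELIANCE: Dict[str, Dict[str, float]] = {
    "Sales": {"Host": 1.0, "Offices": 0.5, "Mobile users": 0.5},
    "Production": {"Host": 1.0, "Offices": 0.25, "Mobile users": 0.0},
    "Legal": {"Host": 0.5, "Offices": 1.0, "Mobile users": 0.0},
}

# Constructed sample data: relative protection per environment (0 = none, 1 = complete).
PROTECTION: Dict[str, float] = {"Host": 0.9, "Offices": 0.6, "Mobile users": 0.2}

# Constructed sample data: qualitative likelihood of each threat per environment.
# Threats not listed for an environment default to "very low".
THREAT_LIKELIHOOD: Dict[str, Dict[str, str]] = {
    "Host": {"destruction": "low", "interruption": "medium"},
    "Offices": {"unauthorized_access": "high", "improper_recording": "medium"},
    "Mobile users": {"unauthorized_access": "very high", "destruction": "high"},
}


def environment_value(env: str) -> float:
    """Asset-value rule from the deck: the more important the business functions that
    depend on an environment, the more valuable it is. Assumed form: weight-by-reliance sum."""
    return sum(w * RELIANCE[bf].get(env, 0.0) for bf, w in BUSINESS_FUNCTION_WEIGHT.items())


def threat_probability(env: str, threat: str) -> float:
    """Map the qualitative label for (environment, threat) to its indicative probability."""
    return LIKELIHOOD[THREAT_LIKELIHOOD.get(env, {}).get(threat, "very low")]


def threat_risk(env: str, threat: str) -> float:
    """Risk = Impact * Probability. Assumed impact: the environment's value times the
    fraction of it that the current protection does not cover."""
    impact = environment_value(env) * (1.0 - PROTECTION[env])
    return impact * threat_probability(env, threat)


def risk_per_environment(env: str) -> float:
    """Risk to one technical environment summed over all six threat categories."""
    return sum(threat_risk(env, t) for t in THREATS)


def risk_per_business_function(bf: str) -> float:
    """Share of each environment's risk attributed to a business function, in proportion
    to that function's weighted reliance on the environment. Summed over all functions
    this equals the sum of risk_per_environment over all environments."""
    total = 0.0
    for env, reliance in RELIANCE[bf].items():
        unprotected = 1.0 - PROTECTION[env]
        exposure = sum(threat_probability(env, t) for t in THREATS)
        total += BUSINESS_FUNCTION_WEIGHT[bf] * reliance * unprotected * exposure
    return total


def ranked_environments() -> List[Tuple[str, float]]:
    """Environments ordered by risk, highest first: where treatment should be considered first."""
    return sorted(((e, risk_per_environment(e)) for e in PROTECTION), key=lambda x: -x[1])


if __name__ == "__main__":
    for env, r in ranked_environments():
        print(f"{env:14s} value={environment_value(env):6.1f} risk={r:8.3f}")
    for bf in BUSINESS_FUNCTION_WEIGHT:
        print(f"{bf:14s} risk={risk_per_business_function(bf):8.3f}")
```

The numbers are unitless relative figures, like the deck's charts; with the sample data the mobile-user environment carries most of the risk despite having the lowest asset value, because its low protection and high qualitative likelihoods outweigh the value of the well-protected host. The attribution in risk_per_business_function is chosen so that the risk totals agree whether summed per environment or per business function, which keeps the two charts (risk per business function, risk per environment per threat) consistent views of the same model.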
33. References
1. Viable System Model, http://en.wikipedia.org/wiki/Viable_System_Model
2. RA Method Inventory (ENISA), http://www.enisa.europa.eu/rmra/rm_home.html
3. Nassim Nicholas Taleb, El cisne negro: el impacto de lo altamente improbable (The Black Swan: The Impact of the Highly Improbable), ISBN 9788449320774
4. Magerit, Canadian Risk Management Guide, SP800-30, AS 4360, Marion, Ebios, Cramm, ISO 13335-2, ISF method, Mehari, Octave, Dutch A&K analysis
5. Scales of Measurement, Wikipedia
34. Creative Commons Attribution-NoDerivs 2.0
You are free:
• to copy, distribute, display, and perform this work
• to make commercial use of this work
Under the following conditions:
Attribution. You must give the original author credit.
No Derivative Works. You may not alter, transform, or build upon this work.
For any reuse or distribution, you must make clear to others the license terms of this work.
Any of these conditions can be waived if you get permission from the author.
Your fair use and other rights are in no way affected by the above.
This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
35. Thank you
www.fistconference.org
Vicente Aceituno
Madrid, November 2008