Risk Assessment in Information Security - An Alternative Approach

Risk assessment is a systematic method of analyzing risk. It originated in the nuclear and aeronautical industries and has since spread to many others, including finance, transportation, power systems, public health, shipping and fishing. 

Risk assessment tries to answer three questions:

  1. What can go wrong?
  2. How likely is it?
  3. How serious are the consequences?

Risk assessment has different roles in different industries. For instance, system adequacy and system security are two basic tasks in power system risk assessment, but enterprise risk assessment tries to identify and evaluate events that could affect the achievement of business objectives.

According to ISO/IEC 27005, information security risk assessment (ISRA) is “the overall process of risk identification, risk analysis and risk evaluation”. In practice, ISRA provides a complete framework for assessing the risk levels of information security assets. 

ISRA is a widely used method in industries which require keeping information secure. In fact, information exists everywhere and has a very close relationship to our lives. Private and public sectors collect personal information. More and more individuals share their daily life on social networks such as Facebook and Instagram.

Maintaining the security of all users' information becomes a hot issue for network and platform providers. ISRA helps the providers to identify risks associated with information systems and to implement security controls by following information security standards and regulations. 

Risk analysis is an important part of ISRA. Its methods can be divided into three categories: quantitative, qualitative and synthetic. A quantitative approach builds mathematical models that can yield more precise results, but those models need historical loss data to calibrate them, and such data is hard to collect for information security incidents.

In a qualitative method it is easy to collect data from experts' opinions or questionnaires, but the results can be too subjective. Synthetic risk analysis methods try to overcome the limitations of the traditional quantitative and qualitative approaches by applying fuzzy set theory and the Analytic Hierarchy Process (AHP), which provides a multi-criteria decision-making model.

However, synthetic approaches still share the shortcomings of traditional risk analysis methods. First, they are designed to deal with general information security risks rather than specific threats such as cyber-attacks. Second, the risk scores derived from experts’ opinions are not sufficiently intuitive for many managers to understand. The risk level of an asset is scored from 1 to 5, where the higher the score, the riskier the asset. The total risk level of all information security assets is then presented as a summed score such as 59 or 75.

However, we do not have a clear picture of what the real difference between 59 and 75 means to an organization. Furthermore, these scores cannot be compared across different companies because of the subjective nature of experts' opinions.

An alternative approach uses Value-at-Risk (VaR). VaR is a classical financial risk model which estimates the loss that will not be exceeded, at a stated confidence level (typically 95% or 99%), over a target time horizon. It is therefore not an absolute worst case: a 99% one-year VaR of $1m means that a loss above $1m is expected in at most one year in a hundred, so the confidence level and horizon must always be quoted with the figure. If VaR can be applied to ISRA then it may be feasible to make comparisons among companies. The ISRA VaR method evaluates the risk levels of information assets by estimating this monetary loss figure instead of a simple summed score.

As an example, CyberVaR focuses on cyber threats and analyses the risk level of information assets, such as intellectual property. However, the CyberVaR model cannot be used to compare different companies because the same asset has different values in different organizations. For example, personal information may have higher sensitivity for a bank and consequently be assigned a higher value than it would be at, say, a supermarket. 

MVaR is a new model we propose that can be used to analyze malware attacks from the standpoint of portfolio VaR theory. Portfolio VaR combines the risks of the underlying securities, taking into account how their losses move together. In the MVaR model the computers, and the data held on them, are the underlying securities, and the company consisting of all its computers is the portfolio. Thus, the MVaR model assesses the worst case loss, at a stated confidence level, of the computers in a company portfolio due to the risk of malware. The dependence between the underlying positions matters here just as it does in finance: one malware campaign can infect many computers at once, so the company's VaR is not simply the sum of per-computer figures. 
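The following is an added worked example, written for this page rather than taken from the article or from the MVaR model it proposes, of the portfolio-VaR idea described above applied to malware losses. It assumes a simple loss model of my own: each computer is an asset with an infection probability over the horizon and a monetary loss if infected, and a company-wide outbreak (a "common shock", with probability `P_OUTBREAK`) raises every asset's infection probability at the same time, which is what makes the losses correlated. The asset names, probabilities and loss figures are constructed for illustration, not real data. For a small portfolio the full loss distribution is enumerated exactly; for a large one the same model is sampled by Monte Carlo.

```python
"""Added example (not the article's own MVaR model): portfolio-style VaR for malware
losses across a company's computers under an assumed common-shock outbreak model."""
import math
import random
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Asset:
    name: str
    p_base: float      # P(infected over the horizon) when there is no company-wide outbreak
    p_outbreak: float  # P(infected over the horizon) during an outbreak (assumed, higher)
    loss: float        # monetary loss if infected: cleanup, downtime, value of the data held


def var_from_distribution(outcomes, confidence):
    """VaR = smallest loss L such that P(Loss <= L) >= confidence.

    outcomes is a list of (loss, probability) pairs describing the full distribution.
    """
    cum = 0.0
    for loss, prob in sorted(outcomes):
        cum += prob
        if cum >= confidence - 1e-12:   # tolerance for floating-point rounding
            return loss
    return max(loss for loss, _ in outcomes)


def exact_outcomes(assets, p_outbreak_event):
    """Enumerate every (outbreak?, infection state) combination; 2 * 2**n entries."""
    outcomes = []
    for outbreak in (False, True):
        p_event = p_outbreak_event if outbreak else 1.0 - p_outbreak_event
        for state in product((False, True), repeat=len(assets)):
            prob, loss = p_event, 0.0
            for asset, infected in zip(assets, state):
                p = asset.p_outbreak if outbreak else asset.p_base
                prob *= p if infected else 1.0 - p
                loss += asset.loss if infected else 0.0
            outcomes.append((loss, prob))
    return outcomes


def expected_loss(outcomes):
    """Mean loss over the horizon; useful next to VaR, not a substitute for it."""
    return sum(loss * prob for loss, prob in outcomes)


def simulate_losses(assets, p_outbreak_event, trials, seed=0):
    """Monte Carlo samples of total portfolio loss; scales to thousands of computers."""
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        outbreak = rng.random() < p_outbreak_event      # common shock shared by all assets
        total = 0.0
        for asset in assets:
            p = asset.p_outbreak if outbreak else asset.p_base
            if rng.random() < p:
                total += asset.loss
        samples.append(total)
    return samples


def empirical_var(samples, confidence):
    """VaR read off the sampled loss distribution as the `confidence` quantile."""
    ordered = sorted(samples)
    idx = max(math.ceil(confidence * len(ordered)) - 1, 0)
    return ordered[idx]


# Constructed sample portfolio: two computers with illustrative numbers, not real data.
PORTFOLIO = [
    Asset("workstation", p_base=0.05, p_outbreak=0.5, loss=1_000.0),
    Asset("file-server", p_base=0.02, p_outbreak=0.6, loss=5_000.0),
]
P_OUTBREAK = 0.1   # assumed probability of a company-wide malware outbreak in the horizon

if __name__ == "__main__":
    exact = exact_outcomes(PORTFOLIO, P_OUTBREAK)
    print("expected loss:", round(expected_loss(exact), 2))
    samples = simulate_losses(PORTFOLIO, P_OUTBREAK, trials=20_000)
    for c in (0.95, 0.99):
        print(f"VaR{int(c * 100)}: exact={var_from_distribution(exact, c):.0f} "
              f"monte-carlo={empirical_var(samples, c):.0f}")
```

For the constructed portfolio the expected loss is 485, the 95% VaR is 5,000 and the 99% VaR is 6,000: the figures a manager compares against the price of a control or an insurance premium are the quantiles, not the mean, and both the confidence level and the horizon have to be quoted with them. Raising `P_OUTBREAK` or the `p_outbreak` values shows the correlation effect the paragraph above describes: the high quantiles grow much faster than the expected loss does.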

The most important reason for applying the concept of financial VaR to ISRA is that the ISRA VaR model provides a monetary figure, which makes it easier for managers to understand the consequences of cyber-attacks. Managers then have a basis for decisions such as whether to increase their security investment by buying cyber insurance or improving their defenses, provided the confidence level and time horizon are stated alongside the figure, since a 99% one-year VaR and a 95% one-quarter VaR are not comparable.
