Analysis of common methods for Network Information Risk Assessment

Source: Internet
Author: Netlinking
Several operational methods can be used in risk assessment, including knowledge-based analysis, model-based analysis, qualitative analysis and quantitative analysis. Whichever is used, the aim is the same: to identify the risks to the organization's information assets and their impact, and the gap between the current security level and the organization's security requirements.

Knowledge-based Analysis

In a baseline risk assessment, an organization can use the knowledge-based analysis method to identify the gap between its current security state and a baseline security standard.

The knowledge-based analysis method is also known as the empirical method. It reuses the "best practices" of similar organizations (similar in scale, business objectives and markets) and is suitable for organizations with general information security needs.

With the knowledge-based analysis method an organization does not need to spend much energy, time or money. It collects relevant information in several ways to identify the organization's risks and its current security measures, compares them with a specific standard or best practice to find the non-conformities, and then recommends security measures taken from that standard or best practice to reduce and control the risks.

The most important part of knowledge-based analysis is the collection of assessment information, which includes:

· Meetings and discussions;

· Reviewing the current information security policies and related documents;

· Preparing a questionnaire for the investigation;

· Interviewing relevant personnel;

· Conducting on-site inspections.

To simplify the assessment process, the organization may adopt automated support tools. Such a tool helps the organization prepare a questionnaire that meets the requirements of a specific standard, performs a comprehensive analysis of the answers, compares the result with the standard and finally produces a recommendation report. Several tools of this type are available on the market; COBRA is a typical one.

Model-Based Analysis

In January 2001 a project named CORAS (Platform for Risk Analysis of Security Critical Systems) was started jointly by a number of commercial companies and research institutions in Greece, Germany, the UK, Norway and other countries. The purpose of the project is to develop a risk assessment framework based on object-oriented modeling, in particular UML. Its assessment target is any system with high security requirements, especially the security of IT systems. By using CORAS risk assessment, which takes technical, personnel and all other aspects of organizational security into account, an organization can define, acquire and maintain the confidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability of its IT systems.

Like traditional qualitative and quantitative analysis, CORAS risk assessment follows the process of identifying, analyzing, evaluating and treating risks, but its way of measuring risk is completely different: every step of the analysis is based on the object-oriented model. CORAS has the following advantages: it improves the precision with which security-related properties are described and therefore the quality of the analysis results; its graphical modeling mechanism eases communication and reduces misunderstandings; and it improves interoperability between different assessment methods.

Currently, CORAS is in the experimental stage. For more information, see:

Http://www.bitd.clrc.ac.uk/Activity/CORAS

Quantitative Analysis

For a detailed risk analysis, apart from the knowledge-based assessment method, the most traditional methods are quantitative and qualitative analysis.

The idea behind the quantitative analysis method is simple: assign a numeric value or monetary amount to each element that makes up a risk and to the level of potential loss. Once every element of a risk has been assigned a value (asset value, threat frequency, exploitability of weaknesses, effectiveness of security measures and their cost), the whole risk assessment process and its results can be quantified.

In short, quantitative analysis is a method that attempts to analyze and evaluate security risks in numbers.

There are several important concepts in quantitative risk analysis:

Exposure Factor (EF): the percentage or extent of the loss that a specific threat causes to a specific asset.

Single Loss Expectancy (SLE), also called SOC (Single Occurrence Cost): the total potential loss caused by a single occurrence of a specific threat.

Annualized Rate of Occurrence (ARO): an estimate of how many times a threat occurs within one year.

Annualized Loss Expectancy (ALE), also called EAC (Estimated Annual Cost): the expected loss on a specific asset within one year.

The quantitative analysis process shows how these concepts are related:

(1) First, identify the assets and assign a value to each;

(2) Through threat and weakness assessment, evaluate the impact of a specific threat on a specific asset, that is, the EF (a value between 0% and 100%);

(3) Estimate the frequency of occurrence of the specific threat, that is, the ARO;

(4) Calculate the SLE of the asset:

SLE = Asset Value × EF

(5) Calculate the ALE of the asset:

ALE = SLE × ARO

Here is an example. Assume that a company has invested $500,000 to build a network operation center. The biggest threat is fire, and in the event of a fire the estimated loss to the network operation center is 45%. According to the fire department, the region where the network operation center is located suffers a fire every five years, which gives an ARO of 0.20. Based on these figures, the ALE of the company's network operation center is $45,000.
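The following is an added example, not code from the original article: it carries the SLE and ALE calculation above through in Python, rejects an EF outside the 0% to 100% range the text specifies, and goes one step further than the article by using ALE to value a security measure (the "effectiveness and cost of security measures" element mentioned earlier). The sprinkler figures and the safeguard cost are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One specific threat acting on one specific asset, using the article's inputs."""
    asset: str
    threat: str
    asset_value: float   # monetary value assigned to the asset (step 1)
    ef: float            # Exposure Factor as a fraction, 0.0 .. 1.0 (step 2)
    aro: float           # Annualized Rate of Occurrence, occurrences per year (step 3)

    def __post_init__(self) -> None:
        # The article defines EF as a percentage between 0% and 100%.
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError("EF must lie between 0% and 100%")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = Asset Value x EF (step 4)."""
        return self.asset_value * self.ef

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO (step 5)."""
        return self.sle() * self.aro


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Annual value of a control: the ALE reduction it buys minus its own annual cost.
    A positive result means the control pays for itself in the article's own terms."""
    return before.ale() - after.ale() - annual_cost


# Constructed scenario reproducing the article's network operation center figures.
noc_fire = RiskScenario("network operation center", "fire",
                        asset_value=500_000, ef=0.45, aro=1 / 5)

# Hypothetical sprinkler system assumed to cut the loss per fire to 10% (ARO unchanged).
noc_fire_with_sprinklers = RiskScenario("network operation center", "fire",
                                        asset_value=500_000, ef=0.10, aro=1 / 5)

if __name__ == "__main__":
    print(f"SLE = ${noc_fire.sle():,.0f}")   # $225,000
    print(f"ALE = ${noc_fire.ale():,.0f}")   # $45,000
    # Assumed sprinkler cost of $20,000 per year: 45,000 - 10,000 - 20,000 = $15,000
    print(f"Sprinkler value per year = "
          f"${safeguard_value(noc_fire, noc_fire_with_sprinklers, 20_000):,.0f}")
```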

We can see that two indicators are the most critical for quantitative analysis: the likelihood of an event (expressed by the ARO) and the loss a threat event may cause (expressed by the EF).

In theory, security risks can be accurately ranked through quantitative analysis. This rests on one premise, however: the reference data must be accurate. In practice, with today's increasingly complex information systems, the reliability of the data on which quantitative analysis is based is hard to guarantee; combined with the lack of long-term statistics, the calculation is prone to error, which makes it very difficult to refine the analysis. For this reason, current information security risk analysis seldom relies on purely quantitative methods.

Qualitative Analysis

Qualitative analysis is the most widely used method. It is subjective and usually relies on the experience and intuition of the analysts, or on industry standards and practices, to classify the size or level of each risk management element (asset value, threat likelihood, exploitability of vulnerabilities, effectiveness of existing controls, etc.) into qualitative grades such as "high", "medium" and "low".

Qualitative analysis can be carried out in a variety of ways, including group discussion (such as the Delphi method), checklists, questionnaires, interviews and surveys.

It is relatively easy to carry out, but the results may be inaccurate because of bias in the operators' experience and intuition.

Compared with quantitative analysis, qualitative analysis is less precise but easier to carry out; it does, however, require analysts with a certain level of experience and capability. Quantitative analysis relies on a large amount of statistical data, whereas qualitative analysis has no such requirement. Qualitative analysis is subjective, while quantitative analysis rests on objective data.

In addition, the results of quantitative analysis are intuitive and easy to understand, whereas the results of qualitative analysis are hard to interpret in a uniform way.

The Organization can select a qualitative or quantitative analysis method based on the specific situation.
