Risk methodologies of various levels of complexity already exist for different purposes.  Whilst it is prudent to evaluate industry standard security risk methodologies, stringently following an industry standard may not result in a suitable outcome for your organisation.  The objective of this post is to provide an introduction to the general concepts of risk assessment and is not to provide a comprehensive review.

STRIDE

The STRIDE method, developed at Microsoft and also documented by OWASP, categorises security threats as one or more of Spoofing of identity, Tampering with data, Repudiation, Information disclosure, Denial of service and Elevation of privilege.

The STRIDE method is a helpful method for categorising threats when examining potential vulnerabilities in web-based applications and may also apply to vulnerabilities in software generally.

Note that each of the STRIDE threat categories can be correlated with the Information Asset attributes discussed in the next post: Confidentiality, Integrity, Availability and Non-repudiation.  Tampering, Information disclosure, Denial of service and Repudiation map directly onto Integrity, Confidentiality, Availability and Non-repudiation respectively; Spoofing and Elevation of privilege map less neatly, since they concern authentication and authorisation controls rather than a single asset attribute.

DREAD

The DREAD method, also from Microsoft and documented by OWASP, rates each threat against five criteria: Damage potential, Reproducibility, Exploitability, Affected users and Discoverability.

Whereas STRIDE only categorises threats, DREAD goes on to calculate a risk value for each threat as the average of the values assigned to the five criteria and uses that value to prioritise the threats.

Each criterion is rated on a scale of 1-10.  In practice it is difficult to justify the difference between, say, a 6 and a 7, and different assessors will rate the same threat inconsistently on such a fine scale.  The scale may be reduced (for example to 1-3) to remove this false precision.

Whilst DREAD is best suited to vulnerability assessment, the concept of assigning a value to each threat against defined criteria can apply more generally to any security risk assessment.
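
The following is an added example, not code from the original post, showing DREAD scoring as described above: one rating per criterion, the average as the risk value, and an optional mapping of the 1-10 ratings onto a shorter scale before averaging.  The three threats in the sample register are constructed for the illustration and are not taken from any real assessment.

```python
"""DREAD scoring: one 1-10 rating per criterion, risk = arithmetic mean,
threats ranked by that mean. Optionally maps the ratings onto a shorter
scale first. The sample threats below are constructed for this example."""
import math
from typing import Dict, List, Optional, Tuple

# The five DREAD criteria, in the order the post lists them.
DREAD = ("damage", "reproducibility", "exploitability",
         "affected_users", "discoverability")

Ratings = Dict[str, int]


def validate(ratings: Ratings, scale_max: int = 10) -> None:
    """Reject missing criteria and out-of-range values up front; a silently
    accepted typo (0 or 100, say) would skew the average for the whole list."""
    missing = set(DREAD) - set(ratings)
    if missing:
        raise ValueError(f"missing DREAD criteria: {sorted(missing)}")
    for crit in DREAD:
        value = ratings[crit]
        if not isinstance(value, int) or not 1 <= value <= scale_max:
            raise ValueError(f"{crit}={value!r} is not an integer in 1..{scale_max}")


def reduce_scale(value: int, old_max: int = 10, new_max: int = 3) -> int:
    """Map a 1..old_max rating onto 1..new_max equal-width buckets.
    With the defaults: 1-3 -> 1 (low), 4-6 -> 2 (medium), 7-10 -> 3 (high)."""
    return max(1, min(new_max, math.ceil(value * new_max / old_max)))


def dread_score(ratings: Ratings, scale_max: int = 10,
                reduce_to: Optional[int] = None) -> float:
    """Risk value for one threat: the plain average of its five ratings,
    optionally after reducing each rating to a 1..reduce_to scale."""
    validate(ratings, scale_max)
    values = [ratings[c] for c in DREAD]
    if reduce_to is not None:
        values = [reduce_scale(v, scale_max, reduce_to) for v in values]
    return round(sum(values) / len(values), 2)


def prioritise(threats: Dict[str, Ratings], scale_max: int = 10,
               reduce_to: Optional[int] = None) -> List[Tuple[str, float]]:
    """Highest risk first; ties are broken by name so the output is stable."""
    scored = [(name, dread_score(r, scale_max, reduce_to))
              for name, r in threats.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample register for a hypothetical web application.
SAMPLE_THREATS: Dict[str, Ratings] = {
    "SQL injection in login form": dict(
        damage=9, reproducibility=9, exploitability=8,
        affected_users=10, discoverability=9),
    "Stack trace leaked on error page": dict(
        damage=3, reproducibility=10, exploitability=10,
        affected_users=10, discoverability=10),
    "Race in session rotation lets an old token survive logout": dict(
        damage=8, reproducibility=2, exploitability=3,
        affected_users=4, discoverability=2),
}

if __name__ == "__main__":
    for label, kwargs in (("1-10 scale", {}), ("reduced to 1-3", {"reduce_to": 3})):
        print(label)
        for name, score in prioritise(SAMPLE_THREATS, **kwargs):
            print(f"  {score:5.2f}  {name}")
```

Running it shows the caveat that comes with a straight average: the leaked stack trace, whose damage potential is rated only 3, finishes within half a point of the SQL injection because its other four ratings are all 10, while the high-damage race condition drops to the bottom because it is hard to reproduce and discover.  Reducing the scale to 1-3 keeps the ordering but makes the individual ratings far easier to defend in front of stakeholders.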

AS/NZS 4360

AS/NZS 4360, the Australian and New Zealand Standard for Risk Management, is a widely adopted standard, and its associated handbook HB 231 offers different methods for calculating the likelihood and consequence of risks.  (AS/NZS 4360 has since been superseded by AS/NZS ISO 31000, which retains the same likelihood/consequence approach.)

AS/NZS 4360 provides a framework for managing risk but most pertinently its associated handbook lays the foundation for the qualitative evaluations discussed in later posts about Technical and Business risk.

The disadvantage of AS/NZS 4360 is that it is not specifically designed for examining technical risk, so additional criteria are likely to be required to accurately and consistently produce technical risk valuations.

CVSS

The Common Vulnerability Scoring System (CVSS) from FIRST describes vulnerability characteristics, including impact, using three metric groups: Base (the intrinsic characteristics of the vulnerability, such as how it is exploited and what it affects), Temporal (characteristics that change over time, such as the availability of exploit code or a fix) and Environmental (adjustments for the importance of the affected asset in a particular deployment).

Complex calculations are required by CVSS and these calculations may actually (or be perceived to) mask the detail behind the risk rating assignment and therefore hinder transparency with stakeholders.  Note also that a CVSS score measures the severity of a vulnerability, not organisational risk; unless the Environmental metrics are completed, it says nothing about the value of the asset to your organisation or the likelihood of the threat being realised there.

OCTAVE

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), from the Software Engineering Institute at Carnegie Mellon University, is a thorough and complex risk methodology intended for large organisations.

OCTAVE would appear more suited to the implementation of an enterprise wide risk assessment methodology and requires training for those involved in order for the process to be properly understood.

SP 800-30

The National Institute of Standards and Technology has SP 800-30, a Risk Management Guide for Information Technology Systems.  Similar to AS/NZS 4360, SP 800-30 provides an approach for establishing a risk management program and adopts the widespread approach of determining risk as a function of likelihood and impact; in its risk-level matrix the two ratings are multiplied, not added, so a high-impact risk is not diluted by a low likelihood to the same degree as under a simple sum.

IRAM

Information Risk Analysis Methodology (IRAM) from the Information Security Forum (ISF) is another option, although it is only available to paying members of the ISF, which are usually blue-chip companies or large government organisations.  Please leave a comment on IRAM if you are familiar with it.

Summary

Only the most appropriate components of industry standard risk methodologies should be adopted and adapted to suit your organisation.  By being able to link components of your risk methodology to industry standards, you will be demonstrating a level of transparency and providing stakeholders with confidence in the derived risk assessments whilst minimising duplication of effort.

For A Simple Security Risk Assessment, the STRIDE/DREAD approach of categorising technical risk is recommended in preference to exhaustively examining every possible threat.  However, rather than using the STRIDE categories or the DREAD criteria directly, it is suggested that security risk be categorised according to Information Asset attributes.

These attributes are described in the next post and are the generally well understood security terms:

  • Confidentiality,
  • Integrity,
  • Availability, and
  • Non-repudiation.

Similar to the DREAD method of assigning values from a scale, and to the likelihood/consequence evaluations discussed in HB 231 and SP 800-30, A Simple Security Risk Assessment will use qualitative evaluation to assign values to the threat categories.  To assist these determinations, examples will be provided in a later post that are based on the STRIDE/DREAD methods for assessing technical risk.

A Simple Security Risk Assessment

This article is part of a five part series on A Simple Security Risk Assessment:

1. Evaluating Industry Standard Risk Methodologies
2. Categorising Threats by Information Asset attributes
3. Assessing Technical Risk
4. Assessing Business Risk
5. Calculating Overall Risk
