Architecture-based Qualitative Risk Analysis for Availability of IT Infrastructures

An IT risk assessment must deliver the best possible quality of results in a time-effective way. Organisations typically customise the general-purpose standard risk assessment methods so that they satisfy their own requirements. In this paper we present the QualTD Model and method, which is meant to be employed together with standard risk assessment methods for the qualitative assessment of availability risks of IT architectures, or parts of them. The QualTD Model is based on our previous quantitative model, but is geared to industrial practice, since it does not require quantitative data, which is often too costly to acquire. We validate the model and method in a real-world case by performing a risk assessment on the authentication and authorisation system of a large multinational company and by evaluating the results with respect to the goals of the system's stakeholders. We also review the most popular standard risk assessment methods and analyse which of them can actually be integrated with our QualTD Model.
