Model-based qualitative risk assessment for availability of IT infrastructures

For today's organisations, having a reliable information system is crucial to safeguarding enterprise revenues (think of on-line banking, e-ticket reservations, etc.). Such a system must often offer high guarantees in terms of its availability; in other words, to guarantee business continuity, IT systems can afford very little downtime. Unfortunately, assessing IT availability risks is difficult: incidents affecting the availability of a marginal component of the system may propagate in unexpected ways to other, more essential components that functionally depend on it. General-purpose risk assessment (RA) methods do not provide technical solutions to this problem. In this paper we present the qualitative time dependency (QualTD) model and technique, which is meant to be employed together with standard RA methods for the qualitative assessment of availability risks based on the propagation of availability incidents through an IT architecture. The QualTD model is based on our previous quantitative time dependency (TD) model (Zambon et al. in BDIM '07: Second IEEE/IFIP International Workshop on Business-Driven IT Management, IEEE Computer Society Press, pp 75–83, 2007), but provides more flexible modelling capabilities for the target of assessment. Furthermore, the previous model required quantitative data that is often too costly to acquire, whereas QualTD applies only qualitative scales, making it more applicable in industrial practice. We validate our model and technique in a real-world case by performing a risk assessment of the authentication and authorisation system of a large multinational company and by evaluating the results with respect to the goals of the stakeholders of the system. We also review the most popular standard RA methods and discuss which types of method can be combined with our technique.
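The propagation problem the abstract describes (a marginal component's outage reaching the services that transitively depend on it, reasoned about on a qualitative scale) can be illustrated with a small dependency-graph computation. The following is an added example written for this page; it is not the QualTD model or any code from the paper. The four-level ordinal scale, the worst-case "a component is down as long as anything it needs is down" rule, the sample architecture (an authentication chain where `ldap` relies on `ntp` for time synchronisation) and the function names `propagate` and `exceeded_tolerances` are all assumptions constructed for the illustration.

```python
"""Qualitative propagation of availability incidents over a functional-dependency graph.

Added illustration, not the QualTD model: the scale, the propagation rule and the
sample architecture below are assumptions made for this example.
"""
from __future__ import annotations

# Assumed ordinal downtime scale; the list index is the severity rank.
SCALE = ["none", "minutes", "hours", "days"]
RANK = {level: i for i, level in enumerate(SCALE)}


def worst(*levels: str) -> str:
    """Return the most severe level among the given qualitative levels."""
    return max(levels, key=RANK.__getitem__)


def propagate(depends_on: dict[str, set[str]], incidents: dict[str, str]) -> dict[str, str]:
    """Propagate incident downtimes along functional dependencies.

    depends_on[x] is the set of components x needs in order to function, so an
    outage of any of them takes x down for at least as long (AND semantics,
    worst case). The computation iterates to a fixpoint rather than recursing,
    so dependency cycles (e.g. an audit logger that itself authenticates via
    the auth service) terminate; each update only raises a level, bounding the
    loop by len(components) * len(SCALE) iterations.
    """
    components = set(depends_on) | {d for deps in depends_on.values() for d in deps}
    level = {c: incidents.get(c, "none") for c in components}
    changed = True
    while changed:
        changed = False
        for c in components:
            new = worst(level[c], *(level[d] for d in depends_on.get(c, ())))
            if new != level[c]:
                level[c] = new
                changed = True
    return level


def exceeded_tolerances(level: dict[str, str], tolerance: dict[str, str]) -> dict[str, str]:
    """Return the services whose propagated downtime exceeds the business-side tolerance."""
    return {
        s: level.get(s, "none")
        for s, tol in tolerance.items()
        if RANK[level.get(s, "none")] > RANK[tol]
    }


# Constructed sample architecture (not from the paper): x -> components x needs.
DEPENDS_ON = {
    "online_banking": {"web_frontend", "auth_service"},
    "auth_service": {"ldap", "audit_log"},
    "audit_log": {"auth_service"},   # cycle: the log collector authenticates via auth_service
    "ldap": {"ntp"},                 # directory rejects clients whose clocks drift
    "intranet_wiki": {"ldap"},
    "web_frontend": set(),
    "ntp": set(),
}
# Constructed incidents: a "marginal" NTP server is out for hours, the frontend for minutes.
INCIDENTS = {"ntp": "hours", "web_frontend": "minutes"}
# Constructed stakeholder tolerances for the business-facing services.
TOLERANCE = {"online_banking": "minutes", "intranet_wiki": "days"}


def assess() -> dict[str, str]:
    """Run the sample assessment and return the services at risk."""
    return exceeded_tolerances(propagate(DEPENDS_ON, INCIDENTS), TOLERANCE)


if __name__ == "__main__":
    for component, lvl in sorted(propagate(DEPENDS_ON, INCIDENTS).items()):
        print(f"{component:16s} {lvl}")
    print("at risk:", assess())
```

On the sample input the hours-long NTP outage reaches `online_banking` through `ldap` and `auth_service`, which exceeds its minutes-level tolerance, while `intranet_wiki` suffers the same propagated downtime but stays within its days-level tolerance. The fixpoint loop is the point worth keeping: real dependency inventories contain cycles, and a naive recursive walk over them never terminates.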

[1] Richard P. Lippmann et al. An Annotated Review of Past Papers on Attack Graphs, 2005.

[2] R. Wieringa et al. Designing Requirements Engineering Research. 2007 Fifth International Workshop on Comparative Evaluation in Requirements Engineering, 2007.

[3] Fabrizio Baiardi et al. Assessing the Risk of an Information Infrastructure Through Security Dependencies. CRITIS, 2006.

[4] Aaron B. Brown et al. An Active Approach to Characterizing Dynamic Dependencies for Problem Determination in a Distributed Application Environment, 2000.

[5] Michael Jackson et al. A Reference Model for Requirements and Specifications. IEEE Software, 2000.

[6] Dongho Won et al. A Study on Security Risk Modeling over Information and Communication Infrastructure. Security and Management, 2004.

[7] Gary Stoneburner et al. SP 800-30. Risk Management Guide for Information Technology Systems, 2002.

[8] Richard R. Muntz et al. Bounding Availability of Repairable Computer Systems. IEEE Transactions on Computers, 1989.

[9] I. Hogganvik et al. Model-based security analysis in seven steps: a guided tour to the CORAS method, 2007.

[10] Susan Snedaker et al. The Best Damn IT Security Management Book Period, 2007.

[11] Japanese Standards Association. Information security management systems: specification with guidance for use. British Standard BS 7799-2:2002, 2002.

[12] Sandro Etalle et al. Model-Based Mitigation of Availability Risks. 2007 2nd IEEE/IFIP International Workshop on Business-Driven IT Management, 2007.

[13] Ruth Breu et al. Using an Enterprise Architecture for IT Risk Management. ISSA, 2006.

[14] Somesh Jha et al. Automated generation and analysis of attack graphs. Proceedings 2002 IEEE Symposium on Security and Privacy, 2002.

[15] Muninder P. Kailay et al. An application of qualitative risk analysis to computer security for the commercial sector. Proceedings Eighth Annual Computer Security Applications Conference, 1992.

[16] W. E. Vesely et al. Fault Tree Handbook, 1987.

[17] Alexander Keller et al. Managing application services over service provider networks: architecture and dependency analysis. NOMS 2000, IEEE/IFIP Network Operations and Management Symposium 'The Networked Planet: Management Beyond 2000', 2000.

[18] Mitchell Kb et al. Web references. Ship and Mobile Offshore Unit Automation, 2007.

[19] Mark John Taylor et al. Risk Assessment & Success Factors for e-Government in a UK Establishment. EGOV, 2002.

[20] Richard R. Muntz et al. Bounding availability of repairable computer systems. SIGMETRICS '89, 1989.

[21] Japanese Standards Association. Information technology, Security techniques, Information security management systems, Requirements. International Standard ISO/IEC 27001, 2005.

[22] Sandro Etalle et al. Extended eTVRA vs. security checklist: Experiences in a value-web. 2009 31st International Conference on Software Engineering, Companion Volume, 2009.

[23] S. M. Mousavi. Development strategies of the Information Security Management Systems (ISMS) standards for organizations, 2005.

[24] Aaron B. Brown et al. An active approach to characterizing dynamic dependencies for problem determination in a distributed environment. 2001 IEEE/IFIP International Symposium on Integrated Network Management Proceedings (Integrated Network Management VII), 2001.

[25] Jan Trobitius et al. Application of the "Common Criteria for Information Technology Security Evaluation" (CC) / ISO 15408 to an SOA Registry-Repository. Informatiktage, 2007.

[26] Scott Cadzow et al. eTVRA, a Threat, Vulnerability and Risk Assessment Method and Tool for eEurope. The Second International Conference on Availability, Reliability and Security (ARES'07), 2007.

[27] Debra Herrmann et al. Complete Guide to Security and Privacy Metrics, 2007.

[28] Hany H. Ammar et al. Architectural-Level Risk Analysis Using UML. IEEE Transactions on Software Engineering, 2003.

[29] Fadhel Kaboub. Realistic Evaluation, 2004.

[30] Saurabh Bagchi et al. Dependency Analysis in Distributed Systems using Fault Injection: Application to Problem Determination in an e-commerce Environment. DSOM, 2001.

[31] Debra Herrmann et al. Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI, 2007.

[32] Martin Gorrod. The risk management challenge, 2004.

[33] Roel Wieringa et al. Requirements engineering paper classification and evaluation criteria: a proposal and a discussion. Requirements Engineering, 2005.

[34] G. Stoneburner et al. Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology, 2002.