Information Security Risk Analysis – a Matrix-based Approach

This paper presents an information security risk analysis methodology that links the assets, vulnerabilities, threats and controls of an organization. The approach uses a sequence of matrices that correlate the different elements in the risk analysis. The data is aggregated and cascaded across the matrices to correlate the assets with the controls, so that a ranking of the controls prioritized by the assets of the organization is obtained. The approach does not obfuscate the intermediate data in the analysis, which makes the risk analysis process transparent and allows the data to be rationalized. The approach allows organizations to start with sparse, low-fidelity data and to refine the analysis gradually as additional (and higher quality) data is collected over time. A sample case study based on a study at a NY State agency is presented. This methodology was applied at General Electric and some preliminary results of the case study are presented in this paper.

INTRODUCTION

Computer networks and the Internet have enabled greater productivity in both government and private sector organizations. The Internet is also deeply integrated into our personal lives and is becoming a driver of social behavior. Use of email and instant messaging has grown exponentially over the years and is becoming the preferred mode of communication. Despite the rise and fall of the dot-com industry, the Internet is changing the way consumers shop and the business models of companies. For example, the alternative business model of distributing music through the Internet has changed the landscape of the music industry and is driving innovation in peer-to-peer systems as well as in formats for digitizing and compressing music files. While the impact of the Internet on electronic commerce, communication, and dissemination of information is obvious, the major impact of computer networks has been on business process reengineering.
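The cascade described in the abstract, worked through as an added example in Python that is not code from the paper: the three matrices (asset x vulnerability, vulnerability x threat, threat x control), the 0-3 ordinal scale, the sample assets, vulnerabilities, threats and controls, and the decision to realize "cascading" as a weighted column sum at each stage are all assumptions made here for illustration; the paper's own scoring rules belong to its methodology section. The point the example makes is the one the abstract stresses: every intermediate vector is kept and returned, so a reviewer can see why a control ranks where it does, and a single low-fidelity cell can be replaced later and the ranking recomputed.

```python
"""Matrix cascade for asset-driven control ranking (added illustration).

Four inputs, all on a constructed 0-3 ordinal scale (0 = no relation,
3 = strong), chosen here for illustration only:

  ASSET_VALUES[i]  value of asset i to the organization
  AV[i][j]         exposure of asset i through vulnerability j
  VT[j][k]         ease with which threat k exploits vulnerability j
  TC[k][l]         degree to which control l mitigates threat k

Each stage is a weighted column sum of the next matrix, so the
vulnerability and threat vectors stay visible between stages instead of
being folded into a single opaque score.
"""
from typing import Dict, List, Sequence, Tuple

Matrix = Sequence[Sequence[float]]

# --- constructed sample data (assumptions, not taken from the paper) ---------
ASSETS = ["payroll database", "public web server", "engineering workstation"]
ASSET_VALUES = [3, 2, 1]

VULNS = ["unpatched service", "weak passwords", "no offsite backup"]
AV = [  # rows: assets, cols: vulnerabilities
    [2, 3, 3],
    [3, 1, 1],
    [2, 2, 1],
]

THREATS = ["external intrusion", "insider misuse", "malware", "hardware failure"]
VT = [  # rows: vulnerabilities, cols: threats
    [3, 0, 3, 0],
    [2, 3, 1, 0],
    [0, 1, 2, 3],
]

CONTROLS = ["patch management", "multi-factor authentication",
            "offsite backup", "intrusion detection"]
TC = [  # rows: threats, cols: controls
    [3, 2, 0, 2],
    [0, 3, 1, 1],
    [3, 1, 2, 2],
    [0, 0, 3, 0],
]


def cascade(weights: Sequence[float], matrix: Matrix) -> List[float]:
    """Carry row weights through a matrix: out[c] = sum_r weights[r] * matrix[r][c].

    A dimension mismatch is the usual data-entry error when the matrices
    are maintained by hand, so it is rejected explicitly.
    """
    if len(weights) != len(matrix):
        raise ValueError(f"{len(weights)} weights for {len(matrix)} matrix rows")
    cols = len(matrix[0])
    if any(len(row) != cols for row in matrix):
        raise ValueError("ragged matrix")
    return [sum(w * row[c] for w, row in zip(weights, matrix)) for c in range(cols)]


def analyze(asset_values: Sequence[float], av: Matrix, vt: Matrix, tc: Matrix
            ) -> Dict[str, List[float]]:
    """Run the full cascade and return every intermediate vector, not just the last."""
    vuln_scores = cascade(asset_values, av)      # asset value -> vulnerability exposure
    threat_scores = cascade(vuln_scores, vt)     # exposure -> threat weight
    control_scores = cascade(threat_scores, tc)  # threat weight -> control benefit
    return {"vulnerability": vuln_scores,
            "threat": threat_scores,
            "control": control_scores}


def rank(names: Sequence[str], scores: Sequence[float]) -> List[Tuple[str, float]]:
    """Highest score first; ties broken by name so the output is stable."""
    return sorted(zip(names, scores), key=lambda p: (-p[1], p[0]))


def with_cell(matrix: Matrix, r: int, c: int, value: float) -> List[List[float]]:
    """Copy of a matrix with one estimate replaced, for refining a cell as better data arrives."""
    updated = [list(row) for row in matrix]
    updated[r][c] = value
    return updated


if __name__ == "__main__":
    result = analyze(ASSET_VALUES, AV, VT, TC)
    for stage, names in (("vulnerability", VULNS), ("threat", THREATS), ("control", CONTROLS)):
        print(f"{stage} scores:")
        for name, score in rank(names, result[stage]):
            print(f"  {score:6.1f}  {name}")
```

With the constructed data the cascade ranks patch management first, then multi-factor authentication, intrusion detection and offsite backup; raising a single threat-to-control cell (how well intrusion detection covers external intrusion) from 2 to 3 moves intrusion detection above multi-factor authentication, which is the kind of incremental refinement the abstract describes. The raw scores are not normalized, since only their order matters for prioritization.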
Most routine corporate functions are now handled with automated processes anchored in databases. Networked information systems form the backbone of enterprises and are used in almost all aspects of business, including payroll, procurement, human resource management, as well as analysis and design of engineering components. Information systems have significantly improved organizational productivity. However, total dependence on information systems for critical operations has left organizations vulnerable to anomalies and attacks on networks. Business-to-business (B2B) and business-to-consumer (B2C) commerce has fueled growth in GDP over the last decade. In the government sector, several critical infrastructure elements such as dams, power grids, and emergency-response systems depend on networks and computers. As the dependence of the economy on information systems increases, the financial impact of information security failures also increases. This risk of financial loss due to a security breach is a cause for concern within corporations and government. Most organizations do not have a complete understanding of their information security risk posture. Usually, ad hoc decisions on security implementation are made based on guidelines and alerts issued by government agencies and other trusted third parties. IT departments are responsible for keeping security in check, but it is difficult for organizations to get a clear picture of their security posture without a formal risk analysis. While IT staff may be competent in implementing security tools, they often lack expertise in financial modeling and risk analysis. Formal risk analysis methodology is mature in several fields (finance, engineering, nuclear plants and aviation). However, it is nascent in the information security discipline.
Risk analysis in information security suffers from a lack of standardized metrics and processes for valuing assets, measuring the impact of threats and estimating the benefit of controls, and from an acute shortage of data that would enable reasonable statistical estimation of risks. Another problem is the poor quality of data on threats and vulnerabilities, which stems from organizations' fear that revealing security incidents will attract other malicious hackers to exploit the vulnerabilities and lead to an increased frequency of attacks. Finally, the information security risk analysis process is either very weak, being based on checklists and guidelines, or very expensive, requiring extensive internal data collection using penetration testing and honey pots. Most organizations outsource risk assessment tasks and conduct these assessments periodically (annually or bi-annually) rather than continuously. Also, organizations have no way to judge the quality of the assessments and have to rely on consultants' verdicts. We present a risk assessment methodology that can be used internally, which allows organizations to start with a small data set and gradually refine and improve the analysis as high-fidelity data becomes available. It also allows organizations to perform a qualitative analysis on a broad scope, and then perform a more detailed analysis on a critical subset of the problem. The rest of the paper is organized as follows: section 2 provides a brief review of the risk analysis literature, section 3 presents the basic methodology, section 4 supplies a sample case study, and section 5 offers conclusions.

LITERATURE

Information security risk analysis has been investigated from an audit perspective (Cerullo & Cerullo, 1994) for a long time. Auditors generally use checklists to verify whether the different elements of security are in place and base their judgment on these checklists.
Baskerville (1993) has been investigating information security risk analysis since the mid-1980s. He has identified risk analysis checklists as tools used for designing security measures for information systems. Parker (1981) and Fisher (1984) have used risk analysis as a fundamental basis for security design in information systems. They provide extensive checklists of considerations for the security assessment. The problem with specific tools and checklists is that they become obsolete quickly and need to be constantly updated. Applications of such tools do not lead to scientific knowledge

This paper appears in Managing Modern Organizations Through Information Technology, Proceedings of the 2005 Information Resources Management Association International Conference, edited by Mehdi Khosrow-Pour. Copyright 2005, Idea Group Inc.