The Internet and computer networks have already increased productivity in both government and private-sector organizations. The Internet has also influenced our social behavior and become part of our daily lives. Beyond these personal changes, the dot-com industry has affected business models and consumer shopping. Although the Internet greatly influenced communication, e-commerce and information dissemination, business process reengineering was affected most by the emergence of computer networks. Automated processes, databases and networked information systems have become the core of enterprise and business. This significantly increased productivity, but it also exposed organizations that depend on these information systems, especially for their critical operations, to the risk of anomalies and network attacks. As the dependence of corporations and the government on information systems increases, so do the security failures that result in financial loss.
Most organizations manage their security risk posture using guidelines and alerts from third-party groups and the government. But without a formal risk analysis, it is difficult to get a concise security posture. This kind of analysis is commonly used in finance, engineering, etc. but is seldom applied in the information security discipline. This is due to a shortage of processes for evaluating assets, of ways to measure a threat’s impact and of data sufficient to create a concise risk estimate. It is difficult to gather data on vulnerabilities and threats because organizations fear that revealing their systems’ weaknesses will lead more hackers to try to infiltrate them. Checklists and guidelines are weak techniques for information risk analysis, while extensive collection of internal data is very costly. The drawbacks of obtaining risk assessments from an outside source are that the assessment is done periodically rather than continually and that organizations have no way of determining its quality.
This study proposes a method that enables organizations to perform risk assessment internally, starting with a small set of data and progressively adding data to produce more accurate analysis. Depending on the problem, the analysis can be a wide-ranging qualitative one or a more detailed one.
Many studies have addressed information security risk analysis, but most rely on evaluation and personal judgment based on checklists (Cerullo & Cerullo, 1994). Baskerville (1993) identified checklists for tools used in risk analysis to help design an information system’s security measures. Parker (1981) and Fisher (1984) also used risk analysis, through extensive checklists, as an essential part of security design in information systems. But these tools and checklists become obsolete within a short period of time and require constant updating.
Instead of standard checklists for information security, Backhouse and Dhillon (1996) tried to develop a logical model as an organization of responsibility. Another model was developed by Anderson, Longley and Kwok (1994), who based it on the recognition and assessment of the threats encountered during operation. Suh and Han (2003) identified an asset’s value based on its importance to operations and how critical the asset is, and developed an approach that has operational continuity. Most models that have been developed focus on identifying and assessing the weaknesses of systems and specifying countermeasures for these weaknesses (Weiss, 1991).
This methodology focuses on four major components of an organization: assets, vulnerabilities, threats and controls. The relevance of various controls with respect to the assets is also determined. Assets are the valuable things an organization wants to protect, such as data or reputation. Vulnerabilities are an asset’s weak points where threats may occur. Threats, either accidental or deliberate, may trigger unwanted events that can exploit the vulnerabilities of an asset. Controls, on the other hand, are the measures taken by an organization to control or lessen the damage of threats to its assets.
Three matrices are used to gather the data relevant to risk analysis: the vulnerability matrix, the threat matrix and the control matrix. The vulnerability matrix contains the assets and vulnerabilities, the threat matrix contains the vulnerabilities and threats, and the control matrix contains the threats and controls. A value such as low, medium or high is placed at the intersection of each row and column, e.g. a threat and a control, as the value of their relationship.
A risk analysis will be carried out to gather an organization’s assets, vulnerabilities, threats and controls. These data will be collected in their respective tables and later used to populate the three matrices. The data from the vulnerability matrix will be aggregated using an equation and then cascaded to the threat matrix. The data in the threat matrix will be aggregated in the same way using another equation and then cascaded to the control matrix. The final data obtained from the control matrix will also be aggregated. This will generate the comparative importance of the various controls.
For the equation used for aggregating the vulnerability matrix’s data, let us use m assets where the relative cost of an asset aj is Cj(j = 1,…,n). Cij will be the impact of vulnerability vi on asset aj. With all these assumed, vulnerability vi’s relative cumulative impact on assets will be
For the equation used for aggregating the threat matrix’s data, let us use p threats which have an impact on n vulnerabilities, with dki as threat tk’s potential damage to vulnerability vi. With all these assumed, threat Tk’s relative cumulative impact will be
For the equation used for aggregating the control matrix’s data, let us assume that there are q controls which exist to diminish the p threats and that elk is the impact of control zo on threat tk. With all these assumed, control zo’s relative cumulative impact will be
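The cascade through the three matrices can be carried out as in the following added example, which is not code from the study. It assumes that each aggregation step is a weighted sum and that the ratings map to a 0/1/3/9 scale; both are assumptions of this example, as are the constructed asset costs and the asset, vulnerability, threat and control entries.

```python
# Assumed numeric scale for the qualitative ratings (not taken from the page).
SCALE = {"none": 0, "low": 1, "medium": 3, "high": 9}

def aggregate(matrix, weights):
    """Assumed weighted sum: score[row] = sum(rating[row][col] * weights[col])."""
    scores = {}
    for row, cells in matrix.items():
        unknown = set(cells) - set(weights)
        if unknown:  # a rated column that the previous stage never scored
            raise ValueError(f"{row}: no weight for {sorted(unknown)}")
        scores[row] = sum(SCALE[r.lower()] * weights[c] for c, r in cells.items())
    return scores

def rank(scores):
    """Names ordered from highest to lowest aggregated score."""
    return sorted(scores, key=lambda name: (-scores[name], name))

# Constructed sample data, for illustration only.
ASSET_COST = {"new technology": 9, "customer data": 3, "reputation": 3}
VULNERABILITY_MATRIX = {  # vulnerability -> impact on each asset
    "firewalls": {"new technology": "high", "customer data": "high", "reputation": "medium"},
    "data transmission": {"new technology": "high", "customer data": "medium"},
    "physical access": {"customer data": "low", "reputation": "low"},
}
THREAT_MATRIX = {  # threat -> potential damage through each vulnerability
    "external intrusion": {"firewalls": "high", "data transmission": "medium"},
    "eavesdropping": {"data transmission": "high"},
    "insider theft": {"physical access": "high", "firewalls": "low"},
}
CONTROL_MATRIX = {  # control -> impact on each threat
    "intrusion detection": {"external intrusion": "high", "insider theft": "low"},
    "link encryption": {"eavesdropping": "high", "external intrusion": "low"},
    "badge access": {"insider theft": "high"},
}

def prioritize_controls():
    """Cascade asset costs through the three matrices; return each stage's scores."""
    vuln = aggregate(VULNERABILITY_MATRIX, ASSET_COST)
    threat = aggregate(THREAT_MATRIX, vuln)
    control = aggregate(CONTROL_MATRIX, threat)
    return vuln, threat, control

if __name__ == "__main__":
    for stage, scores in zip(("vulnerabilities", "threats", "controls"), prioritize_controls()):
        print(stage, [(name, scores[name]) for name in rank(scores)])
```

Cells left out of a row count as no relationship, while a cell that names a column the previous stage never scored raises an error instead of being dropped silently.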
The risk analysis method proposed in this study was applied to General Electric Energy’s new division, the Wind Division, a business newly acquired from Enron. The division is structured as a fragmented organization, with facilities in several countries. The processes and operations of these facilities are very diverse, and no common network exists between their engineering divisions. The Wind business is highly competitive, since new technologies are developed constantly and manufacturers always try to get ahead of each other. Because of this, information security is highly valued and is critical to the success of the business. For the organization, protecting its assets is a must to prevent any disturbance to its operations.
A uniform information infrastructure was believed to be necessary so that the organization could protect its new technology, increase its profits and boost its communication and productivity. To achieve this, all business processes among all the divisions must be integrated into a single massive process shared throughout the organization. For a process as monolithic as this, a high level of information security must be built into the processes. A security posture analysis of the organization was carried out, using the method proposed in this study to perform the risk analysis. The assets, vulnerabilities, threats and controls of the organization are presented as a comprehensive risk analysis for this case study.
The vulnerability matrix contains the impacts or assets of the organization and how they are associated with their corresponding system vulnerabilities. The matrix was constructed by computing the relative importance of the organization’s assets to the business. An example of this is the relationship between the survival of the business and its dependence on the organization’s ability to develop and protect its new technology. With this in mind, new technology is ranked highly. After the important vulnerabilities for each asset were determined, the vulnerabilities’ impacts on assets were noted in the matrix.
For the threat matrix, aggregated data from the vulnerability matrix are first obtained and sorted so that the importance of each vulnerability is determined. Notably, firewalls rank high in the vulnerability matrix. This is because external hackers must first infiltrate the firewalls in order to gain access to protected information. Data transmission also ranked high because of the organization’s need to communicate constantly, since its facilities are scattered around the world. Once the importance of the vulnerabilities has been determined, the corresponding threats for each aggregated vulnerability are placed into the threat matrix.
As for the control matrix, aggregated data from the threat matrix are first obtained before the corresponding controls for each threat are added. Subjective judgment was used to determine the relative impact of various controls on the identified threats. Data in the control matrix were then aggregated to obtain the prioritized list of controls. The security planning then takes shape from this list of controls and from how much the implementation of these controls will cost. The integration of processes, as well as the selection of both software and hardware, will be based on the results of the risk analysis and all the aggregated data found in the three matrices.
The methodology presented in this paper is simple and can easily be used and adapted by organizations as their information security risk analysis method. The matrix templates found in this study are easy to understand and can be refined regularly, especially when new significant information becomes accessible. The analysis process for the methodology also offers transparency.
The case study of GE Wind included in this paper emphasizes the significant issues in an organization’s information security. Assets, vulnerabilities and threats are constantly changing and evolving, especially for expanding businesses. Controls must be developed to mitigate the threats that an organization faces. The methodology in this paper is highly adaptive and easy to use and will therefore be a valuable method for conducting internal risk assessments in companies. This methodology will also be favored by more companies since it is inexpensive and simple, unlike most methodologies used by auditing firms.