What is to measure? Can you measure security?
Introduction to the O-ISM3 Risk Assessment Method and SpreadSheet. Learn how to model the Business, Model the Information Technology, the dependencies between them, the Threat level, the Protection level, arriving at a Qualitative evaluation of the Risk, using the SpreadSheet Tool.
Every time some designs a new RA method, they face the same problems and degrees of freedom. For threats, they need a Threat Taxonomy, for controls or coutermeasures, a Countermeasure Taxonomy, for the business and the information systems, a Model of the business, and a Model of the information systems, modelled with adequate Scope and Depth. Then you need a way to measure the Threat Likelihood, and the Value of the assets. The resulting method might be correct, and if it is cost effective, it might be even be useful, resulting in savings greater than performing the analysis. In order to be useful, the method should answer questions like:
- What are we learning that we don’t know already? (Non-Banal Analysis)
- What are important threats to the organisation?
- What should I do?
- How safe am I? / How likely is that an incident will happen?
- How much will I lose this year?
- How much should I invest this year?
Unfortunately there are so many degrees of freedom that almost every professional makes up his own method. Because of this multiplicity of methods, it is exceedingly difficult to compare risk between companies, or even between different points in time in the same company.
A hidden assumption of most Risk Assessment methods is the decisions taken when modelling the IT components, and the modelling (if it is performed at all) of the business that relies on the IT infrastructure
One of the first steps for a new ISMS implementation project is finding out what would be the ISMS best suited to the company goals, that the organization can afford. As an incident is an attack, accident or error that prevents a business objective to be met, it is necessary to find out what those business objectives are. Generally speaking the goals of any company are:
- Achieving a vision and mission;
- Continuing to exist;
- Maintaining and growing revenue;
- Attract, maintain and fostering talent;
- Maintaining and growing brand and reputation;
- Complying with internal ethics and social responsibility goals;
- Complying with regulations and contracts;
The more specific we can get, the better design of the ISMS will result. It is possible to add granularity to the analysis of business objectives, using the the following list business functions:
- Governance: Definition of the organisation's goals, steering of the organisation by rules, instruction and challenge rules and instructions.
- Research. Creation of new knowledge in every area of interest to the organisation.
- Advertising. Promotion of the organisation's services and products to potential customers, suppliers and investors.
- Business Intelligence. Maintenance and delivery of knowledge.
- Human Resources. Finding, selecting and procuring, promoting and releasing personnel.
- Information Technology. Finding, filtering and procuring information and communication systems.
- Legal. Claiming legally binding obligations from third parties and fulfilling the organisation's own.
- Relationships. Creating and maintaining trust, association and familiarity with customers, suppliers, and investors.
- Administration. Management of paperwork associated with all business functions..
- Financing / Accounting. Finding, selecting and procuring financial instruments like e.g. money, bonds, etc.
- Infrastructure. Management of real estate, air conditioning, heating, water supply, energy supply, furniture, food supply, waste , recycling , physical access control, etc
- Logistics. Delivery of physical products or services.
- Maintenance. Preventing and repairing faults and the general dilapidation of infrastructure, tools, etc
- Procurement. Finding, comparing, choosing, selecting and procuring information, tools, supplies, assets and professional services.
- Production. Production of products and services.
- Sales: Sale of products or services.
A top down approach (What is the business about?) can deliver superior results than the bottom up approach (How important to the business is this particular IT system? And this one? And this one?)
O-ISM3-RA uses this simplest business model, there many other, sometimes more complicated ways to model a business.
An alternative view of Threats, with a lower level of detail, and therefore more expensive and slower, lead to taxonomies of Threats and Incidents like this: