Methods for calculating information security risk. Analysis of existing methods for assessing information security risks and development of a methodology for the banking sector

NRU ITMO, *****@***com

Scientific supervisor - Doctor of Technical Sciences, Professor NRU ITMO, *****@

Abstract

The article reviews methods for calculating the value of information security risk, compares them and points out their critical deficiencies. A risk assessment method of our own is proposed.

Keywords: risk, information system, information security, risk calculation method, risk assessment, information asset.

Introduction

Information security (IS) risk management is a pressing task at every stage of building an information security system. At the same time, risks cannot be managed without first being assessed, and assessment in turn requires some method. At the risk assessment stage the greatest interest lies in the formulas and the input data used to calculate the risk value. This article analyzes several methods for calculating risk and presents a methodology of our own. The goal of the work is to derive a formula for calculating information security risk that yields an array of current risks and estimates losses in monetary terms.

Information security risk in its classical form is defined as a function of three variables:

    the likelihood of a threat, the likelihood of a vulnerability being present (insecurity), and the potential impact.

If any of these variables approaches zero, the total risk also approaches zero.

Risk assessment methods

ISO/IEC 27001. Regarding the methodology for calculating the risk value, the standard only requires that the chosen methodology ensure that risk assessments produce comparable and reproducible results; it does not prescribe a specific calculation formula.

NIST 800-30 offers the classic two-factor risk calculation formula:

R = P(t) * S,

where R is the risk value;

P(t) - probability of an information security threat being realized (a mixed qualitative-quantitative scale is used);

S - degree of impact of the threat on the asset (the value of the asset on a qualitative-quantitative scale).

As a result, the risk value is obtained in relative units, which can then be ranked by significance for the information security risk management procedure.

GOST R ISO/IEC TO 7. Here the risk calculation, in contrast to NIST 800-30, is based on three factors:

R = P(t) * P(v) * S,

where R is the risk value;

P(t) - probability of implementation of an information security threat;

P(v) - probability of vulnerability;

S is the value of the asset.

As an example of the probability values P(t) and P(v), a qualitative scale with three levels is given: low, medium and high. The asset value S is expressed on a numerical scale from 0 to 4. Mapping the qualitative levels onto these numbers is left to the organization in which the information security risks are assessed.

BS 7799. The level of risk is calculated taking into account three indicators - the value of the resource, the level of threat and the degree of vulnerability. As the values ​​of these three parameters increase, the risk increases, so the formula can be presented as follows:

R = S * L(t) * L(v),

where R is the risk value;

S is the value of the asset/resource;

L(t) - threat level;

L(v) - level/degree of vulnerability.

In practice, information security risk is calculated from a positioning table that combines the threat level, the likelihood that the vulnerability is exploited and the value of the asset. The resulting risk value ranges from 0 to 8, giving a list of threats with a risk value for each asset. The standard also offers a ranking scale: low (0-2), medium (3-5) and high (6-8), which identifies the most critical risks.

STO BR IBBS. According to the standard, the degree of possibility that an information security threat will be realized is assessed on a qualitative-quantitative scale: an unrealizable threat is 0%, a medium one is 21% to 50%, and so on. The severity of consequences for each type of information asset is likewise assessed on a qualitative-quantitative scale, e.g. minimal is 0.5% of the bank's capital and high is 1.5% to 3% of the bank's capital.

For a qualitative assessment of information security risk, a table matching the severity of consequences against the likelihood of the threat being realized is used. Where a quantitative assessment is required, the formula can be presented as:

R = P(v) * S,

where R is the risk value;

P(v) - probability of an information security threat being realized;

S is the value of the asset (the severity of the consequences).

Suggested method

Having considered the above methods in terms of how they calculate the value of information security risk, it should be noted that every one of them computes risk from the threat value and the asset value. A significant drawback is that the asset value (the amount of damage) is expressed in relative (conditional) units. Such units have no unit of measurement applicable in practice and, in particular, are not a monetary equivalent. As a result, they give no real idea of the level of risk as it applies to the actual assets of the protected object.

Thus, it is proposed to divide the risk calculation procedure into two stages:

1. Calculation of the technical risk value.

2. Calculation of potential damage.

Technical risk is understood as the information security risk value made up of the likelihood that threats are realized and that the vulnerabilities of each component of the information infrastructure are exploited, taking into account the asset's confidentiality, integrity and availability. For the first stage we have the following three formulas:

Rc = Kc * P(T) * P(V),

Ri = Ki * P(T) * P(V),

Ra = Ka * P(T) * P(V),

where Rc is the confidentiality risk value;

Ri - integrity risk value;

Ra - availability risk value;

Kc - confidentiality coefficient of the information asset;

Ki is the integrity coefficient of the information asset;

Ka is the coefficient of availability of an information asset;

P(T) - probability of threat implementation;

P(V) - probability of vulnerability exploitation.

This algorithm allows a more detailed risk assessment, yielding a dimensionless value of the probability of compromise for each information asset separately, broken down by confidentiality, integrity and availability.

Subsequently, the damage value can be calculated; for this the average risk value of each information asset and the amount of potential losses are used:

L = Rav * S,

where L is the value of damage;

Rav - average risk value (averaged over Rc, Ri and Ra);

S - losses (in monetary terms).

The proposed methodology makes it possible to assess the value of information security risk correctly and to calculate monetary losses in the event of security incidents.
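The Python script below is an added example, not code from the article. It puts the formulas of the comparison section (NIST 800-30, the three-factor GOST form, the BS 7799 positioning table) side by side with the two-stage method proposed above, so that the difference the text stresses is visible: the first three return relative units, the proposed method returns money. Everything the page does not fix numerically is an assumption and is marked as such in the code: BS 7799 threat and vulnerability levels are mapped to 0, 1, 2 and summed with the 0-4 asset value (which reproduces the 0-8 range the text gives), the coefficients Kc, Ki, Ka are taken in [0, 1], Rav is taken as the arithmetic mean of Rc, Ri and Ra, and the assets and probabilities are constructed sample data.

```python
"""Risk formulas from the comparison and the proposed two-stage method.

Added example; not the article's code. Assumed scales are marked inline.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean

# Assumed numeric mapping of the three qualitative levels used by BS 7799 / GOST.
LEVEL = {"low": 0, "medium": 1, "high": 2}


def risk_nist(p_threat: float, impact: float) -> float:
    """NIST 800-30 two-factor form R = P(t) * S; result in relative units."""
    return p_threat * impact


def risk_gost(p_threat: float, p_vuln: float, asset_value: int) -> float:
    """GOST three-factor form R = P(t) * P(v) * S with S on the 0..4 scale."""
    if not 0 <= asset_value <= 4:
        raise ValueError("asset value must be on the 0..4 scale")
    return p_threat * p_vuln * asset_value


def risk_bs7799(asset_value: int, threat: str, vuln: str) -> tuple[int, str]:
    """BS 7799 positioning table: 0..8 value plus its low/medium/high band.

    Summing the three indices (assumption) reproduces the 0..8 range.
    """
    if not 0 <= asset_value <= 4:
        raise ValueError("asset value must be on the 0..4 scale")
    r = asset_value + LEVEL[threat] + LEVEL[vuln]
    band = "low" if r <= 2 else ("medium" if r <= 5 else "high")
    return r, band


@dataclass(frozen=True)
class Asset:
    """One information asset of the bank (constructed sample data)."""
    name: str
    k_c: float      # Kc, confidentiality coefficient, assumed in [0, 1]
    k_i: float      # Ki, integrity coefficient, assumed in [0, 1]
    k_a: float      # Ka, availability coefficient, assumed in [0, 1]
    losses: float   # S, potential losses in money


def technical_risk(asset: Asset, p_t: float, p_v: float) -> dict[str, float]:
    """Stage 1: Rc, Ri, Ra = K * P(T) * P(V); dimensionless, one per property."""
    for p in (p_t, p_v):
        if not 0.0 <= p <= 1.0:
            raise ValueError("P(T) and P(V) must be probabilities in [0, 1]")
    base = p_t * p_v
    return {"Rc": asset.k_c * base, "Ri": asset.k_i * base, "Ra": asset.k_a * base}


def damage(asset: Asset, p_t: float, p_v: float) -> float:
    """Stage 2: L = Rav * S, with Rav the mean of Rc, Ri, Ra (assumption)."""
    r_av = mean(technical_risk(asset, p_t, p_v).values())
    return r_av * asset.losses


def rank_assets(estimates: list[tuple[Asset, float, float]]) -> list[tuple[str, float]]:
    """The 'array of current risks': assets ordered by expected damage, highest first."""
    rows = ((a.name, damage(a, p_t, p_v)) for a, p_t, p_v in estimates)
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    # Constructed inputs: the same threat/vulnerability estimate fed to every method.
    print("NIST   R =", risk_nist(0.5, 4))                  # relative units
    print("GOST   R =", risk_gost(0.5, 0.4, 4))             # relative units
    print("BS7799 R =", risk_bs7799(4, "medium", "high"))   # (value, band)
    # The proposed method also yields dimensionless per-property risks, but then
    # converts them into money, which none of the three methods above can do.
    core_db = Asset("core-banking-db", k_c=1.0, k_i=0.8, k_a=0.6, losses=1_000_000)
    web = Asset("public-web", k_c=0.2, k_i=0.5, k_a=0.9, losses=200_000)
    print(technical_risk(core_db, 0.5, 0.4))
    for name, loss in rank_assets([(core_db, 0.5, 0.4), (web, 0.7, 0.6)]):
        print(f"{name:16s} expected damage = {loss:,.0f}")
```

The ranking at the end is what the first article calls the array of current risks: because stage 2 multiplies by S in money, two assets with different coefficient profiles and different loss magnitudes become directly comparable, whereas the 0-8 band from BS 7799 only orders them.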

Literature

1. ISO/IEC 27001. International standard containing the requirements for establishing, implementing and maintaining an information security management system.

2. GOST R ISO/IEC TO 7. National standard of the Russian Federation. Methods and means of ensuring security. Part 3. Information technology security management methods. Moscow.

3. BS 7799-2:2005. Information security management system specification. England.

4. RS BR IBBS-2.2-200. Ensuring information security of organizations of the banking system of the Russian Federation. Methodology for assessing the risks of information security violations. Moscow.

5. NIST SP 800-30. Risk Management Guide for Information Technology Systems. Recommendations of the National Institute of Standards and Technology. USA.

6. Wikipedia, article "Risk" (electronic resource).

When implementing an information security management system (ISMS) in an organization, one of the main stumbling blocks is usually the risk management system. Discussions about information security risk management are akin to the UFO problem. On the one hand, nobody around seems to have seen one and the event itself seems unlikely; on the other hand, there is plenty of evidence, hundreds of books have been written, there are even relevant scientific disciplines and associations of pundits engaged in this research, and, as usual, the intelligence services possess special secret knowledge in the area.

Alexander Astakhov, CISA, 2006

Introduction

There is no consensus among information security specialists on risk management. Some reject quantitative methods of risk assessment, some reject qualitative methods, some deny the feasibility and the very possibility of risk assessment, some accuse the organization's management of insufficient awareness of the importance of security issues or complain about the difficulty of obtaining an objective valuation of certain assets, such as the organization's reputation. Others, seeing no way to justify security spending, propose treating it as a kind of hygiene procedure and spending on it as much money as one does not mind spending, or as much as is left in the budget.

Whatever opinions exist on information security risk management and however we treat these risks, one thing is clear: this issue contains the essence of the multifaceted activity of information security specialists, connecting it directly with the business and giving it reasonable meaning and purpose. This article outlines one possible approach to risk management and answers the question of why different organizations view and manage information security risks differently.

Core and supporting assets

When we talk about business risks, we mean the possibility of suffering certain damage with a certain probability. This can be either direct material damage or indirect damage, expressed, for example, in lost profits, up to exit from the business, because if the risk is not managed, then the business can be lost.

The essence of the matter is that an organization has and uses several main categories of resources to achieve the results of its activities, that is, its business goals (hereinafter we use the concept of an asset, which is directly related to the business). An asset is anything that has value for the organization and generates its income; in other words, something that creates a positive cash flow or saves money.

There are material, financial, human and information assets. Modern international standards also define another category of assets – processes. A process is an aggregated asset that operates all other company assets to achieve business goals. The company's image and reputation are also considered one of the most important assets. These key assets for any organization are nothing more than a special type of information assets, since the image and reputation of a company is nothing more than the content of open and widely disseminated information about it. Information security deals with image issues insofar as problems with the security of the organization, as well as the leakage of confidential information, have an extremely negative impact on the image.

Business results are influenced by various external and internal factors classified as risk. This influence is expressed in a negative impact on one or simultaneously several groups of assets of the organization. For example, a server failure affects the availability of information and applications stored on it, and its repair distracts human resources, creating a shortage of them in a certain area of ​​work and causing disorganization of business processes, while the temporary unavailability of client services can negatively affect the company's image.

By definition, all types of assets are important to an organization. However, every organization has core, vital assets and supporting assets. It is very easy to determine which assets are the core ones, because these are the assets around which the organization's business is built. Thus, a business can be based on the ownership and use of tangible assets (for example, land, real estate, equipment, minerals), on the management of financial assets (lending, insurance, investing), on the competence and authority of specific specialists (consulting, auditing, training, high-tech and knowledge-intensive industries), or it can revolve around information assets (software development, information products, e-commerce, Internet business). Risks to core assets threaten loss of the business and irreparable losses for the organization, so the attention of business owners is focused primarily on these risks and the organization's management deals with them personally. Risks to supporting assets typically result in recoverable damage and are not a major priority in the organization's management system. Such risks are usually managed by specially appointed people, or they are transferred to a third party, for example an outsourcer or an insurance company. For the organization this is more a matter of management efficiency than of survival.

Existing approaches to risk management

Since information security risks are not the primary risks for every organization, three main approaches to managing them are practiced, differing in depth and degree of formality.

For non-critical systems, when information assets are auxiliary and the level of informatization is not high, which is typical for most modern Russian companies, there is a minimal need for risk assessment. In such organizations, we should talk about some basic level of information security, determined by existing regulations and standards, best practices, experience, as well as how this is done in most other organizations. However, existing standards, describing a certain basic set of requirements and security mechanisms, always stipulate the need to assess the risks and economic feasibility of using certain control mechanisms in order to select from the general set of requirements and mechanisms those that are applicable in a particular organization.

For critical systems in which information assets are not the core ones but the level of informatization of business processes is very high and information risks can significantly affect the main business processes, risk assessment must be applied; however, in this case it is advisable to limit oneself to informal qualitative approaches, paying special attention to the most critical systems.

When an organization’s business is built around information assets and information security risks are the main ones, a formal approach and quantitative methods must be used to assess these risks.

In many companies, several types of assets can be vital at the same time, for example, when the business is diversified or the company is engaged in the creation of information products and both human and information resources can be equally important for it. In this case, the rational approach is to conduct a high-level risk assessment to determine which systems are highly exposed to risk and which are critical to business operations, followed by a detailed risk assessment of the identified systems. For all other non-critical systems, it is advisable to limit yourself to using a basic approach, making risk management decisions based on existing experience, expert opinions and best practice.

Levels of maturity

The choice of approach to risk assessment in an organization is influenced, in addition to the nature of its business and the level of informatization of its business processes, by its level of maturity. Information security risk management is a business task initiated by the management of an organization out of its awareness of information security problems; its meaning is to protect the business from real, existing information security threats. By degree of awareness, several maturity levels of organizations can be traced, which correlate to some extent with the maturity levels defined in COBIT and other standards:

  1. At the initial level, there is no awareness as such; the organization takes fragmented measures to ensure information security, initiated and implemented by IT specialists under their own responsibility.
  2. At the second level, the organization defines responsibility for information security; attempts are made to use integrated solutions with centralized management and implement separate information security management processes.
  3. The third level is characterized by the application of a process approach to information security management described in the standards. The information security management system becomes so important for the organization that it is considered as a necessary component of the organization's management system. However, a full-fledged information security management system does not yet exist, because the basic element of this system – risk management processes – is missing.
  4. Organizations with the highest degree of awareness of information security problems are characterized by the use of a formalized approach to information security risk management, characterized by the presence of documented processes for planning, implementation, monitoring and improvement.

Risk management process model

In March 2006 a new British standard, BS 7799 Part 3 (Information security management systems. Information security risk management practice), was adopted. ISO expects this document to be approved as an International Standard by the end of 2007. BS 7799-3 defines risk assessment and management processes as an integral element of an organization's management system, using the same process model as the other management standards, which comprises four process groups: plan, do, check, act (PDCA), reflecting the standard cycle of any management process. Whereas ISO 27001 describes the overall end-to-end security management cycle, BS 7799-3 extends it to the information security risk management processes.

In the information security risk management system, at the Plan stage the risk management policy and methodology are defined and a risk assessment is performed, which includes an inventory of assets, compilation of threat and vulnerability profiles, assessment of the effectiveness of countermeasures and of potential damage, and determination of the acceptable level of residual risk.

At the Do stage, risks are treated and control mechanisms are introduced to reduce them. For each identified risk the organization's management makes one of four decisions: accept (consciously retain), avoid, transfer to an external party, or reduce. After this, a risk treatment plan is developed and implemented.

At the Check stage, the functioning of the control mechanisms is monitored, changes in the risk factors (assets, threats, vulnerabilities) are tracked, audits are conducted and various control procedures are performed.

At the Act stage, based on the results of continuous monitoring and ongoing audits, the necessary corrective actions are carried out, which may include, in particular, reassessing the magnitude of risks and adjusting the risk management policy and methodology as well as the risk treatment plan.

Risk factors

The essence of any risk management approach is to analyze risk factors and make adequate decisions to treat risks. Risk factors are the main parameters that we use when assessing risks. There are only seven such parameters:

  • Asset
  • Damage (Loss)
  • Threat
  • Vulnerability
  • Control mechanism
  • Annual loss expectancy (ALE), i.e. the average annual loss
  • Return on Investment (ROI)

How these parameters are analyzed and assessed is determined by the risk assessment methodology used in the organization. At the same time, the general approach and pattern of reasoning are approximately the same, no matter what methodology is used. The risk assessment process includes two phases. In the first phase, which is defined in the standards as risk analysis, it is necessary to answer the following questions:

  • What is the company's main asset?
  • What is the real value of this asset?
  • What threats exist to this asset?
  • What are the consequences of these threats and the damage to the business?
  • How likely are these threats?
  • How vulnerable is the business to these threats?
  • What is the expected average annual loss?

In the second phase, which is defined by the standards as risk assessment, it is necessary to answer the question: What level of risk (the amount of average annual losses) is acceptable for the organization and, based on this, what risks exceed this level.

Thus, based on the results of the risk assessment, we obtain a description of the risks exceeding the acceptable level and an assessment of the magnitude of these risks, which is determined by the size of the average annual losses. Next, you need to make a decision on risk treatment, i.e. answer the following questions:

  • Which risk treatment option do we choose?
  • If a decision is made to minimize risk, what control mechanisms should be used?
  • How effective are these controls and what return on investment will they provide?

The output of this process is a risk treatment plan that determines how risks are treated, the cost of countermeasures, as well as the timing and responsibility for implementing countermeasures.
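The two-phase reasoning above (risk analysis, then comparison against an acceptable level and a treatment decision driven by the controls' effectiveness and ROI) is shown below as an added Python example; it is not code from the article or from BS 7799-3. Since the page names the risk factors but gives no formulas, the following are assumptions stated in the code: ALE is single-loss expectancy times annual rate of occurrence (the usual definition), a control's effectiveness is the fraction of ALE it removes, ROI is the ALE saved minus the control's annual cost divided by that cost, and the "acceptable level" is a single ALE threshold set by management. The risks and controls are constructed sample data.

```python
"""Risk analysis, acceptability check and treatment decision on ALE/ROI.

Added example; not the article's code. Formulas are assumptions (see comments).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair from the risk analysis phase (constructed data)."""
    asset: str
    threat: str
    sle: float   # damage per occurrence, in money
    aro: float   # expected occurrences per year (threat likelihood x vulnerability)

    @property
    def ale(self) -> float:
        # Assumed definition: ALE = SLE * ARO, the average annual loss.
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate countermeasure (constructed data)."""
    name: str
    annual_cost: float
    effectiveness: float   # fraction of the ALE the control removes, in [0, 1]


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE remaining after the control is applied."""
    return risk.ale * (1.0 - control.effectiveness)


def roi(risk: Risk, control: Control) -> float:
    """Assumed ROI: (ALE saved - annual cost) / annual cost."""
    saved = risk.ale - residual_ale(risk, control)
    return (saved - control.annual_cost) / control.annual_cost


def treat(risk: Risk, acceptable_ale: float,
          candidates: list[Control]) -> tuple[str, Optional[Control]]:
    """Phase 2 plus treatment choice for a single risk.

    Accept if the ALE is within the acceptable level; otherwise reduce with the
    positive-ROI control that brings the ALE under the level, choosing the best
    ROI; if no control does, the decision is escalated to transfer or avoid
    rather than silently accepted.
    """
    if risk.ale <= acceptable_ale:
        return "accept", None
    viable = [c for c in candidates
              if residual_ale(risk, c) <= acceptable_ale and roi(risk, c) > 0]
    if not viable:
        return "transfer-or-avoid", None
    return "reduce", max(viable, key=lambda c: roi(risk, c))


def treatment_plan(risks: list[Risk], acceptable_ale: float,
                   controls: dict[tuple[str, str], list[Control]]
                   ) -> list[tuple[str, str, float, str, Optional[str]]]:
    """Risks ordered by ALE, highest first, each with its decision and control."""
    plan = []
    for r in sorted(risks, key=lambda r: r.ale, reverse=True):
        decision, ctrl = treat(r, acceptable_ale, controls.get((r.asset, r.threat), []))
        plan.append((r.asset, r.threat, r.ale, decision, ctrl.name if ctrl else None))
    return plan


if __name__ == "__main__":
    # Constructed sample input: three risks and the controls proposed for two of them.
    risks = [
        Risk("customer-db", "data theft", sle=500_000, aro=0.2),   # ALE 100 000
        Risk("web-portal", "DoS", sle=20_000, aro=2.0),            # ALE 40 000
        Risk("office-printer", "failure", sle=1_000, aro=1.0),     # ALE 1 000
    ]
    controls = {
        ("customer-db", "data theft"): [Control("encryption+DLP", 30_000, 0.95),
                                        Control("awareness training", 5_000, 0.30)],
        ("web-portal", "DoS"): [Control("DDoS scrubbing", 25_000, 0.90),
                                Control("extra bandwidth", 60_000, 0.80)],
    }
    for asset, threat, ale, decision, ctrl in treatment_plan(risks, 10_000, controls):
        print(f"{asset:15s} {threat:12s} ALE={ale:>9,.0f}  {decision:18s} {ctrl or ''}")
```

Note what the ordering of checks does: "awareness training" for the customer database has a fine ROI on its own but leaves the residual ALE far above the acceptable level, so it is not a valid way to close the gap, and "extra bandwidth" closes the gap but costs more than it saves. Both are the kind of alternative the communication algorithm in the next section says management should still be shown.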

Deciding on Risk Treatment

Making the decision on risk treatment is the key and most critical moment in the risk management process. For management to make the right decision, the person responsible for risk management in the organization must provide it with the relevant information. The form in which this information is presented follows the standard business communication algorithm, which consists of four main points:

  • Problem reporting: What is the threat to the business (source, object, method of implementation) and what is the reason for its existence?
  • Severity of the problem: How does this threaten the organization, its management and shareholders?
  • Proposed solution: What is proposed to be done to correct the situation, how much will it cost, who should do it, and what is required directly from management?
  • Alternative solutions: What other ways to solve the problem exist (there are always alternatives and management should have the opportunity to choose).

Points 1 and 2, as well as 3 and 4 may be interchanged, depending on the specific situation.

Risk management methods

There are a sufficient number of well-proven and widely used risk assessment and management methods. One of them is OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University for self-directed use within organizations. It has a number of variants designed for organizations of different sizes and fields of activity. The essence of the method is that risks are assessed in a sequence of appropriately organized internal workshops. Risk assessment proceeds in three stages, preceded by a set of preparatory activities: agreeing the workshop schedule, assigning roles, planning, and coordinating the actions of the project team members.

At the first stage, during practical workshops, threat profiles are developed, including an inventory and assessment of the value of assets, identification of applicable legal and regulatory requirements, identification of threats and assessment of their likelihood, as well as determination of a system of organizational measures to maintain the information security regime.

At the second stage, a technical analysis of the vulnerabilities of the organization’s information systems in relation to threats whose profiles were developed at the previous stage is carried out, which includes the identification of existing vulnerabilities of the organization’s information systems and an assessment of their magnitude.

At the third stage, information security risks are assessed and processed, which includes determining the magnitude and likelihood of causing damage as a result of security threats using vulnerabilities that were identified in the previous stages, determining a protection strategy, as well as selecting options and making decisions on risk treatment. The magnitude of the risk is defined as the average annual loss of the organization as a result of the implementation of security threats.

A similar approach is used in the well-known CRAMM risk assessment method, developed at one time by order of the British government. CRAMM's primary method of risk assessment is through carefully planned interviews using detailed questionnaires. CRAMM is used in thousands of organizations around the world, thanks, among other things, to the availability of highly developed software tools that contain a knowledge base on risks and mechanisms for minimizing them, tools for collecting information, generating reports, and also implementing algorithms for calculating the magnitude of risks.

Unlike the OCTAVE method, CRAMM uses a slightly different sequence of actions and methods for determining the magnitude of risks. First, the feasibility of assessing risks in general is determined, and if the organization’s information system is not critical enough, then a standard set of control mechanisms described in international standards and contained in the CRAMM knowledge base will be applied to it.

At the first stage, the CRAMM method builds a model of information system resources that describes the relationships between information, software and technical resources, and also evaluates the value of resources based on the possible damage that an organization may suffer as a result of their compromise.

At the second stage, a risk assessment is carried out, which includes identifying and assessing the likelihood of threats, assessing the magnitude of vulnerabilities and calculating risks for each triple: resource - threat - vulnerability. CRAMM evaluates “pure” risks, regardless of the control mechanisms implemented in the system. At the risk assessment stage, it is assumed that no countermeasures are applied at all, and a set of recommended countermeasures to minimize risks is formed based on this assumption.

At the final stage, the CRAMM toolkit generates a set of countermeasures to minimize identified risks and compares recommended and existing countermeasures, after which a risk treatment plan is formed.

Risk Management Toolkit

In the process of risk assessment, we go through a number of successive stages, periodically rolling back to previous stages, for example, re-evaluating a certain risk after choosing a specific countermeasure to minimize it. At each stage, it is necessary to have on hand questionnaires, lists of threats and vulnerabilities, registers of resources and risks, documentation, minutes of meetings, standards and guidelines. In this regard, we need some kind of programmed algorithm, database and interface to work with these various data.

To manage information security risks, you can use tools, for example, as in the CRAMM method, or RA2 (shown in the figure), but this is not mandatory. The BS 7799-3 standard says much the same. The usefulness of using the toolkit may lie in the fact that it contains a programmed algorithm for the risk assessment and risk management workflow, which simplifies the work for an inexperienced specialist.

The use of tools allows you to unify the methodology and simplify the use of results to reassess risks, even if it is performed by other specialists. Thanks to the use of tools, it is possible to streamline data storage and work with resource models, threat profiles, lists of vulnerabilities and risks.

In addition to the risk assessment and management tools themselves, the software tools may also contain additional tools for documenting the ISMS, analyzing discrepancies with standard requirements, developing a resource register, as well as other tools necessary for the implementation and operation of the ISMS.

Conclusions

The choice between qualitative and quantitative approaches to risk assessment is determined by the nature of the organization's business and its level of informatization, i.e. the importance of information assets to it, as well as by the organization's level of maturity.

When implementing a formal approach to risk management in an organization, it is necessary to rely primarily on common sense, existing standards (eg BS 7799-3) and well-established methodologies (eg OCTAVE or CRAMM). It may be useful to use software tools for these purposes that implement the appropriate methodologies and meet the requirements of the standards to the maximum extent possible (for example, RA2).

The effectiveness of the information security risk management process is determined by the accuracy and completeness of the analysis and assessment of risk factors, as well as the effectiveness of the mechanisms used in the organization for making management decisions and monitoring their implementation.

Links

  • Astakhov A.M., “History of the BS 7799 standard”, http://www.globaltrust.ru/shop/osnov.php?idstat=61&idcatstat=12
  • Astakhov A.M., “How to build and certify an information security management system?”,

Information security risks currently pose a serious threat to the normal operation of many enterprises and institutions. In the age of information technology, obtaining almost any data is not difficult. On the one hand this brings many benefits; on the other, it becomes a problem for the reputation and brand of many companies.

Protecting information in enterprises is now becoming almost a top priority. Experts believe that this goal can be achieved only by developing a deliberate sequence of actions, guided by reliable facts and advanced analytical methods. The intuition and experience of the specialist responsible for this area in the enterprise also make a contribution.

This material will tell you about managing information security risks of a business entity.

What types of possible threats exist in the information environment?

There can be many types of threats. Analysis of an enterprise's information security risks begins with a review of all potential threats. This is necessary in order to decide on verification methods should these situations arise, as well as to build an appropriate protection system. Information security risks are divided into categories according to various classification criteria. They come in the following types:

  • physical sources;
  • inappropriate use of the corporate network and the Internet;
  • leakage from closed sources;
  • leakage via technical channels;
  • unauthorized entry;
  • attacks on information assets;
  • violation of data integrity (unauthorized modification);
  • emergencies;
  • legal violations.

What is included in the concept of “physical threats to information security”?

Types of information security risks are distinguished by the source of their occurrence, the method of the illegal intrusion and its purpose. The technically simplest, though still requiring professional execution, are physical threats. They amount to unauthorized access to closed sources, i.e. in fact to ordinary theft. Information can be obtained in person, with one's own hands, simply by entering the premises of the institution, its offices and archives to gain access to technical equipment, documentation and other information media.

The theft may not even involve the data itself, but the place where it is stored, that is, the computer equipment itself. In order to disrupt the normal activities of an organization, attackers can simply cause storage media or technical equipment to malfunction.

The purpose of a physical intrusion may also be to gain access to a system on which information protection depends. An attacker can change network options responsible for information security in order to further facilitate the implementation of illegal methods.

The possibility of a physical threat can also be provided by members of various groups who have access to classified information that is not made public. Their goal is valuable documentation. Such persons are called insiders.

The activity of external attackers may be directed at the same object.

How can company employees themselves become the cause of threats?

Information security risks often arise from inappropriate use of the Internet and internal computer systems by employees. Attackers are adept at exploiting the inexperience, carelessness and lack of security awareness of some people. To rule out this avenue for the theft of confidential data, the management of many organizations pursues a special policy among their staff, aimed at teaching people the rules of conduct and of network use. This is common practice, since threats arising in this way are themselves common. Information security awareness programs for enterprise employees include the following:

  • eliminating ineffective use of audit tools;
  • reducing unnecessary use of special data processing tools;
  • reducing unnecessary use of resources and assets;
  • training in gaining access to network tools only by approved methods;
  • identifying zones of influence and designating areas of responsibility.

When each employee understands that the fate of the institution depends on the responsible performance of the tasks assigned to him, he tries to adhere to all the rules. People need to be given specific tasks, and the results obtained need to be justified.

How are confidentiality terms violated?

Risks and threats to information security are largely associated with the illegal acquisition of information that should not be available to unauthorized persons. The first and most common leakage channel is communications of all kinds. Personal correspondence that appears to be visible only to the two parties is intercepted by interested third parties, although sensible people understand that anything truly important and secret should be conveyed by other means.

Since a great deal of information is now stored on portable devices, attackers are actively mastering the interception of information from this type of technology. Eavesdropping on communication channels remains popular; today, however, the efforts of technically skilled attackers are largely aimed at breaking the protective barriers of smartphones.

Confidential information may also be disclosed unintentionally by employees of an organization. They need not hand over credentials and passwords outright; it is enough to point the attacker in the right direction. For example, people unknowingly provide information about where important documentation is located.

It is not only subordinates who are vulnerable. Contractors may also give out confidential information in the course of partnerships.

How is information security violated by technical means?

Ensuring information security depends to a large extent on the use of reliable technical means of protection. If the supporting system is efficient and effective, at least at the level of the equipment itself, that is already half the success.

Information leakage through technical channels is achieved mainly by intercepting various signals. Such methods include planting specialized sources of radio emission or other signals; the latter may be electrical, acoustic or vibrational.

Optical instruments that allow information to be read from displays and monitors are also used quite often.

The variety of devices gives attackers a wide range of methods for infiltration and extraction of information. In addition to the above, there are also television, photographic and visual reconnaissance.

Because of these broad possibilities, an information security audit begins with checking and analyzing the operation of the technical means that protect confidential data.

What is considered unauthorized access to enterprise information?

Information security risk management is impossible without preventing unauthorized access threats.

One of the most prominent examples of this method of breaching someone else's security system is the appropriation of another user's identifier. This method is called masquerading. Unauthorized access in this case involves the use of someone else's authentication data; that is, the intruder's goal is to obtain a password or some other credential.

Attackers can act from inside the organization or from outside. They can obtain the information they need from sources such as the audit log or audit tools.

Often the offender operates within the system's own rules, using methods that appear entirely legitimate.

Unauthorized access applies to the following sources of information:

  • website and external hosts;
  • enterprise wireless network;
  • data backups.

There are countless ways and methods of unauthorized access. Attackers look for flaws and gaps in software configuration and architecture. They obtain data by modifying software. To disable defenses and lull vigilance, violators launch malware and logic bombs.

What are the legal threats to a company's information security?

Information security risk management works in several directions, because its main goal is to ensure comprehensive protection of the enterprise from outside intrusion.

No less important than the technical direction is the legal one. The legal sphere, which would seem, on the contrary, to defend the enterprise's interests, can also be turned into a source of very useful information for an attacker.

Violations on the legal side may concern property rights, copyright and patent rights. Illegal use of software, including its import and export, also falls into this category. Legal requirements can also be violated simply by failing to comply with the terms of a contract or with the legal framework as a whole.

How to set information security goals?

Ensuring information security begins with defining the area to be protected. It is necessary to state clearly what needs to be protected and from whom. To do this, a profile of the potential attacker is drawn up, along with the likely methods of hacking and infiltration. Before setting goals, it is necessary to talk to management, which will indicate the priority areas of protection.

From this point the information security audit begins. It makes it possible to determine in what proportion technological techniques and business methods need to be applied. The result of this process is a final list of activities, setting out the goals the unit must meet in order to ensure protection against unauthorized intrusion. The audit procedure aims to identify critical points and weaknesses of the system that interfere with the normal activities and development of the enterprise.

After the goals have been set, a mechanism for achieving them is developed, along with tools for monitoring and minimizing risks.

What role do assets play in risk analysis?

Organizational information security risks directly affect enterprise assets. After all, the goal of attackers is to obtain valuable information, and its loss or disclosure inevitably leads to losses. Damage caused by unauthorized intrusion may be direct or only indirect. In the extreme case, unlawful actions against an organization can lead to a complete loss of control over the business.

The amount of damage is assessed in terms of the assets available to the organization. Assets are all resources that in any way contribute to the achievement of management's goals: all tangible and intangible assets that generate, or help to generate, income.

There are several types of assets:

  • material;
  • human;
  • informational;
  • financial;
  • processes;
  • brand and authority.

The last type of asset suffers the most from unauthorized intrusion, since any real information security incident affects the organization's image. Problems in this area automatically reduce respect for and trust in the enterprise, because no one wants their confidential information to become public knowledge. Every self-respecting organization takes care to protect its own information resources.

Which assets will suffer, and to what extent, depends on various factors, which are divided into external and internal. As a rule, their combined impact affects several groups of valuable resources at once.

The entire business of the enterprise is built on assets. They are present to some extent in the activities of any institution; it is just that for some organizations certain groups are more important and others less so. The damage caused depends on which type of assets the attackers managed to affect.

Assessing information security risks makes it possible to clearly identify the main assets, those whose compromise would mean irreparable losses for the enterprise. Management itself should pay attention to these groups of valuable resources, since their safety is in the owners' interests.

Auxiliary (supporting) assets are the primary concern of the information security department; a designated person is responsible for their protection. The risks relating to them are not critical and affect only the management system.

What are the factors of information security?

Calculation of information security risks involves constructing a specialized model. It consists of nodes connected to each other by functional links. The nodes are the assets themselves. The model uses the following valuable resources:

  • People;
  • strategy;
  • technologies;
  • processes.

The edges connecting them are the risk factors. To identify possible threats, it is best to approach directly the department or specialist who works with these assets. Any potential risk factor may be a precondition for a problem. The model highlights the main threats that may arise.

For people, the problems lie in low skill levels, staff shortages and lack of motivation.

Process risks include a changeable environment, poor automation and an unclear division of responsibilities.

Technologies can suffer from outdated software and a lack of control over users. A heterogeneous information technology landscape may also be a cause of problems.

The advantage of this model is that no fixed thresholds for information security risks are imposed, since the problem is viewed from different angles.

What is an information security audit?

An important procedure in the field of enterprise information security is the audit. It is a check of the current state of the system of protection against unauthorized intrusions. The audit process determines the degree of compliance with established requirements. For some types of institutions it is mandatory, for others advisory. The examination covers the documentation of the accounting and tax departments, the technical equipment, and the financial and economic side of the business.

An audit is needed to understand the level of security and, where it falls short of requirements, to bring it up to the norm. The procedure also makes it possible to assess whether financial investment in information security is justified; ultimately, the expert gives recommendations on the level of spending needed to obtain maximum effectiveness. An audit also allows the controls to be adjusted.

An information security audit is divided into several stages:

  1. Setting goals and ways to achieve them.
  2. Analysis of information necessary to reach a verdict.
  3. Processing of collected data.
  4. Expert opinion and recommendations.

Ultimately, the specialist delivers a verdict. The commission's recommendations are most often aimed at changing the configuration of technical equipment and servers. A troubled enterprise is often asked to choose a different security method, and for additional strengthening the experts may prescribe a set of protective measures.

Work after receiving the audit results is aimed at informing the team about the problems. Where necessary, additional training should be conducted to raise employees' awareness of the protection of the enterprise's information resources.

To select the necessary methods of protecting an information system, a systematic approach is required. First, an analysis of vulnerabilities and security threats must be carried out. The analysis procedure includes:

  • analysis of the possible losses associated with a particular AIS (automated information system) technology;
  • examination of the system threats and vulnerabilities that could lead to those losses;
  • selection of the optimal protection methods in terms of price/quality, bringing the risk down to a specified level.

Vulnerability and risk analysis can be carried out in the following areas:

  • information system objects;
  • processes, procedures and data processing software;
  • communication channels;
  • spurious (compromising) emissions.

Analysis of the entire information system structure is often not economically justified. It is therefore easier to concentrate on the critical nodes, taking the risk assessment into account. Protection of the information system must always take the interests of the enterprise into account.

Aspects to consider when analyzing information system security:

  • value: what needs to be protected;
  • countermeasures: what actions are needed;
  • threats: the likelihood that a threat affects the level of protection;
  • impact: the consequences after the threat is realized;
  • risk: reassessment of the threat with the protection in place (residual risk);
  • consequence: the outcome of the threat being realized.

The risk measure can be expressed in the following terms:

  • quantitative: monetary losses;
  • qualitative: a ranking scale;
  • one-dimensional: magnitude of loss * frequency of loss;
  • multidimensional: including reliability, performance and safety components.

Management of risks

Risk assessment as part of information security and risk management is essentially a large mechanism for building protection. To implement such a mechanism effectively, a number of requirements must be met, for example, moving from qualitative concepts to quantitative ones. For example, "gaining access to critical information will cause the enterprise a loss" is a qualitative statement, whereas "access to critical information will entail a specific amount of loss across n1 competitors, n2 clients, etc." is a quantitative one.

Risk management is the process of carrying out analysis and assessment and of reducing or transferring risk; the risk process needs to answer the following questions:

  • What can happen?
  • If this happens, what will the damage be?
  • How often can this happen?
  • How confident are we in the answers to the above questions (probability)?
  • How much will it cost to eliminate or reduce the risk?

An information asset is a set of data that is necessary for the operation of the enterprise and may include smaller sets. The assessment must analyze information separately from its physical medium. When assessing the cost of damage, the following aspects are considered:

  • the cost of replacing the information;
  • the cost of replacing the software;
  • the cost of a breach of integrity, confidentiality or availability.

Risk assessment techniques

The standard risk management approach is as follows:

  • definition of a risk management policy;
  • identification of the employees who will manage risk assessment and analysis;
  • selection of the methodology and tools on the basis of which the risk analysis will be carried out;
  • risk identification and measurement;
  • setting risk tolerance limits;
  • monitoring the operation of risk management.

Three risk assessment methods are discussed here: the qualitative assessment model, the quantitative risk model, and Miora's generalized cost consequence (GCC) model.

Qualitative Assessment Model

Qualitative assessment traditionally comes down to filling in a table such as the one shown in Fig. 1. The table is populated with the various information assets or other information of interest. The positive aspects of this model are:

  • calculations are simplified and accelerated;
  • there is no need to assign a monetary value to the asset;
  • there is no need to match the effectiveness of countermeasures precisely to the threats;
  • there is no need to calculate the exact frequency of the threat or the exact extent of the damage.

The negative aspects are the subjectivity of the approach and the lack of an exact correspondence between costs and threats.

Figure 1

Quantitative risk model

This model uses the following quantities:

  • ARO (annualized rate of occurrence): the annual frequency of incidents, i.e. the probability of damage occurring within a year;
  • SLE (single loss expectancy): the expected damage from one successful attack;
  • ALE (annualized loss expectancy): the expected annual damage, ALE = ARO * SLE.

SLE = AV * EF, where AV is the asset value and EF is the exposure factor, expressed from 0 to 100%: the share of the asset's value that is lost as a result of the event. The next question is how to determine the value of assets. They are tangible and intangible. Tangible assets are the means that keep IT running: hardware, network equipment and so on; their price is easy to calculate. The price of intangible assets takes into account two types of cost: the cost of a breach of integrity, confidentiality or availability, and the cost of restoring or replacing software or data. It is then necessary to establish the link between the vulnerability, the impact and the threat to the asset. This is shown in Fig. 2.

Figure 2
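As an added worked example (not code from the article), the quantities above can be put into a small Python risk register that computes SLE and ALE per scenario, ranks scenarios by ALE, tests a countermeasure by comparing the ALE it removes against its annual cost, and applies an acceptable-risk criterion of the form "a loss of at least X with a yearly probability above p is unacceptable" (the kind of criterion given later in the text with the $100,000 and 3/100 figures). All asset values, exposure factors, rates of occurrence and control costs are constructed illustrative figures, and treating ARO as the per-year probability for rare events is this example's own assumption.

```python
"""Quantitative risk model: SLE = AV * EF, ALE = ARO * SLE, the cost/benefit
test for a countermeasure, and an acceptable-risk threshold.

Added example, not code from the article. All asset values, exposure factors,
rates of occurrence and control costs are constructed illustrative figures.
"""
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    av: float   # AV: asset value, in monetary units
    ef: float   # EF: exposure factor, share of AV lost per incident (0.0 .. 1.0)
    aro: float  # ARO: annualized rate of occurrence, incidents per year

    def sle(self) -> float:
        """Single loss expectancy: damage from one successful attack."""
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"EF must lie within [0, 1], got {self.ef}")
        if self.av < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")
        return self.av * self.ef

    def ale(self) -> float:
        """Annualized loss expectancy: expected damage per year."""
        return self.aro * self.sle()


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_aro: float  # ARO once the control is in place
    residual_ef: float   # EF once the control is in place


def residual_ale(s: Scenario, c: Control) -> float:
    """ALE of the scenario after the control has been applied."""
    return replace(s, aro=c.residual_aro, ef=c.residual_ef).ale()


def control_value(s: Scenario, c: Control) -> float:
    """Net annual benefit of a control: loss avoided minus its annual cost.
    Positive means the control pays for itself against this scenario alone."""
    return s.ale() - residual_ale(s, c) - c.annual_cost


def exceeds_tolerance(s: Scenario, loss_threshold: float, max_probability: float) -> bool:
    """Acceptable-risk criterion of the form 'a loss of at least X with a yearly
    probability above p is unacceptable'. Assumption: for rare events (ARO <= 1)
    the ARO is used as the per-year probability of the loss."""
    return s.sle() >= loss_threshold and min(s.aro, 1.0) > max_probability


def rank_by_ale(register: List[Scenario]) -> List[Scenario]:
    """Largest expected annual loss first: the order in which to spend budget."""
    return sorted(register, key=lambda s: s.ale(), reverse=True)


# Constructed sample risk register (illustrative figures, not real data).
REGISTER = [
    Scenario("customer database", "breach via web application flaw", av=500_000, ef=0.60, aro=0.10),
    Scenario("file server", "ransomware", av=120_000, ef=0.80, aro=0.25),
    Scenario("office printers", "theft", av=8_000, ef=1.00, aro=0.05),
]

# Constructed candidate controls and their assumed residual effect on ARO / EF.
WAF = Control("web application firewall", annual_cost=20_000, residual_aro=0.02, residual_ef=0.60)
BACKUPS = Control("offline backups", annual_cost=6_000, residual_aro=0.25, residual_ef=0.15)

if __name__ == "__main__":
    for s in rank_by_ale(REGISTER):
        flag = "UNACCEPTABLE" if exceeds_tolerance(s, 100_000, 0.03) else "tolerable"
        print(f"{s.asset:18} SLE={s.sle():>10,.0f}  ALE={s.ale():>9,.0f}  {flag}")
    for s, c in ((REGISTER[0], WAF), (REGISTER[1], BACKUPS)):
        print(f"{c.name}: net annual value {control_value(s, c):,.0f}")
```

Note the two different ways a control earns its keep: the firewall lowers the frequency (ARO) of the database breach but not its severity, while offline backups leave the frequency of ransomware untouched and instead cut the exposure factor, because most of the data can be restored. Both are judged by the same number, ALE avoided minus annual cost, which is what lets the quantitative model compare unlike controls.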

Miora model (GCC)

This model was developed as an alternative to the quantitative risk model, to simplify and improve the calculations. It does not take into account the likelihood of catastrophic events; instead it considers the damage from downtime as a function of the time elapsed since the event began, which in turn partially removes the need to estimate the probabilities in question.

Below is the traditional methodology for organizing risk management:

  • clarification of the risk management policy, built on generally accepted information security principles (GASSP), which should be documented. The policy avoids a subjective approach;
  • appointing personnel to deal with this issue and funding the department; staff may also need training in some areas;
  • selecting the method and tools with which the risk assessment is carried out;
  • risk identification and reduction. At the first stage, the scope of work exposed to threats must be determined;
  • determining the criteria for acceptable risk. For example, a risk with a probability of 3/100 of a loss equivalent to $100,000 is deemed unacceptable;
  • unacceptable risks must be reduced. A risk reduction product must be selected and an assessment of its effectiveness described;
  • risks must be monitored periodically in order to identify them in time and reduce or eliminate them.

Information risks are the danger of loss or damage arising from a company's use of information technology.

In other words, IT risks are associated with the creation, transmission, storage and use of information by electronic media and other means of communication. They fall into two categories:

  • risks caused by information leaking and being used by competitors or employees for purposes that could harm the business;
  • risks of technical failures in the operation of information transmission channels, which may lead to losses.

Work to minimize IT risks involves preventing unauthorized access to data, as well as accidents and equipment failures.

The process of minimizing IT risks is approached comprehensively: first the possible problems are identified, and then it is determined how they can be solved.

Today various methods are used to assess and manage the information risks of domestic (Russian) companies.

An assessment of a company's information risks can be carried out according to the following plan:

  • identification and quantitative assessment of the company's information resources that are significant for the business;
  • assessment of possible threats;
  • assessment of existing vulnerabilities;
  • assessment of the effectiveness of the information security means.

Risks characterize the danger that may threaten the components of a corporate information system.

A company's information risks depend on:

  • the value of its information resources;
  • the likelihood of threats to those resources being realized;
  • the effectiveness of existing or planned information security means.

The purpose of risk assessment is to determine the risk characteristics of a corporate information system and its resources.

After assessing the risks, you can select tools that provide the desired level of information security for the company. When assessing risks, factors such as the value of resources, the significance of threats and vulnerabilities, and the effectiveness of existing and planned means of protection are taken into account.

The possibility of a threat being realized against a particular company resource is assessed by the probability of its realization within a given period of time. This probability is determined by the following main factors:

  • the attractiveness of the resource (taken into account for threats arising from deliberate human action);
  • the possibility of using the resource to generate income (likewise for threats from deliberate human action);
  • the technical feasibility of realizing the threat through deliberate human action;
  • the degree of ease with which the vulnerability can be exploited.

In Russia, a variety of "paper" methods are currently used most often; their advantages are flexibility and adaptability. As a rule, these methods are developed by system integrators and by integrators specializing in information security.

Specialized software that implements risk analysis techniques may be classified as software products (available on the market) or be the property of a department or organization and not for sale.

If software is developed as a software product, it must be sufficiently universal. Departmental software options are adapted to the specifics of problem statements for risk analysis and management and allow you to take into account the specifics of the organization’s information technologies.

The software offered on the market is mainly focused on a level of information security that is slightly higher than the basic level of security. Thus, the toolkit is designed mainly for the needs of organizations of 3-4 degrees of maturity, described in the first chapter.

To address this problem, software systems for analyzing and controlling information risks have been developed: CRAMM, FRAP, RiskWatch, Microsoft, GRIF. Brief descriptions of a number of common risk analysis techniques are given below.

Common risk analysis techniques:

  • techniques that assess risk at a qualitative level (for example, on a scale of "high", "medium", "low"); FRAP in particular belongs to this group;
  • quantitative methods (risk is assessed as a numerical value, for example the expected annual losses); the RiskWatch methodology belongs to this class;
  • methods using mixed assessments (this approach is used in CRAMM, the Microsoft method and others).

The CRAMM method is one of the first foreign works on risk analysis in information security, developed in the United Kingdom in the 1980s.

It is based on an integrated approach to risk assessment, combining quantitative and qualitative methods of analysis. The method is universal and suitable for both large and small organizations in both the government and commercial sectors. Versions of the CRAMM software aimed at different types of organizations differ in their knowledge bases (profiles):

  • commercial profile;
  • government profile.

In the first stage of the methodology, the value of the resources of the system under study is established and primary information about the system configuration is collected. Resources within the boundaries of the system are identified: physical, software and information resources.

The result of this stage is a model of the system with a tree of resource dependencies. This diagram makes it possible to highlight the critical elements. The value of physical resources in CRAMM is determined by the cost of restoring them in the event of destruction.

The value of data and software is determined for the following situations:

  • unavailability of the resource for a certain period of time;
  • destruction of the resource: loss of the information accumulated since the last backup, or its complete destruction;
  • breach of confidentiality through unauthorized access by staff members or outsiders;
  • modification: considered for minor personnel errors (input errors), software errors and deliberate changes;
  • errors in the transfer of information: refusal of delivery, non-delivery, delivery to the wrong address.

For each situation the damage is assessed under the following headings:

  • damage to the organization's reputation;
  • violation of current legislation;
  • damage to the health of personnel;
  • damage from the disclosure of personal data of individuals;
  • financial losses from disclosure of information;
  • financial losses associated with resource recovery;
  • losses associated with the inability to fulfill obligations;
  • disorganization of activities.

The second stage covers everything relating to identifying and assessing threat levels for groups of resources and their vulnerabilities. At the end of the stage, the customer receives identified and assessed risk levels for the system. At this stage, the dependence of user services on particular groups of resources and the existing levels of threats and vulnerabilities are assessed, the risk levels are calculated and the results are analyzed.

Resources are grouped by threat and vulnerability type. The CRAMM software generates a questionnaire for each resource group and each of the 36 threat types.

Depending on the answers, the threat level is assessed as very high, high, medium, low or very low, and the vulnerability level as high, medium or low.

Based on this information, risk levels are calculated on a discrete scale with gradations from 1 to 7. The resulting levels of threats, vulnerabilities and risks are analyzed and agreed upon with the customer.
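The transition from word scales to a points scale can be made concrete. The Python below is an added example, not CRAMM's software or its actual lookup matrix (which is proprietary and not reproduced here): it values a data resource by its worst impact across the situations listed above on an assumed 1 to 10 scale, maps the five threat grades and three vulnerability grades to ordinals, and combines the three into a level from 1 to 7 using an assumed normalized-average formula. It also checks the property any such scheme needs for its results to be comparable and reproducible: raising any single input never lowers the level. The resource names and impact scores are constructed.

```python
"""Mixed (qualitative -> points) risk scoring in the spirit of CRAMM's flow:
value a resource by its worst-case impact scenario, rate threat and
vulnerability on word scales, derive a risk level from 1 to 7.

Added example, not CRAMM's software or its actual matrix. The 1..10 impact
scale, the max rule for asset value and the combination formula are this
example's assumptions. Resource names and scores are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict

# Word scales named in the text, mapped to ordinals.
THREAT_LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
VULN_LEVELS = {"low": 1, "medium": 2, "high": 3}
RISK_MIN, RISK_MAX = 1, 7

# Situations in which the value of data and software is assessed.
SCENARIOS = ("unavailability", "destruction", "disclosure", "modification", "transmission error")


@dataclass
class Resource:
    name: str
    # Assumed impact scale 1..10 per scenario (10 = catastrophic for the organization).
    impact: Dict[str, int] = field(default_factory=dict)

    def value(self) -> int:
        """Asset value = worst impact over the assessed scenarios (assumption: max, not sum)."""
        if not self.impact:
            raise ValueError(f"{self.name}: no impact assessed")
        unknown = set(self.impact) - set(SCENARIOS)
        if unknown:
            raise ValueError(f"{self.name}: unknown scenarios {sorted(unknown)}")
        if any(not 1 <= v <= 10 for v in self.impact.values()):
            raise ValueError(f"{self.name}: impact scores must lie within 1..10")
        return max(self.impact.values())


def risk_level(asset_value: int, threat: str, vulnerability: str) -> int:
    """Combine value, threat and vulnerability into a level 1..7.

    Assumed formula: each input is normalized to [0, 1], the three are
    averaged, and the average is stretched onto the 1..7 scale and rounded.
    Unknown wording raises KeyError rather than being guessed at."""
    if not 1 <= asset_value <= 10:
        raise ValueError("asset value must lie within 1..10")
    t = THREAT_LEVELS[threat]
    v = VULN_LEVELS[vulnerability]
    score = ((asset_value - 1) / 9 + (t - 1) / 4 + (v - 1) / 2) / 3
    return RISK_MIN + round(score * (RISK_MAX - RISK_MIN))


def assess(resource: Resource, threat: str, vulnerability: str) -> int:
    """Risk level for one resource given the word-scale threat and vulnerability."""
    return risk_level(resource.value(), threat, vulnerability)


def is_monotonic() -> bool:
    """Raising any single input must never lower the level; without this the
    scheme cannot give comparable results across assessors."""
    threats, vulns = list(THREAT_LEVELS), list(VULN_LEVELS)
    for av in range(1, 11):
        for i, t in enumerate(threats):
            for j, v in enumerate(vulns):
                base = risk_level(av, t, v)
                if av < 10 and risk_level(av + 1, t, v) < base:
                    return False
                if i + 1 < len(threats) and risk_level(av, threats[i + 1], v) < base:
                    return False
                if j + 1 < len(vulns) and risk_level(av, t, vulns[j + 1]) < base:
                    return False
    return True


# Constructed sample resources.
CUSTOMER_DB = Resource("customer database", {"disclosure": 9, "unavailability": 5, "modification": 7})
INTRANET_WIKI = Resource("intranet wiki", {"unavailability": 3, "modification": 2})

if __name__ == "__main__":
    print("monotonic:", is_monotonic())
    print(CUSTOMER_DB.name, assess(CUSTOMER_DB, "high", "medium"))
    print(INTRANET_WIKI.name, assess(INTRANET_WIKI, "low", "low"))
```

The point of the exercise is the shape of the pipeline rather than the particular numbers: qualitative answers become ordinals, ordinals become a point score, and the score is what gets compared and agreed with the customer. Whatever combination rule an organization chooses in place of the assumed one here, the monotonicity check is worth keeping, since a rule that can rank a more exposed asset below a less exposed one produces results that are neither comparable nor reproducible.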

The basic approach to this problem considers:

  • the threat level;
  • the vulnerability level;
  • the amount of expected financial losses.

Based on the estimates of the value of the protected information system's resources and the assessments of threats and vulnerabilities, the "expected annual losses" are determined.

The third stage of the study is the search for a security system option that best meets the customer's requirements.

At this stage, CRAMM generates several options for countermeasures that are adequate to the identified risks and their levels.

Thus, CRAMM is an example of a calculation methodology in which the initial assessments are made at a qualitative level and are then converted into a quantitative assessment (in points).

Work using the CRAMM method is carried out in three stages, each pursuing its own goal in building a risk model of the information system as a whole. Threats to the system are considered for specific resources. Both the software and the hardware state of the system are analyzed at each step. By building the system's dependency tree, one can see its weak points and prevent the loss of information as a result of a system failure, whether caused by a virus attack or by hackers.

Disadvantages of the CRAMM method:

  • the CRAMM method requires special training and highly qualified auditors;
  • CRAMM is far better suited to auditing existing information systems in operation than systems under development;
  • an audit using the CRAMM method is a rather labor-intensive process and may require months of continuous work by the auditor;
  • the CRAMM software generates a large amount of paper documentation, which is not always useful in practice;
  • CRAMM does not allow users to create their own report templates or modify existing ones;
  • users cannot add to the CRAMM knowledge base, which makes it difficult to adapt the method to the needs of a particular organization;
  • the CRAMM software is available only in English;
  • high license cost.