web based open risk assessment framework for iso 27001


Upload: madzindia1

Post on 13-Apr-2015


Page 1: Web Based Open Risk Assessment Framework for ISO 27001


Web Based Open Risk Assessment Framework & Decision Support Tool

Madhan Raj Ramachandran

Supervised by Dr. Peter Richard Burnap

MSc Information Security & Privacy

School of Computer Science and Informatics, Cardiff University

September 2012


DECLARATION
This work has not previously been accepted in substance for any degree and is not concurrently submitted in candidature for any degree.
Signed (candidate)   Date

STATEMENT 1
This dissertation is being submitted in partial fulfilment of the requirements for the degree of MSc.
Signed (candidate)   Date

STATEMENT 2
This dissertation is the result of my own independent work/investigation, except where otherwise stated. Other sources are acknowledged by footnotes giving explicit references. A bibliography is appended.
Signed (candidate)   Date

STATEMENT 3
I confirm that the electronic copy is identical to the bound copy of the dissertation.
Signed (candidate)   Date

STATEMENT 4
I hereby give consent for my dissertation, if accepted, to be available for photocopying and for inter-library loan, and for the title and summary to be made available to outside organisations.
Signed (candidate)   Date

STATEMENT 5 - BAR ON ACCESS APPROVED
I hereby give consent for my dissertation, if accepted, to be available for photocopying and for inter-library loans after expiry of a bar on access approved by the Graduate Development Committee.
Signed (candidate)   Date


Table of Contents

Chapter 1
1.1 - Introduction ........ 2
1.2 - Motivation ........ 3
1.3 - Aim of the Project ........ 4
1.4 - Project Idea Canvas ........ 5
1.5 - Arrangement of Report ........ 6

Chapter 2
2.1 - Defining the Problem ........ 8
2.2 - Current RM & ISMS practices – Nature, challenge & Misconceptions ........ 8
2.2.1 Current Practices ........ 8
2.2.2 Challenges & Flaws with Current ISMS ........ 14
2.2.3 Misconceptions ........ 16

Chapter 3
3.1 - Literature Review ........ 18
3.2 - Concept of Information Sharing ........ 19
3.3 - Key Concerns ........ 21

Chapter 4
4.1 - Approach & development methodology ........ 23
4.2 - The ORAF Risk Assessment Model ........ 24
4.3 - Comparing WARP to ORAF ........ 27
4.4 - RA data stripping & anonymization algorithm ........ 30
4.4.1 Stripping technique ........ 31
4.4.2 Anonymizing RA data by K-anonymity for trend realization ........ 32
4.4.2a Justification for using K-anon ........ 37
4.4.2b Limitation to k-anon ........ 37
4.4.2c Addressing the K-anon limitation ........ 38
4.5 - Summary ........ 38

Chapter 5
5.1 - Design Specification ........ 40
5.2 - ORAF business Requirements ........ 40
5.3 - Top level Use Case Design ........ 41
5.3.1 Use Case Specification ........ 45
5.4 - Activity Diagram ........ 50
5.5 - Sequence Diagram ........ 52
5.6 - Mockup of ORAF framework ........ 56


Chapter 6
6.1 - Case Scenario Validation ........ 68
6.2 - How ORAF could have helped ........ 71

Chapter 7
7.1 - Reflective Conclusion ........ 73
7.2 - Contributions ........ 76
7.3 - Limitation & Future Work ........ 77

References
Appendix A1 - ISO 27001 compliant Risk Assessment Template


Acknowledgements

Firstly, I would like to pay homage to my God, Lord Shiva, to whom I owe my life, and to my late grandfather, Advocate K.V. Rakkan, who is the source of my inspiration and persistence. I miss you. To my Dad, Mr. K. Ramachandran, who was ever supportive throughout my life and ensured I was on the right path. To my Mom, Mrs. R. Rani, who reminded me of my duty each day with love and care. To my little brother, Vinod, who cares for me like an elder brother.

I would like to thank my supervisor Dr. Peter Burnap for his guidance throughout the period of this dissertation. Thank you for bearing my endless long emails and early morning Skype calls even when you were off duty.

My heartfelt thanks to every single member of staff who handled lectures during my Masters, you guys rock! The amount of time we spent discussing and learning was truly valuable. You made us feel at home, especially Ms. Wendy – thank you for those bakes and cakes!

Last but not least, to dear Sneha Desai, who kept me motivated and made me feel I'm the best. Thank you is such a small word for your love and care.

Dedicated to all friends and family.

To Cardiff, my second home.


List of Abbreviations used in the dissertation

API – Application Programming Interface

CSS - Cross Site Scripting (as used in this dissertation; the usual abbreviation is XSS, and CSS normally denotes Cascading Style Sheets)

HIPAA - Health Insurance Portability and Accountability Act

HUD - Heads-Up Display

IEC - International Electrotechnical Commission (co-publisher, with ISO, of ISO/IEC 27001)

IS – Information Security

ISMS – Information Security Management System

ORAF - Open Risk Assessment Framework

RA – Risk Assessment

RBN – Russian Business Network

RM – Risk Management

RWT – Real World Threats

SME – Subject Matter Expert

UML - Unified Modeling Language

WARP - Warning, Advice & Reporting Points


Glossary of terms

Assets – Could be a tangible physical property or data

Control – Mitigation measures used to address a risk

Cognitive bias - A pre-clouded judgment or preconceived inclination

System – A collection of complex processes

Lazy urge – The desire to merely copy a control measure without prior assessment or

validating it

Spearheading - A focused or targeted attack by threat sources

Territory – Spread of network, NOT the geographic territory


ABSTRACT

Although successful Risk Assessment (RA) methodologies have been developed over the years to model complex systems, conventional Risk Management (RM) techniques are becoming increasingly daunting and complex, and their ability to mitigate emerging or unknown threats is in steep decline. Much of the RA conducted within an organization rests on an individual's perception of risk, and most controls are implemented under doubt and uncertainty, since prediction is inherently hard.

Typical RA reports are treated as classified and kept within the organization, which believes that disclosure could compromise its security posture against "Real World Threats (RWT)" or competing organizations. Considerable uncertainty surrounds the assignment of tolerance indicators and risk metrics, which leads to poor decision making by management; we refer to this as "cognitive bias". An ill-informed RM strategy can cost the organization dearly. The problem is complex, but the solution need not be.

This work aims to make Risk Management more approachable and standardized by proposing a framework, following the ISO 27001 methodology, in which anonymized RA reports (the privacy of the shared data is preserved by k-anonymity) can be shared among organizations grouped by industry sector, to enable mutual and collaborative defense against cyber crime and to support informed decisions about "true security risks" without fear of disclosing organization-specific details. This could help management make efficient decisions that can be validated, focus on improving security controls within the organization, and rely less on ballpark estimates of the likelihood of probable risks, their risk factors and other flawed estimates.


Chapter 1

This chapter presents a brief introduction to the project, the motivation behind it, its aim and scope, and concludes with an outline of the report's arrangement. A project canvas illustrating the concepts of the framework is also included.

1.1. Introduction

Day by day, businesses around the world are becoming more dependent on technology, using the Internet to stay connected and to access electronic information and data resources across the globe over organizational networks. Almost every aspect of daily life depends on technology: we use it to communicate with peers across the globe, share ideas and reduce barriers to trade. With this increasing dependence on cyberspace come risks that could exploit vulnerabilities in our networks, compromising or damaging the key data and systems on which businesses depend (Cabinet Office 2011), and that could pose a major threat to the survival of the organization. These risks may arise intentionally or unintentionally and, in the worst case, unexpectedly.

A good Risk Management process assesses these risks, arising from threats and vulnerabilities, within one of the available Information Security Management System (ISMS) standards (ISO 27001), and recommends controls (mitigation measures) and best practices. A proper risk management policy covering an organization has the potential not only to prepare it for an event but also to measure and control the magnitude of the event's impact (Stanleigh 2010). Over the years, various ISMS and Risk Assessment (RA) methodologies have been developed, e.g. ISO 27001, CRAMM, EBIOS and OCTAVE, to name a few, to model complex organizational systems and control possible risks.

Although these ISMS methodologies do a good job of assessing and reporting risks and implementing controls, the organizational Risk Management processes built around them are, controversially, simply outdated. As Kearney puts it, "security is fundamentally about manipulating relevant categories of operational risk, with controls being applied or removed to decrease or increase the likelihood and impact of undesirable events. Unfortunately, both the assessment of risk and the prediction of the effects of controls are fraught with difficulties" (SecureThinking 2012). Most RA methodologies use a "rating system" in which an expert risk analyst assigns "impact" and "likelihood" ratings on a 0-3 or 0-7 point scale (vRisk ISO 27001). Common risks are easier to mitigate than unknown or emerging threats (Schneier 2011), and people are quite bad at estimating risk and making decisions. Although the RA methodologies themselves cannot be called flawed, current organizational practice is outdated and lacks severely in terms of effective risk control.

1.2. Motivation

A survey by PwC (PricewaterhouseCoopers 2010) shows that over 77% of respondents gave very high priority to information security, yet over 92% faced a security incident, with average annual financial and asset losses of £280k to £690k. The same report shows that 82% of the participating large organizations had "by the book" security risk assessments in place, as did 75% of small organizations. Yet the scale of the reported financial losses is enormous despite such deliberate measures, which suggests that something is at fault. Although the ISO 27001 ISMS itself cannot be criticized, the procedures it lists are largely prescriptive, with preset solutions in place (vRisk ISO 27001). This is effective, to an extent, in mitigating known risks, yet it fails when faced with the challenge of unknown or newly emerging threats. "If it (a security incident) hasn't happened, we have no data and no rigorous basis for identifying all the events," says Slater (2012).

The cyber criminals who constantly look for new vulnerabilities to exploit are known to work in teams or to collaborate over underground networks against their targets. D33Ds (citation masked by request), a group of elite black hat hackers who published over 450,000 clear-text Yahoo! Voice (www.voice.yahoo.com) passwords in July 2012, agreed to provide insights for this project. They state that "most hackers do sell or share their hacks and discovered vulnerabilities to other hackers in their network", and that the reason they are a step ahead is because "Most companies are compromised even before they get a chance to realize that they could be harboring some sort of threat or risk (0-day) within their systems". A zero-day occurs when an attack exploits a previously unknown vulnerability; there are effectively zero days of awareness, leaving little or no time for the developers to patch the flaw (Cohen 2012). One of the largest and best organized counterparts of the mafia in the online world is the Russian Business Network (RBN), which has a reputation for carrying out organized cybercrime on foreign soil (Coldman 2011). "They are a highly respected group of cyber criminals among hacktivists worldwide and they are incredibly persistent," according to Granado of Ernst & Young. The RBN, the biggest and baddest of all, has branch operations in multiple parts of the world, much like a multinational corporation, and accepts outsourced hacking commissions from its clients.

The preceding facts lead us to conclude that cyber criminals do work collaboratively when the occasion calls for it, whereas organizations are quite secretive about their information security efforts, their risk assessments and the vulnerabilities they discover. Craig S. Wright, Executive President of the Centre for Strategic Cyberspace Security Science (CSCSS) (http://www.cscss.org/), comments: "A damn good question (Why RA reports are not shared) and one that should be addressed. Fear of disclosure for the most part, but the end is hiding the reality of what we are doing and helping the hackers many times." The UK Cyber Security Strategy (Cabinet Office 2011) intends to nurture a "safe haven": it aims to tackle cyber crime and make the UK one of the safest places to do business in cyberspace. For that vision to be realized, organizations must recognize the importance of treating information security as a collaborative effort, with every security incident reported and documented and controls shared with others who may face the same vulnerability.

1.3. Aim of the Project

Current RA approaches tend to be either statistical or heuristic (based on the experience or personal judgment of an SME). Both work quite well for major organizations, yet neither can be called fault free, since people are inherently bad at estimating risk. Often High Frequency, Low Impact (HF-LI) events are assigned the same risk level as High Impact, Low (or rare) Frequency (HI-LF) events, which is clearly not the right way to deal with risk, argues Kearney (SecureThinking 2012).

The aim of this project is to design, and potentially develop, a framework for a trusted collaborative environment where organizations can develop and record risk assessments based on ISO 27001, the most popular RA methodology, and share anonymized versions of their RA reports together with timely information on the most recent attacks or threats, so as to defend collaboratively against cyber threats and to obtain help with decision making through a "wisdom of the crowds" approach. As Niels Bohr said, "prediction is inherently difficult, especially if it is about the future", yet a collaborative approach in which many heads share and contribute opinions and expert advice, with the sole aim of better defense, could improve the quality of prediction and of informed decision making. This project based its research on ISO 27001, among other standards, because it is widely advocated by practitioners globally and has consistently received positive recognition (Siponen and Willison 2009). Owing to the privacy concerns of organizations, the project proposes the use of the k-anonymity algorithm to mask identifying elements or quasi-identifiers in the RA reports, maintaining confidentiality while offering a fair level of transparency to participating entities. The framework also extends into a decision support tool that tries to address the "knowledge gap" and "cognitive bias" clouding most decision makers by drawing on the knowledge of the crowd.
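As an added example of the k-anonymity masking the aim describes (this code was written for this page and is not the ORAF implementation), the following takes a constructed set of shared RA records, checks whether every combination of quasi-identifiers is shared by at least k organizations, and if not generalizes the quasi-identifiers step by step until it is. The quasi-identifier columns, the generalization ladders (exact sector to sector group, headcount to size band, city to country) and the sample rows are all assumptions made for the illustration:

```python
from collections import Counter

# Quasi-identifiers assumed for this example: the fields of a shared RA
# record that, in combination, could single out the reporting organisation.
# The sensitive attribute ("risk") is left untouched by anonymization.
QI_COLUMNS = ("sector", "headcount", "region")

# Generalization ladders (assumed for this example). Each call moves a value
# one level up its ladder; values already at the top collapse to "*".
def generalize_sector(v):
    return {"retail banking": "finance", "insurance": "finance",
            "hospital": "healthcare", "gp practice": "healthcare"}.get(v, "*")

def generalize_headcount(v):
    # exact headcount -> size band -> "*"
    if isinstance(v, int):
        return "1-250" if v <= 250 else "251+"
    return "*"

def generalize_region(v):
    return {"cardiff": "wales", "swansea": "wales",
            "london": "england", "leeds": "england"}.get(v, "*")

GENERALIZERS = {"sector": generalize_sector,
                "headcount": generalize_headcount,
                "region": generalize_region}

# Constructed sample of shared RA records (not real organisations or data).
SAMPLE_REPORTS = [
    {"sector": "retail banking", "headcount": 120, "region": "cardiff",
     "risk": "SQL injection in OLTP front end"},
    {"sector": "insurance", "headcount": 90, "region": "swansea",
     "risk": "unpatched VPN appliance"},
    {"sector": "hospital", "headcount": 3000, "region": "london",
     "risk": "ransomware delivered by phishing"},
    {"sector": "gp practice", "headcount": 800, "region": "leeds",
     "risk": "lost unencrypted laptop"},
    {"sector": "retail banking", "headcount": 4500, "region": "london",
     "risk": "shared privileged accounts"},
    {"sector": "insurance", "headcount": 1200, "region": "leeds",
     "risk": "default credentials on backup appliance"},
]

def equivalence_classes(records, qi_columns=QI_COLUMNS):
    """Count records per distinct quasi-identifier tuple."""
    return Counter(tuple(r[c] for c in qi_columns) for r in records)

def is_k_anonymous(records, k, qi_columns=QI_COLUMNS):
    """True when every QI combination present is shared by at least k records."""
    classes = equivalence_classes(records, qi_columns)
    return bool(classes) and min(classes.values()) >= k

def anonymize(records, k, qi_columns=QI_COLUMNS):
    """Global recoding: repeatedly generalize the QI column with the most
    distinct values (the most identifying one) one level for every record,
    until the table is k-anonymous. Returns (records, steps); records is
    None when fewer than k rows exist, since then even full suppression
    cannot hide any single row among k-1 others."""
    out = [dict(r) for r in records]
    steps = []
    if len(out) < k:
        return None, steps
    while not is_k_anonymous(out, k, qi_columns):
        candidates = [c for c in qi_columns if any(r[c] != "*" for r in out)]
        col = max(candidates, key=lambda c: len({r[c] for r in out}))
        for r in out:
            r[col] = GENERALIZERS[col](r[col])
        steps.append(col)
    return out, steps

def linkable(records, **known):
    """Records consistent with what an outsider already knows about a target
    organisation; a single match re-identifies it and exposes its risk."""
    return [r for r in records if all(r[c] == v for c, v in known.items())]

if __name__ == "__main__":
    print("raw records matching 'retail bank in Cardiff':",
          len(linkable(SAMPLE_REPORTS, sector="retail banking", region="cardiff")))
    anon, steps = anonymize(SAMPLE_REPORTS, k=2)
    print("generalization steps:", steps)
    for row in anon:
        print(row)
```

The steps list shows the utility cost of the masking: at k = 2 the three quasi-identifiers survive at sector-group, size-band and country level, while at k = 3 this small table can only be made anonymous by suppressing them entirely. Note also that k-anonymity says nothing about the sensitive column itself: if every record in a class reports the same risk, the class still discloses it (the attribute homogeneity problem, a known limitation of k-anonymity).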

1.4. Project Idea Canvas:

A simple visual message map is shown below to highlight the key functionality of the proposed framework.


Fig.1.4 - ORAF Project canvas

1.5. Arrangement of the Report:

This work is organized as follows. Chapter 1 gives a brief introduction to the research, the motivation, the aims and a visual canvas of the project. Chapter 2 defines the problem with case examples, elucidates the challenges and misconceptions of current ISMS practice and the inability to validate controls, and shows the difficulty of aligning technical assessment with business terms. Chapter 3 presents a literature review and shows how different researchers in the past, although few, challenged the outdated RA process and suggested innovations; it also shows the key concerns that have continually suppressed such efforts. Chapter 4 proposes an RM usage model aligned with the ISO 27001 PDCA cycle, critically compares WARP with ORAF, and proposes anonymization techniques to overcome the key concerns, with relevant worked examples. Chapter 5 gives the UML design specification of the ORAF framework, together with a wireframe mockup of ORAF envisioning the web application and its decision support capabilities, and proposes the hypothesis of guided probability and the validation of decision making through the knowledge of crowds. Chapter 6 shows a small example scenario where ORAF could potentially ease RA and validation. The last chapter concludes with a reflective report on the subject matter learned and the scope for future work.


Chapter 2

2.1 Defining the problem

In order to fully realize the purpose of this project, it is necessary to gain insight into current industry-standard IS practices, their effects and their possible pitfalls. In this chapter we first outline some background on ISO 27001, discussing why traditional ISMS practices are not a failsafe road to security, and observe the potential weaknesses of this "universally accepted" approach. This forms the basis for why an alternative approach, a collaborative RM methodology, is needed.

It should be noted that the ISO/IEC 27001 ISMS has long stood as the most widely adopted RM process worldwide, and our motive was never to belittle it. As with any research, however, all processes and theories need to be challenged and reviewed with a view to finding simpler alternatives, and that is the driving force behind the following argument.

2.2 The current RM & ISMS practice – Nature, Challenges & misconceptions

2.2.1 Current Practices

It is recognized that a sound RA is mandatory for effective ISMS control within an organization. Ideal RA and RM practice has always involved identifying and assessing organizational assets, recognizing threats (internal and external) and probable vulnerabilities, prioritizing the risks based on an impact rating index, formulating strategic decisions on minimizing and controlling these risks, and following up with a continual monitoring process. Several RM methodologies have been developed to adhere to these established standards; within the scope of this research, the methodology just described corresponds closely to the ISO/IEC 27001 ISMS and the Plan-Do-Check-Act (PDCA) model that structures all of its processes.


Figure2.2 - PDCA model of ISO 27001 (Source: BSI ISO/IEC 27001:2005)

The figure above shows the PDCA process approach recommended by ISO 27001 for an ISMS. Exhaustive content explaining each stage of the PDCA model in detail can be found in the ISO/IEC 27001:2005 document "Information technology – Security techniques – Information security management systems – Requirements", published in the UK by the BSI. The following is an abridged overview of the PDCA cycle:

a. Plan – Establish the ISMS – An organization wishing to adopt an ISMS must first define its scope, followed by an ISMS policy relevant to the organization itself that takes account of all legal and regulatory obligations and is approved by management. It is in this phase that the assets within the ISMS scope boundary are identified, followed by the probable threats, the vulnerabilities those threats might exploit and the relative impact ratings. The risks are treated by identifying "controls" or "measures" that can be used to counter the identified risks.

b. Do – Implement and operate the ISMS – This phase involves the actual implementation of the control measures once approved by management.

c. Check – Monitor and review the ISMS – Here ISO 27001 recommends that the organization assess the performance of the risk treatment controls in place against the pre-defined scope and policy, and that the reports be made available to interested parties within the organization, including management.

d. Act – Maintain and improve the ISMS – The final phase recommends continual monitoring of the ISMS in place, taking corrective or preventive measures based on a variety of rigorous audit sources.

These methods are intended to be followed in order to secure IS certification. By adopting such authoritative ISMS guidance, organizations hope to demonstrate their compliance with security standards of business culture and practice, with the aim of certification or accreditation against international standards. Although this standardized approach to ISMS is a tipping point for organizations whose security management and risk controls are ill-configured or disjointed, in reality "The ISO 27001 is merely a framework and nothing more" (Wright 2012).

Although risk assessment methodologies are quite complex in nature, their roots lie in everyday routine, often without our being aware that we are assessing risk; the simple case of crossing a road is a familiar example. Unlike our daily routines, however, an organization is a complex "System", and a mere estimate of risk impacts will not suffice: almost every possible threat source, vulnerability and associated risk has to be identified.


In practice, most risk assessments can be roughly categorized into two basic approaches (Sims 2012):

a. Qualitative assessment

b. Quantitative assessment

A qualitative approach is preferred when there is a lack of sufficient data, on likelihood or costs for instance. Risks are defined subjectively and categorized as low, medium or high (Tregear 2001), and the result depends largely on the individual risk analyst's expertise and judgment relative to the organization. This is a good approach because it avoids the challenge of calculating accurate figures for each risk element; however, business organizations, and in particular industries focused on finance or accounting, prefer numbers and statistics to qualitative analysis.

A quantitative approach, on the other hand, appeals to a wider audience and is the most frequently used method of risk analysis (Burnap 2009). It involves defining a scope stating the assets to be protected, their potential vulnerabilities and the likelihood of threat sources exploiting those vulnerabilities. Together with outage costs (the estimated loss suffered), these statistical elements are combined into a single figure (Tregear 2001) called the Annual Loss Expectancy (ALE), which is used to rank prioritized risks by their impact rating index.
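As an added worked example of the quantitative approach (this code was written for this page and is not from the dissertation or the ORAF tool), the following computes ALE with the textbook decomposition that the text above does not spell out: the single loss expectancy SLE is the asset value multiplied by an exposure factor (the fraction of the asset lost in one incident), and ALE = SLE x ARO, where ARO is the annualized rate of occurrence. It ranks a constructed register by ALE and then uses the same figures to decide whether a proposed control pays for itself. Every asset value, exposure factor, rate and control cost is an assumption chosen for the illustration:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # replacement or outage value of the asset, GBP
    exposure_factor: float   # fraction of asset value lost per incident (0..1)
    aro: float               # annualized rate of occurrence (incidents/year)

    def sle(self):
        """Single Loss Expectancy: the loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annual Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # licence, staff and maintenance per year
    new_aro: float              # residual rate once the control is in place
    new_exposure_factor: float  # residual exposure once the control is in place

def rank_by_ale(risks):
    """Highest expected annual loss first, the prioritization described in the text."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)

def control_value(risk, control):
    """Net annual value of a control: ALE reduction minus the control's cost.
    Positive means the control pays for itself on the ALE figures alone."""
    residual = Risk(risk.name, risk.asset_value,
                    control.new_exposure_factor, control.new_aro)
    return risk.ale() - residual.ale() - control.annual_cost

# Constructed sample register; all figures are assumptions for illustration.
REGISTER = [
    Risk("SQL injection against OLTP database",
         asset_value=2_000_000, exposure_factor=0.25, aro=2.0),
    Risk("Laptop theft with unencrypted data",
         asset_value=150_000, exposure_factor=0.6, aro=4.0),
    Risk("Datacentre flood",
         asset_value=5_000_000, exposure_factor=0.8, aro=0.02),
]

# One candidate control per risk, keyed by risk name (assumed figures).
CONTROLS = {
    "SQL injection against OLTP database":
        Control("parameterised queries + WAF", annual_cost=60_000,
                new_aro=0.2, new_exposure_factor=0.25),
    "Laptop theft with unencrypted data":
        Control("full-disk encryption", annual_cost=15_000,
                new_aro=4.0, new_exposure_factor=0.05),
    "Datacentre flood":
        Control("flood barriers + off-site replica", annual_cost=120_000,
                new_aro=0.02, new_exposure_factor=0.1),
}

def treatment_plan(risks=REGISTER, controls=CONTROLS):
    """(risk name, ALE, control name, net annual value) rows, highest ALE first."""
    rows = []
    for r in rank_by_ale(risks):
        c = controls[r.name]
        rows.append((r.name, round(r.ale()), c.name, round(control_value(r, c))))
    return rows

if __name__ == "__main__":
    for name, ale, control, value in treatment_plan():
        print(f"{name}: ALE £{ale:,}  ->  {control}: net £{value:,}/year")
```

Note how the datacentre flood, the high-impact but rare event, ranks last and its control shows a negative net value: on ALE alone it would not be funded. That is the high impact, low frequency problem the following cases develop.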

Although numerous scientific risk formulae exist, perhaps the most widely used formula for risk quantification is the product of two variables, the probability of occurrence (P) and the impact of the event (I), which gives the risk magnitude. The risk magnitude R is usually taken on a scale of 0 to 9, with P and I each on a scale of 0 to 3. Let us apply the calculation to a case scenario to understand the RA practice.


Case 1 – A large organization commissions penetration testing from a trusted third-party consultancy and finds that one of its databases is vulnerable to SQL injection, a well-known database vulnerability that allows unauthorized agents to gain read, write or modify access to the underlying system. On-line Transaction Processing (OLTP) services are highly likely to be affected by this vulnerability (OWASP 2006). The organization patched the hole, and a new RA lists the risk impact as follows.

For an SQL injection attack, P could be assigned a value of 3, while the impact rating could be anywhere from 0 to 3, since the potential loss depends greatly on the threat agent: present-day SQL injection attacks can be carried out with automated tools by a mere "script kiddie", a novice capable of wreaking havoc without being aware of it. Based on the professional experience of the risk analyst, the organization assigns an impact value of 2.

As per the formula R = P x I, we have R = 3 x 2 = 6, a high position on a prioritized risk magnitude scale of 0 to 9, and mitigation controls are put in place.

Case 2 – A large organization is unaware of a potential new zero-day vulnerability that lurks in one of its backbone applications because of a code flaw. This is a highly rare risk, yet the impact could be extreme enough to bring the organization to its knees. No prior statistical data exists to support an informed decision. The expert assigns a probability P of 0.5 and an impact rating of 3, the highest magnitude. We urge the reader to recall "cognitive bias" here.

In this case R = 0.5 x 3 = 1.5, which pushes the risk down the prioritized scale of 0 to 9.

Now we might ask ourselves: is this intellectually the right way to categorize the risk? Does it make sense to push a high-impact risk down the scale just because the number came out lower? What risks are we deliberately exposing ourselves to by taking such an action?


Although business units are rather fond of numbers and statistics over names (Sims 2012) ;

using inconsistent values or estimates could prove unhealthy to the Organization.

Let us take yet another formula used widely for calculating or prioritizing risks

We know that most IS experts, plug in numbers, say, threat = 8 and vulnerability = 5 based on

personal experience, which yields a priority rating of 50;

Risk Priority = 8 x 5 = 50;

So usually formulating such calculations, gives them an index where lets say, all risk values

exceeding the 50 points threshold shall be given immediate priority, and the rest down the

scale. What if, let’s say, someone assigns a value ‘0’ to a perceived threat, but recognizes the

vulnerability to be 10? One could argue, why a value of ‘0’ to a threat, this is simply because we

might not have prior information that such a threat could even exist to that asset. As we know

by basic math, any number multiplied by a Zero is 0! Again, we have an error, where a Risk that

could potentially bring down an Organization to its knees would still get pushed down the

priority list just because of this number theory.

Let us take a geographic location ‘X’ where our Datacenter could be placed. We know for sure that this territory has not experienced an earthquake in the last 100 years, and based on that experience we assign zero threat from natural disaster to our asset; taking the budget into consideration, we overlook the option of installing earthquake countermeasures. This leaves the datacenter vulnerable to a threat that does not exist at this point in time, and should the tectonic plates shift and cause an earthquake, our number theory has failed.

Risk assessment needs to be a logical model rather than merely taking decisions from a formula-based system (Eli 2010).


2.2.2 Challenges & Flaws with current ISMS practices:

We need to realize that risk management is simply the practice of systematically deriving best practices and cost-effective approaches to minimize threats to an Organization’s assets. The current ISMS in place have a number of shortcomings that need to be addressed.

First, ISO 27001 has been designed as a generalized standard and is not tailored to specific Organizations. This is a serious flaw where Organizations implement an ISMS for the very first time without proper guidance: they could easily end up with an overall flawed ISMS, since an Organization is a complex system and no two Organizations are the same even if they come from the same industry. Secondly, the ISMS guidelines have not been validated but are fostered by common industry practices, which can be an unsound basis for an International Standard (Siponen and Willison 2009).

The controls stated in ISO/IEC 27001 are too authoritative and curb the openness or flexibility needed to identify new or previously unrecognized threats. When using the quantitative approach to risk assessment, calculating the probability of occurrence and the related outage costs is quite difficult since there is a severe lack of consistent data. Jonathan T, senior consultant from Insight Consulting (Tregear 2001), says in his Information Security Technical Report that “calculating costs involved due to loss is a time consuming activity & often delays the development plan by months until the Management has finalized on the same, and yet, finalized cost figures are often variable and subject to constant change with the changing business environment”.

Mathematically, probability always lies between 0 and 1, and calculating the probability of occurrence with respect to a threat source is very difficult as it is often a subjective conclusion and open to disagreement and debate.

There is very little reliable past data from which such predictions can be made, simply because most Organizations stay quite secretive about their RM process owing to privacy and reputation concerns. It is extremely difficult to create a mathematical model that would predict an attacker’s actions without sufficient past data (Stewart 2004). There is confusion between prediction based on probability (measurable risk) and pure uncertainty, a point where we do not know the probability or at least lack credible sources to ball park it. Refer to the case examples in the previous section, where case 1 and case 2 had RA performed with controls placed on a risk index scale. Such naïve reliance on ALE as a definition of risk leads to high impact events being listed down the prioritized mitigation scale, or assigns the same level of priority to HF-LI and LF-HI events, which again is a faulty decision due to cognitive bias. This being said, for low or rare frequency events, how do we ensure that we are not living with a false sense of security? “The feeling of security and the reality of security don't always match” (The Security Mirage, Schneier 2011). If an event has never happened, we have no rigorous data nor a basis for identifying and addressing the threat (Slater 2012).

Though ISO 27001 is a rigid & authoritative ISMS with strict standards for certification, it surprisingly seems to have been oversimplified to the point where the assessment looks like a multiple choice or checklist questionnaire for raising awareness. Although this is forgiving in most quantifiable cases, it sacrifices the more rigorous analysis that new risk disciplines require (Slater 2012).

Unarguably, there are quite a number of sophisticated RA tools, such as ‘VsRisk’ from Vigilant Software (http://www.vigilantsoftware.co.uk/), which is ISO 27001 compliant and boasts of being an easy to use RA tool with comprehensive sections for quickly conducting risk exercises and a host of other features; yet such a tool still would not replace the knowledge and skill of a risk analyst (Tregear 2001). The situation worsens if there is a knowledge risk, where the risk assessment expert lacks exposure to, or knowledge of, the uncertain risk. There is a lack of observation of the world: the fundamental difficulty in RA is how we determine the rate of occurrence of an event if it has never surfaced before. There are events with 100% probability that could be ignored through lack of knowledge.

A traditionally plaguing inconvenience is what we shall refer to as the “Technologist VS Business Personnel” warfare, where there is inconsistency & difficulty in expressing a complex IS technical assessment alongside the business orientation. This is extremely important since ultimately it is the manager’s decision to comprehend the data and approve mitigation controls.


Fig 2.2 - RA report requirement

We need a way to align the technical assessments with business concepts, since “Risk” usually translates to loss of business. Risks may have a direct or indirect impact. For instance, in the medical industry, compromise of sensitive patient information does NOT bring a direct impact & loss of business to the Organization; yet, since confidential customer information has been breached in violation of the HIPAA data privacy rule, the Organization is liable to be sued for a substantial amount of money, which will impact normal business. A way to address such complications between technical issues and legal issues needs to be identified.

2.2.3 Misconceptions

First, Organizations need to realize that being ISO 27001 certified does NOT necessarily mean they are secure! There is always something vulnerable or at fault, especially if the “System” has a human element involved. Any disagreement on this fact can be nullified by looking at the bigger picture: although over 82% of large Organizations (>250 staff) had carried out regular risk assessments, over 62% of them had faced a serious security incident (Pricewaterhousecoopers 2010). ISO 27001 is a management standard and not necessarily a security standard, as argued by Price D. (Security & Investigations, UK. 2011).

The current ISO 27001 practices are seemingly outdated (SecureThinking 2012), rigid and not sustainable, nor can they be validated for each individual Organization. The risk controls are often clouded with fear, uncertainty and doubt (Stewart 2004).

On risk perception & direction, Stewart A (Stewart 2004) agrees that in reality it is difficult, perhaps impossible, to calculate a “real risk” for an asset, as the true weight of a risk is a combination of multiple factors, many of which are subjective. In the end, we security professionals are all just guessing risks.

A closer look at existing ISMS practices reveals that security incidents or events occur at immense speed in cyberspace, and current control measures can barely keep up. The current ways of managing risks are unable to cope with the changing, dynamic & complex environment, pressuring us to invent alternative programs for handling them (cabinet office 2011).


Chapter 3

3.1 Literature review

In this chapter, we analyze previously existing work relevant to our project. Seminal and recent works relevant to collaborative RA strategies have been critically reviewed and discussed. We also try to show a collaborative approach to RA that addresses the issues with current ISMS practices discussed in the previous chapter.

At the time of writing, very little research work relevant to our project surfaced. Rather than start abruptly with a list of relevant works, we believe it makes more sense to acknowledge the role that these papers played in evolving IS, as part of an innovative effort to address the current ISMS plague.

So far we have discussed that the biggest challenge to effective risk management has been potentially flawed decisions clouded with fear, uncertainty and doubt, where there is a considerable amount of hindrance in deriving risk factors due to the lack of consistent or reliable data. In (Coles-Kemp 2009), the author says that Information Security Management has increasingly become a research challenge. The author points out that there is a greater chance of annihilation if an ISMS is designed with a faulty or wrong type of security management decision. This could effectively impair the perception of validity that a security management structure exhibits within the organization. Although the (Coles-Kemp 2009) information security technical report does not propose an alternative methodology to address the pitfalls of current ISMS systems, it lucidly elucidates the challenges in Information Security management and shows that, despite being a major field that demands attention, there has been only limited progress or development, supported by the works of researchers such as (Siponen and Willison 2009), (Dhillon 1997) etc.


3.2 The concept of Information Sharing

The (Homeland Security 2011) report recognizes that there is a need for a transparent security process, and that adherence to the “Need to share” and “Responsibility to provide” collaboration principles would foster an efficient cyber security process. They show that effective mitigation of cyber risks greatly depends on broad awareness of risks and costs to enable informed decision making capabilities. This statement supports our argument that a collaborative approach to risk assessment potentially increases awareness and mitigates uncertainty and doubt in the decision making phases. This (Homeland Security 2011) report gives an exhaustive set of proposals that focus on the free flow of information across Organizations & distributed security innovation for a safer cyberspace, which coincides with our project motive.

The systems risk journal (Welke 1998) shows how IS decision authority managers have been naïve and ignored the issues and challenges posed by the growing threat. From their study, (Welke 1998) seem to have identified that

a. Managers are aware of only a fraction of the full spectrum of actions that need to be taken to reduce systems risk.

b. Managers exposed to theory-grounded security planning techniques will be inclined to employ these in their planning process.

Their work elucidates how the lack of IS statistical data affects effective controls and suggests a theory-based security program to address these issues as follows:

a. Using a security risk planning model (derived from Simon 1960)

b. Training & awareness program

c. Countermeasure Matrix analysis

In our point of view, the security risk planning model is quite straightforward and similar to the current ISMS guidelines of the PDCA model. Although the training & awareness program is a ‘good enough’ strategy to impart knowledge to managers, it still does not compensate for the plaguing knowledge gap in reliable information or data sources. On the other hand, (Welke 1998) suggests the use of Countermeasure Matrix Analysis (CMA) as a means of evaluating the overall effectiveness of the security controls in place. This is an interesting measure to maintain the integrity of Welke’s security countermeasures: Deterrence, Prevention, Detection, and Remedy. Within an Organization, when users need to be granted privileged access, it employs multifactor authorization by the use of PINs. The cells of the CMA enable managers to compare the effect of the proposed control solution against the security countermeasure factors. The use of PINs is argued to control access and meet the goal of deterrence since they allow IS officers to trace back the perpetrator; however, in our view, this has a limited scope when it comes to addressing ISMS issues, simply because all of these measures can be bypassed effectively.

The authors (Elsinger et al. 2003) take a novel approach to risk assessment. Rather than looking at banks individually, they argue that there exists a correlation in banks’ asset portfolios and that it is efficient to analyze risk at the level of the banking system as a whole. Although their original study was NOT on Information Security based risks but rather on credit market risk analysis, their strategy of combining overall bank data to estimate risk for individual banks draws attention to the fact that our proposal follows a similar approach of taking in the wisdom of the crowds to predict threats to assets.

In the (Mandrik 2005) risk aversion strategy, they explore the concept & measurement of risk in general as opposed to domain specific constructs. They realize that there are problems with the current measurement approaches and that decisions suffer from what they call the “Choice Dilemma”, where deficiencies exist in the choices being made towards risk since each individual has his own perception of risk. The author (Mandrik 2005) emphasizes the “risky shift”, where people in groups tend to take risk decisions differently than when alone and are likely to make riskier decisions. Although a good read on decisions & risks, their paper lacks sufficient data to be validated against the Information Security domain.

The works of (Ozkan and Karabacak 2010) state that ISO 27001 does not recommend any specific risk analysis method but merely guides the mandatory process required for a systematic approach. They show the initial challenges an Organization faces when defining the scope of its ISMS. Their argument closely follows our argument against the current ISMS practices: that without credible data, decision making could be flawed or inconsistent, and that if the risk analysis is not performed properly, the selection of countermeasures could also fail. They propose a solution of collaborative risk assessment within the organization (between departments), i.e. ensuring that all employees are brought in as part of the RA process. Since ISO 27001 originally had no specific guidelines on the actual RA method, (Ozkan and Karabacak 2010) suggest a systemic approach by replacing the PDCA process with scope and determination of modeling of the process, enabling the PDCA to implement itself among processes.

A similar idea on a collaborative RM approach came from (Dyadem 2012), a recent innovation that proposes centralizing and sharing risk assessment data, categorized in databases, across different departments within an Organization. This is similar yet very different from our work, which proposes sharing anonymized RA data and security elements with mutually participating Organizations. The report’s motive nonetheless overlaps with our project ORAF, as they justify their product as the ‘Next level of RA processes’ with the belief that sharing information allows better insight into events and empowers individuals with knowledge and corporate best practices.

3.3 Key Concerns

Although preliminary research during the initial stages revealed that corporate sectors are quite paranoid & conservative about sharing RA related data, such a serious lack of relevant work paved the way for some deeper research on why collaborative measures were never proposed so far. In (Rak 2002) several challenges and deterring factors to information sharing are discussed. Rak (Rak 2002) has acknowledged that the unabated maturing of, & our dependency on, the Internet has given rise to a growing complexity of threats. He argues that the more information is available about vulnerabilities, threat sources and best practices, the sooner these threats can be addressed and risk control measures deployed. He further presses that information sharing between industry and government can significantly increase the flow of intelligence, thereby promoting a broader picture of the “Cyber landscape” and the ability to recognize potential threats at a much faster pace.


According to the report, it is clear that the government and individual Organizations understand the importance of sharing risk information, yet there are three key concerns that hinder the success of such an initiative. They are

a. Lack of trust

b. Concerns over protection of shared data owing to privacy

c. Failure by the Government to reciprocate in sharing (Rak 2002)

Therefore a new approach to risk assessment and management is required, one that aims to address these issues and concerns by ensuring that the ORAF remains a two-way information share, i.e. data must be contributed to be extracted.


Chapter 4

It is clear from chapter 2 that there exists a gap in the way we perceive Risk Management, inclusive of the complexities involved in formulating actual security controls to reasonably address such risks. Chapter 3 has shown that although there are a few research works hinting at how a structured approach to overall RM can improve the ISMS process, the industry has not embraced the innovation owing to the key concerns & prejudices that exist among rivaling Organizations & between Governments.

The purpose of this chapter is to discuss how we aim to address the issues plaguing the RM process & to suggest a structured RM framework to foster collaborative defense. Here, we shall outline the scope of the project (what it is and what it is not), the choice of algorithm used and the justification for it, any limitations & assumptions made, and the special constraints or requirements needed for the proposed solution to work.

4.1 Approach & Development Methodology

Although this project was not intended to be of a passive data sourcing nature involving surveys, a fair share of background research on Organizational needs was carried out and involved interviews with Information Security personnel of various concerns. We share the understanding of the UK cyber strategy (cabinet office 2011) that although ways to manage risks exist currently, they are not self sufficient in coping with the dynamic & complex environment of Organizations. We envision a secure cyberspace where mission critical security information can flow freely among participating entities with the sole purpose of mitigating cyber threats & risk impact &, at the very least, fostering proactive defenses to inhibit the wide & rapid propagation of such attacks.


4.2 The ORAF Risk Assessment guidance Model

By emphasizing the sharing of RA related data and strategy information, we understand that sometimes it is quite easy for Organizational IS decision makers to give in to the “lazy urge” syndrome: merely copying what others have implemented. There is no such thing, nor ever will be, as a “one size fits all” risk control applicable to all Organizations, since each organization (even within the same industry) is bound to be unique, although certain parts of RA do overlap. This strictly requires that a comprehensive RA be carried out individually; it is then recommended that it be compared against data from the ORAF knowledge pool to ensure a comprehensive analysis & iteration, rather than copying another Organization’s RA data into one’s own domain. We must realize that “Security is always relative and never absolute. It is only measured against another scenario, not as a measure of perfection” (Wright 2012). The Risk Assessment model pictured below shows the typical usage model of the “Web based ORAF decision tool” for a standardized RM approach.


Fig 4.2 - ORAF risk assessment guidance model


Organizations following ISO 27001 may use ORAF to prepare, assess, recognize threats, formulate an efficient risk index, communicate & iterate, and continually monitor the ISMS in place. Fig 4.2 is the ORAF usage model, a suggested process relating the ISO 27001 PDCA cycle to the ORAF process.

The usage model can be explained as follows:

1. Step 1 is the “Plan” phase, where preliminary preparations are to be done. This phase needs to be done extremely well if the rest of the process is to go smoothly. Assemble a team of Organizational decision makers with the goal of including & representing all of your Organization’s departments (Peyton 2010). Here you prepare a plan on what needs to be done, define an assessment boundary (the scope), and need to be aware of all compliance regulations & adherence to Organizational policies. ORAF will have a consolidated set of legal information resources under the “help” section of the webpage.

2. Steps 2 to 7 are the “Do” phase, where the actual risk assessment process begins. All of the identified Organizational assets are recorded into ORAF and the risk assessment is started. We identify threats and vulnerabilities likely to be exploited, formulate the chance & impact of such risks, and identify control objectives for the treatment of risks. ORAF provides guided assistance on formulating “chance” or “probability of occurrence” using the knowledge of crowds.

3. Steps 8 & 9 contribute to the “Check” phase of the PDCA cycle, where the Organization shall use its RA report to implement & check the control strategies in place. ORAF can be used to verify the comprehensiveness of the risk mitigation strategies identified for a particular asset, with the sole aim of achieving fuller measures. In this phase, the Organization also gives back to the community by providing its RA data to ORAF. Such contribution of data strengthens & fosters better decision making capability by pooling quantitative & qualitative risk data.

4. Steps 10 & 11 can be related to the “Act” phase, wherein RM is a continual process & Organizations need to monitor & improve the ISMS controls iteratively. To ease the monitoring process, ORAF allows real time “Watch lists” that can be configured to monitor & receive real-time filtered alerts on assets of special interest. The procedure for setting up an alert & receiving alerts through the ORAF dashboard is represented visually in figures 5.6g & 5.6h.

4.3 Comparing WARP to ORAF

In contrast, the Warning Advice & Reporting Points (WARP) is a UK based commercial information sharing strategy that was developed as part of CPNI (http://www.cpni.gov.uk) to provide cost effective methods to defend against cyber attacks (Gov 2010) and to provide personalized alerts via SMS, email, telephone or in-person group meetings. Here, we shall compare & contrast WARP with our ORAF in order to explain how the ORAF watch list function is a better alternative.

In figure 4.3a, we have tried to visually represent the IS “Problem & Solution” information flow as adopted by the WARP strategy.


Fig 4.3a – The WARP method

A, B & C are small communities (20-100 members) that are influenced by a WARP operator, who need not necessarily be an IS expert. Periodically the facilitator sends information on IS incidents: problems & solutions. The alerts are “Filtered Warnings” such that members receive only relevant information, i.e. a Linux user will not receive Windows vulnerability information. Should any member of the community face an incident, he reports it to the WARP operator through a meeting or through bulletin boards, and that information is reported to everyone subscribed through alerts. This, in our opinion, involves higher overhead and delay, since reporting needs to go through a mediator and sharing information relies more on BBs or passive communication and is never near instant. Let us have a look at the ORAF watch-list system.


Fig 4.3b – The ORAF collaboration method

In our system, A, B, C, D, E are sample participating Organizations and the ORAF web tool is the autonomous facilitator. Assume that each of the individual entities has already set up watch-list alerts: say C, E, D have alerts set up for asset ‘X’ and entity B has set up an alert for asset ‘Z’, among many others, but NOT for ‘X’. When any of the participating organizations faces a security incident or a compromise, in this example entity A, it reports the incident using the ORAF “Reporting tool” (refer to label No. 9 in figure 5.6a) and all of the members within the network except B are notified near instantaneously with the problem & solution (P+S), still keeping the reporting Organization’s identity anonymous if desired. This way of reporting & sharing information is much faster since there is no involvement of a third party facilitator, is better streamlined since only the subscribing organizations receive the alert, and reception of the alert is near instant as there is no delay waiting to organize a periodic meeting. Disseminating critical information at near instant rates potentially enables participating entities to handle even 0-day threats much more efficiently.


Now, we shall explain the underlying algorithm that ORAF will use to achieve anonymization capability.

4.4 RA data Stripping & Anonymization algorithm

ORAF encourages collaborative sharing of sensitive RA data pertaining to individual Organizations; hence, owing to the privacy concerns of such participating entities, we recommend using stripping & anonymization techniques within ORAF so that all quasi-identifying factors giving away an Organization’s sensitive details can be taken out before submission to the public sphere of the ORAF knowledge pool. This is done in order to prevent ill-intentioned defamers or malicious threat agents from compromising or spearheading attacks on any individual member of the ORAF system. By providing anonymity & containing the confidential or sensitive information of participating entities, we hope to increase the trust placed in the system and address the key concerns that put Organizations off participating in such risk information sharing initiatives.

Risk Assessment data are recognized as personal & confidential data since they contain a host of information about the Organization in terms of its key personnel, assets, and mitigation strategies for specific threats & risks. Giving away the document as a whole would defeat the very purpose of this effort, since it would mean that we are providing comprehensive recon information about a particular Organization to the public, & it could prove disastrous in the wrong hands. Therefore all public data via ORAF need to be stripped of any identifying factors pointing to an individual Organization & anonymized before being submitted to the knowledge pool.


The following table (Qi and Zong 2012) shows some of the widely practiced methods of data anonymization.

Research Direction                            | Demonstration
General privacy preservation technology       | Perturbation, Randomization, Swapping, Encryption
Data mining privacy preservation technology   | Association Rule Mining, Classification, Clustering
Privacy protection data publishing principle  | k-anonymity, l-diversity, m-Invariance, l-Closeness

Table 4.4 - Privacy protection research direction

At the moment, ORAF has been proposed to adopt stripping (discarding certain parts of identifying data), & K-anonymity is chosen as the anonymizing algorithm, a short study of which follows below.

4.4.1 Stripping technique

This is a simple technique where data fields that are not needed, or not deemed mandatory, in public risk assessment data are “stripped” away before being submitted to the public sphere.


Let us consider a typical risk assessment sheet from ORAF; it would have the following:

Version Control details - Contains identifiers to keep track of the document; might be populated with team details, owner, version ID, process ID etc.

Asset Registration details - Contains information on the actual asset name, type, asset owner, extra comments etc.

Risk Assessment - The actual risk assessment section where known threats, vulnerabilities, risk index & controls are assessed.

Here, the parent Organization will want to have all of the structured data when obtaining a printable version for itself, but when it has authorized the RA data to be submitted to the knowledge pool or the public sphere, we simply have no reason to give away information on the “version control details” or the “impact rating” from the risk assessment section. The former could potentially give away a lot of background information about the Organization itself, whereas the latter would influence a decision negatively, since the “impact rating” depends greatly on the assessing Organization itself. For instance, failure of a particular service, say ‘instant messaging’, would impact customer support businesses far more than a front end sales business. It is also to be noted that the version control details to be stripped here are NOT the asset version details but the risk assessment document version control details. We discard or strip certain parts of the data before they are processed into k-anon & storage. However, stripping alone does not sufficiently cater to our requirements, as applying a stripping algorithm to all the fields where we need obscurity would result in complete loss of information.

4.4.2 Anonymizing RA data by K-anonymity for trend realization

In the earlier section, we saw how data can be manipulated to discard sensitive information; in this section, we will manipulate data in such a way that we can publish it qualitatively, representing values as a range or interval to aid the decision making & risk assessment process, without the ability to uniquely distinguish any single individual in the record set. For instance, let us say that an excerpt from RA data is published as “Organization with employee size 50-100 using Asset X recommends controls Y for risk R”. Other entities can understand that the featured Organization has probably implemented the said controls. This is an unacceptable case even when the other entity means no harm or has no ill intent; to make matters worse, should this be accessible by threat agents themselves, we are aiding them with enough information to spearhead an attack, and we do not want this since it defeats the very purpose of our defense strategy. If we recall from section 3.3 of Chapter 3, Organizations expressed concern & fear of exactly such compromise of their classified information by sharing RA reports detailing what assets they own & the defense strategy adopted by each. In such cases where sensitive data need to be published discreetly, K-anon ensures that “good enough” privacy is achieved without discarding so much information that the data become unusable.

K-anonymity has been a successful paradigm for privacy preservation in the data mining & algorithms community (Nergiz & Clifton 2006). The main idea is to ensure that in a released data set, each data record is indistinguishable from at least (k-1) other records. It works in such a way that uniquely identifying attributes are either suppressed (dropping some tuples from the relation to satisfy K-anon (Lefevre et al. 2005)) or generalized until each row is identical to at least (k-1) other rows, thus making the database k-anonymous.

A database may contain “quasi identifiers”: a set of attributes in a public database

which can be linked with external information to identify the entity behind a record. Every

anonymized dataset must satisfy the K-anon property: if ‘D’ is a database

and ‘QD’ its quasi identifier attributes, ‘D’ is K-anonymized if and only if each

value of ‘D(QD)’ appears in at least ‘K’ records of D (Gionis 2007).


Let us consider an excerpt of a small sample trend report record set; this is how it would

potentially look in plain text.

Organization Name | Industry Type | Organization address | Employee size | Asset    | Vulnerability | Controls
Citca hughes      | Financial     | CF24                 | 250           | SQL v9   | X12 flaw      | ABC1, ABC2
Mediquick         | Medical       | CF20                 | 55            | IIS 7    | Z03 flaw      | ABC4
Eversafe          | Financial     | CF24                 | 130           | SQL v9   | X12 flaw      | ABC3
EZ sports         | Sporting      | CF14                 | 50            | Zen Cart | F05 flaw      | ABC13, ABC5
Tesco             | Supplies      | CF14                 | 100           | …        | …             | …

Table 4.4 - Sample RA trend record

The above database entries, selected from potential consolidated risk assessment trend

reports, pinpoint that Organization “Citca hughes” is in the “financial” industry with an employee

size of “250”, owns and operates an asset “SQL v9” which has an “X12” type flaw, and that the organization

has addressed it with the controls “ABC1” and “ABC2”. If we were to publish this stripped

version of the Risk Assessment data “as is”, we would be giving away too much information and

compromising Organizational privacy. “Eversafe”, a financial organization similar to “Citca

hughes”, owns a similar asset yet has identified control “ABC3”. We somehow need to ensure

that Eversafe realizes that there are 2 more possible controls for the same flaw and can iterate on

its RA and update its controls. Eversafe never needs to know Citca hughes’

private information or anything about the Organization itself. We need to be concerned only with the

asset, its associated vulnerabilities, threats or risks, and the practiced or recommended risk controls. Yet

discarding too much information would render the knowledge incomplete or useless, and giving

away too much would be a perfect aid for spearheading attacks. To prevent this, we

either suppress or generalize using single or multidimensional K-anon to achieve “just enough”

privacy and make the RA trend data available by query from within ORAF.


The generalization of a data entry must be systematic rather than random, as the following

representation shows.

Fig 4.4 – Generalization rule

At any point, when using single-dimensional generalization, CF24 will always be generalized to

CF2* within a data entry.

The following example shows Single Dimensional Suppression (SDS) and Single Dimensional

Generalization (SDG) applied to our sample data record so that it satisfies the K-anon property.

Organization Name | Industry Type | Organization address | Employee size | Asset    | Vulnerability | Controls
*                 | Financial     | CF2*                 | 50 – 250      | SQL v9   | X12 flaw      | ABC1, ABC2
*                 | Financial     | CF2*                 | 50 – 250      | SQL v9   | X12 flaw      | ABC3
*                 | Medical       | CF2*                 | 50 – 250      | IIS 7    | Z03 flaw      | ABC4
*                 | Sporting      | CF1*                 | 50 – 250      | ZenCart  | F05 flaw      | ABC13, ABC5
*                 | Supplies      | CF1*                 | 50 – 250      | …        | …             | …

Table: K-anonymized dataset


In the above example, we see that we have anonymized “just enough” of the information:

there is no way to backtrack which Organization actually owns an asset, say SQL v9, yet

enough obscured information remains to understand the asset type, its set of known

vulnerabilities and the possible mitigation controls adopted by individual organizations.

Now when “Eversafe” queries the k-anon ORAF knowledge pool (generic flow shown in fig 5.4)

with a query such as “mitigation controls for X12 flaw for SQL v9”, it can see from the results

that a financial corporation similar to itself, using the same asset, has identified

controls ABC1 and ABC2, but it has no way of identifying the contributing organization. Such a

trend report can be useful for cross-verifying whether we have achieved comprehensive risk control.

The probability of re-identification here is 1/K. In our case, the probability of

identifying information on “Citca hughes” would be ½, i.e. 0.5, if only the financial

industry is considered; if the “industry type” field is also put through the same SDG process, it

becomes 1/3, since the generalized address postcode now covers three records. The probability of re-

identification also diminishes as the number of data records increases.
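As an added example that is not part of this thesis or of the ORAF prototype, the following Python applies the SDS/SDG rules of Fig 4.4 to the Table 4.4 sample, checks the K-anon property, computes the 1/K re-identification figures for “Citca hughes” discussed above (1/2 with the industry type kept, 1/3 once it is also generalized), flags equivalence classes that would be open to the homogeneity attack covered in section 4.4.2b, and answers Eversafe's query against the anonymized pool. The field names, the single 50-250 employee band and the query function are assumptions of the example.

```python
"""Added example (not ORAF's own code): single-dimensional suppression and
generalization (SDS/SDG) applied to the Table 4.4 sample, with the k-anonymity
check, the 1/K re-identification figure and the homogeneity check of 4.4.2b."""
from collections import defaultdict
from fractions import Fraction

# Constructed from Table 4.4. The Tesco row's asset, vulnerability and
# controls are elided ("…") on the page and are kept that way here.
FIELDS = ("org", "industry", "postcode", "employees", "asset", "vuln", "controls")
RAW_RECORDS = [
    ("Citca hughes", "Financial", "CF24", 250, "SQL v9", "X12 flaw", frozenset({"ABC1", "ABC2"})),
    ("Mediquick", "Medical", "CF20", 55, "IIS 7", "Z03 flaw", frozenset({"ABC4"})),
    ("Eversafe", "Financial", "CF24", 130, "SQL v9", "X12 flaw", frozenset({"ABC3"})),
    ("EZ sports", "Sporting", "CF14", 50, "Zen Cart", "F05 flaw", frozenset({"ABC13", "ABC5"})),
    ("Tesco", "Supplies", "CF14", 100, "…", "…", frozenset({"…"})),
]
SIZE_BAND = (50, 250)  # the one employee-size interval used in the anonymized table (assumption)


def generalize_postcode(postcode):
    """Fig 4.4 rule, applied the same way to every row: CF24 -> CF2*, CF14 -> CF1*."""
    return postcode[:3] + "*"


def generalize_size(employees, band=SIZE_BAND):
    """Replace an exact head count with the band it falls in ("50-250")."""
    lo, hi = band
    if not lo <= employees <= hi:
        raise ValueError(f"employee size {employees} outside band {band}")
    return f"{lo}-{hi}"


def anonymize(record, generalize_industry=False):
    """SDS on the organization name (-> '*'), SDG on postcode and employee size.
    generalize_industry=True also wildcards the industry, as in the 1/3 case."""
    org, industry, postcode, employees, asset, vuln, controls = record
    return ("*", "*" if generalize_industry else industry,
            generalize_postcode(postcode), generalize_size(employees),
            asset, vuln, controls)


def equivalence_classes(records, quasi_ids):
    """Group records that share the same quasi-identifier values."""
    idx = [FIELDS.index(f) for f in quasi_ids]
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[i] for i in idx)].append(r)
    return dict(classes)


def k_of(records, quasi_ids):
    """Largest k for which the release is k-anonymous: the smallest class size."""
    return min(len(c) for c in equivalence_classes(records, quasi_ids).values())


def reidentification_probability(raw_records, target, quasi_ids, generalize_industry=False):
    """1/|class| of the target's anonymized row: the 1/K figure quoted in the text."""
    anon = [anonymize(r, generalize_industry) for r in raw_records]
    key = tuple(anonymize(target, generalize_industry)[FIELDS.index(f)] for f in quasi_ids)
    return Fraction(1, len(equivalence_classes(anon, quasi_ids)[key]))


def homogeneous_classes(records, quasi_ids, sensitive):
    """Classes of size > 1 whose members all carry the same sensitive value
    (the homogeneity attack of Machanavajjhala et al. 2006): knowing a member's
    quasi-identifiers is enough to learn its sensitive value."""
    si = FIELDS.index(sensitive)
    return {key: rows[0][si]
            for key, rows in equivalence_classes(records, quasi_ids).items()
            if len(rows) > 1 and len({r[si] for r in rows}) == 1}


def query_controls(records, asset, vuln):
    """The interactive query of 4.4.2c: controls other contributors chose for an asset/flaw."""
    return sorted({c for r in records if r[4] == asset and r[5] == vuln for c in r[6]})


if __name__ == "__main__":
    qi = ("industry", "postcode", "employees")
    anon = [anonymize(r) for r in RAW_RECORDS]
    for row in anon:
        print(row[:6], sorted(row[6]))
    print("k with industry kept:", k_of(anon, qi))
    print("k with industry dropped from the QIs:", k_of(anon, qi[1:]))
    print("Citca hughes re-id:", reidentification_probability(RAW_RECORDS, RAW_RECORDS[0], qi),
          "->", reidentification_probability(RAW_RECORDS, RAW_RECORDS[0], qi, True))
    print("homogeneous on asset:", homogeneous_classes(anon, qi, "asset"))
    print("Eversafe's query:", query_controls(anon, "SQL v9", "X12 flaw"))
```

On this five-row sample the release is only 1-anonymous while the industry type is kept as a quasi-identifier, and the two financial rows form a class that is homogeneous on the asset, which is the 4.4.2b limitation in miniature.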

By sharing such anonymized aggregate trend data, participating organizations can get a cue

that their industry counterparts have identified and used certain controls which they could

potentially have overlooked. By considering and iterating on those “slipped” control measures, we

believe overall security can be strengthened.

Fig 4.4b - Privacy & enough valid information preserved & shared


4.4.2a Justification on using K-anon

Although raw data anonymization techniques are still maturing, K-anon has

been a popular technique, especially in health information sharing environments (El Emam and

Dankar 2008). The major advantages of K-anon over comparable algorithms are the accuracy of the

published results and its lower computational overhead. K-anon achieves “good enough” privacy

by balancing the data sacrificed against the data obscured. Re-identification in a released

data set at worst narrows an individual entry down to a group of ‘K’ individuals in the dataset

(Williams and Blum 2007). Taking into consideration the nature of the application and the cost of

computation, K-anonymity proved the most suitable candidate among the alternatives.

4.4.2b Limitations to K-anon

Although K-anonymity has long been proposed as a mechanism for providing privacy in micro

data publishing (Samarati and Sweeney n.d.) and numerous re-coding models have been

considered for achieving k-anonymity, it is still far from perfect. K-anon is

susceptible to the homogeneity attack (Machanavajjhala et al.

2006), which applies whenever all sensitive values in a K-anon group are the same. In

(Narayanan and Shmatikov 2010), the authors state that the privacy techniques used by

companies to store and anonymize data are not adequate in terms of confidentiality, since

there are always attacks that can trace the dataset back to the original individual, compromising his

privacy. Organizations such as credit card companies, hospitals and real estate firms hold large

volumes of personally identifiable data, and their released anonymized data sets are often

traceable to the individual.

(Narayanan and Shmatikov 2010) argue that K-anonymity de-identifies quasi identifiers

effectively in a given data set; however, by joining enough datasets on common attributes, re-

identification of data pointing to an individual is possible. Then there is the human element

involved in the re-identification process, which makes it more effective still. The

authors note from their experience that any remaining attributes can be used to re-identify as

long as they differ from individual to individual. Therefore, for instance, with respect to

published medical data, an anonymized version of Personally Identifiable Information (PII) has

no meaning even in the context of the HIPAA privacy rule (HHS 2002). Hence, absolutely de-

identified data is an unattainable goal, and further computational research is deemed necessary.

4.4.2c Addressing the K-anon limitation

At the time of writing, ORAF is proposed to use Single Dimensional Generalization K-anon,

which, if it followed the generic approach of storing sensitive data and releasing it publicly as

currently practiced by the data gathering industry, would also be prone to attacks and privacy

compromise. However, we aim to achieve differential privacy in the sense that sensitive data which

could give away Organization-specific information is never stored in the ORAF knowledge

repository. It should be noted that RA data is by itself a sensitive document, but only if we know

to which Organization that RA belongs. There is a lower chance of tracing

Risk data back to its parent Organization since that information never exists in the first place.

(Narayanan and Shmatikov 2010) agree that an interactive, query-based approach is generally superior

to the “release and forget” approach, which is exactly what ORAF adheres to. Our knowledge

repository displays trends or information on “risk controls” to participating entities only upon query and

refrains from frequently releasing or publishing this trend data to the open internet, where we have

no access controls.

4.5 Summary

In this chapter we proposed an RA guidance model aligned with the PDCA cycle of the ISO

27001 processes, suggesting a typical usage scenario for users adopting the ORAF framework.

This showed how the ORAF assessment framework overlaps with the well-established and

familiar PDCA model, reducing users' fear of change. The ORAF’s proposed IS incident

reporting service was critically compared to WARP (Gov, 2010) and the major differences were

highlighted. We showed how ORAF is a comparatively faster way to report incidents by

eliminating the need for human intervention to mediate reporting. Owing to the privacy and

identity concerns of participating Organizations, we suggested the use of selective data

stripping and k-anon algorithms with suppression and generalization applied to RA report data,

the anonymized versions of which are placed in the ORAF knowledge pool, searchable by

queries. The illustrated sample data records show the ‘just enough’ privacy and abstraction

attained by our process, enabling free flow of critical information while withholding compromising

attributes. Although k-anon is a widely practiced anonymization technique, it does have

certain limitations and drawbacks. We followed a “query based approach” over the “release &

forget” approach, thereby considerably addressing one of the K-anon limitations.


Chapter 5

5.1 Design Specification

In this chapter, from a technical architect's point of view, we specify a design framework for the

web based ORAF decision tool using the Unified Modeling Language (UML) to communicate a road

map, or blueprint, for the ORAF project.

5.2 ORAF Business Requirements

The ORAF prototype is intended to be a web based RA and decision support tool which

relies on collaborative defense against cyber threats and aims to support a structured yet mutual

and additive risk assessment based on the ISO 27001 standards. The web based system should

allow Organizations or other participating entities to work closely with each other, enabling the

free flow of anonymized risk assessment data coupled with recommendations for best security

practices, the ability to report IS incidents for proactive heads-up alerts and defense, and insight for

decision making based on the knowledge of crowds, aligned closely with the UK cyber security

strategy (cabinet office 2011) of a safer cyber space.

All participating entities must be able to conduct an assisted self risk assessment in

compliance with the ISO 27001 ISMS, and an anonymized version of the report is submitted to a

repository which we shall call the “knowledge pool” and which must be retrievable by queries. The

assistance could be either proactive, i.e. a guided probability estimation for

assigning one of the values (probability of occurrence) of the risk index based on the knowledge of

the crowds, or reactive, i.e. insights and trends based on collective past incidents accompanied by

near-instant incident report alert systems.


The Organizations must be able to set up and configure “watch-lists” which let them stay up-to-

date on threat and risk alerts. The reporting systems that work in conjunction with the watch list

should have provisions to alert others in real time and may be accompanied by “first-aid”

mitigation controls.

The insight capability API integration of ORAF (depicted in fig 5.6a, labels 5, 6) is at the moment

based on aggregate unstructured report data from trusted sources such as news media, social

networks etc., filtered through the “Recorded Future” graph analysis engine (recorded future 2012),

which tries to build a structured point in temporal space by linking past unstructured events:

people, time, location, the incident itself etc. The data could be plotted over a visual map to show

the geographic distribution of threat sources and incidents. The system should also be able to

analyze the knowledge pool autonomously and present a visual display of the Top 10 Risks by

industry sector to the subscribed Organizations. This serves as a gentle reminder for

Organizations to take heed and ensure those high-ranked risks are addressed.

The last but not least component is the information reference space: site content where

comprehensive information on applicable laws and legislation is presented. This serves as guidance

and reminds participating organizations of their compliance obligations under the law and the Data Protection Act.

5.3 Top-level Use Case design – Modeling the functional requirement

The top level use case diagram captures “what” the system will do for the user,

i.e. the functional requirements of the system, in a high level generalization schema. It should

be noted that a top level use case specification, as shown in fig 5.3, does not include the “how”

or the implementation details. The conventions used are explained below.


Actors:

The actors could be a person, a system or a device: an external entity that interacts with a

system. In our case, we have 4 actors, as explained below:

a. Participating Organizations – the main actors around whom the system is to be built.

b. ORAF intelligence module – a major system component responsible for pooling &

responding to user queries, the algorithm component that processes raw data into

structured format usable in the knowledge pool and a host of other functions as

described.

c. Trusted Sources – external system interfaces that contribute data to the

ORAF for trend analysis and insight purposes. They could be news media, social

network sites etc.

d. Administrator – The well known entity responsible for overall system maintenance &

site management.

Relationships:

Interactions carried out by the actors with the system are represented by an arrow.

The use cases specified in the Top level Use Case diagram (fig 5.3) try to capture the essence

of the ORAF business requirements.


Fig 5.3 Top Level Use Case diagram of ORAF system

In the figure, the administrator (actor) and its connected use cases are self explanatory, in the sense

that “Perform System Maintenance” and “Manage Site Content” enable the user to perform

periodic maintenance tasks on the ORAF website. “Moderate Registered Users” allows the

admin to moderate or govern registered profiles and resolve issues should any conflict arise.

The “Participating Organization” is a primary actor and interacts with the majority of the use

cases as shown. “Manage personal account” is a personal profile editor that allows the user

to register and maintain a personal profile. This could be, say, an Organization name, the type of

industry they operate in, and a host of other information. This information is stored

beforehand so that, for each new RA they conduct, this data can be appended to their

personally retrievable RA reports.

“Manage risk assessment” allows the user to create a new RA and to access, print or remove previously

conducted assessments. “Submit RA reports” lets users approve personal RA reports to be

forwarded for anonymization and added to the ORAF knowledge pool.

“Manage threat watch list” allows users to set up an alert system for an asset of their

concern. This lets them add and remove watch lists, receive alerts etc. The alert viewer is real

time and should display an alert as soon as it has been reported by another participating entity. This

works in conjunction with the “Report/send Asset compromise notification” use case, where

users are given the ability to report the problem and a probable solution. Additionally, the use

case “view real time asset compromise notification” allows users to receive such reported

alerts. When an Organization believes one of its assets has been compromised, it does not

need to remain in the dark waiting for the newspapers to report the incident the next day, by which

time enough time would have passed for the attack to propagate over a larger territory and claim

more victims. We refer to the area of compromised network resources as territory. The

reporting functionality allows a compromised entity to notify others of the compromise and

also offers an option to include possible mitigation controls. However, the notification would be

received only by those already subscribed to the respective alert. A watch list set up for, say,

SQL v9 will not receive the alert if a compromise has occurred on, say, a biometric scanner with

faulty firmware; however, this incident does get reported to the ORAF knowledge base and

displayed in trend analysis at a later date.

The “Rank Top-10 risks” use case accepts inputs from participating organizations and pre-defined

trusted sources. The ORAF module needs to interact at this point to classify and list the Top-

10 risks based on trend data and the organization's industry sector.

We shall now explain what each Use Case represents and how each plays a significant role as a

part of the system with reference to the others. The individual functionality of each use case

can be understood from the Use Case Specification document shown below.


5.3.1 Use Case Specification

The use case specification describes each use case in more detail to aid the implementation

process. The specification document describes which actors interact with each use case, the

preconditions that need to be met for the use case function to be activated, and the description

or scenario that can be performed in the use case.

Use Case No. 1

Use Case Name: Perform System Maintenance

Rating: Essential

Purpose: To allow the administrator to perform basic maintenance tasks on the ORAF system

Main Actor: Administrator

Secondary Actors: NA

Pre Conditions: Requires the user to be logged in to the system with admin privileges

Trigger: No special trigger.

Description:

Enables the admin to perform maintenance routines

Must limit tasks to database optimization, content moderation and other such pseudo-primary tasks

Must NOT allow changes to core system functionality

EXT: None

Post Conditions: Optimized system performance

Related Use Cases: Moderate Registered Users, Manage Site Content

Use Case No. 2

Use Case Name: Moderate registered users

Rating: Essential

Purpose: Allows super admin governance over registered profiles

Main Actor: Administrator

Secondary Actors: NA

Pre Conditions: Requires the user to be logged in to the system with admin privileges

Trigger: The need to interact with a user profile

Description:

Enables monitoring and moderation of registered user profiles

Useful to review a profile based on suspicious activity

Ability to remove, block or suspend accounts

Ability to send group messages

EXT: None

Post Conditions: One of the intended purposes achieved.

Related Use Cases: Manage Site Content, Perform System Maintenance

Use Case No. 3

Use Case Name: Manage Site Content

Rating: Essential

Purpose: To manage site content

Main Actor: Administrator

Secondary Actors: NA

Pre Conditions: Requires the user to be logged in to the system with admin privileges

Trigger: A need to update/modify feeds from trusted sources. No special trigger.

Description:

Allows overall site administration, e.g. posting special announcements

Configure/modify incoming RSS and news snippet feeds (Trusted sources)

EXT: None

Post Conditions: Required changes achieved.

Related Use Cases: Moderate registered users, Perform System Maintenance

Use Case No. 4

Use Case Name: Manage personal account

Rating: Essential

Purpose: To allow the user to review/update personal information

Main Actor: Participating Organization

Secondary Actors: NA

Pre Conditions: Requires the user to be logged in to the system terminal

Trigger: Changes in the organization profile

Description:

Enables adding/updating personal information in the database

Requests information on Organization details, industry segment and size

This information is appended to risk assessment reports conducted by the relevant user but is NOT shared with others and is discarded when submitting RA data to the knowledge pool.

EXT: None

Post Conditions: Profile updated as required.

Related Use Cases: None

Use Case No. 5

Use Case Name: Manage Risk Assessment

Rating: Essential

Purpose: To allow actors to manage risk assessment activities.

Main Actor: Participating Organization

Secondary Actors: NA

Pre Conditions: Requires the user to be logged in to the system terminal

Trigger: No special trigger. Can be accessed when there is a need to review or perform a new risk assessment.

Description:

Allows the user to perform one of the desired tasks, e.g. initiate a new risk assessment based on ISO 27001

Allows the user to view or print previously performed risk assessments

Provides a guided step-by-step template to perform the risk assessment

Must comply with ISO 27001 requirements

The RA starts with confirming/updating the organization profile, then registering the Assets, then the actual assessment where threats and risk factors are identified, risk indexes assigned, etc.

EXT: Print RA report

Post Conditions: RA results are populated and the K-anon algorithm is applied to the report to anonymize the data. Submitted to the Knowledge pool and confirmation sent to the parent organization

Related Use Cases: Submit RA reports, Anonymize submitted reports

Use Case No. 6

Use Case Name: Submit RA report

Rating: Essential

Purpose: Allows the user to authorize submission of a personal RA report to ORAF

Main Actor: Participating Organizations

Secondary Actors: NA

Pre Conditions: None

Trigger: When a fresh Risk assessment is made

Description:

Recommends that users submit RA data

Forwards the report to the anonymization module before it is added to the pool.

EXT: None

Post Conditions: A new anonymized RA report is made available in the pool for all to share.

Related Use Cases: Anonymize submitted RA report

Use Case No. 7

Use Case Name: Anonymize submitted RA report

Rating: Essential

Purpose: Enables the ORAF to anonymize user-submitted risk assessment data

Main Actor: ORAF intelligent module

Secondary Actors: Participating organization

Pre Conditions: Requires successful completion of a new risk assessment

Trigger: Process started before submitting to the knowledge pool

Description:

The module takes the RA report as input and anonymizes the data in line with the privacy concerns of the organization

All quasi identifiers pertaining to the organization are removed

The asset details, risk rating, industry segment and size, identified threats and risk controls are preserved

EXT: None

Post Conditions: Anonymized RA data is submitted to the knowledge pool and made available to other participating organizations

Related Use Cases: None

Use Case No. 8

Use Case Name: Manage Threat Watch-list

Rating: Essential

Purpose: To allow the user to customize and receive threat alerts

Main Actor: Participating Organization

Secondary Actors: NA

Pre Conditions: Requires the user to be logged in to the system terminal

Trigger: Interest in real time updates on potential vulnerabilities of a particular asset

Description:

Enables adding/removing customized threat watch lists with real time updates

A pre-registered organization asset needs to be assigned here

The knowledge pool is monitored continually for any reported incidents or vulnerabilities pertaining to that asset.

EXT: None

Post Conditions: Submits watch list criteria to the system for real time monitoring.

Related Use Cases: Report/Send asset compromise notification, View asset compromise notification

Use Case No. 9

Use Case Name: Report/Send asset compromise notification

Rating: Essential

Purpose: To allow the user to report any 0-day vulnerability or emerging threat outbreak to all participating organizations

Main Actor: Participating Organization

Secondary Actors: NA

Pre Conditions: Requires the user to be logged in to the system terminal

Trigger: Identification of a 0-day vulnerability or a security incident

Description:

Allows a participating organization to notify all in the network of the incident

A sort of alert system

Notification sent in real time along with Asset type, recorded incident and possible controls

EXT: None

Post Conditions: Real time alert received by participating organizations based on their watch lists.

Related Use Cases: View asset compromise notification

Use Case No. 10

Use Case Name: View asset compromise notification

Rating: Essential

Purpose: To allow the user to receive real time threat alerts based on watch list preferences

Main Actor: Participating Organization

Secondary Actors: NA

Pre Conditions: Requires the supervisor to be logged in to the system terminal and to have at least one preconfigured watch list

Trigger: Report of a prioritized threat from trusted sources

Description:

Shows visual alerts based on the watch list

Does NOT show the compromised organization’s identifiers, yet includes the compromised asset, vulnerability, risk and potential mitigation controls.

EXT: None

Post Conditions: Update the service record once the prescribed service is done.

Related Use Cases: Report/Send asset compromise notification, Manage Threat Watch-list

Use Case No. 11

Use Case Name: Show IS Trends & Insight

Rating: Essential

Purpose: Allows users to obtain a graphical trend chart and keyword insight

Main Actor: Trusted Sources

Secondary Actors: ORAF intelligent module

Pre Conditions: Trusted sources need to be defined and the module configured to receive RSS data feeds

Trigger: Updates each time a user logs in to the system

Description:

Collects data feeds from predefined trusted sources: news media, social networks etc.

Plots geographic threat distribution over a graphical map

Aids in predicting advancing threat agents and propagating risks

API to be built over Google insight; trend analysis similar to “Recorded Future” intelligent prediction analysis.

Enables real time cyber threat monitoring

EXT: None

Post Conditions: Users equipped with comprehensive knowledge and aided in making informed decisions

Related Use Cases: None

Use Case No. 12

Use Case Name: View IS best practices & UK law compliance

Rating: Medium

Purpose: Allows the user to quickly refer to up-to-date UK cyber laws and recommended practices

Main Actor: Participating Organizations

Secondary Actors: Trusted Sources

Pre Conditions: None

Trigger: No special conditions; can be accessed at any time from the site navigation menu

Description:

Contains an exhaustive list of recommendations and Information Security best practices

Acts as a quick reference scheme

Updated information on UK cyber law compliance requirements

EXT: None

Post Conditions: Advises users to ensure adherence to the required laws and practices.

Related Use Cases: None


5.4 Activity Diagram

In the previous section we saw how the use case diagram helped us understand what the user

wants to do with the system; here we use an activity diagram to capture the business operation

workflow and the actions and activities related to it.

Fig 5.4 Activity Diagram

We have visually represented an overview of overall workflow in general with decisions &

choices affecting possible outcomes.


Fig 5.4b Legend

Img source: http://www.csci.csusb.edu/dick/samples/uml0.html

Let us start at the point <Register Organization>; this step can be skipped if the user is

already registered with the ORAF. Upon creating a valid user profile, the participating entity can

now log into the system, as denoted by <Login>, and choose one of the many available

options within the site. They can now decide whether they would like to <initiate a new risk

assessment> or <view/print existing RA reports> if they have already done one earlier using the

ORAF. For the sake of the scenario, let us assume the user initiates a new assessment. They are

then shown the option <Register organizational Assets>, where they need to input a

comprehensive list of assets categorized by type. Once done, they proceed to perform the

actual assessment. When the process is complete, ORAF displays a detailed printable output of

the RA with risks categorized by risk index. The user now has the option to <print report> or use

the electronic format and <compare> self-selected mitigation controls against the knowledge pool.


This can be an extremely useful step, where the knowledge of the crowds checks whether we have

considered the most exhaustive possible list of risks and controls. Going one step backward,

the fork and join denote the point where ORAF performs background stripping and

anonymization of the RA data to be added to the knowledge pool. A <confirmation> is then

shown. The process could stop here or continue with a new choice, say <Access

Knowledge pool>.

The knowledge pool is a large central repository to which participating organizations can

turn to seek guidance and validation of their risk assessments and control measures. Let us take the

first activity, <seek mitigation advice>: the ORAF prompts the user to enter the <Asset details> for

which the controls need to be looked up. The knowledge pool, which contains a variety of RA

data from various anonymized Organizations, is then queried and the results are populated in the

user view. The Organization can now <Compare> the populated list of strategies with its own

mitigation controls and iterate on them.

5.5 Sequence Diagram

A sequence diagram is part of an UML diagram that illustrates sequence of messages &

interactions between “objects” over specific period of time and can be used to work out

detailed object oriented designs. A sequence diagram contains lifelines that represent

properties of any UML element that shows behavior, including actors, systems or subsystems,

classes, and components. (IBM 2005)

The sequence diagram shown below illustrates the same scenario as described in the activity

diagram, yet here we capture complicated interactions between objects which potentially add

more clarity for the project development phase.

The “Objects” that make up the system are represented with boxed heads, and the dotted line that runs vertically down from each is that object's lifeline. The vertically overlapping white rectangular boxes show the period of time in which the object is initiated, remains active and dies after an operation. Requests are represented with dark arrows, whereas replies from other objects are represented with dotted arrows as shown. These requests could sometimes require conditions to be true in order for an action to occur, as denoted with square brackets: [condition statement]

Fig 5.5a Legend


There is also a recursive notation, used where an object waits until, say, a mathematical function has been computed; this is denoted with a half-loop arrow back to the object itself, as follows.

Fig 5.5b Recursive notation

The activity diagram shown in fig 5.4 has been interpreted conceptually as the sequence diagram below, starting with a conditional logon statement and the object :participating organization calling a new risk assessment from the object :RA module. From the diagram, the steps are self-explanatory; note, however, the “activation period” of the objects :ORAF intelligence module and :Knowledge pool, which are not alive until a function that involves their participation is actually called.


Fig 5.5c – Sequence diagram


For illustration purposes, let us see in the sequence diagram (fig 5.5c) how the RA report anonymization function is called by the system. Once the user has been presented with a detailed RA report, the object “:RA module” prompts the user (request) to submit the RA to the knowledge pool. The user approves (reply) the submission to the module, which in turn passes a <request> to the “:ORAF intelligent Module” to initialize the anonymization process & compute the filtering as required. The computed data is then submitted to the knowledge pool and an acknowledgement is sent back to the ORAF module. The module is then shown passing the confirmation to the end user, thereby successfully completing one phase of the operation.

5.6 Mockup of ORAF framework

In this section, we present a potential User Interface (UI) and sample functionality for the proposed web based Open Risk Assessment Framework & Decision support tool. The framework mockup was created using a trial version of Balsamiq (http://www.balsamiq.com/) and Adobe Photoshop CS3 (http://www.adobe.com/).

In fig 5.6a, which represents the home screen of the web based framework, key controls have been labeled numerically for easier interpretation.


Fig 5.6a - ORAF dashboard

Label 1 is the profile manager, which stores personal information about the organization as described in Use Case Specification No.4. This is visible only to the parent Organization; no other participating entity can access this information.


Label 2 is the center for all RA related operations as described in Use Case Specification No.5. The option “View/Print reports” lets the logged-in User access their existing personal RA reports. “Manage assets” contains a list of assets that the Organization might have added to the RA form during one or more previous Risk assessments. This functionality lets users keep tabs on previously assessed assets and makes configuring a watch list a matter of choosing assets from a drop-down, as shown in fig 5.6g. “Access knowledge pool” provides an interactive interface to query the ORAF knowledge pool (public sphere) where anonymized public RA data is stored. The following decision support queries are supported:

a. Guided estimation on assigning a probability index in a risk matrix

b. Crowd-identified threats/vulnerabilities for a particular asset

c. Possible known mitigation controls for an asset

Our hypothesis, or rather a factual belief, is that:

1. The reliability or quality of decision making depends directly on the availability & accuracy of critical information, complemented by experience.

2. Risk rating must be a logical measure backed up with judgmental reasoning, not merely reliant upon numerical statistics.

Fig 5.6b Decision vs. information hypothesized graph (please note the graph is not accurately plotted)


The upward increasing curve has been used to visually express the idea that, when we are placed in a situation where we must make a decision, the quality of the decision we make depends greatly on the amount of relevant information we have at our disposal on the subject matter. This information could come from personal experience, or be made available through unabated information channels. The information has to be accurate, relevant and available at the right time and/or when the decision maker needs it (India 2010).

In the past, we had our fair share of concern when analyzing the Risk Rating Formula (RRF), where a single person or a small group of technical personnel assigns the decisive factors (either probability or impact). Calculating the cost of impact is a hugely debatable topic of its own which is out of scope of this project, but we realized that by increasing the accuracy of one of the two factors, the accuracy of the RRF can be improved.

Fig 5.6c Venn diagram


In figure 5.6c we represent the two factors of the commonly used Risk Rating index: Probability and Impact. The impact cost varies greatly with each Organization, and it is up to the IS assessor to understand and formulate the Organization's impact cost. Furthermore, even though we cannot directly influence the “probability of occurrence”, which is often left to chance, we can strive to perfect our accuracy in estimating it; this gives us far better insight into the RRF, which directly influences our risk prioritization controls. The objective is to ensure that we are not focusing on the lesser risks & overlooking greater ones.

The ORAF guided probability works by taking the average of the individually assigned probability estimates for an Asset across the various RA data, categorized by industry type.

This formula is applicable only to the set of records from a single category: for an asset ‘X’ (defined by metadata or searchable by keywords within the ORAF knowledge pool) owned by Organizations ‘O’ falling under Industry type ‘Y’ and having Vulnerability ‘V’ and Threats ‘T’.

An SQL database (X) used in Zydus Cadilla (O), which is a Pharma/hospital database (Y) vulnerable to SQL injection (V) from known Threats, will have a higher probability of facing an attack than an SQL database in the education industry. In this case, an IS assessor who has spent most of his career in the education industry will experience a “cognitive bias” and rate the risk probability on a lower scale for the Pharma industry. The lack of information has made him commit a grave error in assessing the risk index. This can potentially be addressed by the ORAF decision support queries.


Let us consider a sample scenario where the ORAF knowledge pool has assimilated 3 RA data sets from individual organizations, 2 from the finance sector and 1 from Pharma, each using more or less overlapping assets and similarly identified threats and vulnerabilities.

From the figure we can see that, since each RA was conducted by a different individual with a varying perception of the probability of occurrence or Likelihood, the same asset with the same vulnerability has been assigned varying likelihood values. Now, if a fourth organization from the Finance sector conducts a RA, identifies similar threats or vulnerabilities to the same asset ‘A’ and would like to verify its accuracy, it can do so by calling the ORAF guided probability index.


In which case, ORAF will compute (for asset A)

In which case, the recommended probability rating will be 0.3, and the assessor is advised to reiterate if the self-formulated index rating & the ORAF index differ by more than 2 points.

Observe that ORAF has ignored the RA data from the PHARMA industry in the computation even though all 3 reports had a similar Asset ‘A’ with the same threats & vulnerabilities; as mentioned earlier, this is because of the varying likelihood of events across industry sectors.
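As an added illustration (not part of the dissertation or the ORAF design), the following Python sketch models the guided probability index described above over a constructed knowledge pool: records are filtered to the querying organization's industry sector, asset, threat and vulnerability before averaging, so the Pharma record is excluded exactly as in the scenario, and the result is fed into the likelihood × impact RRF discussed earlier in this section. The record fields, the 0 to 1 likelihood scale, the sample values (chosen so that the Finance average comes out at 0.3) and the configurable deviation threshold are assumptions.

```python
"""Added example, not the dissertation's own code: a minimal model of the
ORAF "guided probability" index and the likelihood x impact risk index.

Assumed: each knowledge-pool record carries sector, asset, threat,
vulnerability and a 0..1 likelihood; the deviation threshold is a parameter
because the text speaks of "2 points" without fixing the scale.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


@dataclass(frozen=True)
class RARecord:
    """One anonymized risk-assessment row as it would sit in the knowledge pool."""
    sector: str           # industry type 'Y' of the contributing organization 'O'
    asset: str            # asset 'X'
    threat: str           # threat 'T'
    vulnerability: str    # vulnerability 'V'
    likelihood: float     # probability estimate assigned by that organization's assessor


def matching_records(pool: List[RARecord], sector: str, asset: str,
                     threat: str, vulnerability: str) -> List[RARecord]:
    """Select only records from the same industry sector with the same asset,
    threat and vulnerability. Records from other sectors are deliberately
    dropped, since likelihood is taken to vary by sector."""
    return [r for r in pool
            if r.sector == sector and r.asset == asset
            and r.threat == threat and r.vulnerability == vulnerability]


def guided_probability(pool: List[RARecord], sector: str, asset: str,
                       threat: str, vulnerability: str) -> Optional[float]:
    """Average of the comparable peer estimates, or None when the pool holds
    no comparable record (the assessor's own estimate then stands unchallenged)."""
    rows = matching_records(pool, sector, asset, threat, vulnerability)
    if not rows:
        return None
    return round(mean(r.likelihood for r in rows), 2)


def needs_reiteration(self_estimate: float, guided: Optional[float],
                      threshold: float) -> bool:
    """True when the assessor's estimate and the guided index differ by more
    than the pre-defined range, i.e. when the ORAF tooltip would kick in."""
    return guided is not None and abs(self_estimate - guided) > threshold


def risk_index(likelihood: float, impact: float) -> float:
    """The Risk Rating Formula as used in the text: likelihood multiplied by impact."""
    return round(likelihood * impact, 6)


# Constructed sample pool: two Finance reports and one Pharma report on the
# same asset 'A' with the same threat and vulnerability, as in the scenario.
POOL = [
    RARecord("Finance", "A", "External attacker", "SQL injection", 0.2),
    RARecord("Finance", "A", "External attacker", "SQL injection", 0.4),
    RARecord("Pharma",  "A", "External attacker", "SQL injection", 0.8),
]


if __name__ == "__main__":
    guided = guided_probability(POOL, "Finance", "A", "External attacker", "SQL injection")
    print("guided probability for Finance / asset A:", guided)          # 0.3
    # A fourth Finance organization rated the same likelihood 0.1 on its own.
    own = 0.1
    print("reiterate?", needs_reiteration(own, guided, threshold=0.1))  # True
    print("risk index with own estimate:", risk_index(own, 100))        # 10.0
    print("risk index with guided estimate:", risk_index(guided, 100))  # 30.0
```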

Shown below is a mockup of an excerpt from the ISO 27001 compliance Risk assessment template (the full document is attached in the appendix), illustrating how it could take place in the ORAF system.


Fig 5.6d – Asset registration window

This is the Risk assessment window, where the actual process of risk assessment takes place. A full RA template has been created and attached in the appendix. Seen here in fig 5.6e is the ORAF tooltip suggesting that guidance is available for formulating the priority risk index. This works only after a value has been assigned by the assessor based on his own estimate, and auto guidance kicks in only if the values differ by a considerable margin (a pre-defined range). As always, the guidance is also accessible manually at any point in time.

Fig 5.6e Risk Assessment page

Figure 5.6f shows ORAF’s “guided probability” formulation, where Users can query the ORAF knowledge pool for assistance on “probability of Occurrence” or “likelihood” chances. The figure shows an interactive “tag cloud”, a set of keywords or meta-tags relevant to the User's search query, which aims to simplify the query process.

Fig 5.6f – ORAF’s probability guidance system

Such real-time information availability enables an assessor to potentially overcome the “information gap” that plagues the effectiveness or validity of decisions, and also to estimate the efficiency or comprehensiveness of a formulated mitigation technique with respect to others.

Label 3 in fig 5.6a relates to use case 8. The Watch list manager interfaces with the live alert on the homepage dashboard marked by label 8. Any alerts configured via the watch-list window (figure 5.6g) will be constantly monitored by ORAF, and any reported incident is displayed near instantly along with possible mitigation controls, as shown in label 8 of fig 5.6a.


Fig 5.6g – Watch-list manager

Label 8 in figure 5.6a is the visual dashboard that receives filtered watch-list alerts. In our case, it shows a scenario where a previously configured watch-list asset, “Windows 7”, has been reported compromised due to a vulnerability and a suggested treatment plan has been sent by a participating organization. This alert will be received by all who have subscribed to or set up such a watch list; however, the reporting organization’s name is kept anonymous. This anonymity, although not recommended, can be lifted if the reporting organization wishes to disclose its identity. There is also a Vote Up/Down feature that sends aggregate feedback, positive or negative, to the reporter of the incident.

Label 9 is the report-incident panic button, which lets a compromised Organization report the incident to [problem + solution] filtered listening parties (please refer to section 4.3).


Fig 5.6h is a mockup of the reporting window.

Fig 5.6h – Incident reporting system

Towards the left are a list and a pie chart that show all incidents previously reported by the user and the feedback received from others. The right shows a template for reporting an incident.

Labels 5 & 6 in the figure relate to Use case specification number 11: trend data received from pre-defined trusted sources configured to send live feeds to ORAF. In our case we show the Google Trends API and the Recorded Future API, which give an insight into currently trending threat agents. Depicted here is the Google insight on trending “SQL injection” attacks, and Recorded Future’s temporal analysis engine is shown predicting an event (still in experimental phases) for Oct 2012 by structuring articles & events from the largely unstructured information floating in the web sphere. A single-page canvas view where the manager can have up-to-date information of his preference goes a long way in helping him make that decisive choice.

Label 7 is a live scrolling alert window showing the Top 10 risks for a particular industry sector, populated from the aggregate risk rating index of public RA data. This data is compared with the user’s native RA data, and color variations show whether the risk has been identified and addressed in one of the recently conducted Risk Assessments. In the mockup, ORAF has recognized that risks due to “insider actions” have not been identified or addressed in the most recent RA by the currently active user and has highlighted the field in red to alert the user. This lets an Organization know whether the top risks to its industry sector have been addressed comprehensively.

Label 4 is a read-only page where current laws & compliance regulation information are provided for reference. The aim here is to provide a consolidated reference repository of UK legal & legislative provisions pertaining to Cyber Security. This serves as a reminder to Organizations of the need to adhere to compliance requirements and avoid unexpected lawsuits.


Chapter 6

6.1 Case scenario validation

In this chapter we simulate a case scenario comparing the typical risk assessment approach with the ORAF suggested approach and validate them on the basis of:

a. Addressing the knowledge gap & cognitive bias in risk decision making

b. Timeliness of critical information availability

c. Mutual defense against risk

We will use a sample risk assessment report from (Security and Webcast 2004) for illustration purposes.

An independent Organization ‘X’ wishes to perform a risk assessment. This is going to be their first ISMS process and they settle upon the ISO 27001 process of RM. Lacking comprehensive knowledge of the same, they hire a third-party IS assessor, John, as part of their managerial team to steer the assessment process. Although John is not originally from Organization X’s industry sector, the assessor’s familiarity with RM was approved by the Organization’s managerial team. After minor hiccups & a few disagreements of opinion on both sides, the team finally lays out a blueprint for the RM process. John and the team begin with the traditional approach of laying down purpose, scope & document versioning with a list of involved personnel. Owing to budget & time constraints, the Organization wants John to formulate a risk model to prioritize & implement controls only for top-priority risks.

Based on his personal experience & skill set, John formulates a risk model as follows.


Fig 6.1a – Threat likelihood; source: (Security and Webcast 2004)

Fig 6.1b – Magnitude of impact; source: (Security and Webcast 2004)


Since Organization ‘X’ liked numbers, John formulated his risk index as follows and advised his team that risk priority can be assessed by the overall score ranges listed below.

Fig 6.1c – Risk matrix; source: (Security and Webcast 2004)

The risk assessment was completed and the sample report was summarized as follows.

Fig 6.1d – Report excerpt adapted from (Security and Webcast 2004) showing flawed risk rating


The populated controls seen in figure 6.1d show John & team’s cognitive bias that the likelihood of a Cross Site Scripting (CSS) attack occurring is low. John had no way of forecasting this unless he had prior knowledge of the industry. Even with an Impact scale of “High (100)”, which could typically bring ‘X’ to its knees, according to John’s risk scale matrix the risk index would still be about (0.1*100) = 10, classifying it in the low risk category merely because of a speculative “low (0.1)” rating for likelihood, itself due to the knowledge gap. Of course, if John had enough resources & time to validate his numbers, this gap could have been addressed; yet owing to the project deadline & budgetary constraints, the Organizational decision makers authorize resources for only medium to high risk controls, leaving out CSS. Unexpectedly, a CSS attack happens within the first few weeks, setting the Organization back by huge resource costs and trouble.

6.2 How ORAF could have helped

As mentioned earlier, Risk ratings are not always verified by logical constructs & are often overlooked (Eli 2010). Another major problem with ISMS is the inability to validate decisions or to distinguish between critical and non-critical assets (Theiia n.d.).

The main purpose of ORAF is to provide a standardized approach to RM and to aid decision making by providing structured & real-time critical information where required. Using ORAF alongside the ISMS process would have provided a structured approach to risk assessment and validation of controls against other “structurally similar” RA reports categorized by industry sector. When John had his doubts about the likelihood of CSS as a risk in X’s industry sector, he could have used the “guided probability” functionality, as described in section 5.4 under label 2, to validate his estimate against the knowledge of the crowds, thereby addressing the knowledge gap almost instantaneously. Increased accuracy in the Risk index would have meant tighter priority checks & logical scrutiny.

Updated anonymized risk assessments made available by various Organizations in real time over the knowledge pool could have been used to check whether all known threats to an asset were identified and addressed. In cases such as CSS, the knowledge of crowds could be used to “figure out the odds” in spite of cumulatively lower risk index ratings, ensuring the availability of critical information when needed.

Even if an IS incident were to happen, including one not identified beforehand, the combination of reporting & filtered Watch-list functionality could have been used to report the incident (problem & a solution) in real time and alert many others in the network, preventing further compromise of territory & subsequently minimizing the area of compromise. Such selfless reporting saves other members from facing the likelihood of such attacks, or at least prepares them to defend better against the onset of such an attack. All submitted RA reports are stripped and K-anonymized, and each field is referentially accessible by queries via ORAF. The HUD on the ORAF webpage constantly monitors new threats, which are color coded (label 7 in fig 5.6a) to ensure that a comprehensive risk assessment has been made for an asset at a given point in time. These elucidate our mutual defense strategy.


Chapter 7

In this chapter, we conclude our research with a reflective report on insight & learning.

7.1 Reflective Conclusion

The main aim of this Masters dissertation was to propose a framework for a standardized Risk assessment approach and decision support tool, to allow participating organizations to take part in a mutual defense initiative against lurking cyber threats, which was previously limited by concerns for privacy & trust. With the focus on addressing risks to Organizations, we encouraged sharing anonymized versions of partially obscured RA reports via ORAF to establish the comprehensiveness or validity of an assessment and also to aid Managerial decision making by providing guidance on the Probability or likelihood index, a free flow of mission-critical information to address the knowledge gap, and the ability to validate decisions based on logical constructs by referring to the multitude of knowledge of crowds. ORAF was also designed with the ability to report an incident with a solution where applicable & to receive alerts in near real time via subscribed watch-list monitors to all in the network, thereby controlling the spread of epidemic attacks.

The very foundation of motivation for this research was laid by Dr. Burnap of Cardiff University UK (http://burnap.org/) and was kindled by the UK Gov’s cyber security goals for 2015 (cabinet office 2011), coupled with a strong personal interest in Information security. Assimilated knowledge from academic & real world risk assessment practices and the complications involved, followed by unabated breaches of security in spite of such risk controls, provoked the need to dive deeper and understand where exactly we are going wrong. With each individual risk assessment within various organizations, are we re-inventing the wheel with the same inherent flaws of conducting an assessment for the same asset and each time missing out important controls? The industry acknowledges that there exists a knowledge gap when identifying emerging or unknown threats. Why not share Risk related data with similar industry sectors to challenge the comprehensiveness of an assessment & strengthen cyber space mutually?


Upon research we uncovered important issues relevant to the RM process:

a. Organizations are quite particular & concerned about their privacy when it comes to sharing RA documents, and often lack trust in, or hold a negative perception of, rivaling organizations.

b. ISO 27001 was a document of “What” and not a “How” to actually do the RA process.

c. There was also no way to identify a security incident until it had happened.

d. Managers, who authorized prioritized risk controls, had no trusted way of validating their decisions, and there existed knowledge gaps, often compounded by cognitive biases, that clouded better decisions.

In support of the above claims, Chapter 2 shows in detail the currently existing trends, processes and misconceptions with ISMS. Although risk assessments are an integral part of an RM process, we learnt that current RA approaches are far too varied and are not suitable for scenarios where one needs to conduct rapid assessments. Also analyzed is the widely practiced Risk index or Risk rating formula, whose computed points system formed the basis of prioritizing risks. Practically speaking, these did not seem to provide a solid basis for formulating risk priorities, and one needs to examine them logically and apply a certain degree of rational reasoning when prioritizing risks. As always, traditional ISMS processes were rigid & authoritative and often failed when such arguments or decisions needed to be validated. A lot of the commercially available RA tools restricted assessments to within Organizational boundaries. We used trial versions of vsRisk to see how it fared in terms of fluidity, but it too was rigid, with pre-populated identifiers & little room for a comparative assessment.

Also, we learnt that security risk controls are expensive to implement and the industry was facing difficulties in validating its security enhancements. We realized that there was a clear knowledge gap between the Technical assessors & the Managerial authority. Though risk assessments did identify vulnerabilities and threats to an asset and measures of control, we still lack a way to autonomously align these assessments in terms of business concepts.

Thus, taking into consideration the key concerns, we spent a considerable amount of time conducting interviews & background research, as summarized in chapter 3. A considerable number of the quality articles that were available seemed to argue the inherent flaws in traditional ISMS: Managers lacking an effective decision channel. Although there were a variety of research papers that argued in favor of cultivating the free flow of information and sharing security responses, it was surprising to see that not even a handful were implemented & many faced resistance. Lack of trust & privacy concerns often came out as the top two reasons, and we wanted to find a way to address this.

To complement a structured approach to RA, we developed an ORAF risk assessment guidance model with the aim of bringing in a collaborative defense strategy by sharing RA data with peers, and ensured that it aligned with the ISO 27001 PDCA cycle to avoid inconsistencies. Dividing Organizations into zones based on their industry sectors, we hypothesized that an event of a particular type is more likely to occur in certain zones than in others, which partially depends on the motive of the threat entity and also on the territory's resources. We also suggested that, ISMS being a continual process, there should be a facility to report & receive IS incidents as instantaneously as possible with the aim of minimizing threat propagation. In contrast to the ORAF filtered reporting services, the commercially available WARP service was critically examined, as shown in section 4.3.

To gain trust in the system and to address the privacy concerns of participating organizations, we suggested the use of the K-anonymity algorithm and anonymized a sample RA data set for demonstration purposes. We achieved a balance between loss of information and abstraction, as listed in section 4.4.2. The challenging part was deciding what part of the data to obscure and what to preserve. This is critical, since we did not want to give away sensitive information within the RA report, nor obscure so much information that it defeats the very purpose of our effort.

In the design specification section, we presented a technical blueprint for interested developers to code this system. A lot of work was put in to ensure business requirements were met & the desired level of generalization was achieved in the top-level Use cases, followed by activity & sequence diagrams. To give a visionary view of the ORAF framework, we used Balsamiq Mockups to envision the system graphically. We developed and demonstrated ORAF’s guided probability functionality based on our hypothesis that, by ensuring maximum accuracy of likelihood (one of the two factors of the Risk Index) and by validating it against the knowledge of the crowds, the overall accuracy could be improved considerably. We also formulated a formula to achieve this control & validated it with an example. The concluding chapter featured a scenario validation showing how ORAF could have addressed the commonly occurring issues experienced with traditional ISMS processes.

During the course of the research, we personally had the wonderful opportunity to interact with senior IS personnel and learn about the challenges they face in everyday risk assessments. The field of Information Security is indeed a challenging one; yet the thrill of diving deeper into uncovering newer controls & techniques to address shortcomings & promote a safer Cyber space is what kept us going.

7.2 Contributions

Through our research, we believe we have taken research around collaborative IS risk assessments & verifiable decision making one step closer to realizing the goal of a safer cyber space (cabinet office 2011). The proposed risk assessment guidance model in chapter 4, which we aligned around ISO 27001’s PDCA model, and the formula for probability estimation based on the knowledge of crowds as defined in chapter 5 demonstrated that IS risk assessments need not lack effective validation measures, and showed ORAF’s capability as a decision support tool. We also suggested that k-anonymity, which is widely practiced in the public release of medical records, be applied to Information Security RA reports, obscuring just enough information to enable the sharing of critical information with participating Organizations without privacy or trust concerns, thereby strengthening cyber security collectively. The idea of reporting an IS incident with possible countermeasures near-instantaneously to participating organizations via a filtered or subscriber list was suggested to potentially suppress widespread attacks. A standardized RA template in spreadsheet format has also been suggested, attached in the appendix.


7.3 Limitations & Future Work

This research, being a bold step towards collaborative cyber security defense attainable through sharing anonymized risk related data, is still in its nascent stages and has its limitations. The major limitation of our work is that the amount of time & resources available was extremely limited by the number of individual Organizations willing to contribute to our study and the security personnel who gave us their valuable time for an academic research project. Had we had access to actual real world RA reports from various organizations & the Managerial decision makers, we would have been able to classify the research work in a more detailed fashion. Being a technical architect, we were able to go only so far as to design a framework specification for the system with UML & mockups, but regrettably not to actually build it. There is a surprising amount of information available online, yet most of it is highly unstructured. We experimented with & suggested the commercially available Recorded Future prediction-based temporal engine API in our work, which intends to structure these data and provide in-depth trends; however, we would like to develop an open source trend engine native to ORAF in the future. If there were also a possibility to receive SMS based text notifications over mobile networks or through a mobile version of ORAF, the turnaround time of “report: reception” could be reduced further. The future of RA & ORAF could lie in developing a “specification language” that transcends and aligns technical & business lingo. As with any research, we would like to see this work critically reviewed, challenged and improvements suggested. Nonetheless, the time spent on researching was fruitful and taught us a lot about Organizational risk assessments & decision making. We hope this work sets a starting point to foster a standardized approach to the RM process & to the sharing of critical information across boundaries to enable a safer cyber space, & we wish this framework to be considered by developers and researchers for study in future work.


References

Burnap, P.R. 2009. Advanced Access Control in support of Distributed Collaborative Working and.

Cohen, D. 2012. What is a Zero-Day Exploit? - An introduction to zero-day software exploits and tips on avoiding them at home. [Online]. Available at: http://what-is-what.com/what_is/zero_day_exploit.html [Accessed: 2 August 2012].

Coldman, D. 2011. Organized cybercrime has already hacked you - Jul. 27, 2011 [Online]. Available at: http://money.cnn.com/2011/07/27/technology/organized_cybercrime/index.htm [Accessed: 17 July 2012].

Coles-Kemp, L. 2009. Information security management: An entangled research challenge. Information Security Technical Report 14(4), pp. 181–185. Available at: http://linkinghub.elsevier.com/retrieve/pii/S1363412710000063 [Accessed: 23 July 2012].

Dyadem 2012. Stature Risk Management : Upgrading to Stature Risk Management.

El Emam, K. and Dankar, F.K. 2008. Protecting privacy using k-anonymity. Journal of the American Medical Informatics Association : JAMIA 15(5), p.pp. 627–37. Available at: http://www.pubmedcentral.nih.gov/articlerender.fcgi?artid=2528029&tool=pmcentrez&rendertype=abstract [Accessed: 6 September 2012].

Eli 2010. Introduction to Risk Assessment [Online]. Available at: http://www.youtube.com/watch?v=EWdfovZIg2g&feature=fvwrel [Accessed: 3 August 2012].

Elsinger, H. et al. 2003. Risk Assessment for Banking Systems ∗ Risk Assessment for Banking Systems. . Available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=423985.

Gionis, A. 2007. Approximation algorithms for k-anonymity and privacy preservation in query logs.

Gov 2010. A Background to WARPs [Online]. Available at: http://www.warp.gov.uk/background.html [Accessed: 5 September 2012].

HHS 2002. HIPAA Privacy Rule. . Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html [Accessed: 29 August 2012].

Homeland Security, U. 2011. Blueprint for a Secure Cyber Future.

Page 86: Web Based Open Risk Assessment Framework for ISO 27001

79

IBM 2005. Sequence Diagrams [Online]. Available at: http://publib.boulder.ibm.com/infocenter/rsdvhelp/v6r0m1/index.jsp?topic=/com.ibm.xtools.modeler.doc/topics/cseqd_m.html [Accessed: 30 August 2012].

India, T. 2010. Information accuracy and decision-making capability | eresource ERP [Online]. Available at: http://www.eresourceerp.com/Information-accuracy.html [Accessed: 3 September 2012].

Lefevre, K. et al. 2005. Incognito : Efficient Full Domain K Anonymity. In: SIGMOD.

Mandrik, C.A. 2005. Exploring the Concept and Measurement of General Risk Aversion. 32, p.pp. 531–539.

Narayanan, A. and Shmatikov, V. 2010. Myths and fallacies of “personally identifiable information.” Communications of the ACM 53(6), p.p. 24. Available at: http://portal.acm.org/citation.cfm?doid=1743546.1743558 [Accessed: 30 July 2012].

OWASP 2006. Introduction_to_OWASP. . Available at: https://www.owasp.org/index.php/File:Introduction_to_OWASP.ppt.

Ozkan, S. and Karabacak, B. 2010. Collaborative risk method for information security management practices: A case context within Turkey. International Journal of Information Management 30(6), p.pp. 567–572. Available at: http://linkinghub.elsevier.com/retrieve/pii/S0268401210001222 [Accessed: 23 July 2012].

Peyton, E. 2010. Data Security: A 5-Step Risk Assessment Plan [Online]. Available at: http://www.smallbusinesscomputing.com/news/article.php/3896756/Data-Security-A-5Step-Risk-Assessment-Plan.htm [Accessed: 22 August 2012].

Pricewaterhousecoopers 2010. PwC UK - Research.

Qi, X. and Zong, M. 2012. An Overview of Privacy Preserving Data Mining. Procedia Environmental Sciences 12(Icese 2011), p.pp. 1341–1347. Available at: http://linkinghub.elsevier.com/retrieve/pii/S1878029612004331 [Accessed: 31 July 2012].

Rak, A. 2002. Information Sharing in the Cyber Age : a Key to Critical Infrastructure Protection.

Samarati, P. and Sweeney, L. Protecting Privacy when Disclosing Information : k -Anonymity and Its Enforcement through Generalization and Suppression 1 Introduction. , p.pp. 1–19.

Schneier, B. 2011. Bruce Schneier: The security mirage. In: TED. TED.

Page 87: Web Based Open Risk Assessment Framework for ISO 27001

80

SecureThinking, B. 2012. Are Security Risk Assessments Outdated? « Secure Thinking [Online]. Available at: http://www.btsecurethinking.com/2012/02/are-security-risk-assessments-outdated/ [Accessed: 17 July 2012].

Security, C. and Webcast 2004. Detailed risk assessment report.

Sims, S. 2012. Qualitative vs. Quantitative Risk Assessment [Online]. Available at: http://www.sans.edu/research/leadership-laboratory/article/risk-assessment [Accessed: 21 July 2012].

Siponen, M. and Willison, R. 2009. Information security management standards: Problems and solutions. Information & Management 46(5), p.pp. 267–270. Available at: http://linkinghub.elsevier.com/retrieve/pii/S0378720609000561 [Accessed: 16 July 2012].

Stanleigh, M. 2010. Risk Management...The What, Why, and How [Online]. Available at: http://www.bia.ca/articles/rm-risk-management.htm [Accessed: 25 July 2012].

Stewart, A. 2004. On risk: perception and direction. Computers & Security 23(5), p.pp. 362–370. Available at: http://linkinghub.elsevier.com/retrieve/pii/S0167404804001233 [Accessed: 23 July 2012].

Theiia Managing_and_Auditing_IT_Vulnerabilities. . Available at: www.theiia.org/download.cfm?file=96404.

Tregear, J. 2001. Risk Assessment.

Welke, D.W.S. and R.J. 1998. Coping with Systems Risk : Security Planning Models for Management Decision Making. 22(4), p.pp. 441–469.

Wright, C.S. 2012. IS interview with Craig.

recorded future 2012. Recorded Future: Solutions for Defense & Intelligence [Online]. Available at: https://www.recordedfuture.com/.

cabinet office, U. 2011. The UK Cyber Security Strategy Protecting and promoting the UK in a digital world. (November). Available at: http://www.cabinetoffice.gov.uk/resource-library/cyber-security-strategy/.

williams, R. and Blum, M. 2007. k-anonymity. , p.pp. 1–7.


Appendix

A1. ISO 27001 compliant Risk Assessment Template

A. Asset registration form

B. Risk assessment form

The above two forms have been developed for ORAF and are ISO 27001 compliant.