Web Based Open Risk Assessment Framework & Decision Support Tool
Madhan Raj Ramachandran
Supervised by Dr. Peter Richard Burnap
MSc Information Security & Privacy
School of Computer Science and Informatics, Cardiff University
September 2012
DECLARATION
This work has not previously been accepted in substance for any degree and is not concurrently submitted in candidature for any degree.
Signed ………………… (candidate) Date …………………
STATEMENT 1
This dissertation is being submitted in partial fulfilment of the requirements for the degree of MSc.
Signed ………………… (candidate) Date …………………
STATEMENT 2
This dissertation is the result of my own independent work/investigation, except where otherwise stated. Other sources are acknowledged by footnotes giving explicit references. A Bibliography is appended.
Signed ………………… (candidate) Date …………………
STATEMENT 3
I confirm that the electronic copy is identical to the bound copy of the dissertation.
Signed ………………… (candidate) Date …………………
STATEMENT 4
I hereby give consent for my dissertation, if accepted, to be available for photocopying and for inter-library loan, and for the title and summary to be made available to outside organisations.
Signed ………………… (candidate) Date …………………
STATEMENT 5 - BAR ON ACCESS APPROVED
I hereby give consent for my dissertation, if accepted, to be available for photocopying and for inter-library loans after expiry of a bar on access approved by the Graduate Development Committee.
Signed ………………… (candidate) Date …………………
Table of Contents
Chapter 1
1.1 - Introduction … 2
1.2 - Motivation … 3
1.3 - Aim of the Project … 4
1.4 - Project Idea Canvas … 5
1.5 - Arrangement of Report … 6
Chapter 2
2.1 - Defining the Problem … 8
2.2 - Current RM & ISMS practices – Nature, challenge & Misconceptions … 8
2.2.1 Current Practices … 8
2.2.2 Challenges & Flaws with Current ISMS … 14
2.2.3 Misconceptions … 16
Chapter 3
3.1 - Literature Review … 18
3.2 - Concept of Information Sharing … 19
3.3 - Key Concerns … 21
Chapter 4
4.1 - Approach & development methodology … 23
4.2 - The ORAF Risk Assessment Model … 24
4.3 - Comparing WARP to ORAF … 27
4.4 - RA data stripping & anonymization algorithm … 30
4.4.1 Stripping technique … 31
4.4.2 Anonymizing RA data by K-anonymity for trend realization … 32
4.4.2a Justification for using K-anon … 37
4.4.2b Limitation to k-anon … 37
4.4.2c Addressing the K-anon limitation … 38
4.5 - Summary … 38
Chapter 5
5.1 - Design Specification … 40
5.2 - ORAF business Requirements … 40
5.3 - Top level Use Case Design … 41
5.3.1 Use Case Specification … 45
5.4 - Activity Diagram … 50
5.5 - Sequence Diagram … 52
5.6 - Mockup of ORAF framework … 56
Chapter 6
6.1 - Case Scenario Validation … 68
6.2 - How ORAF could have helped … 71
Chapter 7
7.1 - Reflective Conclusion … 73
7.2 - Contributions … 76
7.3 - Limitation & Future Work … 77
References
Appendix A1 - ISO 27001 compliant Risk Assessment Template
Acknowledgements
Firstly, I would like to pay homage to my God, Lord Shiva to whom I owe my life and my Late
Grandfather, Advocate K.V.Rakkan, who is the source of my inspiration & persistence. I miss you.
To my Dad, Mr.K.Ramachandran, who was ever supportive throughout my life and ensured I was on the
right path. To my Mom, Mrs.R.Rani, who reminded me of my duty each day with love & care. To my little
brother, Vinod who cares for me like an elder brother.
I would like to thank my Supervisor Dr. Peter Burnap for his guidance throughout the period of this
dissertation. Thank you for bearing my endless amount of long emails and early morning Skype calls
even when you were off duty.
My heart content thanks to every single staff who handled lectures during my Masters, you guys rock!
The amount of time we spent discussing & learning was truly valuable. You made us feel at home,
especially Ms.Wendy – Thank you for those bakes & cakes!
Last but not the least, to dear Sneha Desai who kept me motivated & made me feel I’m the best. Thank
you is such a small word towards your love & care.
Dedicated to all friends & family.
To Cardiff, my second home.
List of Abbreviations used in the dissertation
API – Application Programming Interface
CSS - Cross Site Scripting
HIPAA - Health Insurance Portability and Accountability Act
HUD - Heads-Up Display
IEC - International European Council
IS – Information Security
ISMS – Information Security Management System
ORAF - Open Risk Assessment Framework
RA – Risk Assessment
RBN – Russian Business Network
RM – Risk Management
RWT – Real World Threats
SME – Subject Matter Expert
UML - Unified Modeling Language
WARP - Warning, Advice & Reporting Points
Glossary of terms
Assets – Could be a tangible physical property or data
Control – Mitigation measures used to address a risk
Cognitive bias - A pre-clouded judgment or preconceived inclination
System – A collection of complex processes
Lazy urge – The desire to merely copy a control measure without prior assessment or
validating it
Spearheading - A focused or targeted attack by threat sources
Territory – Spread of network, NOT the geographic territory
ABSTRACT
Although successful Risk Assessment (RA) methodologies have been developed over the years to model complex systems, conventional Risk Management (RM) techniques are outdated, increasingly daunting and complex, and steadily less able to mitigate emerging or unknown threats. Much of the RA conducted within an organization is based on an individual's perception of risk, and most controls are implemented with doubt and uncertainty, since prediction is inherently hard.

Typical RA reports are treated as classified and kept self-contained within organizations, which believe that sharing them could compromise their security leverage against "Real World Threats (RWT)" or competing organizations. A clear case of clouded uncertainty exists when assigning tolerance indicators and risk metrics, leading to poor decision making by managerial authority; we shall refer to this as "cognitive bias". An ill-informed RM strategy could cost the organization dearly. The problem is complex; the solution need not be.

This work aims to make Risk Management more approachable and standardized by proposing a framework, following the ISO 27001 methodology, in which anonymized RA reports (privacy preservation of public data achieved by K-anonymity) can be shared among organizations grouped by industry sector. This enables mutual and collaborative defense against cyber crime and facilitates informed decisions about "true security risks" without fear of specific privacy disclosure. It could help managerial authority make efficient decisions that can be validated, focus on improving security controls within the organization, and worry less about ballparking the likelihood of probable risks, their risk factors and flawed estimates.
Chapter 1
This chapter presents a brief introduction to the project, the motivation behind it, its aim and scope, and concludes with an outline of the report's arrangement. A project canvas is also included to illustrate the concepts of the framework.
1.1. Introduction
Day by day, businesses around the world are becoming increasingly dependent on technology and use the Internet to stay connected and to access electronic information and data resources across the globe over organizational networks. Almost every aspect of our daily lives depends on technology, and we look to it to communicate with peers across the globe, share ideas, and reduce barriers to trade. With our increasing dependence on cyberspace, there exist risks which could exploit vulnerabilities in our networks, compromising or damaging the key data and systems on which businesses thrive (Cabinet Office 2011), and which could pose a major threat to the survivability of an organization. These risks may arise intentionally or unintentionally and, in the worst case, unexpectedly.
A good Risk Management process involves assessing the risks arising from threats and vulnerabilities in line with one of the available Information Security Management Systems (ISMS), such as ISO 27001, and recommending controls (mitigation measures) and best practices. A proper risk management policy covering an organization has the potential not only to prepare it for an event but also to measure and control the magnitude of the event's impact (Stanleigh 2010). Over the years, various ISMS and Risk Assessment (RA) methodologies have been developed, e.g. ISO 27001, CRAMM, EBIOS and OCTAVE, to name a few, to model complex organizational systems and control possible risks.
Although these ISMS methodologies have done a good job of assessing and reporting risks and implementing safety controls, controversially, these Risk Management processes are simply outdated. As Kearney P puts it, "security is fundamentally about manipulating relevant categories of operational risk, with controls being applied or removed to decrease or increase the likelihood and impact of undesirable events. Unfortunately, both the assessment of risk and the prediction of the effects of controls are fraught with difficulties" (SecureThinking 2012). Most RA methodologies use a "rating system" in which an expert risk analyst assigns "impact" and "likelihood" ratings on a 0-3 or 0-7 point scale (vRisk ISO 27001). Common risks are easier to mitigate than unknown or emerging threats (Schneier 2011), and people are quite bad at estimating risk and making decisions. Although the RA methodologies themselves cannot be claimed to be flawed, current organizational practices are quite outdated and severely lacking in terms of effective risk control.
1.2. Motivation
A survey by PwC (PricewaterhouseCoopers 2010) shows that over 77% of respondents gave very high priority to information security, yet over 92% faced a security incident, with average annual financial and asset losses of £280k - £690k. The technical report also shows that 82% of the participating large organizations had "by the book" security risk assessments in place, as did 75% of small organizations. Yet the scale of the financial losses reported seems enormous in spite of such deliberate measures, which leads us to think that something is at fault here. Although the ISO 27001 ISMS itself cannot be criticized, the procedures it lists are largely of an objective type with preset solutions in place (vRisk ISO 27001). This is effective, to an extent, in mitigating known risks, yet it fails when faced with the challenge of unknown or newly emerging threats. "If it (a security incident) hasn't happened, we have no data and no rigorous basis for identifying all the events", says Slater D (2012).
The cyber criminals who constantly look for new vulnerabilities to exploit are known to work in teams or to collaborate over underground networks to exploit their targets. D33Ds (citation masked by request), a group of elite black hat hackers who recently (July 2012) published over 450,000 clear-text Yahoo! Voice (www.voice.yahoo.com) passwords, agreed to provide insights to this project. They state that "most hackers do sell or share their hacks and discovered vulnerabilities to other hackers in their network", and that the reason they are a step ahead is because "Most companies are compromised even before they get a chance to realize that they could be harboring some sort of threat or risk (0-day) within their systems". A zero-day occurs when a threat or attack exploits a previously unknown vulnerability, so that there are generally zero days of awareness, leaving little or no time for the developers to patch the flaw (Cohen 2012). One of the largest and best organized mafia counterparts of the online world is the Russian Business Network (RBN), which has a reputation for carrying out organized cybercrime on foreign soil (Coldman 2011). "They are a highly respected group of cyber criminals among hacktivists worldwide and they are incredibly persistent", according to Granado J. of Ernst & Young security. The RBN, the biggest and baddest of all, has branch operations in multiple parts of the world, much like a multinational corporation, and accepts outsourced hacking commissions from its clients.
The preceding facts lead us to conclude that cyber criminals do work collaboratively when the occasion calls for it, whereas organizations are quite secretive about their information security efforts, their risk assessments and the vulnerabilities they discover. Craig Wright S, Executive President of the Centre for Strategic Cyberspace Security Science (CSCSS) (http://www.cscss.org/), comments: "A damn good question (why RA reports are not shared) and one that should be addressed. Fear of disclosure for the most part, but the end is hiding the reality of what we are doing and helping the hackers many times." The UK Cyber Security Strategy (Cabinet Office 2011) intends to nurture a "safe haven", aiming to tackle cyber crime and make the UK one of the safest places to do business in cyberspace. For this vision to be realized, organizations must recognize the importance of treating information security as a collaborative effort, with every security incident being reported and documented, and controls shared with others who may face the same vulnerability.
1.3. Aim of the Project
Current RA approaches tend to be divided into statistical and heuristic (based on the experience or personal judgment of an SME). These work quite well for major organizations, yet cannot be termed fault-free, since people are inherently bad at estimating risks. Often High Frequency – Low Impact (HF-LI) events are assigned the same risk level as High Impact – Low or rare Frequency (HI-LF) events, which is clearly not the right way to deal with a risk, argues Kearney P (SecureThinking 2012).
The aim of this project is to design and potentially develop a framework for a trusted collaborative environment in which organizations can develop and record risk assessments based on ISO 27001 (the most popular RA methodology), share anonymized versions of their RA reports together with timely information on the most recent attacks or threats, collaboratively defend themselves against cyber threats, and obtain help in better decision making by adopting the "wisdom of the crowds" approach. As Niels Bohr said, "prediction is inherently difficult, especially if it is about the future", yet a collaborative approach in which numerous heads share and contribute opinions and expert advice with the sole aim of better defense could improve the efficiency of prediction and the capacity for informed decision making. This project bases its research on ISO 27001, among other standards, because it is widely advocated by practitioners globally and has consistently received positive recognition (Siponen and Willison 2009). Owing to the privacy concerns of organizations, the project proposes the use of the K-anonymity anonymization algorithm to mask identifying elements or quasi-identifiers in the RA reports, maintaining confidentiality while giving participating entities a fair level of transparency. The framework also extends to a decision support tool that tries to address the "knowledge gap" and "cognitive bias" that cloud most decision makers by employing the knowledge of the crowds.
1.4. Project Idea Canvas
A simple visual message map is shown below to highlight the key functionality of the proposed framework.
Fig.1.4 - ORAF Project canvas
1.5. Arrangement of the Report
This work is organized as follows. Chapter 1 gives a brief introduction to the research, the motivation, the aims and a visual canvas of the project. Chapter 2 defines the problem with case examples, elucidates the challenges and misconceptions of current ISMS and the inability to validate controls, and shows the difficulty of aligning technical assessment with business terms. In Chapter 3 we carry out a literature review and show how different researchers in the past, although few, have challenged the outdated RA process and suggested innovations; the chapter also shows the key concerns that have continually suppressed such efforts. In Chapter 4 we propose an RM usage model aligned with the ISO 27001 PDCA cycle and critically compare WARP with ORAF. We also propose anonymization techniques to overcome the key concerns and demonstrate relevant examples. Chapter 5 shows the UML design specification of the ORAF framework; we have also made a wireframe mockup of ORAF envisioning the web application and its decision support capabilities. Proposed alongside is the hypothesis on guided probability and validation of decision making through the knowledge of crowds. Chapter 6 shows a small example scenario where ORAF could potentially ease RA and validation. The last chapter concludes with a reflective report on the subject matter learned, with scope for future work.
Chapter 2
2.1 Defining the problem
In order to fully realize the purpose of this project, it is necessary to gain insight into current industry-standard IS practices, their effects and possible pitfalls. In this chapter we first outline some background on ISO 27001, discussing why traditional ISMS practices are not a failsafe road to security. We shall also observe the potential weaknesses of this "universally accepted" approach. This part of the chapter forms the basis for why there is a need for an alternative approach, i.e. a collaborative RM methodology.
It should be noted that the ISO/IEC 27001 ISMS has long stood as the most widely adopted RM process worldwide, and our motive was never to belittle it. However, as with any research, all processes and theories need to be challenged and reviewed with a motive to find simpler alternatives, and this was the driving force behind the following argument.
2.2 The current RM & ISMS practice – Nature, Challenges & Misconceptions
2.2.1 Current Practices
It has been recognized that a sound RA is mandatory for effective ISMS control within an organization. Ideal risk assessment (RA) and risk management (RM) practices have always involved identifying and assessing organizational assets, recognizing threats (internal and external) and probable vulnerabilities, prioritizing the risks based on an impact rating index, formulating strategic decisions on minimizing and controlling these risks, and following up with a continual monitoring process. Several RM methodologies have been developed to adhere to these established standards; within the scope of this research, the methodology described above maps closely onto the ISO/IEC 27001 ISMS, which applies the Plan-Do-Check-Act (PDCA) model to structure all of its processes.
Figure2.2 - PDCA model of ISO 27001 (Source: BSI ISO/IEC 27001:2005)
The figure above shows the PDCA process approach recommended by the ISO 27001 standard for an ISMS. Exhaustive content explaining all stages of the PDCA model in detail can be found in the ISO 27001:2005 documentation, "Information Technology – Security Techniques – Information Security Management – Requirements", from the BSI. The following is an abridged overview of the PDCA cycle:
a. Plan – Establish the ISMS – In this phase, the organization wishing to adopt an ISMS must first define a scope, followed by an ISMS policy relevant to the organization itself, taking into account all legal and regulatory obligations, as approved by management. It is in this phase that the assets of the organization, as defined by the ISMS scope boundary, are identified, followed by recognizing the probable threats, the vulnerabilities that might be exploited by those threats, and the relative impact ratings. The risks are treated by identifying "controls" or "measures" that can be used to counter the identified risks.
b. Do – Implement and operate the ISMS – This phase involves the actual implementation of the control measures once approved by management.
c. Check – Monitor and review the ISMS – Here ISO 27001 recommends that the organization assess the performance of the risk treatment controls in place against the predefined scope and policy, and that the reports be made available to interested parties within the organization, including management.
d. Act – Maintain and improve the ISMS – The final phase recommends continual monitoring of the ISMS in place, taking corrective or preventive measures based on a variety of rigorous audit sources.
These methods are intended to be followed in order to secure an IS certification. By adopting such authoritative ISMS guidance, organizations hope to demonstrate their compliance with security standards of business culture and practice, with the aim of obtaining certification or accreditation against international standards. Although this standardized approach to ISMS is a tipping point for organizations with ill-configured or disjointed security management and risk controls, in reality "The ISO 27001 is merely a framework and nothing more" (Wright 2012).
Although risk assessment methodologies are quite complex in nature, their actual roots lie in everyday routine, sometimes without our even being aware that we are assessing risk; the simple case of crossing a road is a well-known example in this context. However, unlike our daily routines, an organization is a complex "System", and a mere estimate of risk impacts will not suffice: it requires identifying almost every possible threat source, vulnerability and associated risk.
In practice, most risk assessments can be roughly categorized into two basic approaches (Sims 2012):
a. Qualitative assessment
b. Quantitative assessment
A qualitative approach is preferred when there is a lack of sufficient data (likelihood or costs, for instance). Risks are defined subjectively and categorized as low, medium or high (Tregear 2001), and the result is most likely to depend on the individual risk analyst's expertise and judgment relative to the organization. This is a good approach in that it avoids the challenge of calculating accurate figures for each risk element; however, business organizations, particularly those in finance or accounting, prefer numbers and statistics to qualitative analysis.
A quantitative approach, on the other hand, appeals to a wider audience and is the most frequently used method of risk analysis (Burnap 2009). It involves defining a scope stating the assets to be protected, their potential vulnerabilities and the likelihood of threat sources exploiting those vulnerabilities. Together with outage costs (an estimate of the loss suffered), these statistical elements are combined into a single figure (Tregear 2001) called the Annual Loss Expectancy (ALE), which is used to rank prioritized risks by their impact rating index.
Although numerous scientific risk formulae exist, perhaps the most widely used formula for risk quantification takes the product of two variables, the probability of occurrence (P) and the impact of the event (I), to produce the risk magnitude:
R = P x I
The risk magnitude R is usually taken on a 0 – 9 scale, with P and I each assumed to be on a 0 – 3 scale. For instance, let us apply the calculation to a case scenario to understand the RA practice.
Case 1 – A large organization conducts penetration testing via a trusted third-party consultancy and has identified that one of its databases is vulnerable to SQL injection, a well-known database vulnerability that allows unauthorized agents to gain read/write/modify access to the underlying system. On-line Transaction Processing (OLTP) services are highly likely (OWASP 2006) to be impacted by this vulnerability. The organization patched the security hole, and a new RA was carried out, listing the risk impact scale as follows.
For the SQL injection attack, P could be assigned a value of 3, and the impact rating could be anywhere from 0 – 3, since the potential losses depend greatly on the threat agent: present-day SQL injection attacks can be carried out via automated tools by a mere "script kiddie", a novice capable of wreaking havoc without realizing it. Based on the professional experience of the risk analyst, the organization assigns a value of 2 to the impact scale.
As per the formula R = P x I, we have R = 3 x 2 = 6, placing it high on a prioritized risk magnitude scale of 9, and mitigation controls are set in place.
Case 2 – A large organization is unaware of a potential new 0-day vulnerability that lurks in one of its backbone applications due to a code flaw. This is a highly rare risk, yet the impact could be extreme enough to bring the organization to its knees. No prior statistical data exists to support informed decisions. The expert assigns the probability P as 0.5 and the impact rating as 3, the highest magnitude. We urge the reader to recall the "cognitive bias" here.
In this case R = 0.5 x 3 = 1.5, which according to ALE gets pushed down the list on our prioritized risk scale of 0 – 9.
Now we might ask ourselves: is this intellectually the right way to categorize the risk? Does it make sense to push a high-impact risk down the scale just because the number had a lower value? What risks are we deliberately exposing ourselves to by taking such an action?
Although business units are rather fond of numbers and statistics over names (Sims 2012), using inconsistent values or estimates could prove unhealthy for the organization.
Let us take yet another formula widely used for calculating or prioritizing risks:
Risk Priority = Threat x Vulnerability
We know that most IS experts plug in numbers, say threat = 8 and vulnerability = 5, based on personal experience, which yields a priority rating of 50:
Risk Priority = 8 x 5 = 50
Formulating such calculations usually gives them an index where, let us say, all risk values exceeding the 50-point threshold are given immediate priority and the rest go down the scale. What if someone assigns a value of 0 to a perceived threat but recognizes the vulnerability to be 10? One could ask why a threat would be given a value of 0; this is simply because we might not have prior information that such a threat could even exist for that asset. As we know from basic math, any number multiplied by zero is 0! Again we have an error, where a risk that could potentially bring an organization to its knees would still get pushed down the priority list just because of this number theory.
Let’s take a geographic location ‘X’ where our Datacenter could be placed, we know for sure
that this territory has never experienced an earthquake for the last 100 years and based on that
experience we assign Zero threat from natural disaster to our asset yet taking into
consideration of the budget cost, we overlook the option of installing earthquake
countermeasures. This leaves the datacenter vulnerable to a threat that does not exist at this
point of time and should test of time shift tectonic plates & cause earthquake, our number
theory has failed.
Risk assessment needs to be a Logical model that involves rather than merely taking decisions
on a formula based system. (Eli 2010)
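To make the objection concrete, here is an added worked example in Python (not code from the thesis) that scores a constructed set of four risks with the R = P x I product, re-ranks the same set with an impact-first ordering in which likelihood only breaks ties, lists the score collisions the product cannot resolve, and shows the Threat x Vulnerability formula with and without a floor on a zero threat score. The four risk items, their values and the floor are assumptions for illustration only.

```python
"""Added example: why a bare product score mis-ranks rare, high-impact risks.

The four risk items below are constructed for illustration; the scales follow
the text (likelihood and impact both on 0..3).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # assessor's estimate of P, 0..3
    impact: int        # assessor's estimate of I, 0..3


# Constructed sample set: Case 1 and Case 2 from the text plus an HF-LI and an
# LF-HI item whose products happen to coincide.
SAMPLE_RISKS = [
    Risk("SQL injection", likelihood=3.0, impact=2),            # Case 1
    Risk("Zero-day in backbone app", likelihood=0.5, impact=3),  # Case 2
    Risk("Phishing of staff", likelihood=3.0, impact=1),         # HF-LI
    Risk("Insider fraud", likelihood=1.0, impact=3),             # LF-HI
]


def product_score(risk: Risk) -> float:
    """The R = P x I formula the text criticises."""
    return risk.likelihood * risk.impact


def rank_by_product(risks):
    """Names in descending R = P x I order (sorted() is stable for equal scores)."""
    return [r.name for r in sorted(risks, key=product_score, reverse=True)]


def rank_impact_first(risks):
    """Lexicographic ordering: impact decides, likelihood only breaks ties.

    A rare but catastrophic item can never be pushed below a frequent nuisance,
    which is exactly the failure mode of the product score for Case 2.
    """
    return [r.name for r in sorted(risks, key=lambda r: (r.impact, r.likelihood), reverse=True)]


def product_collisions(risks):
    """Groups of risks that the product score cannot tell apart (HF-LI vs LF-HI)."""
    buckets = {}
    for r in risks:
        buckets.setdefault(product_score(r), []).append(r.name)
    return {score: names for score, names in buckets.items() if len(names) > 1}


def threat_vuln_priority(threat: int, vulnerability: int, floor: int = 1) -> int:
    """Threat x Vulnerability with an (assumed) floor on the threat score.

    With floor=0 this is the bare formula: an unknown threat scored as 0 zeroes
    out even a maximally vulnerable asset (the earthquake case). With floor=1 an
    unknown threat is scored as the smallest non-zero value instead, so the
    vulnerability still drives the priority.
    """
    return max(threat, floor) * vulnerability


if __name__ == "__main__":
    print("product ranking   :", rank_by_product(SAMPLE_RISKS))
    print("impact-first      :", rank_impact_first(SAMPLE_RISKS))
    print("product collisions:", product_collisions(SAMPLE_RISKS))
    print("0 x 10, bare      :", threat_vuln_priority(0, 10, floor=0))
    print("0 x 10, floored   :", threat_vuln_priority(0, 10))
```

Under the product score the zero-day lands last and the phishing/insider pair tie; under the impact-first ordering both extreme-impact items rise to the top. The floor is one simple mitigation for the zero-threat case and is an assumption of this example, not a method the thesis prescribes.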
2.2.2 Challenges & Flaws with current ISMS practices:
We need to realize that risk management is simply the practice of systematically deriving best practices and cost-effective approaches to minimize threats to an Organization's assets. The current ISMS in place have a number of shortcomings that need to be addressed.
First, ISO 27001 has been designed as a generalized standard and is not tailored to suit specific Organizations. This is a serious flaw where Organizations implement an ISMS for the very first time without proper guidance: they could easily end up with an overall flawed ISMS, since an Organization is a complex system and no two Organizations are the same even when they come from the same industry background. Secondly, the ISMS guidelines have not been validated but have been fostered by common industry practice, which can be an unsound basis for an International Standard (Siponen and Willison 2009).
The controls stated in ISO/IEC 27001 are too authoritative and curb the openness or flexibility needed to identify new or as yet unknown threats. When using the quantitative approach to risk assessment, calculating the probability of occurrence and the related outage costs is quite difficult, since there is a severe lack of consistent data. Jonathan Tregear, senior consultant at Insight Consulting (Tregear 2001), says in his Information Security Technical Report that "calculating costs involved due to loss is a time consuming activity & often delays development plan by months until the Management has finalized on the same, and yet, finalized cost figures are often a variable and subject to constant change with changing business environment".
Mathematically, a probability always lies between 0 and 1, and calculating the probability of occurrence for a given threat source is very difficult, as it is often a subjective conclusion and open to disagreement and debate.
There is very little reliable past data from which such predictions can be made, simply because most Organizations stay quite secretive about their RM process owing to privacy and reputation concerns. It is extremely difficult to create a mathematical model that would predict an attacker's actions without sufficient past data (Stewart 2004). There is confusion between prediction based on probability (measurable risk) and pure uncertainty, a point where we do not know
the probability, or at least lack credible sources to ballpark it. Refer to the case examples in the previous section, where Case 1 and Case 2 had RA performed and controls placed according to a risk index scale. Such naive reliance on ALE as the definition of risk leads to high-impact events being listed low on the prioritized mitigation scale, or assigns the same level of priority to high-frequency/low-impact (HF-LI) and low-frequency/high-impact (LF-HI) events, which again is a faulty decision driven by cognitive bias. That being said, for low or rare frequency events, how do we ensure that we are not living with a false sense of security? "The feeling of security and the reality of security don't always match" – the security mirage (Schneier 2011). If an event has never happened, we have no rigorous data and no basis for identifying and addressing the threat (Slater 2012).
Though ISO 27001 is a rigid and authoritative ISMS with strict standards for certification, it surprisingly seems to have been over-simplified to the point where the assessment reads like a multiple-choice or checklist questionnaire for raising awareness. Although this is forgiving in most quantifiable cases, it sacrifices the more rigorous analysis that new risk disciplines demand (Slater 2012).
Unarguably, there are quite a number of sophisticated RA tools, such as 'VsRisk' from Vigilant Software (http://www.vigilantsoftware.co.uk/), which is ISO 27001 compliant and boasts of being an easy-to-use RA tool with comprehensive sections for quickly conducting risk exercises and a host of other features; yet such a tool still does not replace the knowledge and skill of a risk analyst (Tregear 2001). The situation worsens if there is a knowledge risk, where the risk assessment expert lacks exposure to or knowledge of the uncertain risk. There is a lack of observation of the world: the fundamental difficulty in RA is how to determine the rate of occurrence of an event that has never surfaced before. Conversely, there are events that are practically certain to occur which could still be ignored through lack of knowledge.
A traditionally plaguing inconvenience is what we shall refer to as the "Technologist vs. Business Personnel" warfare, where there is inconsistency and difficulty in expressing a complex IS technical assessment in terms of business orientation. This is extremely important since ultimately it is the manager's job to comprehend the data and approve mitigation controls.
Fig 2.2 - RA report requirement
We need a way to align the technical assessment with business concepts, since "risk" usually translates to loss of business. The impact may be direct or indirect. For instance, in the medical industry, compromise of sensitive patient information does NOT bring direct loss of business to the Organization; yet since confidential customer information has been breached, violating the HIPAA privacy rule, the Organization is liable to be sued for a substantial amount of money, which will impact normal business. A way to address such complications between technical issues and legal issues needs to be identified.
2.2.3 Misconceptions
First, Organizations need to realize that being ISO 27001 certified does NOT necessarily mean they are secure! There is always something vulnerable or at fault, especially if the "system" has a human element involved. Any disagreement on this point can be settled by looking at the bigger picture: although over 82% of large Organizations (>250 staff) had carried out regular risk assessments, over 62% of them had faced a serious security incident
(PricewaterhouseCoopers 2010). ISO 27001 is a management standard and not necessarily a security standard, as Price D. points out (Security & Investigations, UK. 2011).
Current ISO 27001 practices are seemingly outdated (SecureThinking 2012), rigid and not sustainable, nor can they be validated for each individual Organization. The risk controls are often clouded with fear, uncertainty and doubt (Stewart 2004).
On risk perception and direction, Stewart A. (Stewart 2004) agrees that in reality it is difficult, perhaps impossible, to calculate a "real risk" for an asset, as the true weight of a risk is a combination of multiple factors, many of which are subjective. In the end, we security professionals are all just guessing at risks.
A closer look at existing ISMS practices reveals that security incidents and events occur at immense speed in cyberspace, and current control measures can barely keep up. The current ways of managing risks are unable to cope with the changing, dynamic and complex environment, pressing us to invent alternative programs for handling it (Cabinet Office 2011).
Chapter 3
3.1 Literature review
In this chapter we analyze previously existing work relevant to our project. Seminal and recent works relevant to collaborative RA strategies have been critically reviewed and discussed. We also try to show a collaborative approach to RA that addresses the issues with current ISMS practices discussed in the previous chapter.
At the time of writing, very little research directly relevant to our project surfaced. Rather than start abruptly with a list of relevant works, we believe it makes more sense to acknowledge the role these papers played in the evolution of IS, as an innovative effort to address the current ISMS plague.
So far we have discussed that the biggest challenge to effective risk management has been potentially flawed decisions clouded with fear, uncertainty and doubt, where there is considerable hindrance in deriving risk factors due to a lack of consistent or reliable data. In (Coles-Kemp 2009), the author says that Information Security Management has increasingly become a research challenge. The author points out that there is a far greater chance of disaster if an ISMS is designed around a faulty or wrong type of security management decision, which could effectively impair the perception of validity that a security management structure exhibits within the organization. Although the (Coles-Kemp 2009) Information Security Technical Report does not directly propose an alternative methodology to address the pitfalls of current ISMS systems, it lucidly elucidates the challenges in Information Security management and shows that, despite being a major field that demands attention, there has been comparatively little progress or development, a view supported by the works of researchers such as (Siponen and Willison 2009) and (Dhillon 1997).
3.2 The concept of Information Sharing
(Homeland Security 2011) recognizes that there is a need for a transparent security process, and that adherence to the "Need to share" and "Responsibility to provide" collaboration principles would foster an efficient cyber security process. They show that effective mitigation of cyber risks depends greatly on broad awareness of risks and costs to enable informed decision making. This statement supports our argument that a collaborative approach to risk assessment potentially increases awareness and mitigates uncertainty and doubt in the decision making phases. The (Homeland Security 2011) report gives an exhaustive set of proposals that focus on the free flow of information across Organizations and distributed security innovation for a safer cyberspace, which coincides with our project's motive.
The systems risk paper (Welke 1998) shows how IS decision-making managers have been naive and have ignored the issues and challenges posed by the growing threat. From their study, (Welke 1998) identified that
a. Managers are aware of only a fraction of the full spectrum of actions that need to be taken to reduce systems risk.
b. Managers exposed to theory-grounded security planning techniques will be inclined to employ these in their planning process.
Their work elucidates how a lack of IS statistical data affects effective controls, and suggests a theory-based security program to address these issues as follows:
a. Using a security risk planning model (derived from Simon 1960)
b. Training & awareness program
c. Countermeasure Matrix analysis
In our view, the security risk planning model is quite straightforward and similar to the PDCA model of current ISMS guidelines. Although the training & awareness program is a 'good enough' strategy to impart knowledge to managers, it still does not compensate for the plaguing knowledge gap in reliable information or data sources. On the other hand, (Welke
1998) suggests the use of Countermeasure Matrix Analysis (CMA) as a means of evaluating the overall effectiveness of the security controls in place. This is an interesting measure for maintaining the integrity of Welke's security countermeasures: deterrence, prevention, detection and remedy. For example, within an Organization, when users need to be granted privileged access, the control employs multi-factor authentication using PINs. The cells of the CMA enable managers to compare the effect of the proposed control against each of the countermeasure factors. The use of PINs is argued to control access and meet the goal of deterrence, since they allow IS officers to trace back the perpetrator; however, in our view this has limited scope when it comes to addressing ISMS issues, simply because all of these measures can be bypassed.
The authors (Elsinger et al. 2003) take a novel approach to risk assessment. Rather than looking at banks individually, they argue that there is a correlation between banks' asset portfolios and that it is more efficient to analyze risk at the level of the banking system as a whole. Although their original study was NOT on Information Security risks but on credit market risk analysis, their strategy of combining overall banking data to estimate risk for individual banks draws attention to the fact that our proposal follows a similar approach of using the wisdom of the crowd to predict threats to assets.
In their work on risk aversion, (Mandrik 2005) explore the concept and measurement of risk in general as opposed to domain-specific constructs. They find that there are problems with current measurement approaches, and that decisions suffer from what they call the "choice dilemma", where deficiencies exist in the choices made towards risk since each individual has his own perception of risk. The authors (Mandrik 2005) emphasize "risky shift", where people in groups tend to take risk decisions differently from when alone and are likely to make riskier decisions. Although a good read on decisions and risk, their paper lacks sufficient data to be validated against the Information Security domain.
The work of (Ozkan and Karabacak 2010) states that ISO 27001 does not recommend any specific risk analysis method but merely guides the mandatory process required for a systematic approach. They show the initial challenges an Organization faces when defining the
scope of its ISMS. Their argument closely follows our argument against current ISMS practices: without credible data, decision making could be flawed or inconsistent, and if the risk analysis is not performed properly, the selection of countermeasures could also fail. They propose a solution of collaborative risk assessment within the organization (between departments), i.e. ensuring that all employees are brought in as part of the RA process. Since ISO 27001 originally had no specific guidelines on the actual RA method, (Ozkan and Karabacak 2010) suggest a systemic approach that replaces the bare PDCA process with scope definition and modeling of the process, enabling PDCA to apply itself across processes.
A similar idea for a collaborative RM approach came from (Dyadem 2012), a recent innovation that proposes centralizing and sharing risk assessment data across different departments within an Organization, categorized in databases. This is similar to, yet very different from, our work, which proposes sharing anonymized RA data and security elements with mutually participating Organizations. The report's motive nevertheless overlaps with our project ORAF, as they justify their product as the 'next level of RA processes' in the belief that sharing information allows better insight into events and empowers individuals with knowledge and corporate best practices.
3.3 Key Concerns
Although preliminary research during the initial stages revealed that corporate sectors are quite paranoid and conservative about sharing RA-related data, the serious lack of relevant work paved the way for some deeper research into why collaborative measures had never been proposed before. In (Rak 2002) several challenges and deterring factors to information sharing are discussed. Rak (Rak 2002) acknowledges that the unabated maturing of, and our dependency on, the Internet has given rise to a growing complexity of threats. He argues that the more information is available about vulnerabilities, threat sources and best practices, the sooner these threats can be addressed and risk control measures deployed. He further presses that information sharing between industry and government can significantly increase the flow of intelligence, thereby promoting a broader picture of the "cyber landscape" and the ability to recognize potential threats at a much faster pace.
According to the report, it is clear that the government and individual Organizations understand the importance of sharing risk information, yet there are three key concerns that hinder the success of such an initiative. They are:
a. Lack of trust
b. Concerns over protection of shared data owing to privacy
c. Failure by the Government to reciprocate in sharing (Rak 2002)
Therefore a new approach to risk assessment and management is required that aims to address these issues and concerns, ensuring that ORAF remains a two-way information share, i.e. data must be contributed in order to be extracted.
Chapter 4
It is clear from Chapter 2 that there is a gap in the way we perceive Risk Management, inclusive of the complexities involved in formulating actual security controls to reasonably address such risks. Chapter 3 showed that although a few research works hint at how a structured approach to overall RM can improve the ISMS process, the industry has not embraced the innovation owing to the key concerns and prejudices that exist among rival Organizations and between Organizations and Governments.
The purpose of this chapter is to discuss how we aim to address the issues plaguing the RM process and to suggest a structured RM framework that fosters collaborative defense. Here we outline the scope of the project (what it is and what it is not), the choice of algorithm used and the justification for it, any limitations and assumptions made, and the special constraints or requirements needed for the proposed solution to work.
4.1 Approach & Development Methodology
Although this project was not intended to be passive data sourcing in nature, involving surveys, a fair share of background research on Organizational needs was carried out, including interviews with Information Security personnel from various concerns. We share the understanding of the UK Cabinet Office (Cabinet Office 2011) that although ways to manage risks exist currently, they are not sufficient to cope with the dynamic and complex environment of Organizations. We envision a secure cyberspace where mission-critical security information can flow freely among participating entities with the sole purpose of mitigating cyber threats and risk impact, and at the very least fostering proactive defenses that inhibit the wide and rapid propagation of such attacks.
4.2 The ORAF Risk Assessment guidance Model
In emphasizing the sharing of RA-related data and strategy information, we understand that it is sometimes quite easy for Organizational IS decision makers to give in to the "lazy urge" syndrome, merely copying what others have implemented. There is no such thing, nor will there ever be, as a "one size fits all" risk control applicable to all Organizations, since each organization (even within the same industry) is bound to be unique, although certain parts of an RA do overlap. This strictly requires that a comprehensive RA be carried out individually; it is then recommended that it be compared against data from the ORAF knowledge pool, to ensure a comprehensive analysis and iteration, rather than copying another Organization's RA data into one's own domain. We must realize that "Security is always relative and never absolute. It is only measured against another scenario, not as a measure of perfection" (Wright 2012). The risk assessment model pictured below shows the typical usage model of the "Web based ORAF decision tool" for a standardized RM approach.
Fig 4.2 - ORAF risk assessment guidance model
Organizations following ISO 27001 may use ORAF to prepare, assess, recognize threats, formulate an efficient risk index, communicate and iterate, and continually monitor the ISMS in place. Fig 4.2 is the ORAF usage model, a suggested process relating the ISO 27001 PDCA cycle to the ORAF process.
The usage model can be explained as follows:
1. Step 1 is the "Plan" phase, where preliminary preparations are done. This phase needs to be done extremely well if the rest of the process is to go smoothly. Assemble a team of Organizational decision makers with the goal of including and representing all of your Organization's departments (Peyton 2010). Here you prepare a plan for what needs to be done, define an assessment boundary (the scope), and need to be aware of all compliance regulations and adherence to Organizational policies. ORAF will have a consolidated set of legal information resources under the "help" section of the web page.
2. Steps 2 to 7 are the "Do" phase, where the actual risk assessment process begins. All of the identified Organizational assets are recorded into ORAF and the risk assessment is started. We identify threats and the vulnerabilities likely to be exploited, formulate the chance and impact of such risks, and identify control objectives for the treatment of risks. ORAF provides guided assistance on formulating "chance" or "probability of occurrence" using the knowledge of the crowd.
3. Steps 8 and 9 contribute to the "Check" phase of the PDCA cycle, where the Organization uses its RA report to implement and check the control strategies in place. ORAF can be used to verify the comprehensiveness of the risk mitigation strategies identified for a particular asset, with the sole aim of achieving fuller measures. In this phase the Organization also gives back to the community by providing its RA data to ORAF. Such contribution of data strengthens and fosters better decision making capability by pooling quantitative and qualitative risk data.
4. Steps 10 and 11 relate to the "Act" phase, wherein RM is a continual process and Organizations need to monitor and improve the ISMS controls iteratively. To ease the monitoring process, ORAF allows real-time "watch lists" that can be configured to monitor and receive real-time filtered alerts on assets of special interest. The procedure for setting up an alert and receiving alerts through the ORAF dashboard is represented visually in figures 5.6g and 5.6h.
4.3 Comparing WARP to ORAF
By way of contrast, Warning, Advice and Reporting Points (WARP) is a UK-based commercial information sharing strategy developed as part of CPNI (http://www.cpni.gov.uk) to provide cost-effective methods of defending against cyber attacks (Gov 2010), providing personalized alerts via SMS, email, telephone or in-person group meetings. Here we compare and contrast WARP with our ORAF in order to explain how the ORAF watch list function is a better alternative.
In figure 4.3a, we have tried to visually represent the IS "Problem & Solution" information flow as adopted by the WARP strategy.
Fig 4.3a – The WARP method
A, B and C are small communities (20-100 members) served by a WARP operator, who need not necessarily be an IS expert. Periodically the facilitator sends out information on IS incidents, both problems and solutions. The alerts are "filtered warnings", so that members receive only relevant information, i.e. a Linux user will not receive Windows vulnerability information. Should any member of the community face an incident, he reports it to the WARP operator through a meeting or a bulletin board, and that information is then reported to every subscriber through alerts. In our opinion this involves higher overhead and delay, since reporting needs to go through a mediator and sharing relies on bulletin boards or other passive communication, and is never near-instant. Let us now have a look at the ORAF watch-list system.
Fig 4.3b – The ORAF collaboration method
In our system, A, B, C, D and E are sample participating Organizations and the ORAF web tool is the autonomous facilitator. Assume that each individual entity has already set up watch-list alerts: say C, D and E have alerts set up for asset 'X', and entity B has set up an alert for asset 'Z' (among many others) but NOT for 'X'. When any participating Organization faces a security incident or compromise, entity A in this example, it reports the incident using the ORAF "Reporting tool" (refer to label No. 9 in figure 5.6a), and all members of the network except B are notified near-instantaneously with the problem and solution (P+S), while the reporting Organization's identity is kept anonymous if desired. This way of reporting and sharing information is much faster since no third-party facilitator is involved; it is better streamlined since only the subscribing organizations receive the alert; and reception of the alert is near-instant since there is no need to wait for and organize a periodic meeting. Disseminating critical information at near-instant rates potentially enables participating entities to handle even 0-day threats much more efficiently.
Now we shall explain the underlying algorithm that ORAF will use to achieve anonymization.
4.4 RA data Stripping & Anonymization algorithm
ORAF encourages collaborative sharing of sensitive RA data pertaining to individual Organizations; hence, owing to the privacy concerns of such participating entities, we recommend using stripping and anonymization techniques within ORAF so that all quasi-identifying attributes that would give away an Organization's sensitive details are taken out before submission to the public sphere of the ORAF knowledge pool. This is done to prevent ill-intentioned defamers or malicious threat agents from compromising, or spearheading attacks on, any individual member of the ORAF system. By providing anonymity and keeping the confidential or sensitive information of participating entities contained, we hope to increase the trust placed in the system and address the key concerns that put Organizations off participating in such risk information sharing initiatives.
Risk assessment data are recognized as personal and confidential data, since they contain a host of information about the Organization in terms of its key personnel, assets, and mitigation strategies for specific threats and risks. Giving away the document as a whole would defeat the very purpose of this effort, since it would mean providing comprehensive reconnaissance information about a particular Organization to the public, which could prove disastrous in the wrong hands. Therefore all public data shared via ORAF needs to be stripped of any identifying attributes pointing to an individual Organization, and anonymized, before being submitted to the knowledge pool.
The following table (Qi and Zong 2012) shows some of the widely practiced methods of data anonymization.
Research direction                            | Demonstration
General privacy preservation technology       | Perturbation, Randomization, Swapping, Encryption
Data mining privacy preservation technology   | Association Rule Mining, Classification, Clustering
Privacy-protecting data publishing principles | k-anonymity, l-diversity, m-invariance, t-closeness
Table 4.4 - Privacy protection research direction
At the moment, ORAF is proposed to adopt stripping (discarding certain parts of the identifying data) and k-anonymity as the anonymization algorithm of choice; a short study of each follows.
4.4.1 Stripping technique
This is a simple technique in which data fields that are not needed, or not deemed mandatory, in a public risk assessment record are "stripped" away before being submitted to the public sphere.
Let us consider a typical Risk assessment sheet from ORAF; it would have the following sections:
- Version Control details - Contains identifiers to keep track of the document; might be populated with Team details, owner, version ID, process ID etc.
- Asset Registration details - Contains information on the actual asset name, type, asset owner, extra comments etc.
- Risk Assessment - The actual risk assessment section where known threats, vulnerabilities, risk index & controls are assessed.
Here, the parent Organization will want all of the structured data when obtaining a printable version for itself, but once it has authorized the RA data to be submitted to the knowledge pool or the public sphere, we simply have no reason to give away the "version control details" or the "impact rating" from the risk assessment section. The former could give away a lot of background information about the Organization itself, whereas the latter would influence a decision negatively, since the "impact rating" depends greatly on the assessing Organization. For instance, failure of a particular service, say 'instant messaging', would impact a customer support business far more than a front end sales business. Note also that the version control details to be stripped here are NOT the asset version details but the risk assessment document's version control details. We discard or strip these parts of the data before it is processed by K-anon and stored. However, stripping alone does not cater to our requirements: applying stripping to every field where we need obscurity would result in complete loss of information.
4.4.2 Anonymizing RA data by K-anonymity for trend realization
In the earlier section we saw how data can be manipulated to discard sensitive information. In this section we manipulate data so that it can be published qualitatively, representing values as a range or interval to aid the decision making & risk assessment process, without the ability to distinguish any single individual uniquely from the record set. For instance, suppose an excerpt from RA data is published as "Organization with employee size 50-100 using Asset X recommends controls Y for risk R". Other entities can infer that the featured Organization has probably implemented the said controls. This is unacceptable even when the other entity means no harm and has no ill intent; to make matters worse, should this be accessible to threat agents themselves, we would be handing them enough information to spearhead an attack, which defeats the very purpose of our defense strategy. Recall from section 3.3 of Chapter 3 that Organizations expressed concern & feared exactly such compromise of their classified information through sharing RA reports that detail which assets they own & the defense strategy each has adopted. In such cases, where sensitive data needs to be published discreetly, K-anon ensures that "good enough" privacy is achieved without discarding so much information that the data becomes unusable.
K-anonymity has been a successful paradigm for privacy preservation in the data mining & algorithms community (Nergiz & Clifton 2006). The main idea is to ensure that in a released data set, each data record is indistinguishable from at least (k-1) other records. It works by either Suppressing uniquely identifying attributes (dropping some tuples from the relation to satisfy K-anon (Lefevre et al. 2005)) or Generalizing them until each row is identical, on those attributes, with at least (k-1) other rows, thus making the database k-anonymous.
A database will contain "Quasi identifiers", a set of attributes in a public database which can be linked with external information to identify the entity in the records. Every anonymized dataset must satisfy the K-anon property: if 'D' is a database and 'QD' its set of quasi identifier attributes, then 'D' is K-anonymized if & only if each combination of values in 'D(QD)' appears in at least 'K' records of D (Gionis 2007).
Let us consider an excerpt of a small sample trend report record set; this is how it would potentially look in plain text.

| Organization Name | Industry Type | Organization address | Employee size | Asset | Vulnerability | Controls |
| --- | --- | --- | --- | --- | --- | --- |
| Citca hughes | Financial | CF24 | 250 | SQL v9 | X12 flaw | ABC1, ABC2 |
| Mediquick | Medical | CF20 | 55 | IIS 7 | Z03 flaw | ABC4 |
| Eversafe | Financial | CF24 | 130 | SQL v9 | X12 flaw | ABC3 |
| EZ sports | Sporting | CF14 | 50 | Zen Cart | F05 flaw | ABC13, ABC5 |
| Tesco | Supplies | CF14 | 100 | … | … | … |

Table 4.4 - Sample RA trend record
The above select database entries from potential consolidated risk assessment trend reports pinpoint that Organization "Citca hughes" is in the "financial" industry with an employee size of "250", and owns & operates an asset "SQL v9" which has an "X12" type flaw. The organization has addressed it with the controls "ABC1" & "ABC2". If we were to publish this stripped version of Risk Assessment data "as is", we would be giving away too much information and compromising Organizational privacy. "Eversafe", a financial industry organization similar to "Citca hughes", owns a similar asset yet has identified only control "ABC3". We need to ensure that Eversafe realizes there are 2 more possible controls for the same flaw, so it can iterate on its RA & update its controls. Eversafe never needs to know Citca hughes' private information or anything about the Organization itself. We need only be concerned with the asset, its associated vulnerabilities, threats or risks & the practiced or recommended risk controls. Yet discarding too much information would render the knowledge incomplete or useless, and giving away too much would be a perfect aid for spearheading attacks. To prevent this, we either suppress or generalize using single or multidimensional K-anon to achieve "just enough" privacy and make the RA trend data available through queries from within ORAF.
The generalization of a data entry needs to be systematic, not random, as the following representation shows.
Fig 4.4 – Generalization rule
At any point, when using single dimensional generalization, CF24 will always be generalized to CF2* within a data entry.
The following example shows the K-anon property applied to our sample data record using Single Dimensional Suppression (SDS) and Single Dimensional Generalization (SDG).
| Organization Name | Industry Type | Organization address | Employee size | Asset | Vulnerability | Controls |
| --- | --- | --- | --- | --- | --- | --- |
| * | Financial | CF2* | 50 – 250 | SQL v9 | X12 flaw | ABC1, ABC2 |
| * | Financial | CF2* | 50 – 250 | SQL v9 | X12 flaw | ABC3 |
| * | Medical | CF2* | 50 – 250 | IIS 7 | Z03 flaw | ABC4 |
| * | Sporting | CF1* | 50 – 250 | ZenCart | F05 flaw | ABC13, ABC5 |
| * | Supplies | CF1* | 50 – 250 | … | … | … |

Table: K-anonymized dataset
In the above example, we see that we have anonymized "just enough" of the information: there is no way to backtrack which Organization actually owns the asset, say SQL v9, yet we have enough obscured information to understand the asset type & its set of known vulnerabilities and the possible mitigation controls adopted by individual organizations.
Now when "Eversafe" queries the k-anon ORAF knowledge pool (generic flow shown in fig 5.4) with a query such as "mitigation controls for X12 flaw for SQL v9", from the results Eversafe can see that a financial corporation similar to theirs uses the same asset & has identified controls ABC1 & ABC2, but will have no way of identifying the contributing organization. Such a trend report can be useful to cross verify whether we have achieved comprehensive risk control.
The probability of re-identification here is 1/K. In our case, the probability of identifying information on "Citca hughes" would be ½, i.e. 0.5, if considering only the financial industry; if the "industry type" field is also put through the same SDG process, it becomes 1/3 when considering the address postcode anonymity alone. The probability of re-identification also diminishes as the number of data record entries increases.
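The stripping step of section 4.4.1 and the SDS/SDG K-anon treatment of Table 4.4 carried through in code, together with the K-anon property check and the 1/K re-identification bound just described. This is an added example written for this page, not the thesis's or ORAF's own code. The records are constructed after Table 4.4 (the elided Tesco row is given constructed asset values), the doc_version and impact fields are assumed stand-ins for the stripped "version control details" and "impact rating", and the 50-250 interval and the CF24 to CF2* rule follow Fig 4.4 and the K-anonymized table.

```python
"""Stripping + single-dimensional k-anonymity over an RA trend record set.
Added example, not the thesis's or ORAF's own code; records are constructed
after Table 4.4."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed records modelled on Table 4.4. doc_version and impact are assumed
# extra fields standing in for the "version control details" and "impact rating"
# that section 4.4.1 strips; the Tesco row's asset values are constructed.
RAW_RECORDS: List[Dict] = [
    {"org": "Citca hughes", "industry": "Financial", "postcode": "CF24", "size": 250,
     "asset": "SQL v9", "vuln": "X12 flaw", "controls": ("ABC1", "ABC2"),
     "doc_version": "RA-v3", "impact": "High"},
    {"org": "Mediquick", "industry": "Medical", "postcode": "CF20", "size": 55,
     "asset": "IIS 7", "vuln": "Z03 flaw", "controls": ("ABC4",),
     "doc_version": "RA-v1", "impact": "Medium"},
    {"org": "Eversafe", "industry": "Financial", "postcode": "CF24", "size": 130,
     "asset": "SQL v9", "vuln": "X12 flaw", "controls": ("ABC3",),
     "doc_version": "RA-v2", "impact": "High"},
    {"org": "EZ sports", "industry": "Sporting", "postcode": "CF14", "size": 50,
     "asset": "Zen Cart", "vuln": "F05 flaw", "controls": ("ABC13", "ABC5"),
     "doc_version": "RA-v1", "impact": "Low"},
    {"org": "Tesco", "industry": "Supplies", "postcode": "CF14", "size": 100,
     "asset": "Zen Cart", "vuln": "F05 flaw", "controls": ("ABC5",),
     "doc_version": "RA-v4", "impact": "Medium"},
]

STRIP_FIELDS = ("doc_version", "impact")         # 4.4.1: never leaves the organisation
QUASI_IDENTIFIERS = ("org", "postcode", "size")  # attributes linkable to external data
SIZE_INTERVAL = (50, 250)                        # SDG interval used in the K-anonymized table


def strip_record(rec: Dict) -> Dict:
    """Stripping: drop fields that must not reach the knowledge pool at all."""
    return {k: v for k, v in rec.items() if k not in STRIP_FIELDS}


def generalize_postcode(postcode: str) -> str:
    """Fig 4.4 rule: mask the final character of the outward code (CF24 -> CF2*)."""
    return postcode[:-1] + "*"


def generalize_size(size: int, interval: Tuple[int, int] = SIZE_INTERVAL) -> str:
    """SDG: replace the exact head-count with the configured interval."""
    lo, hi = interval
    if not lo <= size <= hi:
        raise ValueError(f"employee size {size} lies outside interval {interval}")
    return f"{lo}-{hi}"


def anonymize_record(rec: Dict) -> Dict:
    """SDS on the name, SDG on postcode and size; asset/vuln/controls are kept verbatim."""
    out = strip_record(rec)
    out["org"] = "*"                                  # suppression
    out["postcode"] = generalize_postcode(out["postcode"])
    out["size"] = generalize_size(out["size"])
    return out


def anonymize_dataset(records: Iterable[Dict]) -> List[Dict]:
    return [anonymize_record(r) for r in records]


def equivalence_classes(records: Iterable[Dict], qi: Tuple[str, ...]) -> Counter:
    """Count how many records share each quasi-identifier tuple, i.e. each value of D(QD)."""
    return Counter(tuple(r[a] for a in qi) for r in records)


def is_k_anonymous(records: List[Dict], qi: Tuple[str, ...], k: int) -> bool:
    """Gionis' condition: every value of D(QD) appears in at least k records of D."""
    classes = equivalence_classes(records, qi)
    return bool(classes) and min(classes.values()) >= k


def reidentification_probability(records: List[Dict], qi: Tuple[str, ...], rec: Dict) -> float:
    """Linkage bound 1/K: one over the size of the equivalence class rec falls into."""
    n = equivalence_classes(records, qi)[tuple(rec[a] for a in qi)]
    return 1 / n if n else 0.0


def query_controls(records: Iterable[Dict], asset: str, vuln: str) -> set:
    """The query-based access path of 4.4.2c: answer only from the anonymized pool."""
    return {c for r in records
            if r["asset"] == asset and r["vuln"] == vuln
            for c in r["controls"]}


if __name__ == "__main__":
    pool = anonymize_dataset(RAW_RECORDS)
    for row in pool:
        print(row)
    print("2-anonymous on", QUASI_IDENTIFIERS, "->", is_k_anonymous(pool, QUASI_IDENTIFIERS, 2))
    print("controls for X12 flaw on SQL v9 ->", sorted(query_controls(pool, "SQL v9", "X12 flaw")))
```

Run stand-alone, the anonymized pool is 2-anonymous on (name, postcode, size) but not 3-anonymous, because the CF1* class holds only two records. Treating "industry" as a quasi identifier as well breaks 2-anonymity, since Mediquick is the only Medical record in CF2*; that is the same effect behind the ½ versus 1/3 figures above, which differ only in whether industry type is counted among the quasi identifiers. The Eversafe query returns ABC1, ABC2 and ABC3 with no organisation names attached.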
By sharing such an anonymized aggregate trend data, participating organizations can get a cue
that their industry counterparts have identified & used certain controls which they could have
potentially overlooked. By considering & iterating on those “slipped” control measures, we
believe overall security can be strengthened.
Fig 4.4b - Privacy & enough valid information preserved & shared
4.4.2a Justification on using K-anon
Although raw data anonymization techniques are still fairly early in their development, K-anon has been a popular technique, especially in health information sharing environments (El Emam and Dankar 2008). The major advantages of K-anon over other such algorithms are the accuracy of the published results & its lower computational overhead. K-anon achieves "good enough" privacy by balancing data sacrificed against data obscured. Re-identification in a released data set at worst narrows an individual entry down to a group of 'K' individuals in the dataset (Williams and Blum 2007). Taking into consideration the nature of the application & the cost of computation, K-anonymity proved a successful candidate among the alternatives.
4.4.2b Limitations to K-anon
Although K-anonymity has long been proposed as a mechanism for providing privacy in microdata publishing (Samarati and Sweeney n.d.) and numerous re-coding models have been considered for achieving k-anonymity, it is still in the early stages of perfection. K-anon is susceptible to the Homogeneity attack (Machanavajjhala et al. 2006), especially where all sensitive values in a K-anon group are the same. In (Narayanan and Shmatikov 2010), the authors state that the privacy techniques companies use to store and anonymize data are not adequate in terms of confidentiality, as there are always attacks that can trace a dataset back to the original individual, compromising his privacy. Organizations such as credit card companies, hospitals, and real estate firms hold large volumes of personally identifiable data, and their released anonymized data sets are often traceable to the individual.
(Narayanan and Shmatikov 2010) argue that K-anonymity de-identifies quasi identifiers effectively in a given data set; however, by joining enough datasets on common attributes, re-identification of data pointing to an individual is possible. Then there is the human element involved in the re-identification process, which makes the algorithm even more intelligent. The authors note from their experience that any remaining attributes can be used to re-identify as long as they differ from individual to individual. Therefore, for instance, with respect to published medical data, an anonymized version of Personally Identifiable Information (PII) has no meaning even in the context of the HIPAA privacy rule (HHS 2002). Hence absolutely de-identified data is an unattainable goal & further computational research is deemed necessary.
4.4.2c Addressing the K-anon limitation
At the time of writing, ORAF has been proposed to use Single Dimensional Generalization K-anon, which, if it followed the generic approach of storing sensitive data and releasing it publicly as currently practiced by the data gathering industry, would also be prone to attacks & privacy compromise. However, we aim to achieve differential privacy in the sense that sensitive data that could give away Organization-specific information is never stored in the ORAF knowledge repository at all. RA data is by itself a sensitive document, but only if we know to which Organization the RA belongs. There is a lower chance of tracing Risk data back to its parent Organization when that information never existed in the repository in the first place.
(Narayanan and Shmatikov 2010) agree that an interactive query based approach is generally superior to the "release and forget" approach, which is exactly what ORAF will adhere to. Our knowledge repository displays trends or information on "risk controls" to participating entities only upon query, and refrains from frequently releasing or publishing this trend data to the open internet where we have no access controls.
4.5 Summary
In this chapter we proposed a RA guidance model aligned with the PDCA cycle of ISO 27001 processes, suggesting a typical usage scenario for users adopting the ORAF framework. This showed how the ORAF assessment framework overlaps with the well established & familiar PDCA model, reducing fear of change in the User's mind. ORAF's proposed IS incident reporting service was critically compared to WARP (Gov, 2010) & the major differences were highlighted. We showed how ORAF is a comparatively faster way to report incidents, by eliminating the need for human intervention to mediate reporting. Owing to the privacy & identity concerns of participating Organizations, we suggested the use of selective data stripping & k-anon algorithms, with suppression and generalization applied to RA report data, the anonymized versions of which are placed in the ORAF knowledge pool, searchable by queries. The illustrated sample data records show the 'just enough' privacy and abstraction attained by our process, enabling free flow of critical information while withholding compromising attributes. Although k-anon is a widely practiced anonymization technique, it does have certain limitations & drawbacks. We followed a "query based approach" over the "release & forget" approach, thereby considerably addressing one of the K-anon limitations.
Chapter 5
5.1 Design Specification
In this chapter, from a technical architect's point of view, we specify a design framework for the web based ORAF decision tool using the Unified Modeling Language (UML) to communicate a road map or blueprint for the ORAF project.
5.2 ORAF Business Requirements
The ORAF prototype is intended to be a web based RA & decision support tool which relies on collaborative defense against cyber threats & aims to support a structured yet mutual & additive risk assessment based on the ISO 27001 standards. The web based system should allow Organizations or relevant participating entities to work closely with each other, enabling free flow of anonymized risk assessment data coupled with recommendations for best security practices, the ability to report IS incidents for proactive heads-up alerting & defense, and insight for decision making based on the knowledge of crowds, marching closely with the UK cyber security strategy (Cabinet Office 2011) of a safer cyber space.
All participating entities must be able to conduct an assisted self risk assessment in compliance with the ISO 27001 ISMS, and an anonymized version of the report must be submitted to a repository, which we shall call the "knowledge pool", from which it must be retrievable by queries. The assistance could be either proactive, a guided probability estimation for assigning one of the values (Probability of occurrence) of the risk index based on the knowledge of the crowds, or reactive, insights & trends based on collective past incidents accompanied by near instant incident report alert systems.
The Organizations must be able to set up & configure "watch-lists" which let them stay up-to-date on threat & risk alerts. The reporting systems that work in conjunction with the watch list should have provisions to alert others in real time and may be accompanied by "first-aid" mitigation controls.
The insight capability API integration (depicted in fig 5.6a, labels 5, 6) of ORAF is at the moment based on aggregate unstructured report data from trusted sources such as news media, social networks etc., filtered through the "Recorded Future" graph analysis engine (Recorded Future 2012), which tries to build a structured point in temporal space by linking past unstructured events: people, time, location, the incident itself etc. The data could be plotted over a visual map to show the geographic distribution of threat sources & incidents. Also, the system should be able to analyze the knowledge pool autonomously and present a visual display of the Top 10 Risks per industry sector to the subscribed Organizations. This serves as a gentle reminder for Organizations to take heed & ensure those high ranked risks are addressed.
The last but not least component is the information reference space: site content where comprehensive information on legal & legislative requirements is presented. This serves as guidance and reminds participating organizations of compliance with the law & the Data Protection Act.
5.3 Top-level Use Case design – Modeling the functional requirement
The top level use case diagram captures "what" the system will do for the user, capturing the functional requirement of the system in a high level generalization schema. Note that a top level use case specification, as shown in fig 5.3, does not include the "how" or the implementation details. The conventions used are explained below.
Actors:
An actor could be a person, a system or a device: an external entity that interacts with the system. In our case we have 4 actors, as explained below.
a. Participating Organizations – the main actors around whom the system is to be built.
b. ORAF intelligence module – a major system component responsible for pooling & responding to user queries, the algorithm component that processes raw data into the structured format usable in the knowledge pool, and a host of other functions as described.
c. Trusted Sources – external system interfaces that contribute data to ORAF for trend analysis & insight purposes. They could be news media, social network sites etc.
d. Administrator – the well known entity responsible for overall system maintenance & site management.
Relationships:
Interactions carried out by the actors with the system are represented by an arrow.
The use cases specified in the Top level Use Case diagram (fig 5.3) try to capture the essence of the ORAF business requirements.
Fig 5.3 Top Level Use Case diagram of ORAF system
In the figure, the administrator (actor) and its connected use cases are self explanatory: "Perform System Maintenance" & "Manage Site Content" enable the user to perform periodic maintenance tasks on the ORAF website, and "Moderate Registered Users" allows the admin to moderate or govern registered profiles & resolve issues should any conflict arise.
The "Participating Organization" is a primary actor and interacts with the majority of the use cases shown. "Manage personal account" is a personal profile editor that allows the user to register & maintain a personal profile: this could be, say, an Organization name, the type of industry they operate in, and a host of other information. This information is stored beforehand so that at each new RA they conduct, this data can be appended to their personally retrievable RA reports.
"Manage risk assessment" allows the user to create a new RA and to access, print or remove previously conducted assessments. "Submit RA reports" lets users approve personal RA reports to be forwarded for anonymization & added to the ORAF knowledge pool.
"Manage threat watch list" allows users to set up an alert system for an asset of their concern: add or remove watch lists, receive alerts etc. The alert viewer is real time and should display an alert as soon as it has been reported by another participating entity. This works in conjunction with the "Report/send Asset compromise notification" use case, where users are given the ability to report the problem & a probable solution. Additionally, the use case "view real time asset compromise notification" allows users to receive such reported alerts. When an Organization believes one of its assets has been compromised, it does not need to remain in the dark waiting for the newspapers to report the incident the next day, by which time enough time would have passed for the attack to propagate over a larger territory and claim more victims (we are referring to the area of compromised network resources as territory). The reporting functionality allows a compromised entity to notify others of the compromise and also offers an option to include possible mitigation controls. However, the notification is received only by those already subscribed to the respective alert. A watch list set up for, say, SQL v9 will not receive the alert if a compromise has occurred on, say, a biometric scanner with faulty firmware; however, this incident does get reported to the ORAF knowledge base and is displayed in trend analysis at a later date.
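A small model of the watch-list routing described above (use cases 8 to 10 in the specification that follows), as an added example rather than code from the ORAF prototype: an alert reaches only the organizations subscribed to the reported asset, the reporter's identity is removed before delivery, and every report is archived to the knowledge base whether or not anyone is currently watching that asset. Exact asset-name matching and the choice not to echo an alert back to its own reporter are assumptions of this example.

```python
"""Watch-list alert routing for asset compromise notifications.
Added example modelled on ORAF use cases 8-10; not the prototype's own code."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Notification:
    """What a compromised organisation submits via 'Report/Send asset compromise notification'."""
    reporter: str                     # reporting organisation; never forwarded to recipients
    asset: str
    vulnerability: str
    risk: str
    controls: Tuple[str, ...] = ()    # optional "first-aid" mitigation controls

    def redacted(self) -> Dict[str, object]:
        """Alert payload as recipients see it: asset, vulnerability, risk, controls only."""
        return {"asset": self.asset, "vulnerability": self.vulnerability,
                "risk": self.risk, "controls": list(self.controls)}


@dataclass
class WatchListRegistry:
    """Use case 8: subscriptions keyed by asset name (exact match is an assumption here)."""
    subscriptions: Dict[str, Set[str]] = field(default_factory=dict)     # asset -> subscribed orgs
    knowledge_base: List[Dict[str, object]] = field(default_factory=list)  # redacted history

    def add_watch(self, org: str, asset: str) -> None:
        self.subscriptions.setdefault(asset, set()).add(org)

    def remove_watch(self, org: str, asset: str) -> None:
        self.subscriptions.get(asset, set()).discard(org)

    def report(self, note: Notification) -> Dict[str, Dict[str, object]]:
        """Use cases 9/10: deliver the redacted alert to subscribers of that asset only.

        Returns {recipient_org: alert}. The reporter is excluded from delivery
        (assumption). Every report is archived, already redacted, so it still feeds
        later trend analysis even when nobody is watching the asset right now."""
        alert = note.redacted()
        self.knowledge_base.append(alert)
        recipients = self.subscriptions.get(note.asset, set()) - {note.reporter}
        return {org: dict(alert) for org in sorted(recipients)}


if __name__ == "__main__":
    registry = WatchListRegistry()
    registry.add_watch("Eversafe", "SQL v9")
    registry.add_watch("Mediquick", "IIS 7")
    delivered = registry.report(
        Notification("Citca hughes", "SQL v9", "X12 flaw", "High", ("ABC1", "ABC2")))
    print(delivered)                      # only Eversafe, and without the reporter's name
    print(len(registry.knowledge_base))   # 1: the report is archived regardless
```

The registry holds only the redacted form of each report, so the knowledge base itself never learns which organisation raised the alert; that mirrors the "Does NOT show the compromised organization's identifiers" requirement of use case 10.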
The "Rank Top-10 risks" use case accepts inputs from participating organizations & pre-defined trusted sources. The ORAF module needs to interact at this point to classify & list the Top-10 risks based on trend data & the organization's industry sector.
We shall now explain what each Use Case represents and how each plays a significant role as a part of the system with reference to the others. The individual functionality of each use case can be understood from the Use case Specification document shown below.
5.3.1 Use Case Specification
The use case specification describes each of the use cases in more detail to aid in the implementation process. The specification document describes which actors interact with each use case, the preconditions that need to be met for the use case to be activated, and the description or scenario that can be performed in the use case.
Use Case No. 1
Use Case Name: Perform System Maintenance
Rating: Essential
Purpose: To allow the administrator to perform basic maintenance tasks on the ORAF system
Main Actor: Administrator
Secondary Actors: NA
Pre Conditions: Requires User to be logged-in into system with admin privileges
Trigger: No special trigger.
Description:
- Enable admin to perform maintenance routines
- Must limit tasks to database optimization, content moderation & other such pseudo-primary tasks
- Must NOT allow changes to core system functionality
EXT: None
Post Conditions: Optimized system performance
Related Use Cases: Moderate Registered Users, Manage Site Content
Use Case No. 2
Use Case Name: Moderate registered users
Rating: Essential
Purpose: Allows super admin governance over registered profiles
Main Actor: Administrator
Secondary Actors: NA
Pre Conditions: Requires User to be logged-in into system with admin privileges
Trigger: The need to interact with a user profile
Description:
- Enables monitoring & moderation of registered user profiles
- Useful to review a profile based on suspicious activity
- Ability to remove, block or suspend accounts
- Ability to send group messages
EXT: None
Post Conditions: One of the intended purposes.
Related Use Cases: Manage Site Content, Perform System Maintenance
Use Case No. 3
Use Case Name: Manage Site Content
Rating: Essential
Purpose: To manage site content
Main Actor: Administrator
Secondary Actors: NA
Pre Conditions: Requires User to be logged-in into system with admin privileges
Trigger: A need to update/modify feeds from trusted sources. No special trigger.
Description:
- Allows overall site administration – posting special announcements
- Configure/modify incoming RSS & news snippet feeds (Trusted sources)
EXT: None
Post Conditions: Achieve required changes.
Related Use Cases: Manage Registered users, system maintenance
Use Case No. 4
Use Case Name: Manage personal account
Rating: Essential
Purpose: To allow user to review/update personal information
Main Actor: Participating Organization
Secondary Actors: NA
Pre Conditions: Requires user to be logged-in into system terminal
Trigger: Changes in organization profile
Description:
- Enables adding/updating personal information in the database
- Requests information on Organization details, industry segment and size
- This information is appended to risk assessment reports conducted by the relevant User but is NOT shared with others and is discarded when submitting RA data to the knowledge pool.
EXT: None
Post Conditions: Update changes to profile as required.
Related Use Cases: None
Use Case No. 5
Use Case Name: Manage Risk Assessment
Rating: Essential
Purpose: To allow actors to manage risk assessment activities.
Main Actor: Participating Organization
Secondary Actors: NA
Pre Conditions: Requires user to be logged-in into system terminal
Trigger: No special trigger. Can be accessed when there is a need to review or perform a new risk assessment.
Description:
- Allows user to perform one of the desired tasks – initiate a new risk assessment based on ISO 27001
- Allows user to view or print previously performed risk assessments
- Provides a guided step-by-step template to perform risk assessment
- Must comply with ISO 27001 requirements
- RA starts with confirming/updating the organization profile, then registering the Assets, then the actual assessment where threats and risk factors are identified, a risk index is assigned etc.
EXT: Print RA report
Post Conditions: RA results are populated and the K-anon algorithm is applied to the report to anonymize the data. Submitted to the Knowledge pool and confirmation sent to parent organization
Related Use Cases: Submit RA reports, Anonymize submitted reports
Use Case No. 6
Use Case Name: Submit RA report
Rating: Essential
Purpose: Allows user to authorize submission of personal RA report to ORAF
Main Actor: Participating Organizations
Secondary Actors: NA
Pre Conditions: None
Trigger: When a fresh Risk assessment is made
Description:
- Recommends users to submit RA data
- Forwards the report to the anonymization module before it is added to the pool.
EXT: None
Post Conditions: A new anonymized RA report is made available in the pool for all to share.
Related Use Cases: Anonymize submitted RA report
Use Case No. 7
Use Case Name: Anonymize submitted RA report
Rating: Essential
Purpose: Enables ORAF to successfully anonymize user submitted risk assessment data
Main Actor: ORAF intelligent module
Secondary Actors: Participating organization
Pre Conditions: Requires successful completion of a new risk assessment
Trigger: Process started before submitting to the knowledge pool
Description:
- The module takes the RA report as input and anonymizes the data in line with the privacy concerns of the organization
- All quasi identifiers pertaining to the organization are removed
- The asset details, risk rating, industry segment & size, identified threats and risk controls are preserved
EXT: None
Post Conditions: Anonymized RA data is submitted to the knowledge pool & made available to other participating organizations
Related Use Cases: None
Use Case No. 8
Use Case Name: Manage Threat Watch-list
Rating: Essential
Purpose: To allow user to customize & receive threat alerts
Main Actor: Participating Organization
Secondary Actors: NA
Pre Conditions: Requires user to be logged-in into system terminal
Trigger: Interest in real time updates on potential vulnerabilities to a particular asset
Description:
- Enables adding/removing customized threat watch lists with real time updates
- A pre-registered organization asset needs to be assigned here
- The knowledge pool is monitored continually for any reported incidents or vulnerabilities pertaining to that asset.
EXT: None
Post Conditions: Submits watch list criteria to the system for real time monitoring.
Related Use Cases: Report/Send asset compromise notification, View asset compromise notification
Use Case No. 9
Use Case Name: Report/Send asset compromise notification
Rating: Essential
Purpose: To allow user to report any 0-day vulnerability or emerging threat outbreak to all participating organizations
Main Actor: Participating Organization
Secondary Actors: NA
Pre Conditions: Requires user to be logged-in into system terminal
Trigger: Identification of a 0-day vulnerability or a security incident
Description:
- Allows the participating organizations to notify all in the network of the incident
- A sort of alert system
- Notification sent in real time along with Asset type, recorded incident & possible controls
EXT: None
Post Conditions: Real time alert received by participating organizations based on their watch list.
Related Use Cases: View asset compromise notification
Use Case No. 10
Use Case Name: View asset compromise notification
Rating: Essential
Purpose: To allow user to receive real time threat alerts based on watch list preference
Main Actor: Participating Organization
Secondary Actors: NA
Pre Conditions: Requires Supervisor to be logged-in into system terminal and to have at least one preconfigured watch list
Trigger: Report of a prioritized threat from trusted sources
Description:
- Shows visual alerts based on watch list
- Does NOT show the compromised organization's identifiers, yet includes the compromised asset, vulnerability, risk and potential mitigation controls.
EXT: None
Post Conditions: Update Service record once the prescribed service is done.
Related Use Cases: Report/Send asset compromise notification, Manage Threat Watch-list
Use Case No. 11 Use Case Name: show IS Trends & Insight Rating: Essential
Purpose: Allows users to obtain a graphical trend chart & keyword insight
Main Actor: Trusted Sources Secondary Actors: ORAF intelligent module
Pre Conditions: Trusted sources needs to be defined and the module configured to received RSS data feeds
Trigger: updates each time user logs in to the system
Description:
Collects data feeds from predefined trusted sources – News media, social networks etc
Plots geographic threat distribution over a graphical map
Aids in predicting advancing threat agents & propagating risks
API to be built over Google insight, with trend analysis similar to “Recorded Future” intelligent prediction analysis.
Enables real time cyber threat monitoring
EXT: None Post Conditions: Enlighten users with comprehensive knowledge and aid in informed decisions
Related Use Cases: None
Use Case No. 12 Use Case Name: View IS best practices & UK law compliance
Rating: medium
Purpose: Allows a user to quickly refer to up-to-date UK cyber laws & recommended practices
Main Actor: Participating Organizations
Secondary Actors: Trusted Sources
Pre Conditions: None
Trigger: No special conditions, can be accessed any time within the site navigation menu
Description:
Contains an exhaustive list of recommendations & Information Security best practices
Acts as a quick reference scheme
Updated information on UK cyber law compliance requirements
EXT: None Post Conditions: Advises users to ensure adherence to the required laws & practices.
Related Use Cases: None
5.4 Activity Diagram
In the previous section we saw how the use case diagram helped us understand what the user wants to do with the system; here we use an activity diagram to capture the business operation workflow and the actions & activities related to it.
Fig 5.4 Activity Diagram
We have visually represented an overview of the overall workflow in general, with decisions & choices affecting possible outcomes.
Fig 5.4b Legend
Img source: http://www.csci.csusb.edu/dick/samples/uml0.html
Let us start at the point <Register Organization>, this step can be skipped if the user is
already registered with the ORAF. Upon creating a valid user profile, the participating entity can
now log into the system as denoted by <Login> and be able to choose one of the many available
options within the site. They could now decide if they would like to <initiate a new risk
assessment> or <view/print existing RA reports> if they have already done one earlier using the
ORAF. For the sake of the scenario, let us assume the user initiates a new assessment. They are then shown the option <Register organizational Assets>, where they need to input a comprehensive list of assets categorized by type. Once done, they proceed to perform the actual assessment. When the process is complete, ORAF displays a detailed printable output of the RA with risks categorized by risk index. The user now has the option to <print report> or to use the electronic format and <compare> self-selected mitigation controls against the knowledge pool.
This can be an extremely useful step, where the knowledge of the crowds ensures that we have considered the most exhaustive possible list of risks & controls. Going one step backward, the fork & join denote the point where ORAF performs background stripping & anonymization of the RA data to be added to the knowledge pool. A <confirmation> is then shown. The process could stop here or continue with a new choice, say <Access Knowledge pool>.
The knowledge pool is a large central repository where participating organizations can turn to seek guidance & validation on their risk assessment & control measures. Take the first activity, <seek mitigation advice>: ORAF prompts the user to enter <Asset details> for which the controls need to be looked up. The knowledge pool, which contains a variety of RA data from various anonymized Organizations, is then queried and the results are populated in the user view. The Organization can now <Compare> the populated list of strategies with its own mitigation controls & iterate on the same.
5.5 Sequence Diagram
A sequence diagram is a type of UML diagram that illustrates the sequence of messages & interactions between “objects” over a specific period of time and can be used to work out detailed object oriented designs. A sequence diagram contains lifelines that represent properties of any UML element that shows behavior, including actors, systems or subsystems, classes, and components. (IBM 2005)
The sequence diagram shown below illustrates the same scenario as described in the activity
diagram, yet here we capture complicated interactions between objects which potentially add
more clarity for the project development phase.
The “Objects” that make up the system are represented with boxed heads, and the dotted line that runs vertically down is the lifeline of each object. The vertically overlapping white rectangular boxes show the period of time in which the object is initiated, remains active and dies after an operation. Requests are represented with dark arrows, whereas replies from other objects are represented with dotted arrows as shown. These requests can sometimes require conditions to be true in order for an action to occur, as denoted with square brackets [condition statement]
Fig 5.5a Legend
There is also a recursive call, where the object waits until, say, a math function has been computed, which can be denoted using a half loop arrow to self as follows
Fig 5.5b Recursive notation
The activity diagram shown in fig 5.4 has been interpreted conceptually as a sequence diagram below, starting with a conditional logon statement and the object: participating organization calling a new risk assessment from the object: RA module. From the diagram, the steps are self-explanatory; note, however, the “activation period” of the object: ORAF intelligence module and the object: Knowledge pool, which are not alive until a function that involves their participation is actually called.
Fig 5.5c – Sequence diagram
For illustration purposes, in the sequence diagram (fig 5.5c), let us see how an RA report anonymization function is called by the system. Once the user has been presented with a detailed RA report, the object “:RA module” prompts the user (Request) to submit the RA to the knowledge pool. The user approves (reply) submission to the module, which in turn passes on a <request> to the “:ORAF intelligent Module” to initialize the anonymization process & compute filtering as required. The computed data is then submitted to the knowledge pool and an acknowledgement is sent to the ORAF module. The module is then shown to pass the confirmation to the end user, thereby successfully completing a phase of an operation.
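The stripping & anonymization step performed by the “:ORAF intelligent Module” above (the same fork & join step in the activity diagram, and the K-anonymization of every submitted RA report mentioned in section 6.2) can be sketched as a small k-anonymity pass. The Python below is an added illustration, not code from the dissertation; the record fields, the sector hierarchy, the size bands and the value of k are constructed assumptions.

```python
"""Added example (not from the ORAF dissertation): a small k-anonymity pass
of the kind ORAF's 'stripping & anonymization' step applies before an RA
record enters the knowledge pool. Records and hierarchies are constructed."""
from collections import Counter

# Columns that name the organization or its people are removed outright.
DIRECT_IDENTIFIERS = {"organization", "assessor", "contact_email"}

# Quasi-identifiers are harmless alone but could re-identify an organization
# when combined, so they are generalized to coarser buckets.
QUASI_IDENTIFIERS = ("industry", "size")

# Constructed hierarchy: fine sub-sector -> industry sector used for queries.
SECTOR_HIERARCHY = {
    "Retail banking": "Finance",
    "Insurance": "Finance",
    "Hospital": "Pharma/Health",
    "Pharmaceutical": "Pharma/Health",
}


def headcount_band(headcount: int) -> str:
    """Replace an exact headcount with a coarse size band (constructed bands)."""
    if headcount < 50:
        return "1-49"
    if headcount < 250:
        return "50-249"
    return "250+"


def generalize(record: dict) -> dict:
    """Return a copy with direct identifiers stripped and quasi-identifiers
    generalized. The RA content itself (asset, threat, vulnerability,
    likelihood, control) is kept so each field stays queryable in the pool."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["industry"] = SECTOR_HIERARCHY.get(out.pop("sub_sector"), "Other")
    out["size"] = headcount_band(out.pop("headcount"))
    return out


def equivalence_key(record: dict) -> tuple:
    """The quasi-identifier tuple that defines a record's equivalence class."""
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def k_anonymize(records: list, k: int) -> tuple:
    """Generalize every record, then release only those whose quasi-identifier
    tuple is shared by at least k records; the rest are suppressed so that no
    organization is the only one of its kind in the pool.
    Returns (released_records, number_suppressed)."""
    generalized = [generalize(r) for r in records]
    class_sizes = Counter(equivalence_key(g) for g in generalized)
    released = [g for g in generalized if class_sizes[equivalence_key(g)] >= k]
    return released, len(generalized) - len(released)


def is_k_anonymous(records: list, k: int) -> bool:
    """Check the property the released set must hold."""
    class_sizes = Counter(equivalence_key(r) for r in records)
    return all(size >= k for size in class_sizes.values())


# Constructed RA submissions (no real organizations or people).
SAMPLE_RA_RECORDS = [
    {"organization": "Bank A", "assessor": "J. Doe", "contact_email": "j@a.example",
     "sub_sector": "Retail banking", "headcount": 120, "asset": "Customer database",
     "threat": "External attacker", "vulnerability": "SQL injection",
     "likelihood": 0.4, "control": "Parameterized queries"},
    {"organization": "Insurer B", "assessor": "M. Roe", "contact_email": "m@b.example",
     "sub_sector": "Insurance", "headcount": 200, "asset": "Customer database",
     "threat": "External attacker", "vulnerability": "SQL injection",
     "likelihood": 0.3, "control": "Input validation"},
    {"organization": "Bank C", "assessor": "A. Poe", "contact_email": "a@c.example",
     "sub_sector": "Retail banking", "headcount": 80, "asset": "Web portal",
     "threat": "External attacker", "vulnerability": "Cross Site Scripting",
     "likelihood": 0.2, "control": "Output encoding"},
    {"organization": "Hospital D", "assessor": "R. Loe", "contact_email": "r@d.example",
     "sub_sector": "Hospital", "headcount": 900, "asset": "Patient records",
     "threat": "Insider", "vulnerability": "Weak access control",
     "likelihood": 0.5, "control": "Role based access"},
]


def main() -> None:
    released, suppressed = k_anonymize(SAMPLE_RA_RECORDS, k=2)
    print(f"released {len(released)}, suppressed {suppressed}, "
          f"2-anonymous: {is_k_anonymous(released, 2)}")
    for r in released:
        print(r)


if __name__ == "__main__":
    main()
```

With k=2 the lone Pharma/Health record is held back rather than released, which is the loss-of-information versus abstraction trade-off the dissertation discusses for section 4.4.2.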
5.6 Mockup of ORAF framework
In this section, we present a potential User Interface (UI) and sample functionality for the proposed web based Open Risk Assessment Framework & Decision support tool. The framework mockup was created using a trial version of Balsamiq (http://www.balsamiq.com/) and Adobe Photoshop CS3 (http://www.adobe.com/).
In fig 5.6a, which represents the home screen of the web based framework, key controls have been labeled numerically for easier interpretation.
Fig 5.6a - ORAF dashboard
The label 1 is the profile manager which stores personal information about the organization as
described in Use Case Specification No.4. This is visible only to the parent Organization & no
other participating entity can access this information.
The label 2 is the center for all RA related operations as described in Use Case Specification No.5. The option “View/Print reports” lets a logged in User access their existing personal RA reports. The “Manage assets” option contains a list of assets that the Organization might have added to the RA form during one or many of the previous Risk assessments. This functionality lets users keep tabs on previously assessed assets and makes the process of configuring a watch list a matter of choosing assets from a drop down, as shown in fig 5.6g. The “Access knowledge pool” option provides an interactive interface to query the ORAF knowledge pool (public sphere) where anonymized public RA data is stored. The following decision support queries are supported:
a. Guided estimation on assigning probability index in a risk matrix
b. Crowd identified threats/vulnerabilities for a particular asset
c. Possible known mitigation controls for an asset
Our hypothesis or rather a factual belief is that
1. The reliability or quality of decision making depends directly on availability & accuracy
of critical information appended with experience.
2. Risk rating must be a logical measure backed up with judgmental reasoning and not merely reliant on numerical statistics.
Fig 5.6b decision vs. information hypothesized graph (please note the graph is not accurately plotted)
The upward increasing curve has been used to visually express the idea that when we are
placed in a situation to make a decision, the quality of decision we make greatly depends on the
amount of relevant information we have at our disposal on the subject matter. This information
could be a personal experience, or made available through unabated information channels. This
information has to be accurate, relevant and available at the right time and/or when the
decision maker needs it. (India 2010)
In the past, we had our fair share of concern when analyzing the Risk Rating Formula (RRF), where a single person or a small group of technical personnel assigns the decisive factors (either probability or impact). Calculating the cost of impact is a hugely debatable topic of its own which is out of the scope of this project, but we realized that by increasing the accuracy of one of the two factors, the accuracy of the RRF can be improved.
Fig 5.6c Venn diagram
In figure 5.6c we represent the two factors of the commonly used Risk Rating index as Probability and Impact. The impact cost varies greatly with each Organization and it is up to the IS assessor to understand and formulate the Organization’s impact cost. Furthermore, even if we cannot directly influence the “probability of occurrence”, which is often left to chance, we can however strive to perfect our accuracy in estimating the probability of occurrence, which will give us much better insight into the RRF and directly influences our risk prioritization controls. The objective is to ensure that we are not focusing on the lesser risks & overlooking greater ones.
The ORAF guided probability works by taking the average of the individually assigned probability estimates from various RA data, categorized by industry type, for an Asset.
This formula is applicable only to a set of records from each category – for an asset ‘X’ (defined by metadata or searchable by keywords within the ORAF knowledge pool) owned by Organizations ‘O’ falling under Industry type ‘Y’ having Vulnerability ‘V’ and Threats ‘T’.
An SQL database (X) used in Zydus Cadilla (O), which is a Pharma/hospital database (Y), vulnerable to SQL injection (V) from known Threats will have a higher probability of facing an attack than an SQL database being targeted in the education industry. In this case, an IS assessor who has spent most of his career in the education industry will experience a “cognitive bias” and rate the risk probability on a lower scale for the Pharma industry. The lack of information has made him commit a grave error in assessing the risk index. This can potentially be addressed by ORAF decision support queries.
Let us consider a sample scenario where the ORAF knowledge pool has assimilated 3 RA data sets from individual organizations, 2 from the finance sector and 1 from Pharma, each using more or less overlapping assets and similarly identified threats and vulnerabilities.
From the figure we can see that, since each RA was conducted by a unique individual with a varying perception of the probability of occurrence or Likelihood, the same asset with the same vulnerability has been assigned varying likelihood values. Now, if a fourth organization from the Finance sector conducts an RA and identifies similar threats or vulnerabilities to the same asset ‘A’ and would like to verify its accuracy, it can do so by calling the ORAF guided probability index.
In which case, ORAF will compute (for asset A)
The recommended probability rating will then be 0.3, and the assessor is advised to reiterate if the self-formulated index rating & the ORAF index differ by more than 2 points.
Observe that ORAF has ignored the RA data from the PHARMA industry in the computation even though all 3 reports had a similar Asset ‘A’ with the same threats & vulnerabilities; as mentioned earlier, this is because of the varying likelihood of events based on industry sector.
Shown below is a mockup with an excerpt from the ISO 27001 compliance Risk assessment template (full document attached herewith in the appendix), illustrating how it could take place in the ORAF system.
Fig 5.6d – Asset registration window
This is the Risk assessment window, where the actual process of risk assessment takes place. A
full RA template has been created and attached herewith in appendix. Seen here in fig 5.6e is
ORAF tooltip suggesting that guidance is available for formulating priority risk index. This works
only after a value has been assigned by an assessor based on his estimate, and auto guidance
kicks in only if the values differ by a considerable margin (pre-defined range). As always, they
are accessible manually as well at any point of time.
Fig 5.6e Risk Assessment page
Figure 5.6f shows ORAF’s “guided probability” formulation where Users can query the ORAF knowledge pool for assistance on “probability of Occurrence” or “likelihood” chances. The figure shows an interactive “tag cloud” - a set of keywords or meta-tags relevant to the User search query which aims to simplify the query process.
Fig 5.6f – ORAF’s probability guidance system
Such real-time information availability enables an assessor to potentially overcome the “information gap” that plagues the effectiveness or validity of decisions, and also to estimate the efficiency or comprehensiveness of a formulated mitigation technique relative to others.
The Label 3 in fig 5.6a relates to use case 8. The Watch list manager interfaces with the live alert on the homepage dashboard marked by label 8. Any alerts configured via the watch-list window (figure 5.6g) will be constantly monitored by ORAF, and any reported incident is displayed near instantly along with possible mitigation controls, as shown in label 8 of fig 5.6a.
Fig 5.6g – Watch-list manager
The label 8 in figure 5.6a is the visual dashboard that receives filtered watch-list alerts. In our case, it shows a scenario where a previously configured watch list asset, “Windows 7”, has been reported compromised due to a vulnerability and a suggested treatment plan has been sent by a participating organization. This alert will be received by all who have subscribed or set up such a watch list; however, the reporting organization’s name is kept anonymous. This anonymity, although not recommended, can be lifted if the reporting organization wishes to disclose its identity. There is also a Vote Up/Down feature that sends aggregate feedback, positive or negative, to the reporter of the incident.
The label 9 is the report incident panic button, which lets the compromised Organization report the incident to [problem + solution] filtered listening parties. (Please refer to section 4.3)
Fig 5.6h is a mockup of the reporting window.
Fig 5.6h – Incident reporting system
Towards the left are a list and a pie chart that show all incidents previously reported by the user and the feedback received from others. The right shows a template to report an incident.
Labels 5 & 6 in the figure, which relate to Use case specification number 11, are trend data received from pre-defined trusted sources configured to send live feeds to ORAF; in our case we show the Google Trend API and the Recorded Future API, which give an insight on currently trending threat agents. Depicted here is the Google insight on trending “SQL injection” attacks, and Recorded Future’s temporal analysis engine is shown predicting an event (still in experimental phases) for Oct 2012 by structuring articles & events from the largely unstructured information floating in the web sphere. A single page canvas view where the manager can have up-to-date information of his preference goes a long way in helping him make that decisive choice.
Label 7 is a live scrolling alert window showing the Top 10 risks for a particular industry sector, populated by the aggregate risk rating index of public RA data. This data is compared with the user’s native RA data, and color variations show whether the risk has been identified and addressed in one of the prior recently conducted Risk Assessments. In the mockup, ORAF has recognized that risks due to “insider actions” have not been identified or addressed in the most recent RA by the currently active user and has highlighted the field in red, alerting the user. This lets an Organization know if the top risks to its industry sector have been addressed comprehensively.
The label 4 is a read-only page where current laws & compliance regulation information are provided for reference. The aim here is to provide a consolidated reference repository of UK legal & legislative material pertaining to Cyber Security. This serves as a reminder to Organizations of the need to adhere to compliance requirements and avoid unexpected lawsuits.
Chapter 6
6.1 Case scenario validation
In this chapter we will simulate a case scenario comparing the typical risk assessment approach with the ORAF suggested approach and validate them on the basis of:
a. Addressing knowledge gap & cognitive bias in risk decision making
b. Timeliness of critical information availability
c. Mutual defense against risk
We will be using a sample risk assessment report from (Security and Webcast 2004) for our
illustration purposes.
An independent Organization ‘X’ wishes to perform a risk assessment. This is going to be their first ISMS process and they settle upon the ISO 27001 process of RM. Lacking comprehensive knowledge of the same, they hire a third party IS assessor, John, as part of their managerial team to steer the assessment process. Although John is not originally from Organization X’s industry sector, the assessor’s familiarity with RM was approved by the Organization’s managerial team. After minor hiccups & a few disagreements of opinion on both sides, the team finally lays out a blueprint for the RM process. John and the team begin with the traditional approach of laying down purpose, scope & document versioning with a list of involved personnel. Owing to budget & time constraints, the Organization wants John to formulate a risk model to prioritize & implement controls only for top priority risks.
Based on John’s personal experience & skill set, John formulates a risk model as follows.
Fig 6.1a – Threat likelihood ; Source - (Security and Webcast 2004)
Fig 6.1b – Magnitude of impact ; source - (Security and Webcast 2004)
Since Organization ‘X’ liked numbers, John formulated his risk index as follows and advised his team that risk priority can be assessed by the overall score ranges as listed below
Fig 6.1c – Risk matrix ; source - (Security and Webcast 2004)
The risk assessment was completed and sample report was summarized as follows
Fig 6.1d – Report excerpt adapted from (Security and Webcast 2004) showing flawed risk rating
The populated controls seen in figure 6.1d show John & team’s cognitive bias that the likelihood of a Cross Site Scripting (CSS) attack occurring is low. John had no way of forecasting this unless he had prior knowledge of the industry. Even with an Impact scale of “High (100)”, which could typically bring ‘X’ to its knees, according to John’s risk scale matrix the risk index would still be about (0.1*100) = 10, classifying it in the low risk category merely because of a speculative “low (0.1)” likelihood rating due to the knowledge gap. Of course, if John had had enough resources & time to validate his numbers, this gap could have been addressed; yet owing to the project deadline & budgetary constraints, the Organizational decision makers authorized resources for only medium to high risk controls, leaving out CSS. Unexpectedly, a CSS attack happens within the first few weeks, setting back the Organization with huge resource costs and trouble.
6.2 How ORAF could have helped
As mentioned earlier, Risk ratings are not always verified by logical constructs & are being
overlooked (Eli 2010). Another major problem with ISMS is the inability to validate decisions or
distinguish between critical and non-critical assets. (Theiia n.d.)
The main purpose of ORAF is to provide a standardized approach to RM and aid in decision
making by providing structured & real-time critical information where required. Using ORAF
alongside the ISMS process would have provided a structural approach to risk assessment and
validation of controls against other “structurally similar” RA reports categorized by industry
sectors. When John had his doubts on the likelihood of CSS as a risk in X’s industry sector, he could have used the “guided probability” functionality as mentioned in section 5.4 under label 2 to validate his estimate against the knowledge of the crowds, thereby addressing the knowledge gap almost instantaneously. An increased accuracy in the Risk index would have meant tighter priority checks & logical scrutiny.
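The guided probability query described under label 2 in section 5.6 (two Finance reports averaged, the Pharma report ignored, a prompt to reiterate when the assessor's value differs by more than the allowed margin) and the likelihood x impact risk index John computes in section 6.1 can be shown together in working code. The Python below is an added example, not part of the dissertation; the pool records, the mapping of the text's “2 points” onto the 0..1 scale and the risk category bands are constructed assumptions.

```python
"""Added example (not from the ORAF dissertation): a minimal model of the
ORAF "guided probability" query and the likelihood x impact risk index.
Every record, threshold and band below is constructed for illustration."""
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class PoolRecord:
    """One anonymized row in the knowledge pool. No organization name is
    kept; the industry sector 'Y' is what ORAF groups records on."""
    industry: str        # 'Y'
    asset: str           # 'X'
    threat: str          # 'T'
    vulnerability: str   # 'V'
    likelihood: float    # the submitting assessor's 0..1 estimate


# Constructed pool for the scenario in section 5.6: two Finance reports and
# one Pharma report for the same asset 'A', threat and vulnerability.
SAMPLE_POOL = [
    PoolRecord("Finance", "A", "External attacker", "Cross Site Scripting", 0.2),
    PoolRecord("Finance", "A", "External attacker", "Cross Site Scripting", 0.4),
    PoolRecord("Pharma", "A", "External attacker", "Cross Site Scripting", 0.7),
]


def guided_probability(pool, industry, asset, threat, vulnerability) -> Optional[float]:
    """Average the likelihood other assessors in the SAME industry sector
    assigned to the same asset/threat/vulnerability. Reports from other
    sectors are ignored (the Pharma report in the text). Returns None when
    the sector has no matching record, so the caller cannot mistake an
    empty pool for a low probability."""
    matches = [
        r.likelihood for r in pool
        if (r.industry, r.asset, r.threat, r.vulnerability)
        == (industry, asset, threat, vulnerability)
    ]
    if not matches:
        return None
    return round(mean(matches), 2)


def needs_review(self_estimate: float, guided: Optional[float],
                 max_gap_points: int = 2) -> bool:
    """Guidance 'kicks in' only when the assessor's own value and the pooled
    value differ by a pre-defined margin. The text says '2 points'; here we
    assume one point is one tenth on the 0..1 scale and that a gap of two
    points or more triggers the prompt (assumption, not from the text)."""
    if guided is None:
        return False
    gap = abs(round(self_estimate * 10) - round(guided * 10))
    return gap >= max_gap_points


def risk_index(likelihood: float, impact: float) -> float:
    """Risk rating formula from chapter 6: likelihood x impact (0.1 * 100 = 10)."""
    return likelihood * impact


def risk_category(index: float, low_max: float = 10, medium_max: float = 50) -> str:
    """Map an index to a band. The band limits are constructed; the
    dissertation's own ranges (fig 6.1c) are not reproduced here."""
    if index <= low_max:
        return "low"
    if index <= medium_max:
        return "medium"
    return "high"


def main() -> None:
    # John's scenario: a speculative low likelihood paired with a high impact.
    own = 0.1
    guided = guided_probability(SAMPLE_POOL, "Finance", "A",
                                "External attacker", "Cross Site Scripting")
    print(f"own estimate {own}, guided {guided}, review? {needs_review(own, guided)}")
    for lk in (own, guided):
        idx = risk_index(lk, 100)
        print(f"likelihood {lk}: index {idx:.0f} -> {risk_category(idx)}")


if __name__ == "__main__":
    main()
```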
Updated anonymized risk assessments being made available by various Organizations in real-time over the knowledge pool could potentially have been used to ensure that all known threats to an asset were identified and addressed. In cases such as CSS, the knowledge of crowds could be used to “figure out the odds” in spite of cumulatively lower risk index ratings, ensuring the availability of critical information when needed.
Even if an IS incident were to happen, including those unidentified before, the combination of reporting & filtered Watch-list functionality could have been used to report the incident (problem & a solution) in real time and alert many others in the network, preventing further compromise of territory & subsequently minimizing the area of compromise. Such selfless reporting saves other members from facing the likelihood of such attacks, or at least prepares them to defend better against the onset of such an attack. All submitted RA reports are stripped and K-anonymized, and each field is referentially accessible by queries via ORAF. The HUD on the ORAF webpage constantly monitors new threats, which are color coded (label 7 in fig 5.6a) to ensure a comprehensive risk assessment has been made for an asset at a given point in time. These elucidate our mutual defense strategy.
Chapter 7
In this chapter, we conclude our research with a reflective report on insight & learning.
7.1 Reflective Conclusion
The main aim of this Masters dissertation was to propose a framework for standardized Risk
assessment approach and decision support tool, to allow participating organizations to take
part in a mutual defense initiative against lurking cyber threats which was previously limited by
concerns for privacy & trust. The focus being on addressing risks to Organizations, we encouraged sharing anonymized versions of partially obscured RA reports via ORAF to realize the comprehensiveness or validity of an assessment and also to aid Managerial decision making by providing guidance on the Probability or likelihood index, a free flow of mission critical information to address the knowledge gap, and the ability to validate decisions based on logical constructs by referring to the multitude of knowledge of crowds. The ORAF was also designed with the ability to report an incident with a solution where applicable & receive alerts in real time, near instantaneously, via subscribed watch-list monitors to all in the network, thereby controlling the spread of epidemic attacks.
The very foundation of motivation for this research was laid by Dr. Burnap of Cardiff University UK (http://burnap.org/) and was kindled by the UK Gov’s cyber security goals for 2015 (cabinet office 2011), coupled with a strong personal interest in Information security. Assimilated knowledge from academic & real world risk assessment practices and the complications involved, followed by unabated breaches of security in spite of such risk controls, provoked the need to dive in depth and understand where exactly we are going wrong. With each individual risk assessment within various organizations, are we re-inventing the wheel with the same inherent flaws of conducting an assessment for the same asset and each time missing out important controls? The industry acknowledges that there exists a knowledge gap when identifying emerging or unknown threats. Why not share Risk related data with similar industry sectors to challenge the comprehensiveness of assessments & strengthen cyber space mutually?
Upon research we uncovered important issues relevant to the RM process:
a. Organizations are quite particular & concerned for their privacy when it comes to sharing RA documents and often lack trust in their perception of rival organizations.
b. ISO 27001 is a document of “What” and not “How” to actually do the RA process.
c. There was also no way to identify a security incident until it had happened.
d. Managers, who authorized prioritized risk controls, had no trusted way of validating their decisions, and there existed knowledge gaps often compounded by cognitive biases that clouded better decisions.
In support of the above claims, Chapter 2 shows in detail the currently existing trends, processes and misconceptions with ISMS. Although risk assessments are an extremely integral part of an RM process, we learnt that current RA approaches are far too varied and are not suitable for scenarios where one needs to conduct rapid assessments. Also analyzed is the widely practiced Risk index or Risk rating formula whose computed points system forms the basis of prioritizing risks. Practically speaking, they did not seem to provide a solid basis for formulating risk priorities, and one needs to logically examine and involve a certain degree of rational reasoning when prioritizing risks. As always, traditional ISMS processes were rigid & authoritative and often failed when such arguments or decisions needed to be validated. A lot of existing RA tools available commercially restrict assessments within Organizational boundaries. We used trial versions of vsRisk to see how it fared in terms of fluidity, but it too was rigid, with pre-populated identifiers & little room for a comparative assessment.
Also, we learnt that security risk controls are expensive to implement and the industry was facing difficulties in validating its security enhancements. We realized that there was a clear case of a knowledge gap between the Technical assessors & the Managerial authority. Though risk assessments did identify vulnerabilities and threats to an asset and measures of control, we still lack a way to autonomously align these assessments in terms of business concepts.
Thus, taking into consideration the key concerns, we spent a considerable amount of time conducting interviews & background research, as summarized in chapter 3. A considerable number of the quality articles that were available argued the inherent flaws in traditional ISMS: Managers lacking an effective decision channel. Although there were a variety of research papers that argued in favor of cultivating the free flow of information and sharing security responses, it was surprising to see that not even a handful were implemented & many faced resistance. Lack of trust & privacy concerns often came out as the top two reasons for this, and we wanted to find a way to address it.
To complement a structured approach to RA, we developed the ORAF risk assessment guidance model, aiming to bring in a collaborative defence strategy by sharing RA data with peers, and ensured that it aligned with the ISO 27001 PDCA cycle to avoid inconsistencies. Dividing organisations into zones based on their industry sectors, we hypothesised that an event of a particular type is more likely to occur in certain zones than in others, depending partly on the motive of the threat entity and partly on the resources of the territory. Since ISMS is a continual process, we also suggested a facility to report and receive IS incidents as near instantaneously as possible, with the aim of minimising threat propagation. The commercially available WARP service was critically examined in section 4.3 and contrasted with ORAF's filtered reporting service.
To gain trust in the system and to address the privacy concerns of participating organisations, we suggested the use of the k-anonymity algorithm and anonymised a sample RA data set for demonstration purposes, striking a balance between loss of information and abstraction as listed in section 4.4.2. The challenging part was deciding which parts of the data to obscure and which to preserve. This choice is critical: we did not want to give away sensitive information from the RA report, nor obscure so much that the very purpose of the effort is defeated.
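The trade-off described above can be made concrete. The following Python example is added here for illustration and is not code from the thesis or from ORAF: it takes a constructed set of RA records, treats sector, employee count and region as quasi-identifiers, generalises them level by level (exact value, then a coarser band or group, then full suppression) and, within an optional suppression budget, drops the records whose quasi-identifier tuple still occurs fewer than k times. The organisation names, sectors, figures and generalisation hierarchies are all invented for the example; the sensitive fields (threat, likelihood, impact) are released unchanged, because they are what peer organisations need, while the direct identifier is never released.

```python
"""k-anonymity by generalisation and suppression for shared RA records (added example)."""
from collections import Counter
from itertools import product
from typing import Callable, Dict, List, Tuple

Record = Dict[str, object]

# Constructed sample RA records: organisation names, sectors and figures are invented.
RA_RECORDS: List[Record] = [
    {"org": "Acme Bank", "sector": "retail banking", "employees": 5200, "region": "London",
     "threat": "credential stuffing", "likelihood": 4, "impact": 5},
    {"org": "Borough Building Society", "sector": "retail banking", "employees": 800,
     "region": "Manchester", "threat": "phishing", "likelihood": 3, "impact": 4},
    {"org": "Cardinal Capital", "sector": "investment banking", "employees": 12000,
     "region": "London", "threat": "insider data theft", "likelihood": 2, "impact": 5},
    {"org": "Dale NHS Trust", "sector": "public healthcare", "employees": 9000, "region": "Leeds",
     "threat": "ransomware", "likelihood": 4, "impact": 5},
    {"org": "Elm Private Clinic", "sector": "private healthcare", "employees": 150,
     "region": "London", "threat": "lost laptop", "likelihood": 3, "impact": 3},
    {"org": "Fenwick Clinic", "sector": "private healthcare", "employees": 400, "region": "Bristol",
     "threat": "phishing", "likelihood": 3, "impact": 2},
]

# Assumed generalisation hierarchies (hypothetical, chosen for the example).
SECTOR_GROUP = {"retail banking": "finance", "investment banking": "finance",
                "public healthcare": "healthcare", "private healthcare": "healthcare"}


def employee_band(n: int) -> str:
    """Coarsen an exact head count into an order-of-magnitude band."""
    if n < 1000:
        return "1-999"
    if n < 10000:
        return "1000-9999"
    return "10000+"


# Level 0 is the raw value; the last level ("*") suppresses the attribute entirely.
HIERARCHIES: Dict[str, List[Callable[[object], object]]] = {
    "sector": [lambda v: v, lambda v: SECTOR_GROUP[v], lambda v: "*"],
    "employees": [lambda v: v, lambda v: employee_band(v), lambda v: "*"],
    "region": [lambda v: v, lambda v: "UK", lambda v: "*"],
}
QIS = list(HIERARCHIES)                       # quasi-identifiers
SENSITIVE = ["threat", "likelihood", "impact"]  # released verbatim; "org" is never released


def generalise(record: Record, levels: Tuple[int, ...]) -> Record:
    """Apply the chosen generalisation level to each quasi-identifier."""
    out: Record = {q: HIERARCHIES[q][lvl](record[q]) for q, lvl in zip(QIS, levels)}
    out.update({s: record[s] for s in SENSITIVE})
    return out


def qi_tuple(record: Record) -> Tuple[object, ...]:
    return tuple(record[q] for q in QIS)


def is_k_anonymous(records: List[Record], k: int) -> bool:
    """True when every quasi-identifier tuple occurs at least k times."""
    counts = Counter(qi_tuple(r) for r in records)
    return bool(records) and min(counts.values()) >= k


def anonymise(records: List[Record], k: int, max_suppressed: int = 0):
    """Full-domain generalisation search, least generalised combination first.

    Records whose equivalence class is still smaller than k are suppressed; the
    first combination whose suppressions fit the budget wins.
    Returns (released records, levels used, number of suppressed records).
    """
    combos = sorted(product(*[range(len(HIERARCHIES[q])) for q in QIS]), key=sum)
    for levels in combos:
        gen = [generalise(r, levels) for r in records]
        counts = Counter(qi_tuple(r) for r in gen)
        released = [r for r in gen if counts[qi_tuple(r)] >= k]
        suppressed = len(gen) - len(released)
        if suppressed <= max_suppressed:
            return released, levels, suppressed
    raise ValueError("no generalisation satisfies k within the suppression budget")


if __name__ == "__main__":
    for budget in (0, 2):
        released, levels, suppressed = anonymise(RA_RECORDS, k=2, max_suppressed=budget)
        print(f"k=2, suppression budget {budget}: levels {dict(zip(QIS, levels))}, "
              f"suppressed {suppressed}")
        for rec in released:
            print("  ", rec)
```

With no suppression budget the search has to generalise sector to its group, drop the employee count and collapse region to "UK" before every class reaches size two, which loses most of the context; allowing two records to be suppressed instead keeps the exact sector at the cost of withholding the two organisations that have no peer in the set. That is exactly the "how much to obscure" decision the thesis describes. Note also that k-anonymity alone says nothing about the sensitive columns: if every record in a class reports the same threat, a reader still learns it (the homogeneity problem that l-diversity was introduced to address), so the sensitive fields deserve the same scrutiny before release.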
In the design specification section we presented a technical blueprint for interested developers to build this system. Considerable work went into ensuring that the business requirements were met and the desired level of generalisation achieved in the top-level use cases, followed by activity and sequence diagrams. To give a visual impression of the ORAF framework we used Balsamiq Mockups to sketch the system graphically. We developed and demonstrated ORAF's guided probability functionality, based on our hypothesis that by maximising the accuracy of likelihood, one of the two factors of the risk index, and validating it against the knowledge of the crowd, the overall accuracy could be improved considerably. We also formulated a formula to achieve this and validated it with an example. The concluding chapter featured a scenario validation showing how ORAF could have addressed the commonly occurring issues experienced with traditional ISMS processes.
During the course of this research we had the wonderful opportunity to interact with senior IS personnel and to learn about the challenges they face in everyday risk assessments. The field of information security is indeed a challenging one, yet the thrill of diving deeper, uncovering newer controls and techniques to address its shortcomings and promoting a safer cyber space is what kept us going.
7.2 Contributions
Through our research we believe we have taken collaborative IS risk assessment and verifiable decision making one step closer to the goal of a safer cyber space (Cabinet Office 2011). The proposed risk assessment guidance model in chapter 4, aligned with ISO 27001's PDCA model, and the formula for probability estimation based on the knowledge of the crowd defined in chapter 5, demonstrated that IS risk assessments need not lack effective validation measures, and showed ORAF's capability as a decision support tool. We also suggested that k-anonymity, widely practised in the public release of medical records, be applied to information security RA reports, obscuring just enough information to allow critical information to be shared with participating organisations without privacy or trust concerns, thereby strengthening cyber security collectively. The idea of reporting an IS incident, together with possible countermeasures, near instantaneously to participating organisations via a filtered or subscriber list was suggested as a way of suppressing widespread attacks. A standardised RA template in spreadsheet format has also been suggested and is attached in the appendix.
7.3 Limitations & Future Work
This research, a bold step towards collaborative cyber security defence attainable through sharing anonymised risk-related data, is still at a nascent stage and has its limitations. The major limitation concerns our own work: the time and resources available were severely limited by the number of individual organisations willing to contribute to our study and by the security personnel who could give their valuable time to an academic research project. Had we had access to actual real-world RA reports from various organisations and to their managerial decision makers, we would have been able to classify the research work in more detail. As technical architects, we were able to go only so far as to design a framework specification for the system with UML and mockups, but regrettably not to build it. There is a surprising amount of information available online, yet most of it is highly unstructured. We experimented with and suggested the commercially available Recorded Future temporal prediction engine API in our work, which intends to structure such data and provide in-depth trends; however, we would like to develop an open source trend engine native to ORAF in the future. If it were also possible to receive SMS text notifications over mobile networks, or through a mobile version of ORAF, the turnaround time from report to reception could be reduced further. The future of RA and ORAF could lie in developing a "specification language" that transcends and aligns technical and business language. As with any research, we would like to see this work critically reviewed, challenged and improvements suggested. Nonetheless, the time spent on this research was fruitful and taught us a lot about organisational risk assessment and decision making. We hope this work provides a starting point for fostering a standardised approach to the RM process and to sharing critical information across boundaries to enable a safer cyber space, and we hope the framework is taken up by developers and researchers for future study.
References
Burnap, P.R. 2009. Advanced Access Control in Support of Distributed Collaborative Working and.
Cabinet Office, UK 2011. The UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World. November. Available at: http://www.cabinetoffice.gov.uk/resource-library/cyber-security-strategy/.
Cohen, D. 2012. What is a Zero-Day Exploit? An introduction to zero-day software exploits and tips on avoiding them at home [Online]. Available at: http://what-is-what.com/what_is/zero_day_exploit.html [Accessed: 2 August 2012].
Coldman, D. 2011. Organized cybercrime has already hacked you. CNNMoney, 27 July 2011 [Online]. Available at: http://money.cnn.com/2011/07/27/technology/organized_cybercrime/index.htm [Accessed: 17 July 2012].
Coles-Kemp, L. 2009. Information security management: An entangled research challenge. Information Security Technical Report 14(4), pp. 181–185. Available at: http://linkinghub.elsevier.com/retrieve/pii/S1363412710000063 [Accessed: 23 July 2012].
Dyadem 2012. Stature Risk Management: Upgrading to Stature Risk Management.
El Emam, K. and Dankar, F.K. 2008. Protecting privacy using k-anonymity. Journal of the American Medical Informatics Association 15(5), pp. 627–637. Available at: http://www.pubmedcentral.nih.gov/articlerender.fcgi?artid=2528029&tool=pmcentrez&rendertype=abstract [Accessed: 6 September 2012].
Eli 2010. Introduction to Risk Assessment [Online]. Available at: http://www.youtube.com/watch?v=EWdfovZIg2g&feature=fvwrel [Accessed: 3 August 2012].
Elsinger, H. et al. 2003. Risk Assessment for Banking Systems. Available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=423985.
Gionis, A. 2007. Approximation algorithms for k-anonymity and privacy preservation in query logs.
Gov 2010. A Background to WARPs [Online]. Available at: http://www.warp.gov.uk/background.html [Accessed: 5 September 2012].
HHS 2002. HIPAA Privacy Rule. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html [Accessed: 29 August 2012].
IBM 2005. Sequence Diagrams [Online]. Available at: http://publib.boulder.ibm.com/infocenter/rsdvhelp/v6r0m1/index.jsp?topic=/com.ibm.xtools.modeler.doc/topics/cseqd_m.html [Accessed: 30 August 2012].
India, T. 2010. Information accuracy and decision-making capability. eresource ERP [Online]. Available at: http://www.eresourceerp.com/Information-accuracy.html [Accessed: 3 September 2012].
LeFevre, K. et al. 2005. Incognito: Efficient Full-Domain K-Anonymity. In: SIGMOD.
Mandrik, C.A. 2005. Exploring the Concept and Measurement of General Risk Aversion. 32, pp. 531–539.
Narayanan, A. and Shmatikov, V. 2010. Myths and fallacies of "personally identifiable information". Communications of the ACM 53(6), p. 24. Available at: http://portal.acm.org/citation.cfm?doid=1743546.1743558 [Accessed: 30 July 2012].
OWASP 2006. Introduction to OWASP. Available at: https://www.owasp.org/index.php/File:Introduction_to_OWASP.ppt.
Ozkan, S. and Karabacak, B. 2010. Collaborative risk method for information security management practices: A case context within Turkey. International Journal of Information Management 30(6), pp. 567–572. Available at: http://linkinghub.elsevier.com/retrieve/pii/S0268401210001222 [Accessed: 23 July 2012].
Peyton, E. 2010. Data Security: A 5-Step Risk Assessment Plan [Online]. Available at: http://www.smallbusinesscomputing.com/news/article.php/3896756/Data-Security-A-5Step-Risk-Assessment-Plan.htm [Accessed: 22 August 2012].
PricewaterhouseCoopers 2010. PwC UK - Research.
Qi, X. and Zong, M. 2012. An Overview of Privacy Preserving Data Mining. Procedia Environmental Sciences 12 (ICESE 2011), pp. 1341–1347. Available at: http://linkinghub.elsevier.com/retrieve/pii/S1878029612004331 [Accessed: 31 July 2012].
Rak, A. 2002. Information Sharing in the Cyber Age: a Key to Critical Infrastructure Protection.
Recorded Future 2012. Recorded Future: Solutions for Defense & Intelligence [Online]. Available at: https://www.recordedfuture.com/.
Samarati, P. and Sweeney, L. 1998. Protecting Privacy when Disclosing Information: k-Anonymity and Its Enforcement through Generalization and Suppression. pp. 1–19.
Schneier, B. 2011. The security mirage. TED talk.
SecureThinking, BT 2012. Are Security Risk Assessments Outdated? Secure Thinking [Online]. Available at: http://www.btsecurethinking.com/2012/02/are-security-risk-assessments-outdated/ [Accessed: 17 July 2012].
Security, C. and Webcast 2004. Detailed risk assessment report.
Sims, S. 2012. Qualitative vs. Quantitative Risk Assessment [Online]. Available at: http://www.sans.edu/research/leadership-laboratory/article/risk-assessment [Accessed: 21 July 2012].
Siponen, M. and Willison, R. 2009. Information security management standards: Problems and solutions. Information & Management 46(5), pp. 267–270. Available at: http://linkinghub.elsevier.com/retrieve/pii/S0378720609000561 [Accessed: 16 July 2012].
Stanleigh, M. 2010. Risk Management...The What, Why, and How [Online]. Available at: http://www.bia.ca/articles/rm-risk-management.htm [Accessed: 25 July 2012].
Stewart, A. 2004. On risk: perception and direction. Computers & Security 23(5), pp. 362–370. Available at: http://linkinghub.elsevier.com/retrieve/pii/S0167404804001233 [Accessed: 23 July 2012].
Straub, D.W. and Welke, R.J. 1998. Coping with Systems Risk: Security Planning Models for Management Decision Making. MIS Quarterly 22(4), pp. 441–469.
The IIA. Managing and Auditing IT Vulnerabilities. Available at: www.theiia.org/download.cfm?file=96404.
Tregear, J. 2001. Risk Assessment.
US Department of Homeland Security 2011. Blueprint for a Secure Cyber Future.
Williams, R. and Blum, M. 2007. k-anonymity. pp. 1–7.
Wright, C.S. 2012. IS interview with Craig.
Appendix
A1. ISO 27001 compliant Risk Assessment Template
A. Asset registration form
B. Risk assessment form
The above two forms have been developed for ORAF and are ISO 27001 compliant.