dc.contributor.advisor: Snekkenes, Einar
dc.contributor.advisor: Kowalski, Stewart
dc.contributor.author: Wangen, Gaute Bjørklund
dc.date.accessioned: 2017-06-28T12:40:28Z
dc.date.available: 2017-06-28T12:40:28Z
dc.date.issued: 2017
dc.identifier.isbn: 978-82-326-2379-2
dc.identifier.issn: 1503-8181
dc.identifier.uri: http://hdl.handle.net/11250/2447264
dc.description.abstract:

We conduct risk assessments to reduce the uncertainty regarding future events, in order to make the best decisions possible and to control risk. In industry, the aim is to find the appropriate balance in risk-taking relative to the organization's risk appetite and tolerance: too many security controls inhibit business functionality, and too few lead to unacceptable exposure. The complexity of the information and cyber security domain increases daily, which makes identifying, analyzing, and controlling the relevant risk events a major challenge. This thesis therefore addresses several aspects of Cyber and Information Security Risk Assessment (ISRA) and Management (ISRM) practices and contributes novel research problems, methods, models, and knowledge to the discipline. It applies the Design Science Research framework to investigate the theoretical and practical issues in ISRA. The challenges within the ISRM field are many, and scholars, researchers, and practitioners have known about several of them for many years. With over a hundred ISRA methods to choose from and multiple theoretical comparative studies of them, the literature on issues in ISRM was dispersed. To address this problem, the thesis applies a literature review and structures the known research problems into a taxonomy. The findings from the initial literature survey were mainly theoretical, which made their practical relevance and implications uncertain. For a variety of reasons, one of the fundamental problems in information security is conducting empirical research. To validate and expand the initial findings, this work reached industry practitioners through an online questionnaire. The study found that the main ISRM issues for practitioners concerned risk communication, security measurements, and return on investment.

For risk assessment and analysis, we found the key issues to be the application of quantitative and qualitative methods, the need for expertise, and asset evaluation. Furthermore, empirical studies of method use are necessary to derive cause and effect between method choice, tasks, and results, and to establish what works in ISRA. Multiple comparative assessments of ISRM/RA methods exist, but they are primarily scoped to compare method content against a predetermined set of criteria. Although the findings from these approaches are useful for understanding ISRA practices, they leave out the tasks and activities not present in the criteria and do not help in establishing cause and effect. To address this, we propose the Core Unified Risk Framework (CURF) as a bottom-up approach to ISRA method comparison and as a measure of method completeness. By applying CURF, we found ISO/IEC 27005 Information Security Risk Management to be the most complete approach at present, with Factor Analysis of Information Risk (FAIR) as the most complete risk estimation method. We also discovered several gaps in the surveyed methods. Moreover, we ran an experiment in which we applied three different ISRA methods to four large-scale case studies. Using CURF in a novel way enabled us to perform metadata analysis of the ISRA reports and establish cause and effect between ISRA method choice and result. Our study found that the method selection influences both the assessment process and its outcome. Finally, one of the most discussed research problems in ISRM is the application of qualitative versus quantitative methods. In short, the critique of the two approaches is: (i) quantitative ISRA is mostly conducted using previous cases and historical data, and depending on statistical data alone is naive because the data quickly becomes obsolete, is often scarce, and covers only previously observed events; (ii) qualitative ISRA is prone to several human biases.

ISRM methods claim to be mainly quantitative or qualitative, but the quantitative-versus-qualitative situation is not strictly either-or: there are degrees of subjectivity and human-made assumptions in any risk assessment, and this work explores the intersection of the two approaches. First, we analyzed the limitations of quantitative ISRA forecasting through a novel application of Taleb's Four Quadrants risk classification scheme. Using the findings from the prior CURF studies combined with the risk classification scheme, we construct a state-of-the-art model for risk assessing a Distributed Denial of Service (DDoS) attack. The risk model consists of distinct classes and estimators gathered from CURF; the novelty lies in combining both the quantitative (statistical) and qualitative (subjective, knowledge-based) aspects to model the attack and estimate the risk. The approach centers on qualitative estimations of assets, vulnerabilities, threats, controls, and associated outcomes, together with a statistical analysis of the risk. Our main contribution is the process for combining qualitative and quantitative estimation methods for cyber security risks, together with insight into which technical details and variables to consider when risk assessing a DDoS amplification attack.
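The abstract describes combining statistical data (observed attack sizes) with subjective, knowledge-based estimates (threat frequency, control strength, loss magnitude) into one risk estimate for a DDoS amplification attack. The block below is an added illustration of that general idea in the form of a FAIR-style Monte Carlo simulation; it is not the thesis's model, not CURF, and none of the numbers come from the thesis. The observed peak sizes, the triangular expert ranges, the link capacity and the outage-duration rule are all constructed assumptions.

```python
"""Added example (not from the thesis): FAIR-style Monte Carlo estimate of
annual loss from DDoS amplification attacks, mixing a bootstrapped sample of
observed attack sizes (the quantitative, statistical part) with expert
min/most-likely/max ranges (the qualitative, knowledge-based part)."""
import random
import statistics

# Constructed sample of observed amplification-attack peak sizes in Gbps,
# standing in for an organisation's own telemetry. Hypothetical values.
OBSERVED_PEAK_GBPS = [3.2, 5.1, 8.7, 12.0, 4.4, 21.5, 6.3, 9.9, 15.2, 2.8, 40.0, 7.5]

# Constructed expert estimates as (min, most likely, max) triangles.
EXPERT_INPUTS = {
    "attacks_per_year": (2, 5, 12),                # threat event frequency
    "mitigation_fraction": (0.5, 0.8, 0.95),       # share of traffic absorbed by upstream scrubbing
    "cost_per_hour_down": (5_000, 20_000, 60_000), # loss magnitude per hour of outage
}
CAPACITY_GBPS = 10.0  # assumed ingress capacity that must not be exceeded


def sample_triangle(rng, lo, mode, hi):
    """Draw from a triangular distribution; random.triangular takes (low, high, mode)."""
    return rng.triangular(lo, hi, mode)


def bootstrap_peak(rng, sample):
    """Quantitative part: resample an observed peak size with replacement."""
    return rng.choice(sample)


def hours_down(peak_gbps, mitigation_fraction, capacity):
    """Assumed outage rule: no outage while residual traffic fits the link;
    otherwise duration grows with the overload ratio, capped at one day."""
    residual = peak_gbps * (1.0 - mitigation_fraction)
    if residual <= capacity:
        return 0.0
    return min(24.0, 2.0 * residual / capacity)


def simulate_annual_loss(rng, n_years):
    """One simulated year per iteration: draw an attack count from the expert
    range, then for each attack combine a bootstrapped peak with expert draws
    for control strength and hourly cost."""
    losses = []
    for _ in range(n_years):
        n_attacks = round(sample_triangle(rng, *EXPERT_INPUTS["attacks_per_year"]))
        total = 0.0
        for _ in range(n_attacks):
            peak = bootstrap_peak(rng, OBSERVED_PEAK_GBPS)
            mitigated = sample_triangle(rng, *EXPERT_INPUTS["mitigation_fraction"])
            cost = sample_triangle(rng, *EXPERT_INPUTS["cost_per_hour_down"])
            total += hours_down(peak, mitigated, CAPACITY_GBPS) * cost
        losses.append(total)
    return losses


def summarize(losses):
    """Report the loss distribution, not a single point: mean, median, 95th
    percentile and the probability of a loss-free year."""
    s = sorted(losses)
    n = len(s)
    return {
        "mean": statistics.fmean(s),
        "p50": s[n // 2],
        "p95": s[int(0.95 * n)],
        "p_zero": sum(1 for x in s if x == 0.0) / n,
    }


def run(seed=1, n_years=10_000):
    """Entry point: seeded so results are reproducible for a given input set."""
    return summarize(simulate_annual_loss(random.Random(seed), n_years))


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value:,.2f}")
```

The point of reporting percentiles rather than a single expected value is exactly the fat-tail concern raised above: the bootstrapped sample contains one 40 Gbps outlier, and the 95th percentile shows how much of the annual loss is driven by such rare events, which a mean alone hides. Replacing the constructed inputs with real telemetry and a calibrated expert elicitation is what turns this skeleton into an actual assessment.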
dc.language.iso: eng
dc.publisher: NTNU
dc.relation.ispartofseries: Doctoral theses at NTNU; 2017:153
dc.relation.haspart: Paper 1: Wangen, Gaute; Snekkenes, Einar. A Taxonomy of Challenges in Information Security Risk Management. In: Proceedings of the Norwegian Information Security Conference / Norsk informasjonssikkerhetskonferanse, NISK 2013.
dc.relation.haspart: Paper 2: Wangen, Gaute; Snekkenes, Einar. A Comparison between Business Process Management and Information Security Management. In: Proceedings of the 2014 Federated Conference on Computer Science and Information Systems. IEEE conference proceedings. http://dx.doi.org/10.15439/2014F77 © 2014 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
dc.relation.haspart: Paper 3: Wangen, Gaute. An Initial Insight Into InfoSec Risk Management Practices. Norsk Informasjonssikkerhetskonferanse (NISK) 2015, Suppl. 12.
dc.relation.haspart: Paper 4: Wangen, Gaute. An initial insight into Information Security Risk Assessment practices. In: Annals of Computer Science and Information Systems, Volume 8, Proceedings of the 2016 Federated Conference on Computer Science and Information Systems. IEEE conference proceedings 2016, pp. 999-1008. http://dx.doi.org/10.15439/2016F158 © 2016 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
dc.relation.haspart: Paper 5: Wangen, Gaute; Hallstensen, Christoffer; Snekkenes, Einar. Framework for estimating information security risk assessment method completeness - Core Unified Risk Framework. http://dx.doi.org/10.1007/s10207-017-0382-0 © The Author(s) 2017. This article is an open access publication.
dc.relation.haspart: Paper 6: Wangen, Gaute. Information Security Risk Assessment: A Method Comparison. Computer, vol. 50, no. 4, 2017, pp. 52-61. http://dx.doi.org/10.1109/MC.2017.107 © 2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
dc.relation.haspart: Paper 7: Wangen, Gaute; Shalaginov, Andrii. Quantitative Risk, Statistical Methods and the Four Quadrants for Information Security. In: Risks and Security of Internet and Systems: 10th International Conference, CRiSIS 2015. The final publication is available at http://dx.doi.org/10.1007/978-3-319-31811-0_8
dc.relation.haspart: Paper 8: Wangen, Gaute; Shalaginov, Andrii; Hallstensen, Christoffer V. Cyber security risk assessment of a DDoS attack. Lecture Notes in Computer Science, vol. 9866, 2016, pp. 183-202. The final publication is available at http://dx.doi.org/10.1007/978-3-319-45871-7_12
dc.title: Cyber Security Risk Assessment Practices: Core Unified Risk Framework
dc.type: Doctoral thesis
dc.subject.nsi: VDP::Technology: 500::Information and communication technology: 550::Computer technology: 551