• Analysis of information security risks in the banking sector using the example of UniCredit Bank. Multifactor analysis of information security risks. Approaches and methods

    How to correctly assess information security risks - our recipe

    The task of assessing information security risks is today perceived ambiguously by the expert community, and there are several reasons for this. First, there is no gold standard or generally accepted approach. The numerous standards and methods, although similar in general terms, differ significantly in their details. Which technique is used depends on the area and object of assessment, but choosing the appropriate method becomes a problem when the participants in the assessment have different understandings of it and of its results.

    Second, assessing information security risks is a purely expert task. Analysis of risk factors (damage, threat, vulnerability, etc.) performed by different experts often gives different results. This lack of reproducibility raises questions about the reliability and usefulness of the data obtained. Human nature is such that abstract assessments, especially those expressed in probabilistic units, are perceived differently by different people. Existing applied theories designed to account for a person's subjective perception (for example, prospect theory) further complicate an already complex risk analysis methodology and do not help its adoption.

    Third, the risk assessment procedure itself in its classical sense, with decomposition and inventory of assets, is a very labor-intensive task. Trying to perform the analysis manually with common office tools (such as spreadsheets) inevitably leaves you drowning in a sea of information. Specialized software tools designed to simplify individual stages of risk analysis make modeling somewhat easier, but do nothing to simplify the collection and systematization of data.

    Finally, the very definition of risk in the context of information security has not yet settled. Just look at how the terminology of ISO Guide 73:2009 changed compared with the 2002 edition. Where risk was previously defined as the potential for damage due to the exploitation of a vulnerability by some threat, it is now the "effect of uncertainty on objectives", an effect being a deviation from what is expected, positive or negative. Similar conceptual changes occurred in the new edition of ISO/IEC 27001:2013.

    For these and a number of other reasons, information security risk assessments are treated with caution at best and with great distrust at worst. This discredits the very idea of risk management, which ultimately leads management to sabotage the process and, as a result, to the numerous incidents with which the annual analytical reports are replete.

    Considering the above, from which side is it better to approach the task of assessing information security risks?

    Fresh look

    Information security today is increasingly focused on business goals and integrated into business processes. Similar metamorphoses occur with risk assessment - it acquires the necessary business context. What criteria should a modern information security risk assessment methodology meet? Obviously, it should be simple and universal enough so that the results of its application are credible and useful to all participants in the process. Let us highlight a number of principles on which such a methodology should be based:

    1. avoid excessive detail;
    2. rely on the opinion of the business;
    3. use examples;
    4. consider external sources of information.

    The essence of the proposed methodology is best demonstrated with a practical example. Let's consider the task of assessing information security risks in a trading and manufacturing company. Where does it usually start? From defining the boundaries of assessment. If a risk assessment is carried out for the first time, its boundaries should include the main business processes that generate revenue, as well as the processes that serve them.

    If business processes are not documented, a general idea of them can be obtained by studying the organizational structure and the regulations on departments, which describe their goals and objectives.

    Having determined the boundaries of the assessment, let's move on to identifying assets. In line with the above, we will treat the main business processes as enlarged assets and postpone the inventory of information resources until later steps (rule 1). The methodology moves gradually from the general to the specific, and at this level of detail that data is simply not needed.

    Risk factors

    Let us assume that the composition of the assets being assessed has been decided. Next, the threats and vulnerabilities associated with them would normally be identified. That approach, however, applies only to a detailed risk analysis, where the objects surrounding an information asset are themselves the objects of assessment. In the new version of ISO/IEC 27001:2013 the focus of risk assessment has shifted from traditional IT assets to information and its processing. Since at the current level of detail we are considering the company's enlarged business processes, it is enough to identify only the high-level risk factors inherent in them.

    A risk factor is a specific characteristic of an object, technology or process that is a source of future problems. At the same time, we can speak of risk as such only if the problems negatively affect the company's performance. This gives a logical chain: risk factor, risk scenario, negative impact on the business.

    Thus, the task of identifying risk factors comes down to identifying the unfortunate properties and characteristics of processes that determine probable risk scenarios with a negative impact on the business. To simplify it, we will use the Business Model for Information Security developed by ISACA (see Fig. 1):

    Fig. 1. Business Model for Information Security

    The nodes of the model are the fundamental driving forces of any organization: strategy, processes, people and technology; its edges represent the functional connections between them. The main risk factors are concentrated on these edges, and, as is easy to see, they are associated not only with information technology.

    How are risk factors identified with this model? The business has to be involved (rule 2). Business units usually understand the problems they face in their operations well, and they often recall the experience of industry peers. This information can be obtained by asking the right questions: questions about personnel go to the HR service, technological questions to the automation (IT) service, and questions about business processes to the relevant business units.

    When identifying risk factors it is more convenient to start from problems. Once a problem has been identified, determine its cause; the result may be a new risk factor. The main difficulty is to avoid slipping into particulars. For example, if an incident resulted from an employee's unlawful actions, the risk factor is not that the employee violated a provision of some regulation, but that the action was possible at all. A risk factor is always a precondition for a problem to arise.

    In order for staff to better understand what exactly they are being asked about, it is advisable to accompany the questions with examples (rule 3). The following are examples of several high-level risk factors that can be common to many business processes:

    Staff:

    • Insufficient qualifications (Human Factors edge in Fig. 1)
    • Staff shortage (Emergence edge)
    • Low motivation (Culture edge)

    Processes:

    • Frequent changes in external requirements (Governing edge)
    • Undeveloped process automation (Enabling & Support edge)
    • Combination of roles by performers (Emergence edge)

    Technologies:

    • Legacy software (Enabling & Support edge)
    • Low user accountability (Human Factors edge)
    • Heterogeneous IT landscape (Architecture edge)

    An important advantage of the proposed method is the possibility of cross-analysis, in which two different departments look at the same problem from different angles. Given this, it is very useful to ask interviewees questions like: "What do you think about the problems identified by your colleagues?" This is a good way to obtain additional assessments and to correct existing ones. To refine the result, several rounds of such assessment can be carried out.

    Impact on business

    As follows from the definition of risk, it is characterized by the degree of influence it has on the organization's business performance. A convenient tool for determining the nature of the impact of risk scenarios on a business is the Balanced Scorecard. Without going into details, the Balanced Scorecard identifies four business perspectives for any company, connected hierarchically (see Fig. 2).

    Fig. 2. The four business perspectives of the Balanced Scorecard

    In the methodology under consideration, a risk can be considered significant if it negatively affects at least one of the following three business perspectives: finance, customers and/or processes (see Fig. 3).

    Fig. 3. Key business indicators

    For example, the risk factor “Low user accountability” can result in the “Leakage of customer information” scenario. In turn, this will affect the business indicator “Number of customers”.

    If the company has developed business metrics, this greatly simplifies the situation. Whenever it is possible to track the impact of a specific risk scenario on one or more business indicators, the corresponding risk factor can be considered significant, and the results of its assessment must be recorded in questionnaires. The higher up in the hierarchy of business metrics the impact of a scenario can be traced, the greater the potential impact on the business.

    The task of analyzing these consequences is an expert one, so it should be solved with the involvement of specialized business units (rule 2). For additional control of the obtained estimates, it is useful to use external sources of information containing statistical data on the amount of losses as a result of incidents that occurred (rule 4), for example, the annual “Cost of Data Breach Study” report.

    Probability Estimation

    At the final stage of the analysis, for each identified risk factor, the impact of which on the business has been determined, it is necessary to assess the likelihood of the occurrence of associated scenarios. What does this assessment depend on? To a large extent, it depends on the sufficiency of the protective measures implemented in the company.

    There is a small assumption here. It is logical to assume that since the problem has been identified, it means that it is still relevant. At the same time, the implemented measures are most likely not enough to neutralize the preconditions for its occurrence. The sufficiency of countermeasures is determined by the results of assessing the effectiveness of their application, for example, using a system of metrics.

    For assessment, you can use a simple 3-level scale, where:

    3 - implemented countermeasures are generally sufficient;

    2 - countermeasures have not been implemented sufficiently;

    1 - no countermeasures.

    Specialized standards and guidelines, for example COBIT 5 or ISO/IEC 27002, can be used as references describing countermeasures. Each countermeasure must be associated with a specific risk factor.

    It is important to remember that we are analyzing risks associated not only with the use of IT but also with the organization of the company's internal information processes, so countermeasures need to be considered more broadly. It is no accident that the new version of ISO/IEC 27001:2013 states that the necessary controls may be designed by the organization or identified from any source (rule 4), with Annex A serving as a reference list for checking that nothing necessary has been omitted.

    Magnitude of risk

    To determine the final risk value, the simplest possible table can be used (see Table 1).

    Table 1. Risk assessment matrix

    If a risk factor affects several business perspectives, for example "Customers" and "Finance", their indicators are summed. The dimension of the scale, as well as the acceptable levels of information security risk, can be defined in any convenient way. In the example above, risks of levels 2 and 3 are considered high.

    At this point the first stage of the risk assessment can be considered complete. The final value of the risk associated with the assessed business process is the sum of the composite values for all identified factors. The risk owner can be taken to be the person responsible in the company for the assessed object.

    The resulting figure does not tell us how much money the organization risks losing. Instead, it indicates the area where risks are concentrated and the nature of their impact on business performance. This information is necessary in order to further focus on the most important details.
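    The scoring described in the "Impact on business", "Probability estimation" and "Magnitude of risk" sections above, as an added example in Python (not code from the original article). Table 1 is not reproduced on this page, so the 3x3 RISK_MATRIX below is an assumed one, keyed by countermeasure sufficiency (1..3) and the number of affected perspectives; the business processes, BMIS edges and factors in SAMPLE are constructed. The per-edge totals are what the "Detailed assessment" section uses to decide where to increase the level of detail.

```python
"""Risk scoring for the coarse-grained method described above.

Added example, not code from the original article. Table 1 is not reproduced on the
page, so RISK_MATRIX below is an assumed 3x3 matrix; the sample factors are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# The three Balanced Scorecard perspectives the method keys a risk's significance on (Fig. 3).
PERSPECTIVES = frozenset({"finance", "customers", "processes"})

# Assumed Table 1. Rows: countermeasure sufficiency (1 = none, 2 = insufficient,
# 3 = generally sufficient). Columns: number of perspectives the scenario affects (1..3);
# several affected perspectives are summed, as the text says. Levels 2 and 3 count as high.
RISK_MATRIX = {
    1: {1: 2, 2: 3, 3: 3},
    2: {1: 1, 2: 2, 3: 3},
    3: {1: 1, 2: 1, 3: 2},
}
HIGH_RISK_LEVELS = {2, 3}


@dataclass(frozen=True)
class RiskFactor:
    name: str
    process: str           # the enlarged asset (business process) being assessed
    edge: str              # BMIS edge the factor sits on (Fig. 1)
    affects: frozenset     # perspectives the resulting scenario can be traced to
    countermeasures: int   # 1..3 on the sufficiency scale


def risk_level(factor):
    """Risk level of one factor; 0 means no traceable business impact, i.e. not significant."""
    if factor.countermeasures not in RISK_MATRIX:
        raise ValueError(f"countermeasure score must be 1..3, got {factor.countermeasures}")
    unknown = factor.affects - PERSPECTIVES
    if unknown:
        raise ValueError(f"unknown perspective(s): {sorted(unknown)}")
    impact = len(factor.affects)
    return RISK_MATRIX[factor.countermeasures][impact] if impact else 0


def score(factors):
    """Sum risk per business process (the value the risk owner answers for) and per BMIS edge."""
    per_process = defaultdict(int)
    per_edge = defaultdict(int)
    high = []
    for f in factors:
        level = risk_level(f)
        per_process[f.process] += level
        per_edge[f.edge] += level
        if level in HIGH_RISK_LEVELS:
            high.append((f.process, f.name, level))
    return dict(per_process), dict(per_edge), high


def hottest_edges(per_edge):
    """Edges carrying the highest risk concentration: where to increase the level of detail next."""
    if not per_edge:
        return []
    top = max(per_edge.values())
    return sorted(e for e, v in per_edge.items() if v == top)


# Constructed sample: two enlarged business processes of a trading and manufacturing company.
SAMPLE = [
    RiskFactor("Low user accountability", "Order processing", "Human Factors",
               frozenset({"customers", "finance"}), 2),
    RiskFactor("Legacy software", "Order processing", "Enabling & Support",
               frozenset({"processes"}), 1),
    RiskFactor("Staff shortage", "Production planning", "Emergence",
               frozenset({"processes", "finance", "customers"}), 3),
    RiskFactor("Heterogeneous IT landscape", "Production planning", "Architecture",
               frozenset({"processes"}), 3),
    RiskFactor("Frequent changes in external requirements", "Production planning", "Governing",
               frozenset(), 2),   # no impact traceable to a perspective: dropped as not significant
]

if __name__ == "__main__":
    per_process, per_edge, high = score(SAMPLE)
    for process, total in sorted(per_process.items()):
        print(f"{process}: risk {total}")
    print("highest concentration:", ", ".join(hottest_edges(per_edge)))
    for process, name, level in high:
        print(f"high: {process} / {name} (level {level})")
```

    A factor that cannot be traced to any perspective scores 0 and drops out, which is the "significance" filter of the text; everything else is summed per process, so the total says where risk is concentrated, not how much money is at stake.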

    Detailed assessment

    The main advantage of the methodology under consideration is that it allows information security risks to be analyzed at the desired level of detail. If necessary, you can drill down into the elements of the information security model (Fig. 1) and consider them in more detail. For example, having found the highest concentration of risk on the IT-related edges, you can increase the level of detail in the Technology node. Where previously a separate business process was the object of the risk assessment, the focus now shifts to a specific information system and the processes of its use. To provide the required level of detail, an inventory of information resources may be needed.

    All this applies to other areas of assessment. When you change the detail of the People node, personnel roles or even individual employees can become the objects of assessment. For the “Process” node, these can be specific work regulations and procedures.

    Changing the level of detail will automatically change not only the risk factors, but also the applicable countermeasures. Both will become more specific to the object being assessed. However, the general approach to performing risk factor assessment will not change. For each identified factor it will be necessary to assess:

    • the degree of the risk's influence on the business perspectives;
    • sufficiency of countermeasures.

    Russian syndrome

    The release of ISO/IEC 27001:2013 has put many Russian companies in a difficult position. On the one hand, they have already developed an approach to assessing information security risks based on classifying information assets and assessing threats and vulnerabilities, and national regulators have issued a number of regulations supporting this approach, for example the Bank of Russia standard and the FSTEC orders. On the other hand, the risk assessment task is long overdue for change, and the established procedure now has to be modified to meet both the old and the new requirements. Yes, certification against GOST R ISO/IEC 27001:2006, which is identical to the previous version of ISO/IEC 27001, is still possible today, but not for long.

    The risk analysis methodology discussed above resolves this issue. By controlling the level of detail when performing an assessment, you can consider assets and risks at any scale: from business processes to individual information flows. This approach is also convenient because it allows you to cover all high-level risks without missing anything. At the same time, the company will significantly reduce labor costs for further analysis and will not waste time on a detailed assessment of insignificant risks.

    It should be noted that the higher the detail of the assessment area, the greater the responsibility assigned to the experts and the greater the competence required, because when the depth of analysis changes, not only risk factors change, but also the landscape of applicable countermeasures.

    Despite all the attempts at simplification, information security risk analysis is still time-consuming and complex. The leader of this process has a special responsibility. Many things will depend on how competently he builds his approach and copes with the task at hand - from allocating a budget for information security to business sustainability.

    Risk is commonly understood as the likelihood of an information security threat being realized, taken together with the damage that would result. In the classical view, risk assessment includes an assessment of threats, of vulnerabilities and of the damage caused by their realization. Risk analysis consists of modeling how these most unfavorable conditions arise, taking into account all the factors that determine the risk as such. From a mathematical point of view, such factors can be treated as the input parameters of the risk analysis.

    Let's list these parameters:
    1) assets - key components of the system infrastructure that are involved in the business process and have a certain value;
    2) threats, the implementation of which is possible through the exploitation of a vulnerability;
    3) vulnerabilities - a weakness in security measures caused by errors or imperfections in procedures, design, implementation, which can be used to penetrate the system;
    4) damage, assessed taking into account the cost of restoring the system to its initial state after a possible information security incident.

    So, the first step in a multifactor risk analysis is the identification and classification of the input parameters being analyzed. Next, each parameter must be graded by significance level (for example: high, medium, low). At the final stage of risk modeling (preceding the derivation of numerical data on the risk level), the identified threats and vulnerabilities are linked to specific components of the IT infrastructure (such a link may involve, for example, analyzing the risk with and without taking into account the available security measures, or the likelihood that the system will be compromised because of unaccounted-for factors). Let us look at the risk modeling process step by step, starting with the company's assets.

    Inventory of company assets
    (SYSTEM CHARACTERIZATION)

    First of all, it is necessary to determine what counts as a valuable asset of the company from an information security point of view. The ISO 17799 standard (now ISO/IEC 27002), which describes the procedures of an information security management system in detail, distinguishes the following types of assets:
    . information resources (databases and data files, contracts and agreements, system documentation, research information, documentation, training materials, etc.);
    . software;
    . tangible assets (computer equipment, telecommunications, etc.);
    . services (telecommunications services, life support systems, etc.);
    . company employees, their qualifications and experience;
    . intangible resources (reputation and image of the company).

    It is necessary to determine which information security violations of which assets could cause damage to the company. In this case, the asset will be considered valuable and will need to be taken into account when analyzing information risks. Inventory consists of compiling a list of the company's valuable assets. Typically, this process is carried out by asset owners. The concept of "owner" defines the persons or parties who have responsibilities, approved by company management, to manage the creation, development, maintenance, use and protection of assets.

    When categorizing assets, their criticality for the company's business processes must be assessed, in other words, the damage the company would suffer if the information security of the asset were violated. This is the most difficult part of the process, because the value of an asset is determined from the expert judgment of its owner. During this phase there are usually discussions between the consultants designing the management system and the asset owners, which help the owners understand how to determine the value of assets from an information security perspective (determining asset criticality is usually new and non-trivial for an owner). In addition, valuation techniques are developed for the asset owners; in particular, such techniques may contain specific criteria, relevant to the given company, to be taken into account when assessing criticality.

    Asset criticality assessment

    Asset criticality is assessed on three parameters: confidentiality, integrity and availability. That is, the damage the company would suffer if the confidentiality, integrity or availability of the asset were compromised is assessed. Criticality can be expressed in monetary units or in levels; however, since the analysis of information risks requires values in monetary units, if criticality is assessed in levels, each level must be given a monetary value.

    According to the authoritative NIST classification in the Risk Management Guide for Information Technology Systems (NIST SP 800-30), the categorization and assessment of threats is preceded by identifying their sources. By that classification, the main sources of threats are:
    . threats of natural origin (earthquakes, floods, etc.);
    . threats emanating from humans (unauthorized access, network attacks, user errors, etc.);
    . threats of man-made origin (accidents of various kinds, power outages, chemical pollution, etc.).

    The above classification can be further categorized in more detail.
    Thus, according to the mentioned NIST classification, independent categories of sources of threats originating from humans include:
    - hackers;
    - criminal structures;
    - terrorists;
    - companies engaged in industrial espionage;
    - insiders.
    Each of the listed threats, in turn, must be detailed and assessed on a scale of significance (for example: low, medium, high).

    Obviously, threat analysis must be considered in close connection with the vulnerabilities of the system under study. The task at this stage of risk management is to compile a list of the possible vulnerabilities of the system and to categorize them by severity. In line with common practice, vulnerabilities can be graded into four levels: Critical, High, Medium and Low. In more detail:

    1. Critical level of danger. This level of danger includes vulnerabilities that allow remote compromise of a system without additional influence from the target user and are currently being actively exploited. This danger level implies that the exploit is publicly available.

    2. High degree of danger. This level of danger includes vulnerabilities that allow remote compromise of the system. Typically, there is no publicly available exploit for such vulnerabilities.

    3. Medium degree of danger. This severity level includes vulnerabilities that allow remote denial of service, unauthorized access to data, or execution of arbitrary code through direct user interaction (for example, through a vulnerable application connecting to a malicious server).

    4. Low level of danger. This level includes all locally exploitable vulnerabilities, as well as vulnerabilities that are difficult to exploit or that have minimal impact (for example, XSS, client application denial of service).

    The sources for compiling such a list of vulnerabilities should be:
    . public, regularly published lists of vulnerabilities (for example: www.securitylab.ru);
    . a list of vulnerabilities published by the software manufacturer (for example: www.apache.org);
    . penetration test results (for example: www.site-sec.com);
    . analysis of vulnerability scanner reports (carried out by the security administrator within the company).

    In general, vulnerabilities can be classified as follows:
    . OS and software vulnerabilities (code errors) discovered by the vendor or by independent researchers (at the time of writing, the total number of detected vulnerabilities had reached about 1900; this included vulnerabilities published in the bug trackers on xakep.ru, securitylab, milw0rm.com and securityfocus.com).
    . System vulnerabilities caused by administration errors (web server or PHP settings inappropriate for the environment, ports with vulnerable services not closed by the firewall, etc.).
    . Vulnerabilities whose sources can be incidents not covered by the security policy, as well as natural events. A prime example of a common OS and software vulnerability is the buffer overflow; indeed, the vast majority of exploits in existence today exploit the buffer-overflow class of vulnerability.

    Numerical methods for risk assessment

    The simplest assessment of information risk is a calculation that takes into account the criticality of the asset and the likelihood that a vulnerability will be exploited.
    The classic risk formula:
    R = D * P(V), where
    R is the information risk;
    D is the asset criticality (damage);
    P(V) is the probability that the vulnerability is exploited.
    One practical implementation of this approach to determining risk levels is the risk-level matrix from NIST SP 800-30.

    Table: NIST SP 800-30 risk-level matrix (threat likelihood x impact)

    Threat likelihood    Impact: Low (10)     Impact: Medium (50)     Impact: High (100)
    High (1.0)           Low    10x1.0=10     Medium 50x1.0=50        High   100x1.0=100
    Medium (0.5)         Low    10x0.5=5      Medium 50x0.5=25        Medium 100x0.5=50
    Low (0.1)            Low    10x0.1=1      Low    50x0.1=5         Low    100x0.1=10

    Risk level: High (>50 to 100); Medium (>10 to 50); Low (1 to 10).
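    The R = D * P(V) calculation and the NIST matrix above, carried through in Python as an added example (not code from the article). Two assumptions are made: the asset criticality D is taken as the worst of the three per-CIA damage estimates, since the text assesses criticality per confidentiality, integrity and availability but gives no combining rule, and the monetary thresholds that price the three impact levels are invented for the sample company. The sample assets are constructed.

```python
"""The classic R = D * P(V) calculation with the NIST SP 800-30 likelihood/impact matrix.

Added example, not code from the article. Assumptions: D is the worst-case CIA damage, and
the monetary thresholds in impact_level() are invented for the sample company.
"""
from dataclasses import dataclass

LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}   # NIST threat-likelihood weights
IMPACT = {"high": 100, "medium": 50, "low": 10}          # NIST impact magnitudes
LEVELS = ("low", "medium", "high")


@dataclass(frozen=True)
class Asset:
    name: str
    loss_c: float   # damage (money) if confidentiality is breached
    loss_i: float   # damage if integrity is breached
    loss_a: float   # damage if availability is breached


def asset_criticality(asset):
    """D: the worst-case CIA damage (assumption, see lead-in)."""
    return max(asset.loss_c, asset.loss_i, asset.loss_a)


def impact_level(damage, low_max=10_000, medium_max=100_000):
    """Price the three impact levels in money (assumed thresholds for the example)."""
    if damage < 0:
        raise ValueError("damage cannot be negative")
    if damage <= low_max:
        return "low"
    if damage <= medium_max:
        return "medium"
    return "high"


def risk_score(likelihood, impact):
    """R = D * P(V) with the NIST magnitudes; rounded to remove float noise (50*0.1 etc.)."""
    return round(IMPACT[impact] * LIKELIHOOD[likelihood], 6)


def risk_level(score):
    """NIST SP 800-30 risk scale: Low 1 to 10, Medium >10 to 50, High >50 to 100.
    Note the boundaries: 50 (High impact x Medium likelihood) is Medium, 10 is Low."""
    if not 0 < score <= 100:
        raise ValueError(f"score outside the NIST scale: {score}")
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def assess(asset, likelihood):
    """Full chain for one asset: CIA damage -> D -> impact level -> R -> risk level."""
    d = asset_criticality(asset)
    impact = impact_level(d)
    score = risk_score(likelihood, impact)
    return {"asset": asset.name, "D": d, "impact": impact,
            "P(V)": LIKELIHOOD[likelihood], "R": score, "level": risk_level(score)}


def full_matrix():
    """Every (likelihood, impact) cell with its score and level; reproduces the table above."""
    return {(lk, im): (risk_score(lk, im), risk_level(risk_score(lk, im)))
            for lk in LEVELS for im in LEVELS}


# Constructed sample assets with per-CIA damage estimates and an expert likelihood.
SAMPLE = [
    (Asset("customer database", 250_000, 80_000, 20_000), "medium"),
    (Asset("ERP application server", 30_000, 90_000, 120_000), "high"),
    (Asset("public web site", 0, 15_000, 60_000), "low"),
    (Asset("internal wiki", 5_000, 2_000, 8_000), "high"),
]

if __name__ == "__main__":
    for asset, likelihood in SAMPLE:
        r = assess(asset, likelihood)
        print(f"{r['asset']:<24} D={r['D']:>9,.0f} ({r['impact']:<6}) "
              f"P(V)={r['P(V)']:<4} R={r['R']:>5} -> {r['level']}")
```

    The customer database case is the one practitioners get wrong by hand: a High-impact asset with Medium likelihood scores exactly 50, which the NIST scale places in Medium, not High. Whether that is acceptable is a question for the company's risk acceptance criteria, not the arithmetic.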

    In a fuzzy-logic formulation, each of the possible input parameters (for example vulnerability, threat, asset and damage) is described by its own membership function with a corresponding weighting coefficient.

    Risk assessment based on fuzzy logic

    Risk assessment based on fuzzy logic proceeds through a sequence of stages, each using the results of the previous one. The usual sequence is:
    . entering the rules in the form of production rules ("IF ... THEN ...") reflecting the relationship between the levels of the input data and the level of risk at the output;
    . setting the membership functions of the input variables (for example in a specialized tool such as the MATLAB Fuzzy Logic Toolbox, which was used in this example);
    . obtaining the primary estimates of the input variables;
    . fuzzification of the input estimates (finding the specific values of the membership functions);
    . aggregation (checking the truth of the rule conditions by combining membership functions through fuzzy conjunction and fuzzy disjunction);
    . activation of conclusions (finding the weighting coefficient and truth function of each rule);
    . accumulation of conclusions (finding the membership function of each output variable);
    . defuzzification (finding crisp values of the output variables).

    So, in the above example (Table 1.1.), a two-parameter risk assessment algorithm with three-level scales of input parameters was actually considered. In this case:
    . for input quantities and risk, three-level scales were specified, on which fuzzy terms were defined (corresponding to “high”, “medium” and “low” values ​​of the variables - see Fig. 1);
    . the significance of all logical inference rules is the same (all weighting coefficients of production rules are equal to one).

    Fig. 1. Trapezoidal membership functions of a three-level "vulnerability" scale

    Obviously, a two-parameter algorithm with only two input variables cannot give an objective result of the risk analysis, especially given the many factors (input variables) that actually make up the picture of an information security risk assessment.

    Four-parameter algorithm

    Let us assume that, using the production rules of fuzzy logic, it is necessary to reproduce the inference mechanism, taking into account four input variables. Such variables in this case are:
    . assets;
    . vulnerability;
    . threat (or rather, its likelihood);
    . damage.

    Each of the listed input variables is assessed on its own scale. So, let’s assume that, based on a preliminary analysis, some estimates of the input variables were obtained (Fig. 2):

    Fig. 2. Input of variable estimates and the inference mechanism

    Using a simple example, let us consider the type of production rules for a certain case with a three-level scale:

    Fig. 3. Production rules of the four-parameter algorithm

    In this case, the Fuzzy Logic Toolbox graphical interface allows you to view graphs of the dependence of risk on the probability of a threat and, accordingly, other input variables.

    Fig. 4. Dependence of risk on the probability of threat

    Fig. 5. Dependence of risk on damage

    A smooth and monotonic "inference curve" indicates that the inference rules used are sufficient and consistent. A clear graphical representation lets you judge whether the properties of the inference mechanism meet the requirements. In this case the inference curve shows that the mechanism is worth using only in the region of low probability values, i.e. where the probability is below 0.5. How can the saturation of the curve at probabilities above 0.5 be explained? Most likely because a three-level scale, as a rule, reduces the sensitivity of the algorithm in the region of high probability values.
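    The fuzzy inference pipeline listed above (fuzzification, activation by fuzzy conjunction, accumulation by fuzzy disjunction, centroid defuzzification) and the inference-curve check just discussed, as an added example in pure Python standing in for the MATLAB Fuzzy Logic Toolbox; it is not code from the article. The term boundaries of the three-level scales, the nine rules of the two-parameter model (vulnerability level x threat probability) and the sample inputs are assumptions. The engine takes any number of inputs, so the four-parameter algorithm of the previous section needs only its own rule base (3^4 = 81 rules, which is the price of adding inputs to a three-level production-rule model).

```python
"""A Mamdani fuzzy inference engine for the production-rule risk assessment described above.

Added example in pure Python; not code from the article. Term boundaries, the nine rules of
the two-parameter model and the sample inputs are assumptions for the example.
"""
from itertools import product


def trapezoid(a, b, c, d):
    """Trapezoidal membership: 0 below a, ramp up on [a, b], 1 on [b, c], ramp down on [c, d]."""
    def mu(x):
        if b <= x <= c:
            return 1.0
        if a < x < b:
            return (x - a) / (b - a)
        if c < x < d:
            return (d - x) / (d - c)
        return 0.0
    return mu


# Three-level scale on [0, 1], used for every input and for the risk output (cf. Fig. 1 above).
THREE_LEVEL = {
    "low": trapezoid(0.0, 0.0, 0.2, 0.4),
    "medium": trapezoid(0.3, 0.45, 0.55, 0.7),
    "high": trapezoid(0.6, 0.8, 1.0, 1.0),
}


class MamdaniRiskModel:
    def __init__(self, inputs, rules, terms=THREE_LEVEL, resolution=1000):
        self.inputs = list(inputs)      # ordered input names, e.g. ["vulnerability", "threat"]
        self.rules = dict(rules)        # {(term per input, ...): output term}; all rule weights = 1
        self.terms = terms
        self.grid = [i / resolution for i in range(resolution + 1)]
        missing = set(product(terms, repeat=len(self.inputs))) - set(self.rules)
        if missing:
            raise ValueError(f"rule base incomplete: {len(missing)} of "
                             f"{len(terms) ** len(self.inputs)} antecedents have no rule")

    def fuzzify(self, values):
        """Fuzzification: membership of each crisp input in each term of its scale."""
        return {name: {t: mu(values[name]) for t, mu in self.terms.items()} for name in self.inputs}

    def infer(self, **values):
        if set(values) != set(self.inputs):
            raise ValueError(f"expected inputs {self.inputs}, got {sorted(values)}")
        fuzzy = self.fuzzify(values)
        # Activation: a rule fires with the fuzzy AND (min) of its antecedents.
        # Accumulation: each output term is clipped at the fuzzy OR (max) over the rules naming it.
        clip = {t: 0.0 for t in self.terms}
        for antecedent, consequent in self.rules.items():
            strength = min(fuzzy[name][term] for name, term in zip(self.inputs, antecedent))
            clip[consequent] = max(clip[consequent], strength)
        # Defuzzification: centroid of the accumulated output set on a discretized grid.
        num = den = 0.0
        for y in self.grid:
            m = max(min(clip[t], mu(y)) for t, mu in self.terms.items())
            num += y * m
            den += m
        return num / den if den else 0.0


# Assumed rule base of the two-parameter model: vulnerability level x threat probability -> risk.
RULES_2 = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


def inference_curve(model, sweep, fixed, steps=20):
    """Risk as a function of one input while the others are held fixed: the 'inference curve'."""
    return [(i / steps, model.infer(**fixed, **{sweep: i / steps})) for i in range(steps + 1)]


def is_monotonic(curve, tol=1e-9):
    """The smooth, monotonic curve is the consistency check the text applies to a rule base."""
    return all(b >= a - tol for (_, a), (_, b) in zip(curve, curve[1:]))


if __name__ == "__main__":
    model = MamdaniRiskModel(["vulnerability", "threat"], RULES_2)
    for x, r in inference_curve(model, "threat", {"vulnerability": 0.5}, steps=10):
        print(f"P(threat)={x:.1f}  risk={r:.3f}")
```

    Running the sweep with vulnerability fixed at 0.5 shows the behaviour the text complains about: the curve rises, sits on a flat plateau at 0.5 across the whole "medium" core of the threat scale, and saturates once the "high" term is fully active, because three coarse terms cannot resolve differences inside a term. Adding terms to the scale, not more rules, is what restores sensitivity there.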

    Review of some Multi-Factor Risk Analysis Tools

    When performing a full risk analysis that takes many factors into account, a number of difficult problems have to be solved:
    . How to determine the value of resources?
    . How to compile a full list of information security threats and evaluate their parameters?
    . How to choose the right countermeasures and evaluate their effectiveness?
    To solve these problems there are specially developed tools, built on structured methods of systems analysis and design (SSADM, Structured Systems Analysis and Design Method), which provide:
    - building a model of the information system from an information security point of view;
    - methods for assessing the value of resources;
    - tools for compiling a list of threats and assessing their likelihood;
    - selection of countermeasures and analysis of their effectiveness;
    - analysis of options for building the protection;
    - documentation (report generation).
    There are currently several software products of this class on the market. The best known is CRAMM, which is looked at briefly below.

    CRAMM method

    In 1985 the UK Central Computer and Telecommunications Agency (CCTA) began studying the existing information security analysis techniques in order to recommend methods suitable for government agencies handling unclassified but sensitive information. None of the methods considered was found suitable, so a new method was developed to meet the CCTA requirements: CRAMM, the CCTA Risk Analysis and Management Method. Several versions of the method followed, focused on the requirements of the Ministry of Defence, civilian government agencies, financial institutions and private organizations. One version, the "commercial profile", is a commercial product. Judging by the number of references on the Internet, CRAMM is currently the most widespread method of risk analysis and control. Risk analysis involves identifying and calculating risk levels (measures) from the scores assigned to resources, threats and resource vulnerabilities. Risk control consists of identifying and selecting countermeasures that reduce risks to an acceptable level. A formal method built on this concept should ensure that protection covers the entire system and give confidence that:

    - all possible risks have been identified;
    - resource vulnerabilities are identified and their levels assessed;
    - threats are identified and their levels assessed;
    - countermeasures are effective;
    - costs associated with information security are justified.

    Oleg Boytsev, head of "Cerber Security // Security Analysis of Your Site"

    This article discusses the practical application of risk analysis in information security management processes, as well as general issues of the information security risk analysis process itself.

    In managing any area of activity it is necessary to work out deliberate and effective decisions whose adoption helps to achieve certain goals. In our opinion an adequate decision can be made only on the basis of facts and an analysis of cause-and-effect relationships. In some cases, of course, decisions are made intuitively, but the quality of an intuitive decision depends very much on the manager's experience and, to a lesser extent, on a fortunate combination of circumstances.

    To illustrate how complex the process of making a well-founded and realistic decision is, we give an example from the field of information security (IS) management. Take a typical situation: the head of the information security department needs to understand in which directions to move in order to develop the department's main function effectively, namely ensuring the information security of the organization. On the one hand everything is very simple. There are a number of standard approaches to security problems: perimeter protection, protection against insiders, protection against force majeure. And there are many products that solve one problem or another (protect against one threat or another).

    However, there is a small "but". Information security specialists are faced with the fact that the choice of products of various classes is very wide, the organization's information infrastructure is large, the number of potential targets for an intruder is high, and the activities of the organization's departments are heterogeneous and cannot be unified. At the same time, every specialist in the department has his own opinion about which areas of activity are a priority, corresponding to his specialization and personal priorities. And the implementation of a single technical solution, or the development of a single regulation or instruction, in a large organization turns into a small project with all the attributes of project activity: planning, budget, responsible persons, deadlines, etc.

    Thus, protecting everything everywhere from everything is, firstly, physically impossible and, secondly, pointless. What can the head of the information security department do in this case?

    First, he can do nothing until the first major incident. Second, he can try to implement some generally accepted information security standard. Third, he can trust the marketing materials of software and hardware vendors, integrators or information security consultants. However, there is another way.

    Defining information security management objectives

    You can try, with the help of the organization's management and employees, to understand what actually needs to be protected and from whom. From this moment, specific work begins at the intersection of technology and the core business: determining the direction of activity and, if possible, the target state of information security, formulated simultaneously in business terms and in information security terms.

    The risk analysis process is a tool with which you can determine the goals of information security management, assess the main critical factors that negatively affect the company’s key business processes, and develop informed, effective and justified solutions to control or minimize them.

    Below we will describe what tasks are solved as part of the information security risk analysis to obtain the listed results and how these results are achieved as part of the risk analysis.

    Asset identification and valuation

    The goal of information security management is to maintain the confidentiality, integrity and availability of information. The only question is what kind of information needs to be protected and what efforts should be made to ensure its safety (Fig. 1).

    Any management is based on awareness of the situation in which it takes place. In risk analysis terms, situational awareness means inventorying and assessing the organization's assets and their environment, that is, everything that supports its business activities. From the point of view of information security risk analysis, the main assets are information, infrastructure, personnel, and the company's image and reputation. Without an inventory of assets at the level of business activity it is impossible to answer the question of what exactly needs to be protected. It is important to understand what information is processed within the organization and where it is processed.

    In a large modern organization, the number of information assets can be very large. If the activities of an organization are automated using an ERP system, then we can say that almost any material object used in this activity corresponds to some information object. Therefore, the primary task of risk management is to identify the most significant assets.

    This task cannot be solved without involving the managers of the organization's core activities, at both middle and senior levels. The optimal situation is when the top management of the organization itself designates the most critical areas of activity for which ensuring information security is essential. Senior management's opinion on information security priorities is very important and valuable in the risk analysis process, but in any case it should be refined by collecting information about the criticality of assets at the middle level of management. At the same time, further analysis is best carried out precisely in the areas of business activity designated by top management. The information received is processed, aggregated and passed to senior management for a comprehensive assessment of the situation (more on that later).

    Information can be identified and localized based on a description of business processes in which information is considered as one of the types of resources. The task is somewhat simplified if the organization has adopted an approach to regulating business activities (for example, for the purposes of quality management and optimization of business processes). Formalized descriptions of business processes are a good starting point for asset inventory. If there are no descriptions, you can identify assets based on information received from the organization's employees. Once assets have been identified, their value must be determined.

    The work of determining the value of information assets across the entire organization is both the most significant and complex. It is the assessment of information assets that will allow the head of the information security department to choose the main areas of activity to ensure information security.

    The value of an asset is expressed as the amount of loss the organization will suffer if the security of that asset is breached. Determining value is problematic because in most cases managers cannot immediately answer the question of what would happen if, for example, purchase price information stored on a file server ended up with a competitor. More precisely, in most cases managers have never thought about such situations.

    But the economic efficiency of the information security management process depends largely on understanding what needs to be protected and what effort this will require, since in most cases the effort applied is directly proportional to the capital and operating expenditure. Risk management answers the question of where risk can be taken and where it cannot. In information security, accepting a "risk" means that in a certain area it is acceptable not to make significant efforts to protect information assets, because even if their security is breached the organization will not suffer significant losses. An analogy can be drawn with protection classes for automated systems: the greater the risk, the stricter the protection requirements should be.

    To determine the consequences of a security breach, you must either have information about recorded incidents of a similar nature or conduct a scenario analysis. Scenario analysis examines the cause-and-effect relationships between security events affecting an asset and the consequences of these events for the organization's business. The consequences of scenarios should be assessed by several people, iteratively or deliberatively. Note that the development and evaluation of such scenarios cannot be completely divorced from reality: the scenario must always remain plausible. The criteria and scales for determining value are specific to each organization. The results of scenario analysis yield information about the value of assets.

    Once assets have been identified and their value determined, the goals of information security can be considered partially established: the objects of protection, and the importance to the organization of keeping them in a secure state, are known. Perhaps all that remains is to determine from whom they need to be protected.

    Analysis of the sources of problems

    After determining the goals of information security management, you should analyze the problems that prevent you from approaching the target state. At this level, the risk analysis process descends to the information infrastructure and traditional information security concepts - intruders, threats and vulnerabilities (Fig. 2).

    Intruder model

    To assess risks it is not enough to introduce a standard intruder model that divides all intruders by their type of access to the asset and their knowledge of the asset's structure. This division helps determine which threats can be directed at an asset, but does not answer the question of whether these threats can be realized at all.

    In the process of risk analysis it is necessary to assess the intruders' motivation to carry out threats. Here the intruder is not an abstract external hacker or insider but a party interested in gaining a benefit by violating the security of an asset.

    It is advisable to obtain the initial information for the intruder model, as when choosing the initial directions of information security activity, from top management, who understand the organization's position in the market and have information about competitors and the methods of influence to be expected from them. The information needed to develop an intruder model can also be obtained from specialized research on computer security breaches in the business sector for which the risk analysis is being carried out. A properly developed intruder model complements the information security objectives determined when assessing the organization's assets.

    Threat model

    The development of a threat model and the identification of vulnerabilities are inextricably linked with an inventory of the environment of the organization's information assets. Information does not store or process itself: access to it is provided by an information infrastructure that automates the organization's business processes. It is important to understand how the organization's information infrastructure and information assets are interconnected. From the perspective of information security management, the importance of the information infrastructure can be established only after the relationship between information assets and infrastructure has been determined. If the processes for maintaining and operating the information infrastructure are regulated and transparent, collecting the information needed to identify threats and assess vulnerabilities is greatly simplified.

    Developing a threat model is a job for information security professionals who have a good understanding of how an attacker can gain unauthorized access to information by breaching the security perimeter or by using social engineering methods. When developing a threat model, one can again speak of scenarios: sequences of steps by which threats can be realized. It very rarely happens that a threat is realized in one step by exploiting a single vulnerable point in the system.

    The threat model should include all threats identified through related information security management processes, such as vulnerability management and incident management. Remember that the threats will need to be ranked relative to one another by the likelihood of their realization; to make this possible, for each threat in the threat model the most significant factors influencing its realization must be recorded.

    Vulnerability Identification

    Accordingly, after the threat model is developed, vulnerabilities in the asset environment must be identified. Identification and assessment of vulnerabilities can be performed as part of another information security management process, the audit. Remember that an information security audit requires verification criteria, and the verification criteria can be developed from the threat model and the intruder model.

    With the threat model and intruder model developed and the vulnerabilities identified, the causes that affect reaching the target state of the organization's information security can be said to have been identified.

    Risk assessment

    Identifying and assessing assets, developing an intruder model and a threat model, and identifying vulnerabilities are all standard steps that should be described in any risk analysis methodology. All of these steps can be performed with varying quality and detail. It is very important to understand what can be done, and how, with the huge amount of accumulated information and formalized models. In our opinion this question is the most important one, and the answer to it should be given by the risk analysis methodology used.

    The results obtained must be evaluated, aggregated, classified and presented. Since the damage is determined at the asset identification and assessment stage, what remains is to estimate the probability of risk events. As with asset assessment, a probability estimate can be obtained from statistics on incidents whose causes coincide with the information security threats under consideration, or by forecasting, that is, by weighing the factors recorded in the threat model.

    A good practice for assessing likelihood is to classify vulnerabilities according to a chosen set of factors that characterize how easy they are to exploit. The likelihood of a threat is then forecast from the properties of the vulnerability and from the group of intruders from which the threat originates.

    An example of a vulnerability classification system is the CVSS standard (Common Vulnerability Scoring System). Note that in identifying and assessing vulnerabilities, the expert experience of the information security specialists performing the risk assessment, and the statistical materials and reports on vulnerabilities and threats that they use, are very important.

    The magnitude (level) of risk should be determined for every identified, relevant asset-threat pair. The amount of damage and the probability need not be expressed in absolute monetary terms and percentages; as a rule it is not even possible to present the results in that form, because of the methods used to analyze and assess information security risks: scenario analysis and forecasting.

    Making a decision

    What can you do with the assessment result?

    First of all, a simple and visual risk analysis report should be prepared, whose main purpose is to present the collected information about the significance and structure of information security risks in the organization. The report should be presented to senior management. A common mistake is to present intermediate results to senior management instead of conclusions. Of course, all conclusions must be supported by arguments, so all intermediate calculations must be attached to the report.

    For clarity, the risks in the report must be classified in business terms familiar to the organization, and similar risks must be aggregated. In general the classification of risks can be multifaceted: on the one hand these are information security risks, on the other they are risks of damage to reputation or loss of a client. The classified risks must be ranked by the likelihood of their occurrence and their significance for the organization.

    The risk analysis report reflects the following information:

    • the most problematic areas of information security in an organization;
    • the impact of information security threats on the overall risk structure of the organization;
    • priority areas of activity of the information security department to improve the efficiency of information security support.

    Based on the risk analysis report, the head of the information security department can develop a department work plan for the medium term and set a budget based on the nature of the activities necessary to reduce risks. Note that a correctly compiled risk analysis report allows the head of the information security department to find a common language with the organization’s top management and solve pressing problems related to information security management (Fig. 3).

    Risk Treatment Policy

    A very important question is the organization's risk management policy. The policy sets the rules for risk treatment. For example, the policy may state that reputational risks are to be mitigated first, while the mitigation of risks of medium significance that are not confirmed by information security incidents is postponed to the end of the queue. Risk management policy may be set by the corporate risk management unit.

    A risk treatment policy can also address risk insurance and the restructuring of activities when potential risks exceed the acceptable level. If no policy is defined, the order in which risks are reduced should follow the principle of maximum effectiveness, but it should still be determined by senior management.
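    The two preceding sections (ranking asset-threat pairs for the report, and ordering them for treatment under a policy) are illustrated by the following added Python example, which is not code from the article or from any of the methods it names. The ordinal scales, the scoring matrix, the four-band labels and the sample records are constructed for illustration; the treatment rule implements the policy example given above (reputational risks first, unconfirmed medium-significance risks last).

```python
"""Qualitative risk register: per-pair risk level, aggregation by business
risk class for the report, and a policy-driven treatment queue.
Added example; scales, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass

# Ordinal scales (assumed). Damage comes from the asset valuation stage,
# likelihood from the threat model / ease-of-exploitation forecast.
LIKELIHOOD = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
DAMAGE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}


@dataclass
class RiskRecord:
    asset: str
    threat: str
    business_category: str       # risk class in business terms, e.g. "reputation"
    likelihood: str              # key of LIKELIHOOD
    damage: str                  # key of DAMAGE
    confirmed_by_incident: bool = False


def risk_score(rec):
    """Ordinal product likelihood x damage, 1..25 (assumed matrix)."""
    return LIKELIHOOD[rec.likelihood] * DAMAGE[rec.damage]


def risk_level(rec):
    """Four bands, thresholds assumed for this example."""
    s = risk_score(rec)
    if s >= 15:
        return "high"
    if s >= 8:
        return "significant"
    if s >= 4:
        return "moderate"
    return "insignificant"


def aggregate_by_category(records):
    """Group asset-threat pairs by business risk class and rank the classes by
    their worst pair, then by total score: the report's 'problem areas'."""
    groups = {}
    for r in records:
        g = groups.setdefault(r.business_category, {
            "category": r.business_category, "max_score": 0,
            "total_score": 0, "pairs": []})
        s = risk_score(r)
        g["max_score"] = max(g["max_score"], s)
        g["total_score"] += s
        g["pairs"].append((r.asset, r.threat, risk_level(r)))
    return sorted(groups.values(),
                  key=lambda g: (-g["max_score"], -g["total_score"]))


def treatment_queue(records):
    """Order risks for treatment under the example policy: reputational risks
    first; medium-significance risks not confirmed by an incident go to the
    end of the queue; within a group, higher score first."""
    def key(r):
        deferred = (risk_level(r) in ("significant", "moderate")
                    and not r.confirmed_by_incident)
        return (0 if r.business_category == "reputation" else 1,
                1 if deferred else 0,
                -risk_score(r))
    return sorted(records, key=key)


# Constructed sample register (not real data).
SAMPLE_RECORDS = [
    RiskRecord("purchase price list on file server", "disclosure to a competitor",
               "client loss", "medium", "major"),
    RiskRecord("online banking portal", "prolonged outage (DDoS)",
               "reputation", "high", "major", confirmed_by_incident=True),
    RiskRecord("HR database", "insider copies records",
               "regulatory", "low", "moderate"),
    RiskRecord("branch workstations", "malware infection",
               "operations", "very high", "minor", confirmed_by_incident=True),
    RiskRecord("public website", "defacement",
               "reputation", "medium", "moderate"),
]

if __name__ == "__main__":
    for g in aggregate_by_category(SAMPLE_RECORDS):
        print(g["category"], g["max_score"], g["pairs"])
    print([r.asset for r in treatment_queue(SAMPLE_RECORDS)])
```

    Note that the queue is not simply sorted by score: the unconfirmed "client loss" pair (score 12) is treated after the confirmed "operations" pair (score 10) because the policy defers unconfirmed medium-significance risks. Encoding the policy as a sort key keeps the rule explicit and reviewable by the risk management unit that owns it.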

    Let's sum it up

    Risk analysis is a rather labor-intensive procedure. Methodological materials and tools should be used in the process. However, this is not enough to put in place a repeatable process; another important component is a risk management regulation. It can be self-contained and address only information security risks, or it can be integrated with the organization's overall risk management process.

    The process of risk analysis involves many structural divisions of the organization: divisions leading the main directions of its activities, the information infrastructure management division, and the information security management division. In addition, in order to successfully conduct a risk analysis and effectively use its results, it is necessary to involve the top management of the organization, thereby ensuring interaction between structural divisions.

    Risk analysis techniques or specialized tools for assessing information security risks are not enough on their own. Procedures are required for identifying assets, determining their significance, developing intruder and threat models, identifying vulnerabilities, and aggregating and classifying risks. In different organizations all of these procedures may vary significantly. The goals and scope of the information security risk analysis also influence the requirements for the processes associated with it.

    The use of the risk analysis method for information security management requires the organization to have a sufficient level of maturity at which it will be possible to implement all the processes necessary within the framework of risk analysis.

    Risk management allows you to structure the activities of the information security department, find a common language with the top management of the organization, evaluate the effectiveness of the information security department and justify decisions on the choice of specific technical and organizational protection measures to top management.

    The risk analysis process is continuous, since the top-level goals of information security can remain unchanged for a long time, but the information infrastructure, information processing methods and risks associated with the use of IT are constantly changing.

    The information security department and the organization as a whole, when structuring its activities through continuous risk analysis, receive the following very significant benefits:

    • identification of management goals;
    • determination of management methods;
    • management efficiency based on making informed and timely decisions.

    There are a few more points to note in connection with risk management and information security management.

    Risk analysis, incident management and information security audit are inextricably linked with each other, since the inputs and outputs of the listed processes are connected. The development and implementation of the risk management process must be carried out with an eye to the management of incidents and IS audits.

    An established risk analysis process is a mandatory requirement of the Bank of Russia standard STO BR IBBS-1.0-2006 on ensuring information security in the banking sector.

    Setting up a risk analysis process is also necessary if the organization has decided to be certified against the requirements of the international standard ISO/IEC 27001:2005.

    Establishing a regime for the protection of trade secrets and personal data is inextricably linked with risk analysis, since all of these processes use similar methods for identifying and assessing assets, developing a model of an intruder and a threat model.

    The analysis and assessment of risks is one of the key stages of the best-known methodologies for building information security systems, such as Symantec Lifecycle Security and the Microsoft methodology. In addition, there are specialized methods and software products for risk analysis and assessment, such as CRAMM, FRAP, RiskWatch, GRIF, etc. Below we describe the best known of them in order to gain a correct understanding of the features of each method, so that the most suitable one can later be selected for use in banking organizations.

    Review of the most actively used methods for analyzing and assessing information security risks

    Symantec Lifecycle Security is a model describing a way of organizing an enterprise information security system that makes it possible to solve information protection problems systematically and to assess adequately the result of applying technical and organizational means and measures of information protection (Petrenko, 2009). The methodology includes seven main components:

    1. security policies, standards, procedures and metrics;

    2. risk analysis;

    3. strategic plan for building a defense system;

    4. selection and implementation of solutions;

    5. personnel training;

    6. protection monitoring;

    7. development of incident response and recovery methods.

    Since this work addresses the problem of analyzing and assessing information security risks, we focus on this stage of the lifecycle. The key points of the risk analysis process in the Symantec Lifecycle Security model are listed below.

    1. Detailed documentation of the enterprise computer system with an emphasis on describing applications critical to the enterprise’s activities.

    2. Determining how much the normal functioning of the organization depends on the serviceability of individual parts of the computer network and specific nodes, and on the security of the stored and processed data.

    3. Search for vulnerabilities in the enterprise computer system.

    4. Search for threats that can be implemented in relation to identified vulnerabilities.

    5. Search and assessment of risks associated with the use of an enterprise computer system.

    Another well-known approach to building an integrated enterprise information protection system is the methodology developed by Microsoft. It includes a model for managing the company's information security risks. The full risk management cycle can be divided into four main stages.

    1. Risk assessment.

    · Plan data collection: discuss the key conditions for successful implementation and prepare recommendations.

    · Collect risk data and document it.

    · Determine the significance of risks: describe the sequence of actions for qualitative and quantitative risk assessment.

    2. Decision support.

    · Determination of functional requirements.

    · Selecting suitable controls.

    · Validation of proposed controls against functional requirements.

    · Risk reduction assessment.

    · Estimation of direct and indirect costs associated with the implementation of control elements.

    · Determination of the most cost-effective solution for neutralizing the risk by analyzing benefits and costs.

    3. Implementing controls: deploying and operating the controls that reduce the risk to the organization's information security.

    · Search for a holistic approach.

    · Organization of multi-level protection.

    4. Assessing the effectiveness of the program: analyzing the effectiveness of the risk management process and checking that the selected controls provide the required level of protection.

    · Development of a system of risk indicators.

    · Assess the effectiveness of the risk management program and identify opportunities for improvement.

    Fig.1

    Let's look more closely at the first stage. Note that the steps of a qualitative risk assessment are usually much the same: identifying the information security risks, determining the likelihood of each, determining the value of the assets that would suffer if a given risk materialized, and distributing the risks into groups according to previously agreed criteria of risk significance and risk acceptability. Thus, at the initial stage of this method, risks are assigned values on the scale "high" (red area), "significant" (yellow area), "moderate" (blue area) and "insignificant" (green area) (Fig. 2). After that, if necessary, the most significant risks are singled out, financial indicators are calculated and a quantitative assessment is carried out.


    Fig. 2. Matrix for tabular risk assessment.

    Conducting an effective assessment requires gathering the most up-to-date information about the organization's assets, security threats, vulnerabilities, current control environment and proposed controls. Then a complex, multi-stage process of risk analysis and assessment is carried out, as a result of which business owners receive information not only about the existing risks, the likelihood of their realization and their level of impact on the company's activities, but also an estimate of the annual loss expectancy (ALE).
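    The quantitative step mentioned above, and the cost/benefit selection of controls in the "decision support" stage, are shown in the following added Python example. It is not Microsoft's code or tooling: it uses the standard ALE definitions (SLE = asset value x exposure factor, ALE = SLE x annualized rate of occurrence) and compares candidate controls by the net annual benefit they deliver, including the case where no control pays for itself and the risk is accepted. The asset values, exposure factors, rates and control costs are constructed figures.

```python
"""Annual loss expectancy and control selection by cost/benefit analysis.
Added example (not Microsoft's method code); all figures are constructed.
"""
from dataclasses import dataclass


@dataclass
class QuantRisk:
    name: str
    asset_value: float        # AV: monetary value of the asset
    exposure_factor: float    # EF: fraction of AV lost per occurrence, 0..1
    aro: float                # ARO: annualized rate of occurrence (events/year)

    def sle(self):
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annual loss expectancy: SLE times annual frequency."""
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float        # direct plus indirect cost per year
    aro_reduction: float      # fraction by which the control cuts ARO, 0..1
    ef_reduction: float = 0.0 # fraction by which the control cuts EF, 0..1


def residual_ale(risk, control):
    """ALE that remains once the control is in place."""
    reduced = QuantRisk(risk.name, risk.asset_value,
                        risk.exposure_factor * (1 - control.ef_reduction),
                        risk.aro * (1 - control.aro_reduction))
    return reduced.ale()


def net_benefit(risk, control):
    """Yearly saving the control delivers after paying for itself."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def choose_control(risk, candidates):
    """Return the control with the largest positive net benefit, or None when
    no candidate pays for itself (the economically correct choice is then to
    accept the risk or look for other treatment, e.g. insurance)."""
    ranked = sorted(candidates, key=lambda c: net_benefit(risk, c), reverse=True)
    if not ranked or net_benefit(risk, ranked[0]) <= 0:
        return None
    return ranked[0]


# Constructed sample risk: purchase price list leaking to a competitor.
PRICE_LIST = QuantRisk("price list disclosure", asset_value=2_000_000,
                       exposure_factor=0.3, aro=0.5)
DLP = Control("DLP on file server", annual_cost=80_000, aro_reduction=0.6)
ENCRYPTION = Control("encrypt price data at rest", annual_cost=40_000,
                     aro_reduction=0.0, ef_reduction=0.8)
REBUILD = Control("full rebuild of file services", annual_cost=350_000,
                  aro_reduction=1.0)
CONTROLS = [DLP, ENCRYPTION, REBUILD]

# Constructed low-value risk where every control costs more than the loss.
PRINTER = QuantRisk("branch printer outage", asset_value=10_000,
                    exposure_factor=0.5, aro=1.0)
SPARE_PRINTER = Control("hot spare printer", annual_cost=20_000, aro_reduction=1.0)

if __name__ == "__main__":
    print("ALE:", PRICE_LIST.ale())
    for c in CONTROLS:
        print(c.name, "net benefit:", round(net_benefit(PRICE_LIST, c)))
    best = choose_control(PRICE_LIST, CONTROLS)
    print("chosen:", best.name if best else "accept risk")
    print("printer:", choose_control(PRINTER, [SPARE_PRINTER]))
```

    The figures illustrate why the cheapest control is not automatically the best one and the most thorough one is not either: the rebuild eliminates the risk but costs more than the loss it prevents, so its net benefit is negative. Residual ALE is what feeds back into the qualitative register after a control is implemented.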

    Also worth mentioning here is the Microsoft Security Assessment Tool (MSAT), free software that can "assess vulnerabilities in IT environments, provide a list of prioritized issues, and a list of recommendations for mitigating those threats."

    The analysis of the information network for vulnerabilities is carried out by answering more than 200 questions "covering infrastructure, applications, operations and personnel." The first series of questions determines the company's business model; from the answers the tool builds a "business risk profile (BRP)." From the answers to the second series of questions, a list of protective measures implemented by the company over time is compiled. Together these measures "form layers of protection, providing greater protection against security threats and specific vulnerabilities." The sum of the layers that form a "combined defense-in-depth system" is called the "Defense-in-Depth Index (DiDI)." BRP and DiDI are then compared to measure the distribution of threats across the areas of analysis: infrastructure, applications, operations and people.

    The assessment is intended for mid-sized organizations "with between 50 and 1,500 desktop systems." Using it gives company management a general picture of the state of the enterprise's information security system, covering most "areas of potential risk," but the tool is not intended to provide "in-depth analysis of specific technologies or processes."

    The CCTA Risk Analysis and Management Method (CRAMM) is one of the first risk analysis methods in the field of information security. It is based on an integrated approach that combines quantitative and qualitative risk assessment procedures.

    A study of a system's information security using CRAMM can be carried out in two ways, pursuing two qualitatively different goals: providing a baseline level of information security, or conducting a full risk analysis. The number of stages carried out depends on the task facing the assessors. Let us list all the capabilities of the method, noting the circumstances in which each analysis procedure applies.

    The first stage is preparatory and is mandatory for either of the two goals. During this stage the boundaries of the information system under consideration, its main functions, the categories of users, and the personnel taking part in the study are formally defined.

    At the second stage, everything related to identifying and valuing the resources of the system under consideration is analyzed: the physical, software and information resources located within the system boundaries are identified and then assigned to predefined classes. As a result the customer gains a good understanding of the state of the system and can decide whether to conduct a full risk analysis. If a baseline level of information security is not enough for the customer, a model of the information system is built from the information security perspective, which makes it possible to identify the most critical elements.

    The third stage, carried out only when a full risk analysis is required, covers everything related to identifying and assessing the threat levels for groups of resources and their vulnerabilities. At this stage the influence of particular resource groups on the performance of user services is assessed, the current level of threats and vulnerabilities is determined, risk levels are calculated and the results are analyzed. As a result the customer receives identified and assessed levels of information security risk for the system under study.

    In the fourth stage, for each resource group and each of the 36 threat types, CRAMM software creates a list of questions with a clear answer. As in the case of Microsoft's methodology, CRAMM conducts a qualitative risk assessment by assigning threat levels to one or another category depending on the responses received. In total, this methodology has five categories of threat levels: “very high”, “high”, “medium”, “low” and “very low”. In turn, the level of resource vulnerability is assessed, depending on the answers, as “high”, “medium” and “low”. Based on this information, as well as the size of the expected financial losses, risk levels are calculated on a scale from 1 to 7, combined in a risk assessment matrix (Fig. 3).


    Fig. 3

    It should be noted here that the CRAMM method can rightfully be classified as a method that combines qualitative and quantitative approaches to the analysis of information security risks, since the assessment process takes into account the level of expected financial losses from the realization of the risk, and the results are given as points on a scale from 1 to 7. This significantly raises the standing of the CRAMM technique among specialists in this subject area.

    At the last stage of the study, called “Risk Management,” the selection of adequate control elements is made: CRAMM software generates several options for countermeasures that are adequate to the identified risks and their levels, from which the optimal option for the security system that meets the customer’s requirements is selected.

    The Facilitated Risk Analysis Process (FRAP) methodology is a model for building an information security system that includes a qualitative risk analysis. Let us examine precisely this component of the methodology that interests us. Below are the main steps in risk assessment.

    1. At the first stage, based on survey data, technical documentation and automated network analysis, a list of assets at risk is compiled.

    2. Identification of threats. Different approaches can be used when compiling the list of threats:

    · Conventional method. In this case, experts compile checklists of potential threats, from which the most relevant ones for a given system are subsequently selected;

    · Statistical. Here, statistics on information security incidents for this information system and similar ones are analyzed and their average frequency is estimated, after which the risk points are assessed;

    · "Brainstorming", carried out by company employees. The difference from the first method is that it is carried out without the involvement of external experts.

    3. After compiling a list of potential threats, statistics are collected on each case of risk occurrence: the frequency of a particular situation, as well as the level of damage suffered. Based on these values, experts assess the level of threat based on both parameters: the probability of the threat occurring (High Probability, Medium Probability and Low Probability) and the damage from it (High Impact, Medium Impact and Low Impact). Next, in accordance with the rule specified by the risk matrix (Fig. 4), an assessment of the risk level is determined:

    · level A - measures aimed at eliminating the threat (for example, the introduction of information security systems) must be taken immediately and without fail;

    · level B - measures must be taken to reduce the risk;

    · level C - monitoring of the situation is necessary;

    · level D - no action is required at the moment.

    4. Once threats have been identified and relative risks assessed, an action plan should be developed to eliminate the risk or reduce it to an acceptable level.

    5. Once the risk assessment has been completed, the results should be documented in detail and translated into a standardized format. This data can be used when planning further security procedures, the budget allocated for these procedures, etc.


    Fig. 4

    Risk Advisor is a software product developed by MethodWare, which implements a methodology that “allows you to set a model of an information system from the perspective of information security, identify risks, threats, and losses as a result of incidents.” There are five main stages of work:

    Description of the context. First of all, it is necessary to create a general scheme of the external and internal information contacts of the organization. This model is built in several dimensions and is specified by the following parameters: strategic, organizational, business goals, risk management, criteria. The picture of the overall context in terms of strategy describes the strengths and weaknesses of the organization in terms of external contacts. Here, the threats associated with relationships with partners are classified, and the risks associated with various options for the development of the organization’s external relations are assessed. The description of the context in the organizational dimension includes a picture of relations within the organization, development strategy and internal policies. The risk management framework includes the concept of information security. Finally, in the context of business objectives and assessment criteria, as the name suggests, the key business objectives and the qualitative and quantitative criteria on which risk management is based are described.

    Description of risks. In order to facilitate and standardize the decision-making process related to risk management, risk data must be standardized. Different models use different templates to formalize the available information. In the methodology described here, a risk matrix is specified, which takes into account not only the parameters of the risks themselves but also information about their connections with other elements of the overall system. It should be noted that risks are assessed here on a qualitative rather than quantitative scale and are divided into only two categories: acceptable and, accordingly, unacceptable. After this assessment, countermeasures are selected and the cost and effectiveness of the selected countermeasures are analyzed.

    Description of threats. First of all, a general list of threats is compiled. They are then classified according to a qualitative scale, and the relationships between various threats and the threat-risk relationships are described.

    Description of losses. At this stage, the events associated with information security incidents are described, after which the risks caused by these events are assessed.

    Analysis of results. After building the model, a detailed report (consisting of more than 100 sections) is generated. Aggregated descriptions are presented to the consumer in the form of a risk graph.

    RiskWatch, like Microsoft, has developed its own methodology for analyzing and assessing risks, which is implemented in several of its software products. "The RiskWatch method uses annual loss expectancy (ALE) and Return on Investment (ROI) as criteria for assessing and managing risks. The RiskWatch method is focused on an accurate quantitative assessment of the ratio of losses from security threats and costs of creation of a protection system." The risk analysis process consists of four stages.

    At the first stage, which is essentially preparatory, the subject of the study is determined: a description is given of the type of organization, the composition of the system under study, basic requirements in the field of information security, etc. RiskWatch software offers a wide selection of various categories of protected resources, losses, threats, vulnerabilities and protection measures, from which the analyst selects only those that are actually present in the system under study. In addition, it is possible to add new elements and adjust existing descriptions.

    At the second stage, a more detailed description of the system is made (what resources are present in it, what types of losses may occur when a risk occurs, and what classes of incidents can be identified “by comparing the category of losses and the category of resources”). There are two options for entering data: manually or by importing from reports generated during a vulnerability scan of the computer network. To identify possible weaknesses of the system, a questionnaire of more than 600 questions related to the resource categories is used. Since companies in different fields of activity have their own specific characteristics, and given the rapidly developing information technology market, the ability to edit questions and exclude or add new ones seems very reasonable and convenient. Next, the frequency of realization of each threat present in the system, the level of vulnerability and the value of resources are determined. Based on this information, the effectiveness of using particular information security controls is calculated.

    At the third stage, a quantitative risk assessment is carried out. The first step is to determine the relationship between the resources, losses, threats and vulnerabilities identified during the first two stages of work. Next, for each risk, the mathematical expectation of losses for the year is calculated using the following formula:

    where p is the frequency of occurrence of the threat during the year,

    v is the value of the resource that is threatened.

    For example, if taking a server down for one hour costs a company $100,000, and the probability of a DDoS attack occurring within a year is 0.01, then the expected losses will be $1,000. In addition, “what if…” scenarios are modeled, in which similar situations are considered taking into account the implementation of security measures. By comparing the expected losses with and without the use of control elements, it is possible to assess how effective the implementation of certain protective measures will be.

    At the last stage, reports of different types are generated: "summaries, full and concise reports on the elements described in stages 1 and 2, a report on the cost of protected resources and expected losses from the implementation of threats, a report on threats and countermeasures, a report on the results of a security audit."

    Thus, the tool in question makes it possible to assess not only the risks that currently exist for the enterprise, but also the benefits that the implementation of physical, technical, software and other protection tools and mechanisms can bring. The prepared reports and graphs provide sufficient material for making decisions about changing the enterprise security system. In addition, the described software can be a convenient basis for developing your own information security risk analysis and assessment tool, best suited to a specific type of enterprise (for example, credit institutions).

    GRIF is a Russian comprehensive tool for analyzing and managing risks of an organization’s information system, developed by Digital Security. The operating principle of this software is based on two conceptually different approaches to assessing information security risks, called the “information flow model” and the “threat and vulnerability model.” Let's consider each of the algorithms separately.

    The information flow model is characterized by the fact that the risk analysis and assessment algorithm is based on the construction of a model of the organization’s information system. The calculation of risk values ​​is based on information about the means of protecting resources with valuable information, the relationships between resources, the impact of access rights of user groups and organizational countermeasures.

    At the first stage, it is necessary to prepare a complete description of the architecture of the network under study, including information about valuable resources, their relationships, user groups, information security tools, etc. “Based on the entered data, you can build a full model of the company’s information system, on the basis of which an analysis of the security of each type of information on the resource will be carried out.”

    Let's move on to a direct description of the algorithm. Risk assessment is carried out separately for each user group-information connection for three types of threats: confidentiality, integrity and availability (for the first two types the result is calculated as a percentage, and for the latter in downtime hours). Damage from the realization of each type of threat is also specified separately, since it is not always possible to estimate combined losses. The key criteria on which the likelihood of a particular threat depends are the types (local and/or remote) and rights (read, write, delete) of user access to resources, availability of Internet access, number of people in the group, use of anti-virus software, cryptographic protection means (especially important for remote access), etc. At the same stage, the means of protecting information are determined and the coefficients of “local security of information on a resource, remote security of information on a resource and local security of a user group’s workplace” are calculated. The minimum coefficient reflects the real level of resource protection, since it indicates the most vulnerable place in the information system. In order to obtain the final probability of a threat being realized, the resulting indicator must be multiplied by the basic probability of an information security threat being realized, which is calculated using the method of expert assessments.

    At the last stage, the value of the resulting final probability is multiplied by the amount of damage from the implementation of the threat and the risk of an information security threat is calculated for the connection “type of information - group of users”. The algorithm for calculating the risk value for a denial of service threat has minor differences, mainly related to the units of measurement.

    The system also allows you to set countermeasures, the effectiveness of which can be assessed using the formula:

    where E is the effectiveness of implementing a countermeasure,

    Risk without taking into account countermeasures,

    Risk taking into account countermeasures.

    As a result of the algorithm, the customer receives the following information.

    · "The risk of implementation of three basic threats to the type of information.

    · Risk of implementation of three basic threats to the resource.

    · Risk of implementation in total for all threats to the resource.

    · Risk of implementation of three basic threats to the information system.

    · Risk of implementation for all threats to the information system.

    · Risk of implementation for all threats to the information system after setting countermeasures.

    · The effectiveness of the countermeasure.

    · The effectiveness of a set of countermeasures."

    The threat and vulnerability analysis model describes another approach to analyzing and assessing information security risks. The input information is a list of resources containing valuable information, a description of the threats affecting each resource, and vulnerabilities through which the above-mentioned threats can be implemented. For each type of source data (except for vulnerabilities), the degree of criticality is indicated. The probability of a particular threat being realized is also introduced.

    The algorithm can operate in two modes: calculating the probability of one basic threat occurring or distributing estimates across three basic types of threats. Let us list the stages of the method in general form for both modes.

    1. The threat level for a specific vulnerability is calculated based on the criticality and likelihood of the threat being realized through this vulnerability.

    2. The threat level for all vulnerabilities is calculated by summing the threat levels through specific vulnerabilities.

    3. The overall threat level for the resource is calculated.

    4. The resource risk is calculated.

    5. The risk for the information system is calculated.

    The GRIF risk analysis and assessment algorithm is an example of a methodology that takes into account the peculiarities of the customer’s company structure, using two different approaches to calculating risk values. Each of these two methods may be more effective in the case of one company and less effective in the situation of another. Thus, the GRIF methodology eliminates the possibility of using an inappropriate algorithm for calculating the level of risk, guaranteeing the achievement of an optimal result.

    In practice, quantitative and qualitative approaches to assessing information security risks are used. What's the difference?

    Quantitative method

    Quantitative risk assessment is used in situations where the threats being studied and the risks associated with them can be matched with concrete quantitative values expressed in money, percentages, time, human resources, etc. The method allows you to obtain specific values of the risk assessment objects when information security threats are realized.

    In the quantitative approach, all elements of the risk assessment are assigned specific and realistic quantitative values. The algorithm for obtaining these values ​​should be clear and understandable. The object of assessment may be the value of the asset in monetary terms, the likelihood of the threat being realized, the damage from the threat, the cost of protective measures, etc.

    How to quantitatively assess risks?

    1. Determine the value of information assets in monetary terms.

    2. Assess in quantitative terms the potential damage from the implementation of each threat in relation to each information asset.

    It is necessary to obtain answers to the questions “What part of the value of the asset will be the damage from the implementation of each threat?”, “What is the cost of damage in monetary terms from a single incident during the implementation of this threat to this asset?”

    3. Determine the probability of implementation of each of the information security threats.

    To do this, you can use statistical data, surveys of employees and stakeholders. In the process of determining the probability, calculate the frequency of incidents associated with the implementation of the considered information security threat over the control period (for example, one year).

    4. Determine the total potential damage from each threat in relation to each asset over the control period (one year).

    The value is calculated by multiplying the one-time damage from the threat by the frequency of the threat.

    5. Analyze the received damage data for each threat.

    For each threat, a decision must be made: accept the risk, reduce the risk, or transfer the risk.

    Accepting a risk means recognizing it, coming to terms with its possibility, and continuing to act as before. Applicable for threats with low damage and low probability of occurrence.

    Reducing risk means introducing additional measures and protective equipment, training staff, etc. That is, carrying out deliberate work to reduce risk. At the same time, it is necessary to quantitatively assess the effectiveness of additional measures and means of protection. All costs incurred by the organization, from the purchase of protective equipment to commissioning (including installation, configuration, training, maintenance, etc.), should not exceed the amount of damage from the threat.

    To transfer risk means to shift the consequences of the risk to a third party, for example, through insurance.

    As a result of quantitative risk assessment, the following must be determined:

    • the value of assets in monetary terms;
    • a complete list of all information security threats with the damage from a single incident for each threat;
    • the frequency of realization of each threat;
    • the potential damage from each threat;
    • recommended security measures, countermeasures and actions for each threat.

    Quantitative information security risk analysis (example)

    Let's consider the technique using the example of an organization's web server, which is used to sell a certain product. The quantitative one-time damage from a server failure can be estimated as the product of the average purchase receipt and the average number of requests over a time interval equal to the server downtime. Let’s say the cost of one-time damage from a direct server failure is 100 thousand rubles.

    Now it is necessary to evaluate by expert means how often such a situation may arise (taking into account the intensity of operation, quality of power supply, etc.). For example, taking into account expert opinion and statistical information, we understand that a server can fail up to 2 times a year.

    Multiplying these two quantities, we get that the average annual damage from the threat of direct server failure amounts to 200 thousand rubles per year.

    These calculations can be used to justify the choice of protective measures. For example, the implementation of an uninterruptible power supply system and a backup system with a total cost of 100 thousand rubles per year will minimize the risk of server failure and will be a completely effective solution.
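    The following Python code is an added example (not from the article or from any vendor's tool) that works through the annual loss expectancy formula from the RiskWatch section (expected annual loss = threat frequency per year multiplied by the value or damage exposed), the "what if" comparison with and without a control, and the accept / reduce / transfer decision of the quantitative procedure. The threat and control names, the residual frequency after the control, and the "low damage" threshold for accepting a risk are assumptions; the figures are the article's own two examples.

```python
"""Annualized loss expectancy (ALE) and countermeasure evaluation.

Added example, not part of the original article or of any vendor's product.
Inputs reproduce the two figures in the text: a DDoS outage costing $100,000
with yearly probability 0.01, and a web server failing up to 2 times a year
at 100 thousand rubles per failure, against a UPS + backup system costing
100 thousand rubles per year.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    single_loss: float        # damage from one incident (money units)
    frequency: float          # expected occurrences per year (p in the article)
    currency: str = "USD"


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float        # purchase, installation, training, maintenance
    residual_frequency: float  # assumed occurrences per year once deployed


def ale(single_loss: float, frequency: float) -> float:
    """Annual loss expectancy: one-time damage times yearly frequency (p * v)."""
    return single_loss * frequency


def evaluate(threat: Threat, control: Countermeasure) -> dict:
    """'What if' scenario: ALE without and with the control, and the net benefit.

    Per the article's rule, the control is justified only if its total annual
    cost does not exceed the damage it removes.
    """
    before = ale(threat.single_loss, threat.frequency)
    after = ale(threat.single_loss, control.residual_frequency)
    reduction = before - after
    net = reduction - control.annual_cost
    # return on the security investment relative to the control's cost
    rosi = net / control.annual_cost if control.annual_cost else float("inf")
    return {"ale_before": before, "ale_after": after, "reduction": reduction,
            "net_benefit": net, "rosi": rosi,
            "justified": control.annual_cost <= reduction}


def treatment(threat: Threat, control: Optional[Countermeasure],
              low_loss: float) -> str:
    """Accept / reduce / transfer decision for one threat.

    low_loss is an assumed threshold: an expected annual loss at or below it
    counts as 'low damage, low probability' and is simply accepted.
    """
    expected = ale(threat.single_loss, threat.frequency)
    if expected <= low_loss:
        return "accept"
    if control is not None and evaluate(threat, control)["justified"]:
        return "reduce"
    return "transfer"   # no control pays for itself: e.g. insurance


# Constructed inputs matching the article's numbers.
DDOS = Threat("DDoS outage, one hour", 100_000, 0.01, "USD")
SERVER_FAILURE = Threat("direct web server failure", 100_000, 2, "RUB")
UPS_AND_BACKUP = Countermeasure("UPS + backup system", 100_000,
                                residual_frequency=0.0)  # assumed


def report() -> dict:
    """Summarise both examples; the DDoS case has no control in the text."""
    return {"ddos_ale": ale(DDOS.single_loss, DDOS.frequency),
            "ddos_treatment": treatment(DDOS, None, low_loss=5_000),
            "server": evaluate(SERVER_FAILURE, UPS_AND_BACKUP),
            "server_treatment": treatment(SERVER_FAILURE, UPS_AND_BACKUP,
                                          low_loss=5_000)}


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```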

    Qualitative method

    Unfortunately, it is not always possible to obtain a specific expression of the object of evaluation due to great uncertainty. How to accurately assess the damage to a company’s reputation when information about an information security incident appears? In this case, a qualitative method is used.

    The qualitative approach does not use quantitative or monetary expressions for the object being assessed. Instead, the object of assessment is assigned an indicator ranked on a three-point (low, medium, high), five-point or ten-point scale (0 to 10). To collect data for qualitative risk assessment, surveys of target groups, interviews, questionnaires, and personal meetings are used.

    Information security risk analysis using a qualitative method should be carried out with the involvement of employees with experience and competence in the area in which the threats are considered.

    How to conduct a qualitative risk assessment:

    1. Determine the value of information assets.

    The value of an asset can be determined by the level of criticality (consequences) if the security characteristics (confidentiality, integrity, availability) of an information asset are violated.

    2. Determine the likelihood of a threat occurring in relation to an information asset.

    To assess the likelihood of a threat being realized, a three-level qualitative scale (low, medium, high) can be used.

    3. Determine the level of possibility of successful implementation of the threat, taking into account the current state of information security, implemented measures and means of protection.

    To assess the level of possibility of a threat being realized, a three-level qualitative scale (low, medium, high) can also be used. The threat feasibility value indicates how likely it is that the threat can be successfully carried out against the protection currently in place.

    4. Draw a conclusion about the level of risk based on the value of the information asset, the likelihood of the threat being realized, and the possibility of the threat being realized.

    To determine the level of risk, you can use a five-point or ten-point scale. When determining the level of risk, you can use reference tables that provide an understanding of what combinations of indicators (value, probability, opportunity) lead to what level of risk.

    5. Analyze the data obtained for each threat and the risk level obtained for it.

    Often the risk analysis team uses the concept of “acceptable level of risk.” This is the level of risk that the company is willing to accept (if the threat has a risk level less than or equal to acceptable, then it is not considered relevant). The global task in a qualitative assessment is to reduce risks to an acceptable level.

    6. Develop security measures, countermeasures and actions for each current threat to reduce the level of risk.
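    The following Python code is an added example (not from the article) of the six-step qualitative procedure above: asset value, threat likelihood and feasibility are rated low/medium/high, combined into a risk level on a ten-point scale, compared with the acceptable level, and the feasibility rating a countermeasure would have to reach is computed. The rule that combines the three ratings, the threat list and the acceptable level are all constructed assumptions; the article only says that such reference tables exist.

```python
"""Qualitative risk rating on ordinal scales.

Added example, not part of the original article. The combination rule below
is an assumption standing in for an organisation's own reference table.
"""
from itertools import product
from typing import List, Optional, Tuple

SCALE = {"low": 1, "medium": 2, "high": 3}   # three-level qualitative scale
LEVELS = ("low", "medium", "high")


def risk_level(value: str, probability: str, feasibility: str) -> int:
    """Map the three ordinal ratings to a risk level from 1 to 10.

    Assumed rule: the product of the three ranks (1..27) is rescaled linearly
    onto 1..10, so only 'high' on all three factors reaches level 10.
    """
    score = SCALE[value] * SCALE[probability] * SCALE[feasibility]
    return 1 + round((score - 1) * 9 / 26)


def reference_table() -> dict:
    """All 27 combinations with their risk level (the step 4 lookup table)."""
    return {combo: risk_level(*combo) for combo in product(LEVELS, repeat=3)}


def current_threats(assessments: List[Tuple[str, str, str, str]],
                    acceptable: int) -> List[Tuple[str, int]]:
    """Step 5: threats whose level exceeds the acceptable level, highest first."""
    rated = [(name, risk_level(v, p, f)) for name, v, p, f in assessments]
    return sorted((t for t in rated if t[1] > acceptable),
                  key=lambda t: (-t[1], t[0]))


def target_feasibility(value: str, probability: str, feasibility: str,
                       acceptable: int) -> Optional[str]:
    """Step 6 helper: lowest feasibility rating needed for an acceptable risk.

    Controls act on feasibility (step 3), so the search lowers that factor
    only; None means even 'low' feasibility leaves the risk above acceptable.
    """
    for candidate in LEVELS:                     # low, medium, high
        if SCALE[candidate] > SCALE[feasibility]:
            break                                # never raise feasibility
        if risk_level(value, probability, candidate) <= acceptable:
            return candidate
    return None


# Constructed assessments: (threat, asset value, likelihood, feasibility).
ASSESSMENTS = [
    ("web server failure", "high", "high", "medium"),
    ("reputational damage after incident disclosure", "high", "medium", "medium"),
    ("laptop theft", "medium", "medium", "low"),
]
ACCEPTABLE_LEVEL = 4   # assumed acceptable level of risk


if __name__ == "__main__":
    for name, level in current_threats(ASSESSMENTS, ACCEPTABLE_LEVEL):
        print(f"{name}: level {level}")
```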

    Which method should you choose?

    The goal of both methods is to understand the real risks of a company’s information security, determine a list of current threats, and select effective countermeasures and means of protection. Each risk assessment method has its own advantages and disadvantages.

    The quantitative method provides a clear representation in monetary terms of the objects of assessment (damage, costs), but it is more labor-intensive and in some cases inapplicable.

    The qualitative method allows for a faster risk assessment, but the assessments and results are more subjective and do not provide a clear understanding of the damage, costs and benefits of implementing information security.

    The choice of method should be made based on the specifics of a particular company and the tasks assigned to the specialist.

    Stanislav Shilyaev, information security project manager at SKB Kontur