ISRAM: information security risk analysis method

Bilge Karabacak a,*, Ibrahim Sogukpinar b

a National Research Institute of Electronics & Cryptology (UEKAE), P.O Box 74, 41470 Gebze, Kocaeli, Turkey
b Gebze Institute of Technology, 41400 Gebze, Kocaeli, Turkey

Computers & Security (2005) 24, 147–159. www.elsevier.com/locate/cose. doi:10.1016/j.cose.2004.07.004

Received 24 December 2003; revised 27 July 2004; accepted 27 July 2004

KEYWORDS: Information security; Risk analysis; Quantitative risk analysis; Paper-based risk analysis; Risk model

Abstract

The continuously changing nature of the technological environment has been forcing the process of information security risk analysis to be revised accordingly. A number of quantitative and qualitative risk analysis methods have been proposed by researchers and vendors. The purpose of these methods is to analyze today's information security risks properly. Some of these methods are supported by a software package. In this study, a survey-based quantitative approach is proposed to analyze the security risks of information technologies by taking current necessities into consideration. The new method is named the Information Security Risk Analysis Method (ISRAM). A case study has shown that ISRAM yields consistent results in a reasonable time period by allowing the participation of the managers and staff of the organization. © 2004 Elsevier Ltd. All rights reserved.

* Corresponding author. E-mail addresses: [email protected] (B. Karabacak), [email protected] (I. Sogukpinar).
0167-4048/$ - see front matter © 2004 Elsevier Ltd. All rights reserved.

Introduction

The structure and type of information technologies have changed enormously over the last decade. Simple stand-alone batch applications evolved into distributed computing environments, including real-time control, multitasking and distributed processing. The process of information security risk analysis has also been affected by these enormous changes. It is claimed to be "inconsistent, long lasting and difficult to apply" (Gerber and Solms, 2001). Due to the difficulties of applying complex risk analysis tools to today's information systems, researchers have worked to develop new methods.

Because the success and continuity of organizations vastly depend on the availability of information technologies, the task of protecting information technologies has become more critical than ever. In the 1980s, the head of the information technologies (IT) department of an organization was the staff member responsible for protecting information systems. Nowadays, some of the company managers




are taking over this responsibility from the head of the IT department (Owens, 1998). Thus, managers of organizations should understand the risk analysis process that directly affects the protection of information technologies. Moreover, managers may desire to participate in the risk analysis process. The structure of new risk analysis methods allows the participation of managers (Bilbao, 1992; Kailey and Jarratt, 1995; Jenkins, 1998; C&A Systems Security Limited, 2000; Toval et al., 2002; Jacobson, 2002; Coles and Moulton, 2003).

In this study, a new method named Information Security Risk Analysis Method (ISRAM) is proposed for information security risk analysis by taking today's needs into account. ISRAM is designed for analyzing the risks of complex information systems by allowing the participation of managers and staff. The proposed method consists of seven steps. These steps are exemplified in a case study in order to explain ISRAM clearly. To verify the results of the same case study, a risk model is set up with Arena simulation software. The collected real-life statistical data are introduced into the risk model.

This paper is organized as follows: risk analysis methods for information security are introduced briefly after the Introduction. Then the risk model of ISRAM, explanations and experimental results are presented. The section following that contains some ideas on the verification, comparison and the results of the application. The last section is the conclusion.

Risk analysis methods for information security

Basically there are two types of risk analysis methods. Quantitative risk analysis methods use mathematical and statistical tools to represent risk. In qualitative risk analysis methods, risk is analyzed with the help of adjectives instead of mathematics. Risk analysis methods that use intensive quantitative measures are not suitable for today's information security risk analysis. In contrast to past decades, today's information systems have a complicated structure and widespread use. Therefore, intensive mathematical measures used to model risk for complex environments make the process more difficult. The calculations performed during the risk analysis process are also very complex. Quantitative methods may not be able to model today's complex risk scenarios. Risk analysis methods based on qualitative measures are more suitable for today's complex risk environment of information systems. However, one important drawback of qualitative risk analysis methods is their nature, which yields inconsistent results. Because qualitative methods do not use tools like mathematics and statistics to model the risk, the result of the method depends heavily on the opinions of the people who conduct the risk analysis. There is a risk of obtaining subjective results while using qualitative risk analysis methods. The following examples can be given for the two types of risk analysis tools, based on quantitative and qualitative methods respectively. TUAR is a quantitative tool, which uses fault trees and fuzzy logic to express the risk (Bilbao, 1992). RaMEX is a qualitative tool, which does not use mathematical or statistical instruments (Kailey and Jarratt, 1995).

Both qualitative and quantitative risk analysis methods may be supported by software. In contrast, risk analysis methods that are executed without the assistance of software are referred to as paper-based methods (Gordon, 1992). There are a number of risk analysis methods that are supported by software (Spinellis et al., 1999). Software-based risk analysis methods may have some disadvantages. First, the cost of such methods is usually high. Second, the main frame of the risk analysis process is drawn by the software. Thus, some necessary variations of the risk analysis process cannot be achieved. Paper-based risk analysis methods consist of meetings, discussions and working sheets. One important drawback of paper-based methods is their duration. Because of the nature of the meetings, paper-based methods may take a long time to give the risk results.

The Buddy System (Jenkins, 1998) and Cobra (C&A Systems Security Limited, 2000) are examples of risk analysis methods that are supported by software. The Buddy System is quantitative, and Cobra is qualitative. SPRINT is an example of a paper-based risk analysis method (ISF, 1997).

Both quantitative and qualitative risk analysis methods may be supported by standards and guides like the Common Criteria Framework (ISO, 1999), ISO 13335 (ISO, 1996–2001), ISO 17799 (ISO, 2000), NIST Special Publication 800-30 (NIST, 2001) and the other standards and guides related to information technologies (Toval et al., 2002). As an example, CRAMM (CCTA, 2001) is a quantitative, software-based risk analysis method that is compatible with standards. CORA is another risk analysis tool, which is quantitative, software-based and compatible with the NIST 800-30 guide (Jacobson, 2002). A risk manager can use CORA to perform the risk analysis process described in the NIST 800-30 guide. These standards put forward robust and well-defined risk analysis methods. However, these methods may require the participation of expert risk analysts because of the complexity and formality of the methods.

BPIRM, business process information risk management, is an approach for risk management which is suggested to close the major gaps found in some risk management practices conducted by organizations (Coles and Moulton, 2003). Understanding the real risks by the business process owner and defining their control requirements are recommended by the BPIRM method. Also, this method is useful for establishing who is responsible for implementing and managing the controls related to these risks throughout all aspects of the business process.

The driving force for changes to information security risk analysis is not just the technology. Information security risk analysis has also been affected by new legal requirements. Therefore, risk management requires novel governance approaches. To address this issue, a governance approach is proposed to provide a better framework to manage risks (Moulton and Coles, 2003).

ISRAM: information security risk analysis method

By taking today's information technology environment into consideration, a risk analysis method should allow the effective participation of managers and staff in the process. In today's technological environment, if the risk analysis method contains complicated mathematical and statistical tools, it may require expert participation and it may last for a long time. Also, the risk analysis process should not contain purely qualitative measures, since this may cause subjective results. Risk analysis methods that do not possess these properties may not meet the requirements of organizations. ISRAM is a quantitative, paper-based risk analysis method that is designed to have these properties.

Risk model of ISRAM

The underlying risk model of ISRAM is based on the following formula, which is the fundamental risk formula (NIST, 2001; McEvoy and Whitcombe, 2002; USGAO, 1999).

$$\text{Risk} = \text{Probability of occurrence of security breach} \times \text{Consequence of occurrence of security breach} \qquad (1)$$

The risk model of ISRAM, which is deduced from formula (1), is given by formula (2). Formula (2) consists of two main parts, which are the projections of the two fundamental parameters in formula (1).

$$\text{Risk} = \left( \frac{\sum^{m} \left[ T_1 \left( \sum^{i} w_i p_i \right) \right]}{m} \right) \times \left( \frac{\sum^{n} \left[ T_2 \left( \sum^{j} w_j p_j \right) \right]}{n} \right) \qquad (2)$$

where

i: the number of questions for the survey of probability of occurrence, determined at Step-2;
j: the number of questions for the survey of consequences of occurrence, determined at Step-2;
m: the number of participants who participated in the survey of probability of occurrence, becomes definite at Step-5;
n: the number of participants who participated in the survey of consequences of occurrence, becomes definite at Step-5;
w_i, w_j: weight of question "i" ("j"), determined at Step-2;
p_i, p_j: numerical value of the selected answer choice for question "i" ("j"), determined at Step-3;
T1: risk table for the survey of probability of occurrence, constructed at Step-4;
T2: risk table for the survey of consequences of occurrence, constructed at Step-4;
Risk: single numeric value representing the risk, obtained at Step-6.

ISRAM is basically a survey preparation and conduction process to assess the security risk in an organization. Two separate and independent survey processes are conducted for the two risk parameters in formula (2). The preparation and conduction of the survey, as well as the analysis of its results, are defined according to well-defined steps to yield the risk. Formula (2) represents these steps mathematically.

An Annual Loss Expectancy (ALE) value may be required by some company managers after risk analysis. ISRAM does not make Single Loss Expectancy (SLE) or ALE calculations during the calculation of "risk". The unit of "risk" is not dollars. Rather, it is a single numerical value between 1 and 25, which will be defined later in Table 9.

However, while presenting the survey result to senior management, the risk value may be converted to an ALE value by the risk analyst. ISRAM supports an easy conversion from the risk value to the ALE value. A sample conversion for the result of the case study is given in the section 'Verification, comparison and the results of the application'.


The method in detail

The aim of ISRAM is to assess the risk caused by information security problems. To achieve this goal, ISRAM is performed by using public opinion on the problem. Public opinion is obtained by conducting a survey. A survey is composed of questions and answer choices related to the information security problem. Managers, directors, technical personnel and common computer users may be candidates for answering the survey questions. The aim of the survey is to understand the effect of the information security problem on the system or organization. In other words, conducting a survey is somewhat like making an as-is analysis. ISRAM makes a structured as-is analysis to assess the risk caused by the information security problem.

ISRAM consists of seven main steps as shown in Fig. 1. Of these seven steps, the first four belong to the survey preparation phase, the fifth step is the conduction of the survey and the last two steps are the phase in which results are obtained and assessed. In the survey preparation phase of ISRAM, the questions, the number of questions, the weight values of the questions, the number of answer choices and the numerical values of the answer choices are determined. Finally, the risk tables are prepared.

Figure 1 Basic flow diagram of ISRAM.

The existence of an information security problem is detected in the first step. After the first step, the ISRAM process is divided into two parallel sub-processes. One of these sub-processes is performed for the probability of occurrence of security breach parameter and the other is performed for the consequences of occurrence of security breach parameter. Hereafter, only the sub-process for the probability of occurrence of security breach will be explained according to Fig. 1.

In the second step, all the factors that may affect the probability of occurrence of a security breach are listed. After listing all possible factors for the risk parameter, weight values are assigned to the factors. One factor may have more effect on the probability of occurrence than another; that is why weight values are assigned to the factors. Weight values of the factors are in fact weight values for the questions (factors are converted into survey questions in the third step). Step-2 is a vital part of ISRAM for obtaining realistic and objective results. To carry out this step, people who have a general security perspective, preferably company workers, should participate. These staff should have enough knowledge and awareness of the information security problem, its effects and its probable causes. Also, staff should have enough knowledge of the information system that is affected by the problem.

In the third step, the factors are converted into survey questions and the answer choices are determined for each question. Each question may have a different number of choices. The number of choices should be selected by the risk analyst according to the questions and the case being analyzed. After the answer choices are determined, numerical values are assigned to the answer choices, because certain differentiations have to be supplied among the answer choices of a question. The answer choices and their numerical values have to be selected carefully, because the answers selected by survey participants will be the main assessment components for the risk. In Step-6, the risk amount will be calculated quantitatively according to the answer choices selected by participants. The team who lists the factors should work carefully on the selection of the choices and the assignment of numerical values.

In the fourth step, two risk tables are prepared. Risk tables are vital for the quantitative analysis of the survey results. A risk table converts a bulk survey result to meaningful, quantitative and scaled values. To do this, a risk table scales all possible survey results that can be obtained from a single survey. Risk tables are the main reference points for the evaluation of the survey results. They prevent confusion while quantitatively assessing the survey results. The content of a risk table changes according to the surveys conducted. A risk table forms a connection between the result of the survey and the quantitative value of the risk parameter under consideration.

The survey is conducted after the preparation of the risk tables is over. This is the fifth step of ISRAM. This step is the most peculiar part of ISRAM, in which ordinary information system users participate actively in the risk analysis process. At Step-5, the survey questions can be distributed to the relevant staff as hard copy or answered electronically. The questions for the two risk parameters can be delivered in one survey, or it is possible to deliver separate surveys for the two risk parameters. In this case, the number of participants may be different for the two surveys. It is important to note that the answers to the survey questions are valuable information for the risk analysis process. But the main purpose of ISRAM is to convert these answers into numeric values.

In the sixth step, formula (2) is applied to get a single quantitative risk result from the answered surveys. An example of the application of formula (2) is given in Table 10, which shows the calculations for our case study.

Step-7 is the assessment phase of ISRAM. In the assessment phase, not only the numerical survey result, which is obtained in Step-6, is assessed but also the answers to the survey questions are analyzed.

All of these phases allow the active participation of managers and staff in the risk analysis process. Among these seven steps, addition, multiplication and division operations are used only in Steps 4 and 6. Other complicated mathematical and statistical calculations are not used in these steps.

Steps 2–4 are the most vital parts of ISRAM for an objective risk analysis. Company staff must work carefully during these steps to eliminate any subjectivity and incompleteness.

Practice of ISRAM

In the case study, ISRAM was used to analyze the risk arising from computer viruses. Our environment for risk analysis was composed of 20 computers on a Local Area Network (LAN) as shown in Fig. 2. These computers belong to a research institute and are used by staff to connect to the Internet. Every computer has a dedicated user. However, any of the computers in the network can be used by any user. Twenty institute workers took part in the survey to obtain the public opinion on computer viruses.

Step-1: awareness of the problem

As already stated in the previous paragraph, the information security problem is caused by computer viruses. The computers used in the case study do not have appropriate antivirus software installed. Personal firewall products are installed on a few computers. It is apparent that there is a strong requirement for a structured risk analysis in which the probability of a virus infection and the consequences of an incident are estimated.

Technically oriented people of the institute realize the information security problem and decide to make a risk analysis. The first step of ISRAM is completed.

Figure 2 Environment of ISRAM.


Step-2: listing and weighing the factors

At Step-2, separate analyses are made for the two risk parameters to determine the factors which affect these parameters.

After determining and listing all the factors, weight values are assigned to the factors by using Table 1. The value of assets, the strength of already existing countermeasures, and the level of vulnerabilities are all considered during the assignment of weight values.

After discussions among the risk analysis team, 21 factors are determined that affect the probability of a virus infection. Fifteen factors are determined that affect the consequences of infection. Among these factors, six affect both parameters.

Three of the factors are directly associated with vulnerabilities of the operating system and patch level (these three factors affect both risk parameters).

Some of the factors that affect the probability of a virus infection and their weight values are shown in Table 2. (Because of space constraints, not all the factors could be listed.)

Some of the factors that affect the consequences of a virus infection and their weight values are shown in Table 3.

The six factors that affect both the probability and the consequences of a virus infection and their weight values are shown in Table 4.

The first three factors in Table 4 are directly associated with vulnerabilities of systems. Note that these factors affect both the probability and the consequences of infection. These factors also have considerable weight values.

Step-3: converting factors into questions, designating answer choices and assigning numerical values to answer choices

At Step-3, all the factors are converted into survey questions and answer choices are designated. The number of answer choices can change according to the type and structure of the survey question. In our case study, there are a total of 30 survey questions. Ten of these questions have only two answer choices (six of them are yes/no questions). Sixteen of the questions have four answer choices. Four of the questions have three answer choices. Apart from the yes/no questions, all questions have an answer choice named "Other:". If a participant cannot find an appropriate answer among the dedicated choices, he/she is expected to write his/her answer there.

After the designation of answer choices, Table 5 is used to convert answer choices into numerical values.

Some of the questions and their answer choices are shown in Table 6. The weight values of the questions and the numerical values of the answer choices are also given in parentheses. In the questions column, "p" in parentheses means that the factor affects the probability of infection and "c" in parentheses means that the factor affects the consequences of infection. Note that, if the question (factor) affects both parameters (probability and consequences), then the first numerical weight value in the next parenthesis is for the probability of infection and the other one is for the consequences of infection.

Table 1 Reference table for the weight values of the factors

| Weight value | Explanation |
|---|---|
| 3 | The factor is directly associated with a severe vulnerability and/or the factor is directly associated with a critical asset and/or there is no countermeasure in place. Because of these reasons, the factor is the most effective factor that affects the probability of infection or the consequences of infection. The factor contributes directly to the value of the risk parameter. |
| 2 | The factor is somewhat associated with a vulnerability and/or the factor is directly associated with an important asset and/or there are a few countermeasures in place. Because of these reasons, the factor is a slightly/normally effective factor that affects the probability of infection or the consequences of infection. The factor contributes somewhat directly to the value of the risk parameter. |
| 1 | The factor is a little associated with a vulnerability and/or the factor is indirectly associated with an important asset and/or there are enough countermeasures in place. Because of these reasons, the factor is the least effective factor that affects the probability of infection or the consequences of infection. The factor contributes indirectly to the value of the risk parameter. |

Table 2 Some of the factors that affect the probability

| Factor | Weight value |
|---|---|
| The type of attachment of e-mails | 3 |
| The number of e-mails per day | 1 |
| The number of different websites entered per day | 1 |
| The source of floppies | 2 |
| The number of files downloaded per day | 1 |

For a participant, more than one choice may be applicable. In this case, the most effective choice (the choice which has the largest numerical value) is used during the calculations.

Table 3 Some of the factors that affect the consequences

| Factor | Weight value |
|---|---|
| The backup condition of files | 3 |
| The place of files | 2 |
| The importance of files in a computer | 3 |
| The dependence on files and applications | 2 |

$$\sum^{i} w_i p_i \quad \left\{ \begin{array}{l} i:\ \text{the number of the questions} \\ w:\ \text{the weight of the } i\text{th question} \\ p:\ \text{the value of the selected answer choice of the } i\text{th question} \end{array} \right. \qquad (3)$$

Step-4: preparation of risk tables

Two risk tables are constructed for our case study (one for the probability of infection parameter and one for the consequences of infection parameter). Each of the tables has five levels to represent the level of the risk parameter. These dynamic tables scale the possible results of the surveys of the fundamental risk parameters both quantitatively and qualitatively.

For the probability of infection parameter, there were 21 factors, so 21 survey questions are applied. Up to this point, each of these questions has been weighted and answer choices have been designated for each of them. Different numbers of answer choices were designated for the survey questions. For each of the answer choices, numerical values between 0 and 4 are determined.

To construct a risk table, firstly, the minimum and maximum numerical values that can be obtained from the survey of the risk parameter are found. Formula (3) is applied in order to find the minimum and maximum survey results of the probability of infection parameter. For our case study, the value of "i" is 21, "wi" is the weight of the "ith" question, and "pi" is the value of the answer choice for question-i. The maximum value for a survey is found by assuming that a participant chooses the most influential answer choice for all questions (so that "pi" has its maximum possible value). In this case, the "maximum output" equals 128.

The minimum value for a survey is found by assuming that a participant chooses the least influential answer choice for all the questions (so that "pi" has its minimum possible value). The "minimum output" is 29 for our case study.

One hundred and twenty-eight points, the maximum possible value for a survey result, represents the highest probability of infection by a virus. Twenty-nine points, the minimum possible value for a survey result, represents the lowest probability of infection by a virus. In Table 7, the values between 29 and 128 are arranged to represent risk levels. The possible survey results presented in Table 7 are scaled and matched to quantitative and qualitative values.

While building the risk table, the possible survey values are grouped evenly and scaled to represent the level of the risk parameter. It may not be possible for all intervals to be divided evenly. In this case, the interval of excess should be assigned to the most critical value. Table 7 is the risk table constructed for the probability of infection parameter. In the case study, the interval of "very high probability" is 20. The intervals of the other four scales are 19.

Table 4 Factors that affect both the probability and the consequences

| Factor | Weight value for probability | Weight value for consequences |
|---|---|---|
| The operating system of computer | 3 | 3 |
| The update against vulnerabilities | 3 | 3 |
| The type of user account | 2 | 3 |
| The frequency of update | 1 | 2 |
| Access to the shared folders of other computers | 1 | 2 |
| The number of computers which are accessed by sharing | 1 | 2 |

Table 5 Numerical values of answer choices

| Numerical value of answer choice | Explanation |
|---|---|
| 4 | Most effective answer choice. Affects the probability of occurrence or consequences of occurrence enormously. |
| 3 | Rather effective answer choice. Affects the probability of occurrence or consequences of occurrence highly. |
| 2 | Somewhat effective answer choice. Affects the probability of occurrence or consequences of occurrence considerably. |
| 1 | Least effective answer choice. Affects the probability of occurrence or consequences of occurrence slightly. |
| 0 | No effect on the probability of occurrence or consequences of occurrence. |

The other risk table is for the consequences of infection. The same calculations for the maximum and minimum values of the survey output were made for the consequences of infection variable during our case study. To find these values, formula (4) is used. This is the same as formula (3), except that "j" is used to represent the questions of the consequences of occurrence parameter.

Table 6 Some of the questions and their respective answer choices

| Questions | a | b | c | d | e |
|---|---|---|---|---|---|
| What do you do at Internet? (p) (2) | Download (4) | Sending and receiving e-mails (3) | Chat (2) | Reading newspapers and articles (0) | Other: |
| How many different sites do you visit? (p) (1) | More than 10 (4) | 7–9 (3) | 5–7 (2) | Less than four (1) | Other: |
| What type of files do you download? (p) (2) | Executables (4) | Scripts (3) | Documents (1) | No download (0) | Other: |
| What is the importance of files present at your computer? (c) (3) | Very important and only at my computer (4) | Important, there are copies at other computers (3) | Not important (0) | Other: | – |
| What is the operating system of your computer? (p) (c) (3) (3) | Belongs to Windows family (4) | Linux/Unix (0) | Other: | – | – |
| In what account do you use your computer? (p) (c) (2) (3) | Administrator/root (4) | Normal user (1) | Other: | – | – |
| Do you update your computer against vulnerabilities? (p) (c) (3) (3) | No (4) | Yes (0) | – | – | – |

Table 7 Risk table for the survey of probability of infection parameter

Survey result   Qualitative scale        Quantitative scale
29–48           Very low probability     1
49–68           Low probability          2
69–88           Medium probability       3
89–108          High probability         4
108–128         Very high probability    5

$$\sum_{j} w_j p_j \qquad \begin{cases} j: \text{ the number of the question} \\ w_j: \text{ the weight of the } j\text{th question} \\ p_j: \text{ the value of the selected answer choice of the } j\text{th question} \end{cases} \tag{4}$$

According to formula (4), the "maximum output" is found to be 160 and the "minimum output" is calculated as 47.

Table 8 is constructed for the consequences of infection parameter. For this risk table, the interval of excess is 26, which is for "very serious consequences". The interval values of the other scales are all 21.

A final risk table, Table 9, is prepared by using the fundamental risk formula. The final risk table prevents confusion in the last step of ISRAM, which is the assessment phase. This final risk table is static. The uppermost row of the final risk table shows the quantitative values of the probability of infection parameter. The leftmost column shows the quantitative values of the consequences of infection parameter. The multiplication of these two values according to formula (1) gives the various risk values between 1 and 25.

The number of survey questions, the types of questions and the structures of risk tables are changeable according to the information security problem. The flexibility of the method allows ISRAM to be applied effectively to diverse information security problems.

Table 8 Risk table for the survey of consequences of infection parameter

Survey result   Qualitative scale            Quantitative scale
47–68           Negligible consequences      1
69–90           Minor consequences           2
90–111          Important consequences       3
112–133         Serious consequences         4
134–160         Very serious consequences    5

To obtain consistent and accurate results from a survey, it is important to carefully list the factors and prepare the questions and answers. According to the nature of the problem, the number and type of staff that participate in a survey may change. All staff may participate in a survey that aims to express the risk that arises from viruses.

Step-5: conduction of the survey

After preparation of the risk tables for the two risk parameters and the final risk table, the survey is ready for distribution to the related staff. Thus, the preparation phase of the survey process is over. At Step-5, the survey questions are distributed to the relevant staff as hard copy. In our case study, one survey, which contains the questions of both risk parameters, is submitted to the users. Twenty people participated in the survey.

Step-6: application of formula (2) and obtaining a single risk value

After Step-5 is finished, formula (2) is applied. In our case study, the probability for a computer to be infected by a virus is found to be 3.8, which is close to "high probability" on the qualitative scale. The consequence of a virus infection is found to be 4.05, which is approximately "serious consequences" on the qualitative scale. As a result, the value of risk is found to be 15.39, which is a high level of risk according to the final risk table, Table 9.

Detailed survey results are given in Table 10. In this table, the bulk survey results, the simplified survey results (after the risk conversion tables) for all participants, the values of the risk parameters and the final risk value are given. The detail of the application of formula (2) is clearly seen in Table 10.

Step-7: assessment of the results

The most important output of ISRAM is the single risk value obtained at Step-6. This risk value is obtained after performing a considerable amount of preliminary work, including listing the factors, designating answer choices, weighting the factors, giving numerical values to answer choices and preparing risk tables. The quality of this preliminary work definitely affects the accuracy of the single risk value.


Table 9 The final risk table prepared from risk tables (Tables 7 and 8)

Risk = (1) × (2)      1: Very low    2: Low         3: Medium      4: High         5: Very high
1: Negligible         1: Very low    2: Very low    3: Very low    4: Low          5: Low
2: Minor              2: Very low    4: Low         6: Low         8: Medium       10: Medium
3: Important          3: Very low    6: Low         9: Medium      12: Medium      15: High
4: Serious            4: Low         8: Medium      12: Medium     16: High        20: Very high
5: Very serious       5: Low         10: Medium     15: High       20: Very high   25: Very high

On the other hand, not only these calculations and the final numerical result are considered; the answers given to the questions are also examined in detail by the risk analysts while assessing the survey results.

By examining the answers to the survey questions in the case study, some important results are obtained. Some of the users have administrative privileges while using their computers, which increases both the probability and the consequences. USB storage devices and CD-ROMs (not floppies) are widely used in the network. Most of the users do not back up their data. A small group of the users download programs. Half of the participants do not patch their computers. This is a great vulnerability for virus infection. In general, user security awareness should somewhat reduce the probability and consequences of infection.

The structure of ISRAM allows gross risk and net risk calculations. After a user security awareness program is held, the same survey is performed to obtain the net risk value. In our case study, after the user security awareness program, the risk value is found to be 14.3, which is between medium and high risk but very close to the high risk level.

The assessment of survey results is an important part of ISRAM. Managers and staff can easily participate in this step like the other steps and express their opinions.

Table 10 Survey results

Participant-m (m is equal to n in our case study)   Probability of infection (bulk result) $\sum_i w_i p_i$, where $i = 21$   T1   Consequences of infection (bulk result) $\sum_j w_j p_j$, where $j = 15$   T2
Participant-1      94    4    103    3
Participant-2     100    4    124    4
Participant-3      74    3     95    3
Participant-4      73    3    112    4
Participant-5     110    5    121    4
Participant-6      97    4    113    4
Participant-7      89    4    129    4
Participant-8      88    3    118    4
Participant-9      99    4    105    3
Participant-10     85    3    135    5
Participant-11     93    4    136    5
Participant-12    124    5    156    5
Participant-13     69    3     98    3
Participant-14     95    4    123    4
Participant-15     96    4    145    5
Participant-16     90    4    119    4
Participant-17    118    5    135    5
Participant-18     71    3    129    4
Participant-19     94    4    113    4
Participant-20     71    3    123    4

$$\frac{\sum_m \left[T1\left(\sum_i w_i p_i\right)\right]}{m} = 3.8 \qquad \frac{\sum_n \left[T2\left(\sum_j w_j p_j\right)\right]}{n} = 4.05$$

$$\mathrm{Risk} = \frac{\sum_m \left[T1\left(\sum_i w_i p_i\right)\right]}{m} \times \frac{\sum_n \left[T2\left(\sum_j w_j p_j\right)\right]}{n} = 15.39$$
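Steps 6 and 7, as carried out on the Table 10 data, can be reproduced end to end: each bulk result is converted with the risk conversion tables T1 (Table 7) and T2 (Table 8), the converted values are averaged over the participants (formula (2)), the two averages are multiplied (formula (1)), and the product is read against Table 9. The code below is an added example, not the authors' implementation; its tables and the twenty participant rows are copied from the paper. One assumption is made explicit: Table 7 prints 108 as both the top of "high" and the bottom of "very high", and this code assigns a result lying exactly on a shared boundary to the lower scale.

```python
"""ISRAM Steps 6-7 on the case-study data of Table 10 (added example)."""

# Table 7: (lower bound, upper bound, quantitative scale) for probability of infection.
# 108 appears in two rows in the paper; the first matching row wins here (assumption).
T1_PROBABILITY = [(29, 48, 1), (49, 68, 2), (69, 88, 3), (89, 108, 4), (108, 128, 5)]
# Table 8: the same for consequences of infection (90 is likewise shared).
T2_CONSEQUENCES = [(47, 68, 1), (69, 90, 2), (90, 111, 3), (112, 133, 4), (134, 160, 5)]

# Table 9 labels, keyed by the product probability x consequence.
RISK_LABELS = {1: "Very low", 2: "Very low", 3: "Very low",
               4: "Low", 5: "Low", 6: "Low",
               8: "Medium", 9: "Medium", 10: "Medium", 12: "Medium",
               15: "High", 16: "High",
               20: "Very high", 25: "Very high"}

# Table 10 bulk results: (probability survey sum, consequences survey sum) per participant.
TABLE10 = [(94, 103), (100, 124), (74, 95), (73, 112), (110, 121),
           (97, 113), (89, 129), (88, 118), (99, 105), (85, 135),
           (93, 136), (124, 156), (69, 98), (95, 123), (96, 145),
           (90, 119), (118, 135), (71, 129), (94, 113), (71, 123)]


def convert(score, table):
    """Map a bulk survey result onto the 1-5 quantitative scale of a risk table."""
    for lo, hi, scale in table:
        if lo <= score <= hi:
            return scale
    raise ValueError(f"survey result {score} lies outside the risk table")


def mean_scale(scores, table):
    """Formula (2): average of the converted values over all participants."""
    return sum(convert(s, table) for s in scores) / len(scores)


def isram_risk(rows):
    """Return (probability, consequence, risk): the two parameter values and
    their product according to formula (1), rounded as the paper reports it."""
    prob = mean_scale([p for p, _ in rows], T1_PROBABILITY)
    cons = mean_scale([c for _, c in rows], T2_CONSEQUENCES)
    return prob, cons, round(prob * cons, 2)


def final_risk_table():
    """Table 9 as a 5x5 grid indexed [consequence - 1][probability - 1]."""
    return [[(c * p, RISK_LABELS[c * p]) for p in range(1, 6)] for c in range(1, 6)]


def bracket(risk):
    """Qualitative reading of a non-integer risk value: the labels of the
    nearest Table 9 cell at or below and at or above it.  When both agree the
    reading is unambiguous; when they differ (e.g. the 14.3 net risk) the
    value sits between two levels and Step 7 leaves the judgement to the analyst."""
    cells = sorted(RISK_LABELS)
    below = max(v for v in cells if v <= risk)
    above = min(v for v in cells if v >= risk)
    return RISK_LABELS[below], RISK_LABELS[above]


if __name__ == "__main__":
    prob, cons, risk = isram_risk(TABLE10)
    print(f"probability {prob}, consequence {cons}, risk {risk}, {bracket(risk)}")
```

Run on the Table 10 rows the functions give 3.8, 4.05 and 15.39, and `bracket` reports "High" for 15.39 and "Medium"/"High" for the 14.3 net risk, matching the paper's reading of both values.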

The survey results are assessed and suggestions are put forward for the risk mitigation process. The outcome of ISRAM is a risk report, which clearly presents the survey results and assesses them.

Verification, comparison and the results of the application

In order to verify the results of the ISRAM case study, we gathered statistical data and ran a simulation based on the statistical data obtained. Arena simulation software was used to model the risk environment and to simulate on the real statistical data.

By making analyses on the pilot network, it is seen that the three main sources of viruses are e-mails, downloads and removable media (USB storage devices, floppy diskettes and CD-ROMs). So, the gathered statistical data are composed of the number of received e-mails, downloads and storage media usage per day, per computer and per user. The statistical data were gathered for one month. During this month, virus incidents were carefully noted. The sources and number of infections were written down.

After the gathering of the statistical data was completed, three independent risk models were constructed in Arena software, because the sources of data that arrive at the computers are independent of each other.

In the risk models, generated data are represented by an exponential probability distribution function. The mean value of the probability distribution function was determined according to the gathered statistical data for e-mail traffic, number of downloads and storage media usage. The generated data were passed through the probability of infection and the consequences of infection entities for all three risk models. The probability of infection was constructed according to the statistical data. The consequences of infection entities were constructed after discussion with experts.

The gathered statistical data were imported into the risk model and, based upon the real statistical data, Arena software simulated the situation of the test network as if one year had passed. Table 11 shows the final result of this simulation.

The simulation results revealed results similar to those of the ISRAM application. As is seen in Table 11, there are a number of virus infections in one year, which can correspond to the high level of probability. Also, as can easily be seen from the last five rows of the table, most of the infections have serious consequences. These two results are compatible with the results obtained at Step-6 of ISRAM. At Step-6 of ISRAM, formula (2) was applied and single values for the probability of infection and the consequences of infection were found. The value for the first parameter was close to the high probability level and the value for the second parameter was approximately equal to the serious consequences level.

"As-if" analyses are also performed during simulation. If the users perform updates and backup operations, the probability and consequences of virus infections decrease dramatically. But it should not be expected of users to perform these operations.

Table 11 Simulation results

Risk report 1                                                          Date: 17 May 2004
E-mail virus model                                                     Time: 2:34:51 PM

Model parameter                                                        Average
Total e-mails                                                          25342.1000
The number of e-mails that contain viruses                             42.6000
The number of e-mails that contain viruses, which infect               32.5000
Total downloads                                                        5245.1200
The number of downloads that contain viruses                           12.0732
The number of downloads that contain viruses, which infect             10.0200
Total storage media usage                                              17445.3400
The number of storage media that contain viruses                       8.334
The number of storage media that contain viruses, which infect         6.5300
The number of infections that cause very serious consequences          3.0000
The number of infections that cause serious consequences               19.0500
The number of infections that cause important consequences             5.0450
The number of infections that cause minor consequences                 12.9550
The number of infections that cause negligible consequences            9.0000
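The structure of the three-source model described above (exponentially distributed inter-arrival times per source, each arrival passed through a probability-of-infection entity and then a consequences-of-infection entity, totals reported per year) can be reproduced without the Arena package. The following is an added example, not the authors' model: the paper does not print its measured rates or its infection and consequence parameters, so every number below is a constructed placeholder, with the daily means chosen only so that the expected yearly totals are of the same order as the first column of Table 11.

```python
"""Three-source virus infection simulation in the shape of the paper's Arena
models (added example; all parameters are constructed placeholders)."""
import random

CONSEQUENCE_LEVELS = ["negligible", "minor", "important", "serious", "very serious"]

# Constructed per-source parameters: mean events per day (drives the exponential
# inter-arrival time), probability that an event carries a virus, and probability
# that a virus-carrying event actually infects the computer.
SOURCES = {
    "e-mail":        dict(mean_per_day=70.0, p_virus=0.0020, p_infect=0.75),
    "download":      dict(mean_per_day=15.0, p_virus=0.0030, p_infect=0.80),
    "storage media": dict(mean_per_day=48.0, p_virus=0.0005, p_infect=0.80),
}
# Constructed relative weights of the five consequence levels for one infection.
CONSEQUENCE_WEIGHTS = [0.18, 0.26, 0.10, 0.39, 0.07]


def simulate(days=365, seed=1, sources=SOURCES, cons_weights=CONSEQUENCE_WEIGHTS):
    """Run the three independent source models for `days` days.

    Returns (report, consequences): per-source counts of events, events that
    carried a virus and events that infected, plus the number of infections in
    each consequence level.  A fixed seed makes a run reproducible."""
    rng = random.Random(seed)
    report = {name: {"total": 0, "with_virus": 0, "infected": 0} for name in sources}
    consequences = {level: 0 for level in CONSEQUENCE_LEVELS}
    for name, par in sources.items():
        row = report[name]
        t = rng.expovariate(par["mean_per_day"])        # time of first event, in days
        while t < days:
            row["total"] += 1
            if rng.random() < par["p_virus"]:           # probability-of-infection entity, stage 1
                row["with_virus"] += 1
                if rng.random() < par["p_infect"]:      # stage 2: the virus actually infects
                    row["infected"] += 1
                    level = rng.choices(CONSEQUENCE_LEVELS, weights=cons_weights)[0]
                    consequences[level] += 1            # consequences-of-infection entity
            t += rng.expovariate(par["mean_per_day"])   # exponential inter-arrival time
    return report, consequences


def infections_per_year(report):
    """Total infections over all sources, the figure read against the probability scale."""
    return sum(r["infected"] for r in report.values())


def as_if(updates_and_backups=False):
    """'As-if' analysis: re-run with the infection probability and the two worst
    consequence weights reduced to represent patched, backed-up users.  The
    reduction factors are constructed, not measured."""
    if not updates_and_backups:
        return simulate()
    patched = {n: dict(p, p_infect=p["p_infect"] * 0.25) for n, p in SOURCES.items()}
    weights = [0.45, 0.35, 0.12, 0.06, 0.02]
    return simulate(sources=patched, cons_weights=weights)


if __name__ == "__main__":
    report, consequences = simulate()
    print(report)
    print(consequences, "infections:", infections_per_year(report))
```

Because each source is simulated independently with its own exponential inter-arrival stream, the per-source totals vary from run to run only through the seed; the consequence counts always sum to the total number of infections, which is the consistency check a reader should apply to a table such as Table 11.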

Consequently, the results of the simulation based on gathered statistical data are compatible with the results of the ISRAM case study. ISRAM gives similar results in a much shorter time period, without struggling with statistical data and while allowing the participation of staff.

An important advantage of ISRAM is its appropriateness for ALE calculations. In order to present the survey result to senior management, ALE calculations can be performed. Some managers may desire to see monetary losses rather than single numerical values.

ALE is calculated as in formula (5).

$$\text{Annual Loss Expectancy} = \text{Threat Occurrence Rate per Year} \times \text{Single Loss Expectancy} \tag{5}$$

where the unit of Annual Loss Expectancy is "dollars per year". Similarly, the unit of Single Loss Expectancy is "dollars per worst-case occurrence". "Threat Occurrence Rate per Year" can be characterized as "the probability of virus infection" and "Single Loss Expectancy (SLE)" can be characterized as "the consequences of virus infection".

For the ALE calculation, it is necessary to convert the numerical values of the two risk parameters to threat occurrence per year and SLE values. In our case study, the probability of virus infection was found to be 3.8 (high probability) and the consequence of a virus infection was found to be 4.05 (serious consequences). Risk analysts can convert these results to "Threat Occurrence Rate per Year" and "Single Loss Expectancy" values by taking the company's situation into consideration. For our case study, "Threat Occurrence Rate per Year" is designated as 50 occurrences per year and "Single Loss Expectancy" is designated as $40. Therefore, ALE is equal to $2000. This is more than the cost of an antivirus software package for an institute. Thus, it can easily be said that the lack of antivirus software exposes the institute to high risk.

Conclusion

In this study, a novel method, ISRAM, is proposed for information security risk analysis. The proposed method is based on a quantitative approach that uses survey results to analyze information security risks.

The quantitative tools included in ISRAM are simple numbers related to the survey, risk tables, and addition, multiplication and division operations. The main advantage of ISRAM over other risk analysis methods is its ease of use. There are no complicated mathematical and statistical instruments in ISRAM.

Previously, it was mentioned that qualitative methods might give subjective results. ISRAM is a quantitative tool with well-defined steps and mathematical measures. With careful operation, ISRAM gives objective risk results. The comparison of the case study and simulation results supports this statement.

Software-based risk analysis methods have a rigid frame. During risk analyses in which software is used, necessary variations may not be achievable. This is not the case for ISRAM. ISRAM does not have rigid frames. The number of questions and answer choices, risk tables, weight values and the other values may be changed from one analysis to another. ISRAM has well-defined steps, and therefore it is deterministic. There is no risk of a long period of analysis as with the paper-based methods.

Because ISRAM is a quantitative method which does not contain complicated mathematical and statistical instruments, managers and staff may effectively participate in the risk analysis process. It is suggested that information security risk analysis should be more business oriented. Thus, less technology and more culture and organization should be used in order to succeed (McEvoy and Whitcombe, 2002; Sommer, 1994; Reid and Floyd, 2001). ISRAM fulfills both the business and technology requirements by taking today's needs into consideration.

ISRAM may be used for a wide range of problems, from technical problems like the one in our case study to procedural and political issues, such as finding out the risk that arises from the weaknesses of information security policies.

References

Bilbao A. TUAR. A model of risk analysis in the security field, CH3119-5/92. IEEE; 1992.

C&A Systems Security Limited. COBRA consultant products for Windows. Evaluation & user guide; 2000.

Coles RS, Moulton R. Operationalizing IT risk management. Computers & Security 2003;22(6):487–93.

Gerber M, Solms RV. From risk analysis to security requirements. Computers & Security 2001;20(7):577–84.

Gordon J. Security modelling, risk analysis methods and tools. IEE colloquium; 1992. p. 6/1–6/5.

Information Security Forum (ISF). Simplified practical risk analysis methodology (SPRINT) user guide; 1997. p. 43–57.

ISO. Evaluation criteria for IT security ISO 15408, Parts 1 thru 3. Geneva: ISO; 1999.

ISO. Guidelines for the management of IT security ISO 13335, Parts 1 thru 5. Geneva: ISO; 1996–2001.

ISO. Code of practice for information security management ISO 17799. Geneva: ISO; 2000.

Jacobson RV. Using CORA to implement the NIST risk management guide. Available from: <http://www.ist-usa.com/Downloads/UsingCORA with NISTSP800-30.zip>; 2002.

Jenkins BD. Security risk analysis and management. White Paper, Countermeasures Inc. Available from: <http://www.cs.kau.se/~albin/Documents/RA_by%20Jenkins.pdf>; 1998.

Kailey MP, Jarratt P. RAMeX: a prototype expert system for computer security risk analysis and management. Computers & Security 1995;14(5):449–63.

McEvoy N, Whitcombe A. Structured risk analysis. InfraSec 2002. LNCS 2437; 2002. p. 88–103.

Moulton R, Coles RS. Applying information security governance. Computers & Security 2003;22(7):580–4.

National Institute of Standards and Technology (NIST). Risk management guide for information technology systems; 2001. Special Publication 800-30.

Owens S. Information security management: an introduction. British Standards Institution; 1998.

Reid RC, Floyd SA. Extending the risk analysis model to include market-insurance. Computers & Security 2001;20(4):331–9.

Spinellis D, Kokolakis S, Gritzalis S. Security requirements, risks and recommendations for small enterprise and home–office environments. Information Management & Computer Security 1999;7(3):121–8.

Sommer P. Industrial espionage: analysing the risk. Computers & Security 1994;13(7):558–63.

Toval A, Nicolas J, Moros B, Garcia F. Requirements reuse for improving systems security: a practitioner's approach. Requirements Engineering 2002;6:205–19.

United Kingdom Central Computer and Telecommunication Agency (CCTA). Risk analysis and management method, CRAMM user guide, Issue 2.0; 2001.

United States General Accounting Office (USGAO). Information security risk assessment, <http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-33>; 1999.

Bilge Karabacak received his B.Sc. degree in Electronic Engineering from Bilkent University in 1999, and his M.Sc. degree in Computer Engineering from Gebze Institute of Technology in 2003. Currently he is pursuing a Ph.D. degree in Computer Engineering at Gebze Institute of Technology. His areas of interest are risk management, network security and application security.

Ibrahim Sogukpınar received his B.Sc. degree in Electronic and Communications Engineering from Technical University of İstanbul in 1982, and his M.Sc. degree in Computer and Control Engineering from Technical University of İstanbul in 1985. He received his Ph.D. degree in Computer and Control Engineering from Technical University of İstanbul in 1995. Currently he is Assistant Professor at the Computer Engineering Department in Gebze Institute of Technology. His areas of interest are information security, networking, information systems applications and computer vision.