The analysis of information systems (IS) security risks can no longer be neglected by companies. Which method to choose among those proposed? What are the strengths and weaknesses of each of them?
An organization’s information system is increasingly seen as a strategic asset. A malfunction of the IS can indeed seriously impact the entire activity of a company. As such, the analysis of IT security risks has become essential.
Once the risks have been identified, the objective of the analysis is to quantify and budget the reduction measures in order to prioritize them. Once the catalog of risks has been defined, it is compared to a catalog of solutions. Security actions are then carried out with regard to the priority level of each risk and the available budget, this step constituting the last stage of the hierarchical risk model, which includes three levels: strategic, tactical and operational.
The first methods of analyzing IS security risks focused on the security issue, without focusing on the budgets and resources necessary for the implementation of action plans. As they lacked good judgment, they subsequently integrated risk management in order to assess the impact of each threat and prioritize the actions to be taken.
The first methods appeared in the 1980s, with disparities linked to the local context and the culture specific to each country. The DCSSI (Central Directorate for Information Systems Security), ancestor of ANSSI (National Agency for Information Systems Security), then attempted to map these different methods.
France offers a large number of methods. The CLUSIF (*) has indeed been very active in this field, resulting in a multiplication of methods and variants of methods. The British, with British Standard 7799, for their part laid the first bricks of the future ISO standards of the 27000 series.
The methods were subsequently refined and converged. To date, the three most used are:
- ISO 27005: 2018, a standard used in all countries, but more specifically within the Spanish-speaking world;
- NIST SP 800 30, popular in the Anglo-Saxon sphere, but also in regions such as Central America and Japan;
- ANSSI EBIOS Risk Manager, present in the French-speaking sphere (except Canada) and some African countries.
Figure: IBM X-Force 2021 report, main attacks 2020 vs 2019.
ISO 27005: 2018: a common international foundation
ISO 27005: 2018 is the only one of the three methods that is an international standard. Being the fruit of consultation and conciliation, its main quality is to form a minimum base accepted by all and widely used, backed by accessible tools.
With its five-level scale, it allows easy classification of risks. However, it has the drawback of addressing only strategic risks. Another weakness is the confusion between risk frequency and risk probability. Finally, this method is weighed down by its catalogs, even if, on this point, GRC tools (**) will help to clear the ground.
NIST SP 800 30: the American tank
American culture shows through in the NIST SP 800 30 method, which is intended to be as complete and detailed as possible. Multiparametric, it assesses both strategic and tactical risks, and comes with well-stocked tooling.
It takes into account all risk factors, with ratings on broad scales (ranging from 0 to 100). However, this level of detail is also a weakness: since it is often impossible to find the appropriate box, many risks end up classified as moderate, which prevents them from being prioritized at the end of the chain. The NIST SP 800 30 method therefore suffers from its own qualities. Complex, it is difficult to apply as it stands, so companies often have to rely on a simplified version.
ANSSI EBIOS Risk Manager: modern and practical
ANSSI’s EBIOS Risk Manager method is interesting in more than one way. It is indeed intended to be simple, with a clear division between strategic risks and tactical risks. Launched in 2018, it takes into account next-generation threats, such as ransomware. All with simple tools (an Excel spreadsheet may suffice).
Practical, the ANSSI EBIOS Risk Manager works in workshops:
1. Scoping phase;
2. Definition of sources of risk;
3. Development of a strategic scenario, in order to determine the severity of a risk;
4. Development of a tactical scenario, in order to assess the likelihood;
5. Assessment of the level of risk according to the two previous factors (severity and likelihood).
Operational cycles between workshops 3, 4 and 5 are carried out for each risk. Then a new strategic cycle makes it possible to relaunch the process from the first phase. This risk analysis method has the merit of being anchored in the concrete and of adopting a proactive, defense-type posture (and not a simple security posture) aimed at continuously improving risk management and the level of security.
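To make the workshop outputs and the budget-driven prioritization described earlier concrete, here is an added Python example; it is not part of the original article nor of ANSSI's own tooling. The 1-4 severity and likelihood scales, the product as the combination rule in workshop 5, the greedy selection of measures and the sample catalog are all assumptions made for this illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    scenario: str             # strategic scenario (workshop 3) refined by a tactical one (workshop 4)
    source: str               # risk source identified in workshop 2
    severity: int             # workshop 3 output, assumed 1 (minor) .. 4 (critical)
    likelihood: int           # workshop 4 output, assumed 1 (unlikely) .. 4 (almost certain)
    measure: str              # candidate reduction measure from the solution catalog
    cost: int                 # budget units the measure consumes
    residual_likelihood: int  # likelihood expected once the measure is in place

def risk_level(severity: int, likelihood: int) -> int:
    """Workshop 5: combine severity and likelihood (assumed: their product, 1..16)."""
    if not (1 <= severity <= 4 and 1 <= likelihood <= 4):
        raise ValueError("scores must lie on the 1-4 scales")
    return severity * likelihood

def prioritize(risks: list[Risk]) -> list[str]:
    """Rank scenarios by risk level; ties go to the more severe scenario."""
    ranked = sorted(risks, key=lambda r: (risk_level(r.severity, r.likelihood), r.severity), reverse=True)
    return [r.scenario for r in ranked]

def plan(risks: list[Risk], budget: int) -> tuple[list[str], int]:
    """Greedy: fund the measures with the best risk reduction per budget unit first."""
    def gain_per_unit(r: Risk) -> float:
        before = risk_level(r.severity, r.likelihood)
        after = risk_level(r.severity, r.residual_likelihood)
        return (before - after) / r.cost
    chosen, remaining = [], budget
    for r in sorted(risks, key=gain_per_unit, reverse=True):
        if r.cost <= remaining:      # skip measures the remaining budget cannot cover
            chosen.append(r.measure)
            remaining -= r.cost
    return chosen, remaining

# Constructed sample catalog: fictitious scores and costs, for illustration only
CATALOG = [
    Risk("Ransomware encrypts the production ERP", "organised crime", 4, 3, "offline backups with tested restores", 30, 1),
    Risk("Phishing leaks the customer database", "organised crime", 3, 4, "MFA plus awareness campaign", 20, 2),
    Risk("Insider tampers with payroll data", "malicious insider", 2, 2, "least-privilege access review", 10, 1),
    Risk("Botnet DDoS takes down the public website", "hacktivists", 2, 3, "anti-DDoS front end", 25, 1),
]

if __name__ == "__main__":
    print(prioritize(CATALOG))       # most urgent scenario first
    print(plan(CATALOG, budget=50))  # measures funded this cycle and budget left over
```

Note that the two scenarios with the same level (12) are ordered by severity, which is what lets the ransomware case come first even though the phishing measure is funded first on a cost-efficiency basis.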
What about cybersecurity?
Even if the ANSSI EBIOS Risk Manager method remains confined to the French-speaking sphere, its qualities mean that it could inspire others, starting with NIST SP 800 30. Well suited to current threats such as ransomware, phishing or botnets, the French approach constitutes a promising basis for the analysis of risks relating to IS, even if it means subsequently comparing its results against the ISO 27005: 2018 standard in order to ensure an international transition. Note that the market offers EBIOS RM certification, which will further strengthen the attractiveness of this tool.
All the methods we have studied have the limitation of focusing on the risks that directly threaten information systems. For example, when a developer builds an application, he is tempted to look for pieces of code or libraries on the Internet; as this code has not been audited, it may contain Trojans or logic bombs.
These methods are not suited to taking into account other cyber risks, those of the semantic layer of cyberspace, such as manipulation or disinformation with the famous fake news.
So when will we see a multi-layered cyber risk analysis method?
(*) CLUSIF: French Information Security Club
(**) GRC: Governance, Risks and Compliance