
In document Óbudai Egyetem (pages 37-42)

4. The strategy-driven operational risk management of PCUBE-SEC

4.2 The ISACA risk definition and the asset risk of PCUBE-SEC

The two ISACA basics, the CISA Review Manual and COBIT, work with the same risk definition, word for word, which at the same time is very similar to the ISO information security risk definition quoted above, with the one exception that ISACA mentions "business".

According to the Glossary of both materials:

"Risk - in business is the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss of/or damage to the assets. It usually is measured by a combination of impact and probability of occurrence" [CRM, COBIT 4.1 - Glossaries].

In all of these definitions the fact that the business value has a very important relation both to the impact and to "the potential" of the occurrence is totally overlooked, not to mention the connections between vulnerability and the other factors.

Thinking about how to adjust risk to the philosophy of PCUBE-SEC and, what is more important, aligning theory with my practical experience collected in financial institutions and during audits of companies, I realized that in everyday practice we frequently meet risk connected to the corporate assets, but we often have to deal with the risks of operations, too.

I solve this problem by introducing an asset risk definition and by describing the handling of operational risk by a risk management cycle. The risks connected to the assets are the base of many important procedures, e.g. that of the business continuity plans, while in handling the risks of operations we strive to reach an excellent operations level.

Thus my asset risk definition will help both in planning business continuity and in communicating to the management the issues that threaten it. Furthermore, the exactness of the planning is increased by the exact values of the weights, as the management will be able to estimate the relation between these weights much more easily than to answer questions about the probabilities of dangers and threats.

Asset risk is such a value, which

• is assigned to a pair of
  o a corporate asset, and
  o an operational objective (this can be a strategic goal or an excellence criterion just as well)

• is supposed to be directly proportional to
  o the strategic / business value of this asset in achieving this operational objective, as a goal,
  o the probability of the occurrence of an event threatening the business use of this asset (the duration of this usage is determined by the business process(es) needing this asset in achieving this goal),
  o the vulnerability of this asset.


The strategic / business value is estimated in a subjective way by the top management or by the employee empowered by the top management to take on this business decision.

This estimation aims at the comparison of this asset to other assets with respect to its importance in achieving this goal. The opinion of the estimator is expressed by the relation between the assigned values; the individual values assigned to the assets one by one have no meaning on their own. In order to facilitate comparison and calculations, integers are to be used as "values".


business_value(asset_i, goal_j) := k_ij, where

k_ij ∈ {1, ..., l}, i = 1, ..., n, j = 1, ..., m, and l is an integer < ∞ (actually l ≤ 5 is more than enough)

(that is, k_ij takes its value from a finite series of integers), and

if business_value(asset_i, goal_j) is estimated to be < business_value(asset_k, goal_j), then

∀ j = 1, ..., m: k_ij (is chosen by the estimator to be) < k_kj
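As an added illustration (not part of the thesis and not PCUBE-SEC's own code), the following Python turns an estimator's pairwise "less valuable than" judgements for one goal into integer weights k_ij on the scale {1, ..., l}, giving each asset the smallest integer that satisfies every judgement, and then checks the consistency requirement stated above. The judgement format, the assumed bound l = 5 and the asset names are constructed for the example; contradictory (cyclic) judgements, and judgements that would need more than l levels, are reported as errors rather than silently squeezed onto the scale.

```python
"""Derive business-value weights k_ij for one goal from pairwise judgements.

Added example; not from the thesis. The scale bound l = 5 and the assets
are assumptions made for illustration.
"""
from collections import defaultdict

L_MAX = 5  # the bound l of the scale {1, ..., l}; the text notes l <= 5 suffices


def derive_weights(assets, judgements, l_max=L_MAX):
    """Return {asset: k} with k in {1, ..., l_max} for a single goal.

    judgements is a sequence of (lesser, greater) pairs meaning
    business_value(lesser, goal) < business_value(greater, goal).
    Each asset receives the smallest integer consistent with every judgement
    (1 + length of the longest chain of assets ranked below it), so the
    numbers carry no meaning on their own; only their relations do.
    """
    for lesser, greater in judgements:
        if lesser not in assets or greater not in assets:
            raise KeyError(f"unknown asset in judgement ({lesser}, {greater})")
    below = defaultdict(set)  # greater -> assets judged less valuable than it
    for lesser, greater in judgements:
        below[greater].add(lesser)

    rank = {}

    def longest_chain(asset, path=()):
        if asset in rank:
            return rank[asset]
        if asset in path:  # a cycle means the estimator contradicted himself
            raise ValueError(f"contradictory judgements involving {asset}")
        depth = 1 + max(
            (longest_chain(b, path + (asset,)) for b in below[asset]), default=0
        )
        rank[asset] = depth
        return depth

    for asset in assets:
        longest_chain(asset)
    if rank and max(rank.values()) > l_max:
        raise ValueError(f"judgements need more than l = {l_max} levels")
    return rank


def consistent(weights, judgements):
    """The definition's requirement: every judged pair keeps k_ij < k_kj."""
    return all(weights[lesser] < weights[greater] for lesser, greater in judgements)


# Constructed example for the goal "market success" of a fictional company.
ASSETS = ["customer_db", "payroll", "marketing_site", "hr_wiki"]
JUDGEMENTS = [
    ("hr_wiki", "marketing_site"),
    ("marketing_site", "payroll"),
    ("payroll", "customer_db"),
]

if __name__ == "__main__":
    k = derive_weights(ASSETS, JUDGEMENTS)
    print(sorted(k.items(), key=lambda kv: kv[1]))  # hr_wiki 1 ... customer_db 4
    print("consistent:", consistent(k, JUDGEMENTS))
```

Assets the estimator never compared all share the lowest level, which is exactly the "no individual meaning" property of the definition: the output is the minimal integer encoding of the stated relations, nothing more.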

As instead of individual values we express the value of the assets in terms of relations, these relations "offer" themselves to be weighted even further. Thus different composite classifications can be devised "on top of" this classification of assets according to their business value. For example, classification of the given business according to its "hierarchical role" in the corporate strategy might be a useful refinement.

Other refinements that the top management considers relevant can also be formulated, e.g. classification by the process owner according to the importance of the asset in fulfilling given goals, or according to other aspects.

As this fulfillment might require such efforts that hinder the achievement of other goals, further weighting might be especially useful in everyday practice.

In contrast to the positive, goal-achieving approach of the preceding paragraphs, we have to deal with the obstacles, too. In order to be able to take into consideration the effort of the staff to overcome them, we define

vulnerability of an asset or, in short: asset-vulnerability

as the probability that this asset fails to serve the fulfillment of any given operational objective, or at least fails to fulfill it to the required extent.

This probability depends on the choice of the asset, the goal, and the effort spent to improve the situation. This choice depends on the PCUBE-SEC user. PCUBE-SEC is not able to ensure that every relevant factor is taken into consideration. As we often have to mention when describing this methodology, completeness cannot be achieved; the success of problem solving depends on the user. However, as will be seen, advice will even be given here on systems analysts' methods for exploring situations.

The above considerations can be formalized in the following way:

risk(asset, goal) ~ distance(asset, goal) * probability(asset, goal, attack) * vulnerability(asset, goal, effort)

where:

/1 These function notations mean here that the notion in the "function name" position is considered to depend at least on the notions listed in the parameter position, between the parentheses.

The proportionality relations between the right- and left-hand sides, factor by factor, are denoted by the "~" and the "*" signs.

/2 "distance"

serves the comparison of assets in the same way as it is used in comparing other PCUBE-SEC notions, that is:

Let's define the

"distance of an asset from any kind of goal" as its degree of importance in achieving the goal.

This goal can be any operational objective: as a special case, an excellence criterion, or a strategic goal just as well.

We work with the distance here as in the other cases, that is, the relation between the values assigned to the different assets is taken into consideration; the individual values themselves are not meaningful.

The k_ij business values used in the formal description of the asset risk are just the distances of asset_i from goal_j.

/3 "probability"

The only hypothesis we need on "probability" is the following:

if distance(asset1, goal) < distance(asset2, goal) then

  if attack_x, attack_y come from a competitor or from an enemy inside, then
    probability(asset1, goal, attack_x) > probability(asset2, goal, attack_y)

that is, if asset1 is "closer" to the given "goal" than asset2, then the "probability" that any kind of attack_x will be launched on asset1 is greater than the "probability" that asset2 would be attacked by an attack_y;

  else if attack_x, attack_y come from an outside intruder, then the benefit to be gained by the intruder will be the determining factor, that is:
    probability(asset1, goal_x, attack_x) ~ distance(asset1, goal_y)

where goal_y is a goal of the intruder.

On "vulnerability", the following hypothesis might be a good working one, or, at least, PCUBE-SEC suggests to "take better care" of the "more precious" assets:

if distance(asset1, goal) < distance(asset2, goal) then
  vulnerability(asset1, goal, effort1) > vulnerability(asset2, goal, effort2), where usually effort1 < effort2

Note: the case of a goal, without an identifiable asset

It is possible that the asset is unknown, that is, there is no concrete asset to which we can connect the risk, or at least it is difficult to specify exactly what is actually threatened. In this case the PCUBE-SEC user needs the other parts of this asset risk notion in describing the problem world. An example of this situation is the necessity to describe a risk management life-cycle that has to deal with asset risks in the risk assessment phase of this life-cycle.

In this case a kind of "default asset" can be used, which is just a strategic goal, instead of a concrete asset that has a concrete role in satisfying a concrete strategic goal. If no concrete strategic goal can be identified in a situation, then a very high-level goal, e.g. the market success of the company, or something as general as that, can be chosen. If the asset to be handled is that general, then its strategic value can be taken to be equal to the maximum value assigned to the chosen strategic goal. Probability and vulnerability will have to be shaped to this special case.

This "special case" of our definition gives back just one of the "old" definitions, which take the probability and the vulnerability into account, or sometimes omit even the vulnerability. The reason for this omission might be the practical experience, mentioned above, that an asset is usually maintained more thoroughly if it is thought to be interesting to external attackers.
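As an added illustration (not the thesis's or PCUBE-SEC's own code), the following Python ranks assets by the proportionality model risk(asset, goal) ~ distance(asset, goal) * probability(asset, goal, attack) * vulnerability(asset, goal, effort). It follows /2 in reading the distance as the weight k_ij and "closer to the goal" as a higher weight, and applies the two hypotheses as monotone functions: an insider's or competitor's attack grows more probable with the asset's importance for the goal, an outside intruder's with the asset's importance for the intruder's own goal, and residual vulnerability falls with protective effort. The numeric forms of those functions, the assets, their weights and efforts, and the intruder's goal "resale" are all constructed assumptions; the "default asset" of the note is modelled as a pseudo-asset carrying the maximum weight assigned to the goal. Because "~" states proportionality only, the ranking is normalised to the riskiest asset rather than reported as absolute values.

```python
"""Relative asset-risk ranking under risk ~ distance * probability * vulnerability.

Added example; not from the thesis. The functional forms of probability and
vulnerability, the assets, their weights and their efforts are assumptions.
"""
from dataclasses import dataclass

L_MAX = 5  # bound l of the business-value scale {1, ..., l}


@dataclass(frozen=True)
class Asset:
    name: str
    weights: dict   # goal -> k_ij, the asset's importance ("distance") for that goal
    effort: float   # protective effort already spent, assumed in [0, 1]


def distance(asset, goal):
    """Per /2: the distance of asset_i from goal_j is just k_ij."""
    return asset.weights[goal]


def probability(asset, goal, attack, intruder_goal=None):
    """Hypothesis /3 as monotone functions (assumed numeric forms)."""
    if attack in ("insider", "competitor"):
        # the more important the asset is for the goal, the likelier the attack
        return distance(asset, goal) / L_MAX
    if attack == "outsider":
        # the intruder's own benefit decides: importance for the intruder's goal
        if intruder_goal is None:
            raise ValueError("an outsider attack needs the intruder's goal")
        return distance(asset, intruder_goal) / L_MAX
    raise ValueError(f"unknown attack origin {attack!r}")


def vulnerability(asset, goal, effort):
    """Assumed form: residual vulnerability falls linearly with effort.
    The goal parameter is kept to match the thesis's notation."""
    return 1.0 - min(max(effort, 0.0), 1.0)


def asset_risk(asset, goal, attack, intruder_goal=None):
    """The proportional risk value for one (asset, goal) pair."""
    return (distance(asset, goal)
            * probability(asset, goal, attack, intruder_goal)
            * vulnerability(asset, goal, asset.effort))


def default_asset(goal, known_assets, effort):
    """The note's 'default asset': the goal itself, valued at the maximum
    weight assigned to that goal (assumed reading; falls back to l)."""
    top = max((a.weights.get(goal, 0) for a in known_assets), default=L_MAX) or L_MAX
    return Asset(name=f"default:{goal}", weights={goal: top}, effort=effort)


def rank_assets(assets, goal, attack, intruder_goal=None):
    """Return [(name, relative risk)] sorted descending; the riskiest is 1.0."""
    raw = {a.name: asset_risk(a, goal, attack, intruder_goal) for a in assets}
    top = max(raw.values())
    if top == 0:
        return [(n, 0.0) for n in raw]
    return sorted(((n, r / top) for n, r in raw.items()),
                  key=lambda nr: nr[1], reverse=True)


# Constructed inventory of a fictional company; "resale" is the intruder's goal.
ASSETS = [
    Asset("customer_db",    {"market_success": 5, "resale": 5}, effort=0.8),
    Asset("marketing_site", {"market_success": 4, "resale": 1}, effort=0.3),
    Asset("payroll",        {"market_success": 3, "resale": 4}, effort=0.6),
]

if __name__ == "__main__":
    print("insider :", rank_assets(ASSETS, "market_success", "insider"))
    print("outsider:", rank_assets(ASSETS, "market_success", "outsider", "resale"))
    dflt = default_asset("market_success", ASSETS, effort=0.5)
    print("default :", asset_risk(dflt, "market_success", "insider"))
```

Running it shows the point of the attack-origin branch in /3: against an insider the under-protected marketing site ranks first, while against an outsider the customer database, the most valuable item for the intruder's own goal, leads and the marketing site drops to last.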

An example of the use of a similar kind of default asset is a note of an ISACA member proposing a differentiation between so-called "intentional" and "opportunistic" risk [Chapela, 2011]. The former is related to given data or functionality, so it is a kind of special case of my asset risk, while handling the latter, the opportunistic risk, seems to serve the improvement of a kind of general security level. However, I cannot totally agree with Chapela. He assigns priorities to his intentional risks depending on the threats coming from external sources. In order to evaluate external threats, he introduces three risk vectors.

"Access" is determined by the ease of accessing the information. The "Value" vector is the value of the threatened information. The "Anonymity" vector is determined by the need for authentication to access the threatened information. Chapela states that these vectors are independent of each other. I still insist that the value of the information is not independent of the ease of accessing it, as the more valuable the information is, the more effort is, or at least should be, spent on defending it. Besides, while priorities can be assigned based on a feature of external threats, internal threats, which are usually more dangerous, are also to be taken into consideration. Anyway, assigning priorities based on any kind of danger is only a special case of strategic value-directed prioritizing.
