
3.2 Looking at Service Security Requirements

3.2.3 A Risk Assessment Example for Mobile Devices

The ability to assess the level of loss, whether financial, personal or a loss of business confidence, is essential when establishing appropriate controls for the protection of assets. Risk analysis techniques have been developed and are widely used by organisations to ensure they take account of the threats to, and vulnerabilities of, their systems. Without attempting to cover the full range of risks associated with mobile assets, an example method is presented here for establishing the level of trust required in the identity of a user wishing to access an application or service. It is recognised that mobile devices are often owned by individuals and used to store business data (or vice versa). With this in mind, the required security could be defined by responsibility in one of three ways:

1. Organisation is wholly responsible for the device and all applications, services and business processes that operate on it.

2. Personal user is wholly responsible for the device and all applications and services that operate on it.

3. Both organisation and end-user take partial responsibility for particular applications, services and business processes that operate on it. No specific apportioning of responsibility is assumed.


As with risk assessment, it is the responsibility of the appropriate party (or parties) to define the trust level required for each application, service or business process. What actually needs to be assessed will largely depend on whether the device is used for business or personal purposes. For personal purposes, the user is likely to use the applications and services provided on the device by the network operator; this range will largely depend on the device and will therefore be fairly static. For business purposes, the device is likely to run all of the default functionality (as for personal users) but also a wider range of third-party and bespoke applications. It is therefore important that an organisation has the ability to add applications and services to the assessment.

The level of trust can be established in several ways. Recognising the different requirements of a personal user and an organisation, three main models could be used:

1. Personal Security Model (PSM) : A model to be undertaken by a personal user:

Although risk assessment methodologies are the traditional tools used by businesses to identify the level of risk, such an approach is not so viable for the end-user: it would place a significant burden on novice users, as specialist knowledge and procedures are required. A simpler means of assigning risk to a service or application could therefore be more appropriate, allowing the personal user to set a risk/security level for each service or application, based on their own knowledge and use of the device, without any further analysis of impact.

2. Simple Risk Assessment Model (SRAM): A model to be undertaken by either the personal user, the organisation, or a combination of both:

This type of model could represent a more focused risk analysis tool than the one for the personal user, useful for more security-aware mobile device users.

It could include a risk analysis process that offers the completeness and granularity required while still following a simplified procedure. Organisations not versed in risk analysis, or lacking the related expertise, could also follow this model. In addition, since responsibility for the device might reside with more than one party, such a model could also permit the choice of which stakeholder is responsible for assigning risk to each service or application.

To assign sensitivity levels, each service could be analysed in terms of the typical consequence that would result from a breach of confidentiality, integrity or availability in each usage context. The consequences considered have been adopted from a standard risk analysis methodology, CRAMM (Barber and Davey, 1992), and are classified as follows:

• Disruption
• Financial loss
• Breach of personal privacy
• Legal liability
• Embarrassment
• Threat to personal safety
• Breach of commercial confidentiality
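The following is an added worked example of the SRAM procedure just described; it is not code from the thesis or from CRAMM. It rates one service per usage context against the seven consequence types for each of confidentiality, integrity and availability, derives the sensitivity level of the service in each context, and records which stakeholder sets the level when responsibility is shared. The four-step impact scale, the worst-case (maximum) combination rule, the rule that business contexts are assigned by the organisation and other contexts by the user, and the sample ratings for the mail client are all assumptions made for illustration.

```python
"""Simple Risk Assessment Model (SRAM) worked example (added illustration).

Each service is rated per usage context: for every security property
(confidentiality, integrity, availability) the typical consequence of a
breach is scored against the CRAMM consequence types listed in the section.
The impact scale, the worst-case combination rule and the sample ratings
are assumptions, not taken from the thesis or from CRAMM.
"""
from dataclasses import dataclass
from enum import IntEnum

# Consequence types listed in the section (adopted from CRAMM).
CONSEQUENCES = frozenset({
    "disruption",
    "financial_loss",
    "breach_of_personal_privacy",
    "legal_liability",
    "embarrassment",
    "threat_to_personal_safety",
    "breach_of_commercial_confidentiality",
})
PROPERTIES = ("confidentiality", "integrity", "availability")
PARTIES = ("organisation", "user", "shared")


class Impact(IntEnum):
    """Assumed four-step impact scale."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class ServiceAssessment:
    name: str
    responsibility: str  # "organisation", "user" or "shared"
    # usage context -> security property -> consequence -> Impact.
    # Only consequences applicable in that context are listed; anything
    # omitted is treated as Impact.NONE.
    ratings: dict

    def __post_init__(self):
        # Reject vocabulary outside the model so ratings stay comparable.
        if self.responsibility not in PARTIES:
            raise ValueError(f"unknown responsibility: {self.responsibility}")
        for context, by_property in self.ratings.items():
            for prop, by_consequence in by_property.items():
                if prop not in PROPERTIES:
                    raise ValueError(f"{self.name}/{context}: unknown property {prop}")
                unknown = set(by_consequence) - CONSEQUENCES
                if unknown:
                    raise ValueError(
                        f"{self.name}/{context}/{prop}: unknown consequence(s) {sorted(unknown)}")


def sensitivity(svc, context):
    """Worst-case impact of any C/I/A breach of `svc` in `context`.
    Assumed rule: the level is the single highest consequence, not a sum."""
    worst = Impact.NONE
    for by_consequence in svc.ratings.get(context, {}).values():
        for impact in by_consequence.values():
            worst = max(worst, Impact(impact))
    return worst


def required_trust_level(svc):
    """Trust required in the user's identity before access is granted:
    the highest sensitivity across every context the service is used in."""
    if not svc.ratings:
        return Impact.NONE
    return max(sensitivity(svc, ctx) for ctx in svc.ratings)


def assigning_party(svc, context):
    """Which stakeholder sets the level for this service in this context.
    Assumed split for shared responsibility: business contexts are assigned
    by the organisation, every other context by the user."""
    if svc.responsibility != "shared":
        return svc.responsibility
    return "organisation" if context == "business" else "user"


# Constructed sample: one mail client used for both work and private mail on
# a device for which organisation and user share responsibility.
EMAIL = ServiceAssessment(
    name="email",
    responsibility="shared",
    ratings={
        "business": {
            "confidentiality": {"breach_of_commercial_confidentiality": Impact.HIGH,
                                "legal_liability": Impact.MEDIUM},
            "integrity": {"financial_loss": Impact.MEDIUM},
            "availability": {"disruption": Impact.LOW},
        },
        "personal": {
            "confidentiality": {"breach_of_personal_privacy": Impact.MEDIUM,
                                "embarrassment": Impact.MEDIUM},
            "availability": {"disruption": Impact.LOW},
        },
    },
)

if __name__ == "__main__":
    for ctx in EMAIL.ratings:
        print(f"{EMAIL.name}/{ctx}: sensitivity={sensitivity(EMAIL, ctx).name}, "
              f"assigned by {assigning_party(EMAIL, ctx)}")
    print(f"required trust level: {required_trust_level(EMAIL).name}")
```

Run as a script it prints the per-context sensitivity of the sample service (HIGH for business use, MEDIUM for personal use) and the resulting overall trust level. The vocabulary check in `__post_init__` is the part worth keeping in any real implementation: when several stakeholders rate services independently, a free-text consequence or property name silently drops out of the comparison.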


3. Organisational Risk Assessment Model (ORAM): A model to be undertaken by organisations incorporating the mobile device functionality into their current risk assessment methodology and tools:

Many organisations already have formal risk assessment strategies in place, together with the relevant expertise. In this case the model would simply permit them to integrate mobile devices, and the applications and services accessed through them, into their existing risk analysis processes.

Figure 3.4 illustrates the three models; as use moves from the individual user towards organisational use, there is an increasing reliance upon formal and established risk assessment methodologies.

Figure 3.4: Risk Assessment Models (axis: Level of Risk Assessment, Low to High; stakeholder: Individual User to Organization; models: PSM, SRAM, ORAM)

These three models are just an example used here to indicate a way of providing the flexibility required when dealing with differing stakeholder responsibilities, so that each party can use the process that best matches its requirements and ability. As such, even where both the business and the user have responsibility for the contents of the device, each will be able to attribute security levels to the services that concern them. A more extensive description of the models can be found in (Clarke et al., 2011) in Appendix B.

This section has discussed the need for enhanced authentication as mobile devices evolve to offer functionality that enables access to and use of sensitive information.

This need has been established from the views of stakeholders acquired through the focus group. It is also considered important to address the issue of differing security requirements across services. A flexible and robust mechanism is therefore required to meet these needs and provide an appropriate level of trust in the user's identity. It is envisaged that the use of continuous authentication throughout the user's interaction with their device is one way in which this can be achieved.

For the latter to be acceptable from a usability perspective, the authentication would require a level of transparency. The use of biometric techniques, which lend themselves well to transparent operation, is therefore considered in the context of this research.