4.3 Commonalities and differences
4.3.2 Variations
Given the model described in the previous section, a number of taxonomic variations can be identified when comparing the reviewed Conceptual Models against it. The variations in naming and grouping of the core concepts identified above are shown in Table 4.1 on page 69. Due to the limited information available on the AS/NZS 31000 standard, it is omitted from this Table.
The frameworks also differ in the way they group the attributes into intermediary factors, as well as in the way they use these factors to compute Risk. These differences are evident in the descriptions and decompositions of Risk given in the dedicated sections above, so they will not be treated here.
If we were to attempt to distill a "core" model consisting only of the concepts and factors present in all discussed models (an intersection instead of a union), we would end up with only two entities: asset and threat. These are the core entities that any discussion of Information Security and/or Risk must address, whatever the level of granularity or technicality. While this may appear obvious, it also reveals that even amongst conceptual models designed to tackle the single notion of Information Security Risk there are significant variations. These stem not only from differences in taxonomy but can be traced to completely different conceptualizations of Risk. While this might seem surprising, it becomes understandable once we go back to the context in which these models were developed and the purpose they were developed for.
Discussion on variations
From Table 4.1 we can see that the most complete model appears to be FAIR, because it takes into consideration a very large number of factors. The only missing attribute is the criticality of the asset. However, this seems to be typical for general-purpose, enterprise-wide Risk Models. Only models designed for Security Critical systems take this factor into consideration, since in that case we are not interested in achieving an overview of the Risk the organization's Information Systems are facing and achieving "good enough" security, but rather in securing such critical aspects and demonstrating "as good as possible" protection.
The ISO 13335 framework also discusses similar factors, with the exception of the Attack Cost. This appears to be ignored because the framework is only concerned with the frequency of attacks and assumes that the strength of the existing controls directly influences the attack cost, which is then reflected back into the frequency of attack. Furthermore, threat capability is not explicitly defined, but rather implicitly assumed in the classification of Threats into groups; each group is then defined, amongst other things, by its resources. Thus we need not estimate specific, possibly unknown attributes of the attacker, as long as we know what impact these attributes have on the frequency and severity of attacks.
As we move towards models designed for lower-level assessments, we can see that organizational factors such as asset value and the internal vs. external nature of the threat are ignored. The focus lies on the possible actions and their potential consequences. SRA, as well as the Microsoft Threat Model and the OWASP methodology, are also not concerned with scenarios and attacker profiles: they do not take multi-step attacks into consideration and mostly ignore factors related to the threat. They are mainly concerned with the intrinsic technical vulnerabilities and risks associated with the object of study.
As such, it becomes obvious that the most complete models, like FAIR, the Open Group taxonomy and ISO, are suitable for scenarios where business factors are relevant to the Risk Assessment and the output is mostly aimed at management or meant to feed the organization-wide Risk Management process. These models are therefore compatible with most of the Risk Assessment methods described in Section 3. The Microsoft Threat Model and the OWASP Risk Rating Methodology, as expected, are easier to apply due to the lower number of factors that require estimation, but also provide output that is less relevant for making security decisions, which makes them less relevant to enterprise-wide Risk Management processes. SRA is somewhere in the middle, providing limited support for decisions regarding Security Investments while also supporting low-level technical discussions regarding individual components. However, this makes it compatible only with the dedicated Risk Assessment method described in Section 3.4.13, and applicable to a restricted number of scenarios.
Integrated Model | FAIR & Open Group | ISO 13335-1 | SRA | Microsoft Threat Model | OWASP Risk Rating Methodology
Threat | Threat Agent | Threat Agent | Attacker | N/A | Threat Agent
Threat.internalORexternal | Threat Loss Factors: internal vs. external | Threat: source | N/A | N/A | N/A
Threat.profile | Threat Community | Threat: group | N/A | N/A | Threat Agent Factors
Attack | Threat Event | Attack | Attack | Threat | Attack
Attack.actionType | Threat Loss Factors: action type | threat: numberOfAssets + threat.Severity | Attack: ThreatType {confidentiality, integrity, availability} | Threat.STRIDE {spoofing, tampering, repudiation, disclosure, DoS, elevationOfPrivilege} | Attack
Attack.threatCapability | Vulnerability: TCap | N/A | N/A | N/A | Threat Agent Skill Level + Opportunity + Size
Attack.defenseStrength | Vulnerability: DefenseStrength | Asset: Safeguards | Likelihood of Capture | N/A | Intrusion Detection
Attack.frequency | Threat Event Frequency | Threat: frequency | Attack.Probability | Reproducibility + Discoverability | Likelihood
Attack.lossType | Loss form | Impact: consequences | Vulnerability: Type {Confidentiality, Integrity, Availability} | N/A | Technical Impact + Business Impact
Attack.lossMagnitude | Probable Loss magnitude | Impact | Damage | DamagePotential + Affected users | Impact
Attack.cost | Asset: level of effort | N/A | Cost of attack | N/A | Opportunity
Asset | Asset | Asset | Information entity | Asset | Asset
Asset.valueforOrg | Asset Loss Factors: Value | Asset: value | N/A | N/A | N/A
Asset.critical? | N/A | Asset: sensitivity | N/A | N/A | N/A
Expected gain | Asset value | Threat: motivation | Gain | N/A | Threat Agent Motive
Vulnerability | Vulnerability | Vulnerability | Vulnerability | Vulnerability | Vulnerability
Vulnerability.level | TCap - Control Strength | N/A | 1 - Cost of attack | Exploitability | Vulnerability Factors
Table 4.1: Naming variations between Information Security Conceptual Models
Current Established Risk Assessment Methodologies and Tools, page 69