- Risk Management: Activity of performing a number of discrete risk analysis exercises to identify, track and mitigate risk throughout the SDLC
- Risk Analysis: Activity of identifying and ranking risks at some stages of the SDLC
- Risk Assessment: Activity of identifying and evaluating risks
- Elements of Risk Analysis
1) Threat: The entity that causes a threat event
2) Threat Event: Event or circumstance with the potential to adversely impact organisational assets
3) Threat Scenario: Set of discrete threat events that cause harm
4) Vulnerability: Weakness that could be exploited by a threat
5) Likelihood: Probability that a threat event will occur
6) Adverse Impact / Consequence: Magnitude of the harm caused by a threat event
7) Risk: Function of Likelihood and Adverse Impact / Consequence
8) Treatment: An appropriate measure taken to reduce the risk level
- Risk Analysis Process

| Phase | Description | Part of |
|---|---|---|
| Context Identification | Characterise the target of analysis; specify the risk evaluation criteria | |
| Risk Identification | Identify threats / vulnerabilities | Risk Assessment |
| Risk Estimation | Risk = Likelihood * Impact | Risk Assessment |
| Risk Evaluation | Determine which risks need treatment | Risk Assessment |
| Risk Treatment | 4 options: Accept / Treat / Avoid or Terminate / Transfer | |
https://www.mindtools.com/pages/article/newTMC_07.htm
2. CORAS
- Language: A graphic language that supports the analysis process
- Process: A process for security risk analysis based on internationally established standards (ISO 31000)
- Tool: A graphical editor
3. CORAS Process

| Step | Objective | Tasks | Artifacts |
|---|---|---|---|
| 1. Preparation for the analysis | To do the necessary initial preparations prior to the actual start-up of the analysis | Set the scope and focus; inform the client of its responsibilities | |
| 2. Customer presentation | To achieve an initial understanding of the target of the risk analysis | Client presents the goals and the target of the analysis | |
| 3. Refining the target | To ensure a common understanding of the target of analysis | Identify the parties and assets | Asset diagram |
| 4. Approval of the target | To decide a ranking of the assets | Define likelihood / consequence scales for each direct asset; agree on the risk evaluation criteria | Likelihood / consequence scales; risk function and risk evaluation criteria |
| 5. Risk identification | To identify unwanted incidents, threats, threat scenarios and vulnerabilities | Identify assets and threats; identify unwanted incidents; identify threat scenarios; identify vulnerabilities | Threat diagrams |
| 6. Risk estimation | To determine the level of the identified risks | Assign a likelihood estimate to each threat scenario; assign a likelihood estimate to each unwanted incident; assign the consequence caused by each unwanted incident on each asset | Threat diagrams with likelihoods and consequences assigned |
| 7. Risk evaluation | To identify acceptable risks and risks that have to be treated | Map the risks into the risk function (from step 4); evaluate which risks are acceptable and which are not; summarise the risk picture in a risk diagram | Completed risk function; risk diagram with evaluation result |
| 8. Risk treatment | To identify cost-effective treatments for the unacceptable risks | Identify a treatment scenario for each unacceptable risk; summarise in a treatment overview diagram; estimate the cost-benefit of each treatment | Treatment diagram |
http://coras.sourceforge.net/
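As an added worked example (not from the page or the CORAS project), the risk function and evaluation criteria of step 4 applied in steps 6 to 8: incidents are mapped into the risk function, checked against the criteria, and candidate treatments are ranked by cost-benefit. The scales, matrix, incidents, treatments and costs are constructed sample values, and modelling a treatment as lowering likelihood or consequence by a fixed number of scale steps is an assumed simplification.

```python
from collections import namedtuple

# Ordinal scales agreed in step 4 and the risk function (constructed sample values).
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
RISK_FUNCTION = [  # rows: likelihood index, columns: consequence index
    ["low", "low", "low", "medium", "medium"],
    ["low", "low", "medium", "medium", "high"],
    ["low", "medium", "medium", "high", "high"],
    ["medium", "medium", "high", "high", "critical"],
    ["medium", "high", "high", "critical", "critical"]]
ACCEPTABLE = {"low", "medium"}  # risk evaluation criteria (constructed)

Incident = namedtuple("Incident", "name likelihood consequence")  # consequence: asset -> level
Treatment = namedtuple("Treatment", "name incident lik_steps cons_steps cost", defaults=(0, 0, 1.0))

def risk_level(likelihood, consequence):
    """Step 6: map a (likelihood, consequence) pair through the risk function."""
    return RISK_FUNCTION[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]

def evaluate(incidents):
    """Step 7: {(incident, asset): (risk level, acceptable?)} for the whole risk picture."""
    levels = {(i.name, a): risk_level(i.likelihood, c)
              for i in incidents for a, c in i.consequence.items()}
    return {k: (lvl, lvl in ACCEPTABLE) for k, lvl in levels.items()}

def treat(inc, t):
    """Apply a treatment: step the ordinal scales down, never below their first value."""
    lik = LIKELIHOOD[max(0, LIKELIHOOD.index(inc.likelihood) - t.lik_steps)]
    cons = {a: CONSEQUENCE[max(0, CONSEQUENCE.index(c) - t.cons_steps)]
            for a, c in inc.consequence.items()}
    return inc._replace(likelihood=lik, consequence=cons)

def cost_benefit(incidents, treatments):
    """Step 8: (treatment, risks made acceptable, benefit per unit cost), best first."""
    by_name = {i.name: i for i in incidents}
    ranking = []
    for t in treatments:
        inc = by_name[t.incident]
        before, after = evaluate([inc]), evaluate([treat(inc, t)])
        fixed = sum(1 for k, (_, ok) in before.items() if not ok and after[k][1])
        ranking.append((t.name, fixed, fixed / t.cost))
    return sorted(ranking, key=lambda r: r[2], reverse=True)

# Constructed sample risk picture, not a real analysis.
INCIDENTS = [Incident("Customer records leaked", "possible",
                      {"customer data": "major", "reputation": "moderate"}),
             Incident("Web shop unavailable", "likely", {"revenue": "minor"})]
TREATMENTS = [Treatment("Encrypt records at rest", "Customer records leaked", cons_steps=2, cost=40.0),
              Treatment("Harden access control", "Customer records leaked", lik_steps=1, cost=20.0)]
```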