Risk Management Methodologies Review

OWASP suggests to gather information that will enable the computation of the risk level based on the factors used by the methodology itself. The factors are four, and each of them depends on four different aspects.

First of all the method says to gather information about:

• the threat agent involved.
• The attack that will be used. So the concrete explotation used by the source toward the asset.
• The vulnerability.
• Impact of a successful exploit on the business. It is important to define the relationships between the ICT part and Business part of the organization.

The OWASP methodology does not provide any direction on how to identify the risk, so this process has to be performed by the assessor following other methodologies or references.

The likelihood estimation is based on two main relevant aspects. The first is the threat agent, and the set of vulnerabilities that are possible entry point for the specific attacker.

The impact could be estimated looking at two orthogonal perspectives: the ICT perspective and the Business one. The technical impact can we considered on the application, the data and the functions it provides. The business impact is related to the support that the application may give to the business functions of the company. Having low ICT impact does not necessary mean that the business impact may be low.

Two arrpoach can be used: informal method or repeatable method. In the informal method the owerall risk level is represent by qualitative values, while with the repeatable method a more formal approach is used. A documentation that justify each decision is produced and the analysis is repeated during time to confirm or update it.

An example of informal method:

An example of repeatable method:

Once we have acquired the values the severity must be determined considering the likelihhod and the impact, the OWASP methodology also provide a observation:

In the end the risk is represented inside the risk matrix:

After the risk to application have been classified there will be a prioritized list of what to fix. As a general rule the high priority will be assigned to the most severe risk, also not all risk are worth fixing, for example can happen that a fix may cost more than the occurence of the incident itself or that the risk has an huge impact but a very low likelihood and so it is shared but not fixed.

The customization part gives some information on how to customize the OWASP model to better tailor it for the organization. Some actions to put in place can be:

• Add new factors
• Customize options
• Assign a better score to the factors

The OWASP methodology is supported by an online tool.

PRO	CONS
Structured in few simple steps	Allows only a course grained risk analysis. Complex situations are difficoult to analyze
Easy to apply	Does not provide too much support to the risk mitigation phase
Supported by open source tools

In the first stage the methodology stress on the existence of three particular kinds of assets: data, application sowftware and physical assets. The aim is to enlarge the view on the context around the digital services and how they are provided.

Threats and vulnerabilities are investigated against selected asset groups, and the structural point is that CRAMM provides predefined tables form threat/asset group and threat/impact combinations. The tool is fed with the data collected and produce a managerial level risk assesment: it works an high level aggregating the types of threat and vulnerabilities.

The methodology provides two alternative way to assess risks: full and rapid.

Full	Rapid
Threts and vulnerabilities analysis is driven by questionnaires allowing to entering the answer in the tool	threat and vulnerability levls are inputted directly with a rating guide
Use the tool to calculate levels of threat to assets as well as levels of vulnerability to threats

Via the toll CRAMM roduces a set of countermeasures applicable to the system, it works on the detail of the mitigation. It does it by reasoning on the security profile and compare the mitigation with the target security profile and plan how to implement the mitigation. CRAMM supports also the prioritization of the mitigation techniques provided. It takes into account if:

• it protects against several threats
• it is required to protect a high risk system
• there are no alternative countermeasures installed
• it is less expensive to implement
• it is more effective to meet the objectives
• it prevents an incident instead of facilitate recovery.

PRO	CONS
Structured in few simple steps	It can be only applied via a proprietary tool
Oriented to the management

To identify the risk there are two question to answer:

• What is the best way to do this?
• characteristic elements of risks must be highlighted but how many details must be described?

The first thing to do is to identify the assets, analyze their vulnerabilities and then look at the threat:

The risk estimation is done via the common two factor model, in this methodology is important the distinction between the intrinsic impact and the instrinsic likelihood, then the effect of security measures on these two parameter are considered. It is like to go from the worst factor and then adjust it considering all the policies, prevention, and detection measures.

The evaluation step is done by placing the risk in the risk matrix. MEHARI provide the matrix and categorize the risk into three levels: intolerable, inadmissible and accepted.

It refrase what is exaplained is the ISO standards, it do not support the analist with prioritization.

It simply repeats the general principles discussed in the standards without providing any addition nor support.