A New Standard On Security Risk Analysis

Breaking The Mould
By Roy Stranden
ASIS Europe, Frankfurt, Germany, March 31, 2015 (*)

Introduction

In November 2014 the Norwegian standardisation organisation Standards Norway released a brand new standard on Security Risk Analysis (*). The process took over five years and hundreds of hours were invested, but we believe it has been worth the time and effort. (*)
I have had the pleasure to lead the working group that wrote the standard.
With me I had representatives from all the major players in the security field
in Norway. We are talking about the security authorities such as the
Norwegian Police Security Service, the Norwegian National Security
Authority and the Norwegian armed forces represented by the Norwegian
Defence Estate Agency. In addition there were representatives from the
private sector represented by the Norwegian Business and Industry Security
Council and the oil and gas company Statoil.
Before I share with you what we came up with, I will share some of the main arguments for why we believed there was a need for a change. And I can't do that until I tell you a little bit of the history. If we are to understand the present we need to understand the history. (*)
History of risk

Risk has received increased attention in recent years, at least in Norway. There are many reasons for this. It is also a topic and concept that is under constant development. However, it is my experience that many who participate in the debate, including politicians and security experts, aren't able to look at this area of expertise in a more holistic and broader context. People talk in absolute terms and with certitude. I also have the feeling that many are not aware of the history of risk. This can in many circumstances become a problem. One reason for this is that to understand the present and the future we have to understand the history, and that nothing stays the same forever. We call it evolution (*).
The concept of risk is not new. In fact, it has been developed through
centuries. We can trace the first method for risk analysis back to the 15th
century. (*)
While the first method was concerned with calculating possible gains and losses in the game of dice, another 100 years passed before someone discovered that the concept of probability could also be used in other decision-making processes concerned with the future. It was discovered that it is possible to use risk as an index to express our fear of loss beyond the game of dice. Fifty years later the development made a detour into economics and politics. At this point the development split in two directions. The one within gambling continued to view risk as an expression of the anticipated loss if the game should fall in your disfavour. The other direction is within decision-making theory, where risk is an index of fear. (*)
We also often talk about risk as if it were a uniformly understood and accepted concept and method. The truth is that there are a number of fields that use the same terms differently, in addition to using different methods with different perspectives. We find examples of this within the fields of healthcare, economics, industry, psychology and not least within our own area of business; (*) security. It is therefore more correct to talk about risk as a group of islands or an archipelago, where the islands are different but connected.
This can be viewed as a minor detail; however, I believe this difference is of great importance when it comes to communicating with one another. Closely associated with this is the choice of method. In many cases a single risk analysis method is presented as a universal tool that can be used on all problems. (*) It is my view that this is about as appropriate as using the same tool to put jam or marmalade on your toast in the morning (*) as you do when you change the tyres on your car in the evening. Not particularly appropriate. The point is that you have to select the method based on what it is that you are trying to reveal.
In a former job I was pulled into a discussion between two people in the same organisation who wanted my help to put an end to a long discussion on which method of risk analysis was best. They were arguing over which method was best suited to address their own challenges. The problem, as I saw it, was that they were both right and both wrong. The reason for this was that they represented two different units in the company and thus used different methods. The terminology was also different even though they used the same words. Both were right in that their preferred method was best suited for their own field of expertise. However, at the same time it was less suitable for other fields.

As long as we continue to make this lapse in rational thought it will be difficult to move forward. (*)
The legacy from the field of safety

The development in the field of risk follows the philosophical and scientific development in the world. New tools for measurement and new ways of thinking helped propel the field forward until we in Norway found oil in the North Sea. (*)

When the oil adventure in Norway began there were few who thought about the risks involved. We were occupied celebrating that we had become rich. However, as history shows us, it did not come without trouble. After a few major accidents and near accidents we started to investigate how we could avoid such accidents in the future. (*) Big resources and political demands met sharp minds. This created action, and within a few years our universities took the lead in establishing risk-based thinking in how to design and operate dangerous processes within oil and gas. Other countries may have similar experiences.
However, they were not alone. Good thoughts and ideas have a tendency to spread. Within our own field of expertise, security, more and more people started arguing that we can use the same approach to prevent crime as they use to prevent accidents. It can be argued that these people were pioneers within our field of expertise. However, as is often the case, there was not a direct match. Even though much was the same, there were differences in key areas. One of the more significant ones was that frequency, or the use of probability, was not particularly suited to assessing the threat. I will come back to this and more in a minute.

However, because of the strong focus on safety risk it has proven difficult to break this mould and create a new direction with security risk analysis. A major event had to take place before a new direction was accepted. (*)
Recent history

As all of you probably know, the terrorist attacks on 22 July 2011 changed Norway in many ways. This was also the case for methods and standards for understanding security risks.

Even though the work on the standard was well under way at this time, it can be argued that the work got more traction. (*) One example of this was when the Norwegian Police Security Service assisted other governmental agencies in the search for replacement offices for the Norwegian government after the attack; they demanded that the new standard be followed. This was even before the standard was formally approved. (*)
Theoretical foundation

We are not the first to explore new ideas on security risk analysis. An example of this is the use of the factors asset, threat and vulnerability. A number of other people have looked at the same ingredients. Many of these have inspired us to continue exploring.

Nonetheless, it was important for us to have a theoretical foundation for our approach from the academic world of security. This was not difficult to find. We actually found two. We have Giovanni Manunta's universal theory of security and we have the routine activity theory. (*)

Many of the methods and standards out there on risk assessment are based upon a scientific foundation. Our approach is based in the social sciences and is rooted in theories from criminology, sociology and psychology. (*)
First, a key principle within both sociology and criminology is assumed, namely rational choice theory. This is a framework for understanding social behaviour, including criminal behaviour. It postulates that all individuals in a society are rational in their actions and that their understanding of the costs and benefits of a certain course of action drives them. Here we see that this approach is different from that of, for instance, safety, where undesired events such as a flood or fire naturally do not arise as a rational choice among alternatives made by humans. Based on the theory of rational choice we also find the routine activity theory. (*)

The latter identifies three factors that need to be present if a crime is to take place. You need a suitable target, you need a motivated offender and, last but not least, you need the absence of a capable guardian. When these meet in time and place a criminal act may occur. As I will show you today, this theory actually fits very nicely with the foundations for the new standard on security risk analysis.
When it comes to the use of probability, it is maybe possible to say something about the probability of being a victim of, for instance, terrorism. (*) The Norwegian philosopher Joakim Hammerlin argues that there is a higher probability of drowning in a toilet than of being the victim of a terrorist attack. Purely statistically this is probably true. (*) However, we can assume that it is not purely coincidental who drowns in a toilet, let alone who becomes a target of terrorism. Factors such as who you are, where you are and what you have done to protect yourself all play a part. (*)

Security services also tell us that terrorism is such a rare and low-frequency event that who is a target and when an attack takes place is impossible to predict using historical data. (*)
Based on this, the standard takes a stand and rules out the use of probability or likelihood when addressing security risk. The argument is that we believe we can achieve the same or even a better result using our new approach.
That said, some people argue that the use of a Bayesian statistics approach is
feasible. A Bayesian approach involves a mathematical approach to the
problem. This is an approach, which is expressed in terms of degrees of belief
and is based on deficient or uncertain data. Nevertheless, this approach still
entails that events or attacks occur with some frequency, whereas our
approach, which is based on a social science approach, uses intelligence as a
method and product to say something about the threat and the antagonist’s
intention and capacity to launch an attack.
Another problem with the use of Bayesian statistics is that you need to
understand mathematics if you are to use this method and understand its
result. For those of us that have limited abilities in this area this is not a viable
option.
But enough history and theory. Let's move to the main topic. (*) The new Norwegian standard. Well, there are actually a series of standards. (*)
NS 5830

I will start with this one, terminology. (*) As a prerequisite to communicate we need to understand each other. That means that we need to have a common terminology. The first standard in the series was therefore the one on terminology. In this we defined key terms as they relate to the field of security. That means that some terms are defined differently than in other sources and standards. (*) The best example of this is the definition of risk. Risk is in this series defined as the "expression of the relationship between the threat towards a given asset and this asset's vulnerability opposite the specified threat", my translation (NS 5830). (*)
This is different than many other definitions such as “effect of uncertainty on
objectives” (ISO 31000), or more commonly the probability of something
happening multiplied by the resulting cost if it does.
It is an important standard because it is central in creating a common
language that we could use in the other standards that were to come. It was
published in 2012. (*)
NS 5832

The second standard that we developed, and the main topic of this presentation, was the new standard for security risk analysis. (*)
And for us it all started with this. (*) Norwegian standard 5814 Requirements
for risk assessments. It has existed for many years, since 1991 in fact, and has
been used also to address security issues. In 2008 it was revised and made
compliant with ISO 31000. (*)
However, as mentioned earlier, many of us started to question whether this standard was adequately addressing some key areas within security. Our conclusion was that, no, it was not good enough for our purpose in key areas. I have already mentioned the lack of theoretical foundation and the use of probability.

Other standards and methods, such as the Norwegian standard 5814, focus a lot on probability or frequency of events. However, as many of you know, criminal acts may be rare and the use of frequency may be difficult and misleading. The reason for this is that the calculation of probability is usually based on previous events, and a mathematical calculation is not necessarily relevant when you are trying to assess an antagonist's intention to attack you and your assets. (*)
Intelligence as a method and product is, however, key in order to understand an antagonist's intention and capacity. Few, if any, other methods address this key issue adequately. This is kind of upsetting and sad because it is so essential in assessing security risks. (*)

Another key area that is not getting enough attention in other methods is the asset assessment. The asset assessment is the foundation of all sensible use of resources to protect something. Threats and vulnerabilities have no relevance if we do not first identify and assess our assets. (*)
Here we have a slightly simplified version of the key areas in the new standard for security risk analysis. As you can see it consists of a number of new factors, ordered in a new way.

I will now show you the process of the new standard. I will do so also using a new method that I have developed to comply with the standard. I have called this the "ATV-method™ of security risk analysis".
You should note that there is a difference between a standard and a method. A standard is based on what they call normative text. That means that any elaborations and examples are kept to a minimum. This creates problems for the end user, who needs a method that describes the process in detail. However, we acknowledged the need to develop different methods that address different needs within different branches and fields of expertise. (*)

You can therefore view the standard as a skeleton. It describes that there has to be a head, a spine and a pair of arms and legs. The muscles that cover the skeleton, however, can vary in volume. Some need a muscular body while others need a slim body built for endurance.

This is the same with methods. Some are more holistic and require more details, while others are quite specific and less dependent upon detailed descriptions. Or they focus slightly differently on the same topics. (*)
Asset assessment

The process starts with the asset assessment. The asset assessment is defined as "mapping and ranking of an entity's assets", my translation (NS 5830). This assessment is the most important part of the security risk assessment. The reason for this is, as previously mentioned, that the asset assessment is the foundation for any sensible use of resources to protect something. If there are no assets to protect, or the assets are deemed not worth protecting, there is no justification for using resources to protect them. Thus, without anything to protect the process stops before it starts.

This is contrary to many other methods for risk assessment, which argue that the process should start with either identifying threats or scenarios that might lead to a loss. (*)
There are also a number of different ways of conducting an asset assessment. It could be done through a simple brainstorming session, or through the use of an IDEF0 diagram.

Sometimes the assets are clearly visible and easy to identify. In other cases they are more difficult to find. This is particularly the case in complex processes and organisations.

If we use a model such as the IDEF0 diagram we might not only identify what we can call assets, but also the context surrounding the assets. This can be valuable for understanding the context in which security risk management has to operate.

Whatever the approach to identifying the assets, once they are identified they are assessed and ranked according to a predetermined scale. (*)
Goal of security measures

When the assets are identified and assessed in relation to criticality, the next step is to express a goal for any risk management or security measures. This might be taken for some form of risk acceptance criteria. However, it is important to stress that this is not the case.

It is my experience that decision makers try to steer clear of any process that is trying to make them say something about what is acceptable risk before anyone really understands the problem. And rightfully so, because no sensible person would make such a decision before he or she knows the facts of the matter. Or, expressed in another way, you would not make a decision on what you accept before you know what the risks are and, if the risk is unacceptable, what the costs are to reduce or remove the risk.

That said, in order to have the right mind-set and the right pair of glasses on, so as to say something meaningful about both the threat and the vulnerability, the analyst needs to know whether we are facing zero tolerance of loss, or whether we are looking into a higher degree of acceptance of potential loss.

It should however be mentioned that this expression of the goals of security is not carved in stone. It is only a first assessment of the final goal of the security risk management. This should also be clearly expressed to the decision maker. Later in the security risk analysis process it will be possible to revise this goal. (*)
Threat assessment

After identifying the assets to be protected and estimating their value to the company, the next step is to identify any antagonists, or motivated offenders, that might remove, destroy or in any other way negatively affect the identified assets. This is done in the threat assessment.

A threat assessment is defined as the "description of an entity's threats and an assessment of the antagonist's intention and capacity", my translation (NS 5830).

The first part of the assessment involves identifying different antagonists that might attack your assets. This could be done during a brainstorming session or through intelligence.

For me a threat assessment in a security setting has two different goals or purposes.

The first is to help determine what level of security is required to resist an attack. That means what the normal everyday security baseline should be. The focus of the threat assessment should be to identify antagonists and determine how dangerous they are to you and your assets, in addition to understanding their modus operandi historically, now and not least in the future. The latter is particularly true if you are to put up something that is going to be there for a long time. An example of this could be a building.

Secondly, a threat assessment should function as an early warning. That means monitoring the security situation and, if certain indicators are triggered, sending an early warning in order to implement additional security measures as necessary. (*)
Scenarios

After identifying the assets we want to protect and those who might negatively impact those assets, we need to make scenarios. A scenario is a detailed description of an antagonist going after a particular asset in a particular way. The point is to make this description as detailed as possible, or more correctly, as detailed as necessary.

If the description is not detailed enough it will be difficult or impossible to succeed with the next step, which is the vulnerability assessment.

One challenge you will experience at this stage is the number of scenarios you might face. The way to overcome this challenge is to narrow down the list by first identifying similar patterns of modus operandi. That is: are there several different antagonists who use the same modus operandi? If this is the case you could choose the case with the most dangerous antagonist and use this scenario as the baseline. An example of this is where you try to protect sensitive information on your servers that are connected to the Internet. In our example we have identified two different antagonists who use a similar modus operandi. However, there is a big difference in their intention to attack and their capacity to do so. The first antagonist is the script kiddie, a teenager sitting in his bedroom at night trying to hack into different networks. The second antagonist is a foreign power that uses its government forces to hack into your servers. Because they both target the same asset and use a similar modus operandi we can select the scenario that describes the most dangerous antagonist, which in our case is the foreign power.

If we manage to reduce the list using this elimination method the number of scenarios should be manageable. (*)
Vulnerability assessment

A vulnerability assessment is defined as an "assessment of an entity's vulnerability to identified threats", my translation (NS 5830).

The purpose of this assessment is to identify whether we have a capable guardian. In order to determine this we have to look at the different scenarios that describe different ways of attacking our assets. (*)

There are a number of ways this could be done; however, I myself use what I call the Security trefoil™. By using this I can identify which security measures are relevant, whether I have the security measure in place and, not least, the quality of the security measure. Is it performing as intended? This process is repeated for all the different scenarios.

Through this process it is possible to rank the vulnerability of each scenario on a predetermined scale. (*)
Risk assessment

After completing the assessments of assets, threats and vulnerability, the next step is to put these into context and try to understand the risk associated with the action under investigation.

In order to do this we need to bring the newly acquired knowledge from the asset, threat and vulnerability assessments into this risk assessment. The risk assessment is defined as the "overall assessment based on the asset assessment, threat assessment and vulnerability assessment, with the aim of identifying an entity's risk in a defined security context", my translation (NS 5830).

There are several ways to do this. However, what is important to notice is that we are not reducing three factors to two, as many do when they end up with some form of a Boston square, that is, turning asset, threat and vulnerability into probability and consequence. No matter how you do it you have to make sure that all three factors are taken care of. (*)

This also includes illustrating the risk in a new or neutral way. Here is one example of how this could be done.

Note also that there are no mathematical equations in play here. You have to assess each factor by itself and in conjunction with the others. A key here is also to factor in uncertainty. (*)

Uncertainty is important to consider in all circumstances. And even though I am only addressing it now, it is an essential part of all the previous assessments.

When we are talking about uncertainty we mean: have we identified all relevant factors, and have we interpreted them correctly?

If the decision maker deems the identified risk acceptable the process might stop here. However, if it is deemed unacceptable we will proceed with the next step, which is finding the best strategy and security measures in order to manage the risk. (*)
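As an added illustration (not code from the standard or from the author's ATV-method), the following Python models two of the steps above: the scenario elimination from the script-kiddie versus foreign-power example, and a risk assessment that keeps asset criticality, threat (intention and capacity) and vulnerability as three separate ordinal factors with uncertainty alongside, never collapsing them into probability times consequence. The four-step scale, the intention-then-capacity ordering, the vulnerability rule and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed four-step ordinal scale; the standard only asks for "a
# predetermined scale", so these labels are an assumption of this example.
SCALE = ("low", "moderate", "high", "very high")

def rank(label: str) -> int:
    """Position of a label on the ordinal scale (0 = low, 3 = very high)."""
    return SCALE.index(label)

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str  # ranked on SCALE during the asset assessment

@dataclass(frozen=True)
class Antagonist:
    name: str
    intention: str  # from the threat assessment: intelligence, not frequency
    capacity: str
    modus_operandi: str

    def danger(self) -> Tuple[int, int]:
        # Ordinal comparison, intention first and then capacity; this ordering
        # rule is an assumption of the example and involves no arithmetic.
        return (rank(self.intention), rank(self.capacity))

@dataclass(frozen=True)
class Scenario:
    asset: Asset
    antagonist: Antagonist
    description: str  # as detailed as the vulnerability assessment needs

def reduce_scenarios(scenarios: List[Scenario]) -> List[Scenario]:
    """Collapse scenarios sharing an asset and modus operandi, keeping the most dangerous antagonist."""
    baseline: Dict[Tuple[str, str], Scenario] = {}
    for s in scenarios:
        key = (s.asset.name, s.antagonist.modus_operandi)
        kept = baseline.get(key)
        if kept is None or s.antagonist.danger() > kept.antagonist.danger():
            baseline[key] = s
    return list(baseline.values())

@dataclass(frozen=True)
class Measure:
    """A measure checked three ways: relevant, in place, performing as intended."""
    name: str
    relevant: bool
    present: bool
    performing: bool

def vulnerability(measures: List[Measure]) -> str:
    """Constructed rule: rank by the share of relevant measures missing or underperforming."""
    relevant = [m for m in measures if m.relevant]
    if not relevant:
        return "very high"  # no capable guardian at all
    failing = sum(1 for m in relevant if not (m.present and m.performing))
    if failing == 0:
        return "low"
    if failing * 3 <= len(relevant):
        return "moderate"
    if failing * 3 <= 2 * len(relevant):
        return "high"
    return "very high"

@dataclass(frozen=True)
class Risk:
    """Three factors kept side by side plus uncertainty; not collapsed into probability x consequence."""
    scenario: Scenario
    asset_criticality: str
    threat: Tuple[int, int]
    vulnerability: str
    uncertainty: str  # were all factors identified and interpreted correctly?

def assess_risk(scenario: Scenario, measures: List[Measure], uncertainty: str) -> Risk:
    return Risk(scenario, scenario.asset.criticality, scenario.antagonist.danger(),
                vulnerability(measures), uncertainty)

# Constructed sample data mirroring the talk's server example.
SERVER = Asset("internet-facing file server", "very high")
KIDDIE = Antagonist("script kiddie", "moderate", "low", "remote intrusion via Internet")
STATE = Antagonist("foreign power", "high", "very high", "remote intrusion via Internet")
SAMPLE_SCENARIOS = [
    Scenario(SERVER, KIDDIE, "opportunistic exploitation of known, unpatched flaws"),
    Scenario(SERVER, STATE, "targeted, sustained intrusion to copy sensitive files"),
]
SAMPLE_MEASURES = [
    Measure("perimeter firewall", relevant=True, present=True, performing=True),
    Measure("patch management", relevant=True, present=True, performing=False),
    Measure("intrusion monitoring", relevant=True, present=False, performing=False),
    Measure("lobby guard", relevant=False, present=True, performing=True),
]

def run_example() -> List[Risk]:
    """Scenario reduction, vulnerability ranking and risk assessment in one pass."""
    return [assess_risk(s, SAMPLE_MEASURES, "moderate")
            for s in reduce_scenarios(SAMPLE_SCENARIOS)]
```

With the sample data the two server scenarios collapse into the foreign-power baseline, and its risk is reported as criticality "very high", threat (2, 3) and vulnerability "high", each readable on its own.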
Security strategy

While risk involves a potential for gain and not only a potential for loss, this standard is only concerned with the latter. That means that when we look for strategies we mainly focus on the four traditional strategies for handling pure risk. (*)

These strategies are avoidance, sharing, acceptance, and lastly reduction or prevention. The main purpose of this stage is to find the most suitable strategy by finding the optimal combination of one or several of these options. (*)

Under avoidance we can do this permanently or temporarily. Under sharing we could do this completely or partially (*). Under reduce or prevent we could do this by going after the antagonists themselves, we could prevent the attack, or we could reduce the consequences if the attack takes place. When it comes to targeting the antagonists themselves, this is a job for the police or military forces, not ordinary companies. However, it is an effective countermeasure that should be supported by companies by giving the police information on threats received so that the police can investigate and perhaps prosecute. The last strategy is to accept the security risk, which we can do actively or passively. (*)
Assessment of countermeasures

If some variation of the strategy to reduce or prevent criminal acts is chosen, the next step is to find the best combination of technological, organisational and human measures. (*)

There are of course several different ways to achieve this. Again I use what I call the Security trefoil™ to illustrate the options available to us.

In this process we can use the result from the vulnerability assessment. Here we have already identified what security measures are present and their quality.

After selecting a strategy and security measures, a recommendation should be made to the decision maker. Here at least three different options should be presented with their associated costs. Cost could in this context be the economic cost of implementing security measures, but it could also be the cost involved in not pursuing a certain activity that creates the security risk. A restriction in freedom of speech is an example of the latter. (*)
Reassessment of the goals of the security measures

The final step in the process is to make a reassessment of the goals for the security measures that we stated after identifying and ranking the assets.

It should, however, be mentioned that even though this process is illustrated as a linear process, this is not necessarily the case. There are times when it is necessary to loop back to an earlier stage in order to make adjustments. This is also the case in this last step. There are times when the decision maker decides to re-evaluate the ambition for the security measures, which means that both the strategy for managing risk and the security measures need to be adjusted. One example of this might be when the decision maker finds the risk management strategies or security measures too costly. That could mean that he or she needs to accept more risk. (*)
NS 5831

I have now taken you through the basics of the new Norwegian standard for security risk analysis.

This standard does not, however, exist in a vacuum. Closely related to this standard is also a new standard on security risk management. The idea of this standard is to provide companies and organisations without a formal management system in place with an option. If one already exists, the security risk analysis may be adapted to it. (*)
prNS 5833

A fourth standard in this series looks at what requirements should be placed on verifying whether the security measures that are put in place actually perform as intended or not.

This standard is under development, but the main idea is to make sure that verification methods such as security testing, exercises and security audits, alone or in combination, are conducted in such a way that they give the best possible indication of whether your security measures will perform as intended before an event takes place.

This is as much as I will share on this topic at this time. For further details I need to be invited back for a more thorough presentation. (*)
Conclusion

The science and field of security and security risk assessment are evolving, and these new standards will hopefully contribute to this process. For me this has been a journey for the last 10 years, and it has not ended yet. I believe that the real job is ahead of us, both to spread the idea and knowledge, as I do today, but also to continue to develop the idea. I have used this standard and the ATV-method™ of security risk analysis for over five years now. However, I would like more people to start using it and share their experiences doing so.

Unfortunately, these new standards are not by themselves suitable for educating people beyond the bare basics. The main reason for this is the requirements set for making standards. The text is required to be normative and with as few examples as necessary. Education must therefore come from other sources such as courses, guides and textbooks, all of which are either in progress or under way.

I will end by commenting on the fact that some argue that these new standards are difficult to accept because they in some areas separate themselves from other established standards and methods such as ISO 31000.

Firstly, I am a firm believer in challenging the established truth if you have good reasons to do so. I believe it is a prerequisite for progress.

Secondly, it is not necessarily so that because a new standard and method has arrived everything else has to be abandoned. That is not the intention. The idea is that these new standards and this method are a new tool in the toolbox of the analyst. A new tool that is to be used for some types of challenges, but not all. They come in addition to other standards and methods.

And for those who believe that the introduction of new standards creates confusion, I could not disagree more. The challenge is not that several different standards and methods within different areas exist. The challenge lies in being able to use more than one and agreeing on which to use in different situations. (*)
Thank you!
Copyright © 2015 Roy Stranden