Software & Systems Modeling, Volume 10, Issue 4, pp 553–580

Model-based qualitative risk assessment for availability of IT infrastructures

  • Emmanuele Zambon
  • Sandro Etalle
  • Roel J. Wieringa
  • Pieter Hartel
Open Access
Regular Paper

Abstract

For today’s organisations, having a reliable information system is crucial to safeguard enterprise revenues (think of on-line banking, reservations for e-tickets etc.). Such a system must often offer high guarantees in terms of its availability; in other words, to guarantee business continuity, IT systems can afford very little downtime. Unfortunately, making an assessment of IT availability risks is difficult: incidents affecting the availability of a marginal component of the system may propagate in unexpected ways to other more essential components that functionally depend on them. General-purpose risk assessment (RA) methods do not provide technical solutions to deal with this problem. In this paper we present the qualitative time dependency (QualTD) model and technique, which is meant to be employed together with standard RA methods for the qualitative assessment of availability risks based on the propagation of availability incidents in an IT architecture. The QualTD model is based on our previous quantitative time dependency (TD) model (Zambon et al. in BDIM ’07: Second IEEE/IFIP international workshop on business-driven IT management. IEEE Computer Society Press, pp 75–83, 2007), but provides more flexible modelling capabilities for the target of assessment. Furthermore, the previous model required quantitative data which is often too costly to acquire, whereas QualTD applies only qualitative scales, making it more applicable to industrial practice. We validate our model and technique in a real-world case by performing a risk assessment on the authentication and authorisation system of a large multinational company and by evaluating the results with respect to the goals of the stakeholders of the system. We also perform a review of the most popular standard RA methods and discuss which type of method can be combined with our technique.
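The abstract's central point is that an availability incident in a marginal component can propagate, through functional dependencies, to essential components. The following Python illustration is an added example written for this page, not the QualTD model or any code from the paper: it models a constructed IT architecture as a dependency graph with "all-of" (mandatory) and "any-of" (redundant) provider groups, propagates an outage to a fixpoint, rates the result on a constructed qualitative criticality scale, and lists the single points of failure that would take down an essential component. All component names, dependency kinds and scale values are assumptions made for the example.

```python
"""Propagate an availability incident over a functional-dependency graph (added example)."""

# Constructed qualitative criticality scale, least to most severe.
CRITICALITY = {"marginal": 0, "supporting": 1, "essential": 2}
LEVEL_NAME = {v: k for k, v in CRITICALITY.items()}

# Constructed architecture: dependent -> list of (kind, providers).
# "all": every provider must be up; "any": one up provider suffices (redundant pair).
ARCHITECTURE = {
    "dns":            [],
    "ldap-primary":   [("all", ["dns"])],
    "ldap-secondary": [("all", ["dns"])],
    "auth-service":   [("any", ["ldap-primary", "ldap-secondary"]), ("all", ["dns"])],
    "online-banking": [("all", ["auth-service", "core-db"])],
    "core-db":        [],
    "intranet-wiki":  [("all", ["auth-service"])],
}

# Constructed business criticality of each component (note: dns is rated marginal).
BUSINESS_CRITICALITY = {
    "dns": "marginal",
    "ldap-primary": "supporting",
    "ldap-secondary": "supporting",
    "auth-service": "supporting",
    "core-db": "essential",
    "online-banking": "essential",
    "intranet-wiki": "marginal",
}


def propagate(architecture, failed):
    """Return the set of components that are down once the outage of `failed` has
    propagated through all dependencies (iterated to a fixpoint)."""
    down = set(failed)
    changed = True
    while changed:
        changed = False
        for comp, groups in architecture.items():
            if comp in down:
                continue
            for kind, providers in groups:
                lost = (kind == "all" and any(p in down for p in providers)) or \
                       (kind == "any" and providers and all(p in down for p in providers))
                if lost:
                    down.add(comp)
                    changed = True
                    break
    return down


def incident_impact(architecture, criticality, failed):
    """Affected components plus the worst qualitative criticality among them."""
    affected = propagate(architecture, failed)
    worst = max((CRITICALITY[criticality[c]] for c in affected), default=0)
    return affected, LEVEL_NAME[worst]


def single_points_of_failure(architecture, criticality, target_level="essential"):
    """Components whose sole outage takes down at least one component rated
    `target_level` other than itself: the check a risk assessor wants to see."""
    spofs = []
    for comp in architecture:
        affected = propagate(architecture, [comp]) - {comp}
        if any(criticality[c] == target_level for c in affected):
            spofs.append(comp)
    return sorted(spofs)


if __name__ == "__main__":
    affected, level = incident_impact(ARCHITECTURE, BUSINESS_CRITICALITY, ["dns"])
    print("dns outage reaches:", sorted(affected), "-> worst impact:", level)
    print("single points of failure:", single_points_of_failure(ARCHITECTURE, BUSINESS_CRITICALITY))
```

The "any" group is what keeps the loss of one LDAP replica from reaching the authentication service, while the marginal-rated DNS component reaches online banking through two paths; the assessment result is driven by the propagation, not by the local rating of the failed component.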

Keywords

Information risk management; Risk assessment; Availability; Information security; System modelling

Notes

Open Access

This article is distributed under the terms of the Creative Commons Attribution Noncommercial License which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.

References

  1. Bagchi, S., Kar, G., Hellerstein, J.: Dependency analysis in distributed systems using fault injection: application to problem determination in an e-commerce environment. In: DSOM ’01: Proceedings of 2001 International Workshop on Distributed Systems: Operations & Management. http://www.research.ibm.com/PM/DSOM2001_dependency_final.pdf (2001)
  2. Baiardi, F., Suin, S., Telmon, C., Pioli, M.: Assessing the risk of an information infrastructure through security dependencies. Crit. Inf. Infrastruct. Secur. 4347, 42–54 (2006)
  3. Bennet, S.P., Kailay, M.P.: An application of qualitative risk analysis to computer security for the commercial sector. In: Eighth Annual Computer Security Applications Conference, pp. 64–73. IEEE Computer Society Press. http://ieeexplore.ieee.org/xpls/abs_all.jsp?isnumber=5913&arnumber=228232&count=25&index=15, April 1992
  4. Brown, A., Kar, G., Keller, A.: An active approach to characterizing dynamic dependencies for problem determination in a distributed application environment. In: IM ’01: IEEE/IFIP International Symposium on Integrated Network Management, pp. 377–390 (2001)
  5. BS 7799-3: Information Security Management Systems. Part 3: Guidelines for Information Security Risk Management (2006)
  6. BSI: BS IEC 61882:2001: Hazard and Operability Studies (HAZOP studies). Application Guide. British Standards Institute (2001)
  7. Cunningham, B., Dykstra, T., Fuller, E., Gatford, C., Gold, A., Hoagberg, M.P., Hubbard, A., Little, C., Manzuik, S., Miles, G., Morgan, C.F., Pfeil, K., Rogers, R., Schack, T., Snedaker, S.: The Best Damn IT Security Management Book Period. Syngress Publishing, November 2007
  8. den Braber, F., Hogganvik, I., Lund, M.S., Stolen, K., Vraalsen, F.: Model-based security analysis in seven steps: a guided tour to the CORAS method. BT Technol. J. 25(1), 101–117 (2007)
  9. Evangelidis, A., Akomode, J., Taleb-Bendiab, A., Taylor, M.: Risk assessment & success factors for e-government in a UK establishment. In: Electronic Government, vol. 2456/2002, pp. 93–99. Springer, Berlin (2002)
  10. Goseva-Popstojanova, K., Hassan, A., Guedem, A., Abdelmoez, W., Nassar, D.E.M., Ammar, H., Mili, A.: Architectural-level risk analysis using UML. IEEE Trans. Softw. Eng. 29, 946–960 (2003)
  11. Gunter, C.A., Gunter, E.L., Jackson, M.A., Zave, P.: A reference model for requirements and specifications. IEEE Softw. 17(3), 37–43 (2000)
  12. Herrmann, D.S.: Complete Guide to Security and Privacy Metrics. Auerbach Publications, Boston (2007)
  13. Innerhofer-Oberperfler, F., Breu, R.: Using an enterprise architecture for IT risk management. In: ISSA ’06: Proceedings of Information Security South Africa Conference. http://icsa.cs.up.ac.za/issa/2006/Proceedings/Full/115_Paper.pdf (2006)
  14. ISO/IEC 13335:2001: Information Technology. Security Techniques: Guidelines for the management of IT security (2001)
  15. ISO/IEC 15408:2006: Common Criteria for Information Technology Security Evaluation. http://www.commoncriteriaportal.org/thecc.html, September 2006
  16. ISO/IEC 17799:2000: Information Security. Code of Practice for Information Security Management (2000)
  17. ISO/IEC 27001:2005: Information Technology. Security Techniques: Information Security Management Systems. Requirements (2005)
  18. ISO/IEC 27002:2005: Information Technology. Security Techniques: Code of Practice for Information Security Management (2005)
  19. Kar, G., Keller, A., Calo, S.: Managing application services over service provider networks: architecture and dependency analysis. In: NOMS ’00: Proceedings of the 7th IEEE/IFIP Network Operations and Management Symposium, pp. 61–75. IEEE Press (2000)
  20. Kim, I.-J., Jung, Y.-J., Park, J.G., Won, D.: A study on security risk modeling over information and communication infrastructure. In: SAM ’04: Proceedings of the International Conference on Security and Management, pp. 249–253. CSREA Press, June 2004
  21. Lippmann, R.P., Ingols, K.W.: An annotated review of past papers on attack graphs. Technical report, Defense Technical Information Center OAI-PMH Repository. http://stinet.dtic.mil/oai/oai (United States), 1998. http://en.scientificcommons.org/18618950
  22. Morali, A., Zambon, E., Houmb, S.H., Sallhammar, K., Etalle, S.: Extended eTVRA vs. security checklist: experiences in a value-Web. In: ICSE ’09: Proceedings of the 31st IEEE International Conference on Software Engineering. IEEE Computer Society Press (2009)
  23. Muntz, R.R., de Souza e Silva, E., Goyal, A.: Bounding availability of repairable computer systems. SIGMETRICS Perform. Eval. Rev. 17(1), 29–38 (1989)
  24. Pawson, R., Tilley, N.: Realistic Evaluation. Sage Publications, Beverly Hills (1997)
  25. Rossebo, J.E.Y., Cadzow, S., Sijben, P.: eTVRA, a threat, vulnerability and risk assessment method and tool for eEurope. In: ARES ’07: Second International Conference on Availability, Reliability and Security, pp. 925–933. IEEE Computer Society Press. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4159893, April 2007
  26. Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: IEEE Symposium on Security and Privacy, p. 273 (2002)
  27. Stoneburner, G., Goguen, A., Feringa, A.: NIST SP 800-30: Risk management guide for information technology systems. Technical report, NIST National Institute of Standards and Technology (2002)
  28. Vesely, W.E., Goldberg, F.F., Roberts, N.H., Haasl, D.F.: Fault tree handbook. Technical report, US Nuclear Regulatory Commission NUREG-0492 (1981)
  29. Wieringa, R.J., Heerkens, J.M.G.: Designing requirements engineering research. In: CERE ’07: Workshop on Comparative Evaluation in Requirements Engineering, pp. 36–48. IEEE Computer Society Press. http://eprints.eemcs.utwente.nl/13002/, October 2007
  30. Wieringa, R.J., Maiden, N., Mead, N., Rolland, C.: Requirements engineering paper classification and evaluation criteria: a proposal and a discussion. Requir. Eng. J. 11, 102–107 (2006)
  31. Zambon, E., Bolzoni, D., Etalle, S., Salvato, M.: Model-based mitigation of availability risks. In: BDIM ’07: Second IEEE/IFIP International Workshop on Business-Driven IT Management, Munich, pp. 75–83. IEEE Computer Society Press, May 2007

Web References (Last Accessed: May 2010)

  32. Alberts, C.J., Dorofee, A.J.: OCTAVE criteria. Technical report ESC-TR-2001-016, Carnegie Mellon Software Engineering Institute. http://www.cert.org/octave/, December 2001
  33. Risk management: AS/NZS 4360:2004. http://www.riskmanagement.com.au/, October 2004
  34. CISCO Systems: Cisco 2007 Annual Security Report. http://www.cisco.com/web/about/security/cspo/docs/Cisco2007Annual_Security_Report.pdf (2007)
  35. CobiT 4.1: Control objectives for information and related technology. http://www.isaca.org (2007)
  36. CRAMM v5.1 Information Security Toolkit. http://www.cramm.com (2009)
  37. Deladrière, A., Morrison, M.: The risk management challenge. http://www.bankingfinance.be/40915/default.aspx, March 2008
  38. EBIOS: Expression des Besoins et Identification des Objectifs de Sécurité. Section 2: Approach. http://www.ssi.gouv.fr/en/ (2004)
  39. ENISA: Risk management: implementation principles and inventories for risk management/risk assessment methods and tools. Technical report, European Network and Information Security Agency (ENISA). http://www.enisa.europa.eu/rmra/rm_home.html, June 2006
  40. BSI Standard 100-1: Information Security Management Systems (ISMS). http://www.bsi.de/english/gshb/ (2005)
  41. McAfee: In the Crossfire: Critical Infrastructure in the Age of Cyber War. http://resources.mcafee.com/content/NACIPReport (2010)
  42. MEHARI 2007: Risk analysis guide. http://www.clusif.asso.fr/en/clusif/present/, April 2007
  43. NIST National Vulnerability Database. http://nvd.nist.gov/ (2009)
  44. PriceWaterhouseCoopers: BERR Information Security Breaches Survey 2008. http://www.pwc.co.uk/pdf/BERR_ISBS_2008(sml).pdf (2008)
  45.

Copyright information

© The Author(s) 2010

Authors and Affiliations

  • Emmanuele Zambon (1)
  • Sandro Etalle (1, 2)
  • Roel J. Wieringa (1)
  • Pieter Hartel (1)

  1. University of Twente, Enschede, The Netherlands
  2. Technical University of Eindhoven, Eindhoven, The Netherlands
