DARIS: A ProbabilisticModel for DependencyAnalysis of Risks
DARIS: A ProbabilisticModel for Dependency Analysisof Risksin InformationSecurity
163
in academia.We agreewith approaches directedtowardsteachingrisk managernent the statementgiven in [4] that teachinginformationsecurityis a dauntingtask. Although,thereare severalvaluabletextbooksusedin computersecurityeducation, e.g.,[5], it is difficult to find a completesourcefor a throughrisk analysistask.Our in securityeducation. risk assessment approachis a novelsourcefor theoretical
Suleyman Kondakci Facultyof ComputerScience,Izmir Universityof Economics,
[email protected]
Abstract. This paper presentsan abstract concept of security planning processes usinga simpleprobabilisticmodelto expressconditionalrisk factors. This analytical work emphasizesrelationshipsrelated to major security planningphases.The work discusses the chain of logical eventsthat describe dependence in risk propagation. This uniquework can providea guidancefor securityplanningandrisk management applicableto variousengineering fields. Especially,for securityeducation,we need to provide approachesthat are theoreticallysoundas well as practicaland realistic. The risk analysismethod provided by DARIS can also provide a theoreticalbasis in educationof informationsecurity.
I Introduction The processof lifecyclesecurityplanninginvolvesat leastfour phases;as the initial phase(i) requirements analysis,(ii) design,(iii) implementation, and (iv) test and evaluation.Risk assessment during the initial phase is an essentialrequirement neededto reducecumulativerisksthat may propagatethroughthe subsequent phases of a securityplanningprocess.In this work we presenta probabilisticrisk propagation model calledDependency Analysisof Risks in InformationSecurity(DARIS). The root of the risks that is likely to encounterin the first phase is due to the misspecificationof the security objectives. Security objectives representthe fundamentalknowledgeon securityaspectsand the specificationof assetsand IT environment.Estimationof risk levels by use of numericalvalues,probabilistic means,andassociated algorithms/models is termedas quantitativerisk assessment. In the following, Section 2 presentsrelated work. Section 3 deals with the methodologyand context of this paper. Section 4 describesthe probabilistic dependence analysisofrisks in a securityplanning.Section5 concludesthepaper.
2 RelatedWork Statistical and probabilistic models for risk assessmenthave been widely applied in diverse fields. Among many, three such areas are discussedin Il-3]. We do not find methodologies similar to the one presentedhere. Especially, it was difficult to find comparable theoretical methods in IT security risk analyses dealing with weakness propagation. A limitcd number of practical approachesmotivated only by business needs are found in the literature. It is, however, difficult to address abstract
Processand Metrics 3 Assessment There are several common approachesto security planning presentedby different sources.For example,information security processis describedby [6] has the followingflow: )Trai ning)Audit)Assessment. Assessment)Policy)Implementation In similarnotation,DARIS hasthe iterativeflow of stepsshownin Fig I . Test & evaluation
phases. andimprovement Fig. l. The DARIS securitydesignandassessment of objectives(O) and proceeds The improvementprocessstartswith the assessment from the objectives.Further,the of policy (P) generated similarlywith the assessment generated from of the Implementation continueswith the assessment decision-making to weak producesa risk value corresponding the policy. Eachphaseof assessment (ll/), moderate(M), severe(S),or very severe(V).lf an undesiredrisk level (e'g.,W) is iterated' The is found then an improvementis applied and the assessment improvement is done via necessarymodification on objectives, policy, or tasks.Finally, while performingthe chain of assess-improve-iterate implementation an overalltestandevaluationis executedin orderto determinethe statusofthe entire resultsin solution.A simplemetric is usedto quantify and classifuthe assessment anda ranges four sub risk. We use orderto determinethe degree(W, M, S, and V) of masterscaleof scoresvarying between0 and 5. Thus, we can use the following schemefor risk subranging: - sl. w = {0 - 1.25},na = {1.26- 2.5},S= 12.6-3.7sl,andV = 13.76
4 The ConditionatModel of DecisionMaking The DARIS frameworkrelies on a probabilisticdecisionhierarchybasedon the conditionalprobabilitytheory.This probabilisticmodelcan alsobe usedto generate necessaryprobability distributionsthat can be incorporatedinto some mapping decisionmakingmodel,which is functionsto quanti$ risk levels.An event-oriented interoperablewith DARIS is presentedin [7]. Recently,due to increasingterror activities,homelandsecurityhas been under focus for creatingeffectivedecisionA common approachto risk analysisfor homelandsecurity making mechanisms. processcan be is given in [8]. Dependence in a securityassessment decision-making illustratedby a Venn diagramshown in Fig. 2 as a collectionof sets and their relationshiPs.
DARIS: A Probabilistic Model for DependencyAnalysis of Risks
164 Sulevman Kondakcr
165
the security policy. Hence, the compoundprobability for the security measureand policy is given by
Pr(Ma P)=Pr(P)Pr(M ' Ip) =p(r)YlI)
Q)
Pr(P)
of O, P, andM, of intersection Fig.2. TheVenndiagramrepresentation We assumethat dominating threats are rooted from nonexistentor weak security objectives.Thus, we define three data sets,O for the securityobjectives,P for the policies, and M for the countermeasures. The set R representsthe entire spaceof all possiblesecurityattributesfor a given environment. Fig. 2 depicts an environmentwhere the assessmentof a security planning is conducted.In order to combinewith an empirical study,this probabilisticmodel can be simulatedto supporta wide rangeofpredefined scenarios.Thereafter,appropriate input attributescan be selectedto matcha variety ofsecurity solutions.For example, in the initial phase, it may be required to observe the effect of weak security objectives against moderate or severe security objectives. To do so, randomly generateditems of the security objectives with various weights and scores are produced.This, in turn, producesdifferent item scoresto reflect the scoringsubranges to match weak, moderate, severe, or very severe. The items are evaluatedand classifiedaccordingto the subrangesthey are supposedto fall in. The scoringscheme is detailedin [7]. Here,we introducethe theoremsof the risk dependencyin the securityplanning(or solutions).If necessary,relatedmaterial and statisticaltheoriesand practicescan be found in [9-10]. A simple relational hierarchy of dependence,as a roadmap to decisionmaking,canjustify the overalljoint relationshipin a securityprocess. Theorem l. If an organizationis not aware of security aspectsand has not yet definedits securityobjectives(O), thenthe organizationcannotclaim to havedefined (M) canbe an appropriatesecuritypolicy (P), and henceno efficient countermeasures designedvia inappropriatesecuritypolicy. In order to calculatethe probability of O and P events,it is convenientto use conditional probabilities as an intermediateframework. Thus, for two dependent events(O and P, objectiveand policy) the compoundprobabilityis given by
Pr(on P) = Pr(Pl o) Pr(o)J(rt\-o)
tnq
Similar to the Pr(P I O) conjecture,the number of outcomes leading to the occurrenceof both P and M out of np(N) outcomescan be computed.Thus, the conditionalrelative frequencyof P and M. Here n(P ^ M) depictsthe numberof outcomesleadingto the occurrenceof both P and M, and np(N) is the total numberof with successfullydefinedsecuritypolicies,i.e., n(O nP).Proof of organizations Theorem 1 and2. Since the security policy (P) is derived from objectives(O) and security measures(M) are derived from the security policy, it is obvious that measuresare also dependenton the objectives.Hence,the proofofTheorem I and 2 can be derivedin a combinedform given below. Thus, the probability Pr(P) assumes (or dependson) the occurence of O, and Pr(M) assumesthe occurrenceof P. Starting (l) and(2), the conditionalprobabilityPr(P lO) is calculatedby with equations
p r ( p' -'t o ) - P r ( P n o ) p ( M l p ) i s p r ( M l p ) = P t g ! P ) - -\Pr(P) Pr(O)
The definitions of dependencebetween O, P, and M, and Eq. (3) imply that, probability P(P) is dependent on probability Pr(O), and probability Pr(M) is dependenton probability Pr(P),respectively.The overall dependentprobability Pr(P) canbe calculatedby using the total probability formula, i.e.,
Pr(P)= IP
