Post on 17-Jan-2022
RA WHIZ - RISK ASSESSMENT AUTOMATION FOR AN
INFORMATION SECURITY MANAGEMENT SYSTEM
BY
NOR AZA RAMLI
A thesis submitted in fulfilment of the requirement for the degree of Master of Computer Science
Kulliyyah of Information and Communication Technology
International Islamic University Malaysia
APRIL 2016
ABSTRACT
Information is a business asset that needs to be accessed and processed for it to bring value to the business. The use of technologies in handling information introduces information security risks that are inherited from flaws and weaknesses in the implementation of these technologies. Information security risks can be addressed systematically by having a comprehensive management system in place. ISO/IEC 27001 is a standard for an information security management system (ISMS). It is published in a joint effort by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard introduces a risk-based approach to managing information security. A risk assessment exercise for an ISMS implementation requires human expertise with a comprehensive understanding and considerable knowledge of information security. The risk assessment exercise is based on three steps: identification, analysis and evaluation. Tools are available that cater for the automation of the analysis and evaluation steps. However, there is still a lack of automation in the overall information security risk area. This could be because the analysis and evaluation phases are based on a risk assessment approach, whereas the identification phase requires specific knowledge of information security risks. This work aims to automate the risk identification process by studying key parameters in risk assessment and developing relationship models of these parameters. Scopes undertaken by ISMS certified organizations in Malaysia will be analyzed to determine a significant scope for this study. Key parameters for risk assessment will be identified and relationship models will be developed for these parameters. The key parameters are assets, with explicit grouping and definitions, and their corresponding threats and vulnerabilities. The asset relationship model presents a link between three types of assets.
This model demonstrates the idea of information containers, primary assets and supporting assets, which need to be understood by organizations to enable efficient risk assessment. Information is a primary asset, with supporting assets such as infrastructure and system. The threats relationship model presents a link between the types of threats. It demonstrates how a data security threat could result from risk inherited from threats on infrastructure and system. The vulnerabilities relationship model presents the relationship between a specific threat and common vulnerabilities. The relationship models are implemented using Protégé, an ontology editor. The risk assessment ontology becomes the knowledge base of RA Whiz, a risk assessment advisory system. RA Whiz produces risk assessment results for a secure data centre, which is the scope identified earlier in this study. Validation of the results is sought from information security professionals with ISMS working experience to gauge the reliability of the results produced by RA Whiz.
ABSTRACT IN ARABIC (translated)
Information is the foundation of enterprises, as it needs to be accessed and processed in order to realize value for the enterprise. The use of technologies in handling information leads to security risks that are inherited from flaws and weaknesses in the implementation of these technologies. Information security risks can be addressed systematically by having a comprehensive management system in place. ISO/IEC 27001 is a standard for an information security management system (ISMS). It was published in a joint effort by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard represents a risk-based approach to managing information security. The risk assessment process for an ISMS implementation requires human expertise with a comprehensive understanding and considerable knowledge of information security. However, the availability of competent risk analysts is limited, and the problem has become fundamental with the lack of tools in this area. The risk assessment process is based on three steps: identification, analysis and evaluation. Tools are available that cater for automating the analysis and evaluation steps, but related work on automating the risk identification step has not yet been considered. This may be due to the fact that the analysis and evaluation phases are based on a risk assessment approach, whereas the risk identification phase requires specific knowledge of information security risks. This work aims to automate the risk identification process by studying the key parameters in risk assessment and developing relationship models between these parameters. The scopes undertaken by ISMS certified organizations in Malaysia will be analyzed to determine a significant scope for this study. The key parameters for risk assessment will be identified, and a relationship model will be developed for these parameters. The key parameters are assets, with explicit grouping and definitions, and the corresponding threats and vulnerabilities. The asset relationship model presents a link between three types of assets. This model demonstrates the idea of information containers, primary assets and supporting assets, which organizations need to understand to enable efficient risk assessment. Information is the primary asset, with supporting assets such as infrastructure and system. The threats relationship model presents the link between the types of threats; it demonstrates how a data security threat can lead to a risk inherited from threats on infrastructure and system. The vulnerabilities model presents the relationship between a specific threat and common vulnerabilities. The relationship models will be implemented using Protégé, an ontology editor. The risk assessment ontology will become the knowledge base of the risk assessment advisory system RA Whiz. RA Whiz produces risk assessment results for a secure data centre, which is the scope identified earlier in this study. Validation of the results was carried out by information security professionals with ISMS working experience to measure the reliability of the results produced by RA Whiz.
APPROVAL PAGE
I certify that I have supervised and read this study and that in my opinion, it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a thesis for the degree of Master of Computer Science.
………………………… Normaziah Abdul Aziz
Supervisor
I certify that I have read this study and that in my opinion it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a thesis for the degree of Master of Computer Science.
……………………….. Imad Fakhri Taha
Examiner
……………………….. Omar Zakaria
External Examiner
This thesis was submitted to the Department of Computer Science and is accepted as a fulfilment of the requirement for the degree of Master of Computer Science.
……………………….. Normi Sham Awang Abu Bakar
Head, Department of Computer Science
This thesis was submitted to the Kulliyyah of Information and Communication Technology (KICT) and is accepted as a fulfilment of the requirement for the degree of Master of Computer Science.
……………………….. Abdul Wahab Abdul Rahman
Dean, Kulliyyah of ICT
DECLARATION
I hereby declare that this thesis is the result of my own investigations, except where
otherwise stated. I also declare that it has not been previously or concurrently
submitted as a whole for any other degrees at IIUM or other institutions.
Nor Aza Ramli
Signature ........................................................... Date .........................................
COPYRIGHT PAGE
INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA
DECLARATION OF COPYRIGHT AND AFFIRMATION OF FAIR USE OF UNPUBLISHED RESEARCH
RA WHIZ - RISK ASSESSMENT AUTOMATION FOR AN
INFORMATION SECURITY MANAGEMENT SYSTEM
I declare that the copyright of this thesis is jointly owned by the student and IIUM.
Copyright © 2016 Nor Aza Ramli and International Islamic University Malaysia. All rights reserved.
No part of this unpublished research may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the copyright holder except as provided below:
1. Any material contained in or derived from this unpublished research may be used by others in their writing with due acknowledgement.
2. IIUM or its library will have the right to make and transmit copies (print or electronic) for institutional and academic purpose.
3. The IIUM library will have the right to make, store in a retrieval system and supply copies of this unpublished research if requested by other universities and research libraries.
By signing this form, I acknowledge that I have read and understood the IIUM Intellectual Property Right and Commercialization policy.
Affirmed by Nor Aza Ramli
Signature ……………………………….. Date ……………………..
ACKNOWLEDGEMENTS
In the name of Allah, the Most Gracious, the Most Merciful.
All praise is due to Allah, and Allah's Peace and Blessings be upon His Final Messenger. This research was carried out under the supervision of Assoc. Prof. Dr. Normaziah Abdul Aziz in the Department of Computer Science, Kulliyyah of ICT, IIUM. All praise is due to Allah, for without His blessings I would not have been able to complete and present this thesis. My heartfelt appreciation goes to my supervisor for her continuous dedication and patience in guiding me throughout the process of completing this thesis. I am indebted to my loving husband for his undivided support, which allowed me to dedicate my time over these few years, facing up to the many challenges that came by. Thank you for believing in me and for always standing by my side. A very special thanks goes to my children, mother, siblings, relatives and friends for their understanding and support. Last but not least, I would like to thank everyone, especially the academic and administrative staff at the Kulliyyah of ICT, who have directly or indirectly helped me during my tenure here. May Allah s.w.t. reward all of you accordingly.
TABLE OF CONTENTS
Abstract .... ii
Abstract in Arabic .... iii
Approval Page .... iv
Declaration .... v
Copyright .... vi
Acknowledgments .... vii
List of Tables .... x
List of Figures .... xii
Terms and Acronyms .... xiv
CHAPTER ONE: INTRODUCTION AND OVERVIEW .... 1
1.1 Introduction .... 1
1.2 Thesis Overview .... 2
1.2.1 Problem Statement .... 3
1.2.2 Research Question .... 4
1.2.3 Research Objective .... 4
1.2.4 Research Methodology .... 7
1.2.5 Research Hypothesis .... 7
1.2.6 Significance of the Study .... 8
1.2.7 Scope and Limitations .... 8
1.2.7.1 Scope of the Research .... 8
1.2.7.2 Limitation of the Research .... 10
1.3 Thesis Structure .... 11
CHAPTER TWO: LITERATURE REVIEW .... 12
2.1 Introduction .... 12
2.2 Information Security Management System Standards .... 12
2.3 Information Security Risk Assessment .... 14
2.4 Risk Assessment Tools .... 16
2.4.1 Documented Guidelines .... 16
2.4.2 Documentation Toolkit and Software .... 19
2.5 Risk Assessment on Expert System .... 19
2.6 Expert System Tools .... 23
2.6.1 Expert System Shells .... 23
2.6.1.1 CLIPS .... 23
2.6.1.2 Java Expert System Shell .... 24
2.6.1.3 JessGUI .... 24
2.6.1.4 JavaDON .... 24
2.6.2 Ontology Editor .... 25
2.6.3 Expert System Tools Review .... 26
2.7 Summary .... 27
CHAPTER THREE: METHODOLOGY AND DESIGN .... 29
3.1 Introduction .... 29
3.2 Research Methodology .... 29
3.3 Research Design .... 31
3.3.1 Studying Published Standards .... 32
3.3.2 Developing RA Whiz .... 32
3.3.3 Validating RA Whiz Results .... 34
3.4 The Underlying Concept of RA Whiz .... 35
3.4.1 ISMS Scope .... 35
3.4.2 Risk Assessment Approach .... 37
3.4.3 Relationship Models .... 41
3.4.3.1 Assets Identification .... 41
3.4.3.2 Threats Identification .... 43
3.4.3.3 Vulnerabilities Identification .... 46
3.4.4 Formulation of Questionnaires .... 48
3.5 Summary .... 51
CHAPTER FOUR: DEVELOPMENT OF RA WHIZ .... 52
4.1 Introduction .... 52
4.2 Facts and Rules .... 52
4.3 Relationship Models .... 56
4.3.1 Relationship 1 – Assets Relationship .... 57
4.3.1.1 Relating Primary Asset (Information) to Supporting Assets (Infrastructure and System) .... 63
4.3.2 Relationship 2 – Threats Relationship .... 65
4.3.3 Relationship 3 – Vulnerabilities Relationship .... 77
4.4 RA Whiz User Interface .... 81
4.5 Summary .... 82
CHAPTER FIVE: RESULTS AND ANALYSIS .... 83
5.1 Introduction .... 83
5.2 Risk Assessment Results .... 83
5.3 Validation of Results .... 86
5.3.1 Identification of Key Assets .... 86
5.3.2 Identification of Specific Threats .... 89
5.3.3 Identification of Common Threats .... 93
5.4 Overall Observation of Analysis .... 101
5.5 Summary .... 103
CHAPTER SIX: CONCLUSION AND MOVING FORWARD .... 104
6.1 Introduction .... 104
6.2 Finding Summary .... 105
6.3 Contribution .... 108
6.4 Future Work .... 110
REFERENCES .... 111
PUBLICATION / PRESENTATION .... 114
LIST OF TABLES
Table 1.1 Context of Research Questions in Association with Research Objectives .... 6
Table 2.1 Description of OCTAVE Methods .... 17
Table 2.2 Summary of Features of RA Whiz vs Expert Systems on Risk Assessment .... 22
Table 2.3 Summary of Expert System Tools Reviewed .... 26
Table 3.1 Asset – Impact Valuation .... 39
Table 3.2 Likelihood of Occurrence .... 39
Table 3.3 Types of Assets .... 41
Table 4.1 Facts and Rules in Risk Assessment .... 53
Table 4.2 List of Threats and Corresponding Vulnerabilities .... 55
Table 4.3 Summary of Relationship Between Physical Security Threats and Data Security Threats .... 76
Table 4.4 Summary of Relationship Between Network Security Threats and Data Security Threats .... 76
Table 4.5 Summary of Physical Security Threats and Corresponding Vulnerabilities .... 79
Table 4.6 Summary of Network Security Threats and Corresponding Vulnerabilities .... 80
Table 5.1 Description of Key Assets .... 87
Table 5.2 Q1 of Questionnaire .... 88
Table 5.3 Responses to Q1 of Questionnaire .... 88
Table 5.4 Q2 of Questionnaire .... 89
Table 5.5 Q2.1 of Questionnaire .... 90
Table 5.6 Responses to Q2.1 of Questionnaire .... 91
Table 5.7 Suggested Additional Threats .... 92
Table 5.8 Q2.2 of Questionnaire .... 94
Table 5.9 Responses to Q2.2 of Questionnaire .... 94
Table 5.10 Q3 of Questionnaire .... 95
Table 5.11 Q3.1 of Questionnaire .... 96
Table 5.12 Responses to Q3.1 of Questionnaire .... 96
Table 5.13 Suggested Additional Vulnerabilities .... 98
Table 5.14 Overall Observation of Analysis .... 101
Table 5.15 Summary of RA Whiz Results Validation .... 103
Table 6.1 Research Objective and Hypothesis Justification .... 105
LIST OF FIGURES
Figure 1.1 The Main Stages Undertaken in the Study .... 7
Figure 2.1 Risk Assessment Process .... 15
Figure 2.2 Summary of Literature Review .... 27
Figure 3.1 Description of the Phases in the Research Methodology .... 30
Figure 3.2 Research Design Process Flow .... 31
Figure 3.3 Architecture of RA Whiz .... 33
Figure 3.4 ISMS Certificates in Malaysia (ISO Survey of Management System Standard Certifications, 2013) .... 35
Figure 3.5 ISMS Certificates in Malaysia (breakdown by scope) .... 36
Figure 3.6 Information Security Risk Management Process (Reference: ISO/IEC 27005) .... 38
Figure 3.7 Risk Scales (Reference: ISO/IEC 27005) .... 40
Figure 3.8 Assets Relationship Model .... 43
Figure 3.9 Threats Relationship Model – 1 .... 44
Figure 3.10 Threats Relationship Model – 2 .... 45
Figure 3.11 Threats and Vulnerabilities Relationship Model .... 47
Figure 4.2 RA Whiz - Risk Assessment Tool Based on Protégé Ontology Editor .... 54
Figure 4.3 The Three Categories of Assets .... 57
Figure 4.4 Types of Assets in Ontograph .... 58
Figure 4.5 The Extension of Assets Based on Three Categories .... 59
Figure 4.6 Description of Data Centre Infra .... 60
Figure 4.7 Ontograph of Data Centre Infrastructure Assets .... 60
Figure 4.8 Description of Data Centre System .... 61
Figure 4.9 Ontograph of Data Centre System Assets .... 62
Figure 4.10 Description of Information .... 62
Figure 4.11 Ontograph of Information Assets .... 63
Figure 4.12 Information Containers .... 64
Figure 4.13 Description of Threats .... 65
Figure 4.14 Threats Ontograph .... 66
Figure 4.15 Description of Physical Security Threat .... 67
Figure 4.16 Ontograph of Physical Security Threats .... 68
Figure 4.17 Physical Security Threat – Equipment Failure .... 69
Figure 4.18 Physical Security Threat – Unauthorized Physical Access .... 70
Figure 4.19 Ontograph on the Relationship Between Physical Security Threat and Data Security Threat .... 71
Figure 4.20 Description of Network Security Threat .... 72
Figure 4.21 Ontograph of Network Security Threats .... 72
Figure 4.22 Network Security Threat – DoS/DDoS .... 73
Figure 4.23 Network Security Threat – Reconnaissance Attacks .... 74
Figure 4.24 Network Security Threat – Malware Attacks .... 74
Figure 4.25 Ontograph on the Relationship of Network Security Threat and Data Security Threat .... 75
Figure 4.26 Description of Vulnerability .... 77
Figure 4.27 Ontograph on the Relationship of Physical Security Threats and Their Corresponding Vulnerabilities .... 78
Figure 4.28 Ontograph on the Relationship of Network Security Threats and Their Corresponding Vulnerabilities .... 80
Figure 5.1 RA Whiz Screen Capture with Extended ViewComponent Tab Labelled as Security .... 84
Figure 5.2 Results of Risk Assessment – Data Centre System .... 85
TERMS AND ACRONYMS
CIA  Confidentiality, integrity and availability
CLIPS  C Language Integrated Production System
ISMS  Information Security Management System
ISO/IEC  International Organization for Standardization and International Electrotechnical Commission
JESS  Java Expert System Shell
NIST  National Institute of Standards and Technology, United States
OCTAVE  Operationally Critical Threat, Asset, and Vulnerability Evaluation
OWL  Web Ontology Language
CHAPTER ONE
INTRODUCTION AND OVERVIEW
1.1 INTRODUCTION
Organizations that depend on information technologies consequently face the common issue of managing the information security risks that come with the use of those technologies. A report entitled Trial by fire (2009), published by PricewaterhouseCoopers on the basis of its annual Global State of Information Security Survey for the year 2010, found that organizations have considered taking a risk-based approach as well as adopting a recognized security framework in addressing information security issues. The consistent outcome of this annual survey for the year 2011, in a report entitled Respected - but still restrained (2010), emphasized the importance of understanding information security risks and prioritizing investment to mitigate the most critical ones.
According to Humphreys (2008), if an organization does not know the risks it faces, it will not be able to implement proper and effective protection. Kailay and Jarrat (1995) highlighted that one of the gaps at the time was the limited number of risk analysis methodologies and corresponding tools for certain domain users. At present that gap has been addressed by several available risk assessment methodologies, such as ISO/IEC 27005, which is published by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC). This research aims to automate the risk assessment process by identifying a plausible set of risks for a particular scope in an Information Security Management System (ISMS) implementation.
Chapter 1 is organized as follows. Section 1.1 presents the introduction to this chapter; it discusses the need to respond to information security issues through an understanding of risks. The thesis overview in Section 1.2 briefly explains the risk-based approach in an information security management system. Section 1.2 includes details of the research such as the problem statement, research objectives, research method, research questions and research hypothesis. At the end of Section 1.2, the significance of the study and the scope and limitations are discussed. Finally, the thesis structure is outlined in Section 1.3.
1.2 THESIS OVERVIEW
The undeniable importance of understanding and managing information security risk has resulted in a global effort to develop a standard for an Information Security Management System (ISMS). As stated by Humphreys (2008), the initiative to develop ISMS standards started in the early 1990s with the first draft of the British Standard BS 7799, which focused on security related to people, processes, information and Information Technology (IT). Humphreys (2007) described the evolution of BS 7799 Part 2, which was developed as a national standard and later formalized and published as an international standard, ISO/IEC 27001, in 2005. Humphreys (2007) further elaborated that this standard adopts a risk-based approach to effective information security management, taking into consideration the information security aspects of various areas within an organization.
Acknowledging the importance of information security management, the Ministry of Science, Technology and Innovation (MOSTI) in Malaysia has included a risk assessment framework as an initiative under Thrust 6: Compliance and Enforcement, one of the eight policy thrusts in the National Cyber Security Policy (2005). CyberSecurity Malaysia (2010) stated that the Malaysian cabinet has agreed that all Critical National Information Infrastructure (CNII) organizations are to fulfil the ISMS standard requirements. In an ISMS implementation, an organization has to identify a scope for the ISMS, and this scope is then subject to risk assessment and the entire process of the management system. Hence, the inclusion of a risk assessment framework in the national policy has provided a sound foundation for the implementation of ISMS in Malaysia.
1.2.1 Problem Statement
In an ISMS, information security is managed by applying a risk management process within the management system. One of the sub-processes in risk management is risk assessment. According to Liao and Song (2003), automating risk assessment is difficult due to the heavy dependence on human experts in each phase of the process as well as the lack of historical data that can be used.
In the year 2002, the National Institute of Standards and Technology in the United States published NIST 800-30, a Risk Management Guide for Information Technology Systems. This document includes a detailed risk assessment procedure. According to Peterson (2008), conducting a risk assessment that complies with NIST 800-30 is problematic for many organizations, as the standards are voluminous and complex. A tool was developed to automate risk management in order to address this issue.
In the case of the ISMS standards, guidelines on risk assessment such as ISO/IEC 27005 provide threats and vulnerabilities as listings which still need to be carefully analysed by expert assessors. Organizations require experts in both risk management and information security to conduct a risk assessment that complies with the requirements of the ISMS standards. According to Aime et al. (2007), there is still a lack of automation in the information security risk area. Hence, automating the risk assessment process is seen as a gap that needs to be addressed in order to assist organizations in their ISMS implementation and certification efforts.
1.2.2 Research Question
The following research questions (RQ) will be addressed in this thesis:
1. RQ1: What is a significant scope of an ISMS implementation?
2. RQ2: What are the key assets within the scope, and what are the corresponding threats and vulnerabilities that would lead to information security risks on those assets?
3. RQ3: What are the relationships between the key parameters that can be used to automate risk identification?
4. RQ4: How can the risk assessment process be automated?
1.2.3 Research Objective
This work attempts to automate the risk identification process by identifying a plausible set of risks for a particular scope in an ISMS implementation. An advisory system prototype named RA Whiz will be developed to demonstrate this automation. Relationship models for risk identification, focusing on assets, threats and vulnerabilities, will be developed and implemented in RA Whiz. Various guidelines in information security best-practice documents will be used to achieve the overall research objectives, guided by the research questions described in Section 1.2.2. The research objectives are:
1. RO1: To identify a scope that would be significant in an ISMS implementation
- To study the landscape of ISMS certification in Malaysia. Scopes undertaken by the ISMS certified organizations will be analysed and a significant scope to be used in this study will be identified.
2. RO2: To study a plausible set of risks for the identified scope
- To identify key assets in the scope that need to be protected.
- To study potential threats and corresponding vulnerabilities on these assets. Assets, threats and vulnerabilities are the three key parameters in risk assessment.
3. RO3: To develop a relationship model and implement it in an advisory system prototype to demonstrate risk assessment automation
- To develop relationship models of the key parameters.
- To use an ontology editor to create classes and object properties that represent the relationship models. These models will be used for automating risk identification. Other relevant risk parameters, such as the risk assessment approach, will be included to facilitate the risk assessment automation.
Table 1.1 shows the context of the research objectives in addressing the research
questions.
Table 1.1 Context of Research Questions in Association with Research Objectives

Research Question (RQ) | Research Objective (RO)
RQ1: What is a significant scope of an ISMS implementation? | RO1: To study the landscape of ISMS certification in Malaysia. Scopes undertaken by the ISMS certified organizations will be analysed and a significant scope to be used in this study will be identified.
RQ2: What are the key assets within the scope, and what are the corresponding threats and vulnerabilities that would lead to information security risks on those assets? | RO2: To identify key assets in the scope that need to be protected. To study potential threats and corresponding vulnerabilities on these assets. Assets, threats and vulnerabilities are the three key parameters in risk assessment.
RQ3: What are the relationships between the key parameters that can be used to automate risk identification? RQ4: How can the risk assessment process be automated? | RO3: To develop relationship models of the key parameters. To use an ontology editor to create classes and object properties that represent the relationship models. These models will be used for automating risk identification. Other relevant risk parameters, such as the risk assessment approach, will be included to facilitate the risk assessment automation.
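The abstract and RO3 above describe three relationship models (primary information assets held in containers provided by supporting system and infrastructure assets; threats on supporting assets that are inherited as data security threats on the information; and the common vulnerabilities linked to each specific threat) and say that risk identification can be automated by traversing them. The following Python sketch is an added illustration of that idea, not code from the thesis or from RA Whiz itself (which is built on a Protégé ontology). The asset names, the vulnerability strings and the three data security consequences are constructed for this example; the supporting-asset threat names are the ones the thesis figures list (equipment failure, unauthorized physical access, DoS/DDoS, reconnaissance attacks, malware attacks). It generalizes slightly beyond the text by giving the identification step a deterministic algorithm: every information asset, each of its containers, every threat that targets that container's category, each data security threat it leads to and each vulnerability it exploits yields one identified risk.

```python
"""Added example: an in-memory knowledge base mirroring the three relationship
models of RA Whiz and deriving a plausible set of risks from them.
Illustrative code only; names in build_sample_kb() are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# The three asset categories of the assets relationship model.
INFORMATION, SYSTEM, INFRASTRUCTURE = "Information", "System", "Infrastructure"


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str  # INFORMATION (primary asset) or SYSTEM / INFRASTRUCTURE (supporting)


@dataclass(frozen=True)
class Threat:
    name: str
    target_kind: str                  # supporting-asset category the threat acts on
    leads_to: Tuple[str, ...]         # data security threats inherited by the information
    vulnerabilities: Tuple[str, ...]  # common vulnerabilities linked to this threat


@dataclass(frozen=True)
class Risk:
    information: str
    supporting_asset: str
    threat: str
    data_security_threat: str
    vulnerability: str


class RiskKnowledgeBase:
    """Holds the assets, threats and vulnerabilities relationship models."""

    def __init__(self) -> None:
        self.assets: Dict[str, Asset] = {}
        self.supported_by: Dict[str, List[str]] = {}  # information -> containers
        self.threats: List[Threat] = []

    def add_asset(self, asset: Asset) -> None:
        self.assets[asset.name] = asset
        self.supported_by.setdefault(asset.name, [])

    def add_support(self, information: str, container: str) -> None:
        """Relationship 1: information is held in a container provided by a
        supporting (system or infrastructure) asset."""
        if self.assets[information].kind != INFORMATION:
            raise ValueError(f"{information!r} is not an information asset")
        if self.assets[container].kind == INFORMATION:
            raise ValueError(f"{container!r} cannot act as an information container")
        self.supported_by[information].append(container)

    def add_threat(self, threat: Threat) -> None:
        """Relationships 2 and 3: a threat on a supporting asset, the data
        security threats it leads to, and the vulnerabilities it exploits."""
        self.threats.append(threat)

    def identify_risks(self, information: str) -> List[Risk]:
        """Walk information -> containers -> threats -> inherited data security
        threats -> vulnerabilities and return one Risk per complete path."""
        risks: List[Risk] = []
        for container in self.supported_by.get(information, []):
            kind = self.assets[container].kind
            for threat in self.threats:
                if threat.target_kind != kind:
                    continue
                for consequence in threat.leads_to:
                    for vuln in threat.vulnerabilities:
                        risks.append(Risk(information, container, threat.name,
                                          consequence, vuln))
        return risks

    def inherited_data_security_threats(self, information: str) -> Set[str]:
        return {r.data_security_threat for r in self.identify_risks(information)}


def build_sample_kb() -> RiskKnowledgeBase:
    """Constructed secure-data-centre sample; asset and vulnerability names are illustrative."""
    kb = RiskKnowledgeBase()
    kb.add_asset(Asset("Customer records", INFORMATION))
    kb.add_asset(Asset("Audit log archive", INFORMATION))  # no container assigned yet
    kb.add_asset(Asset("Database server", SYSTEM))
    kb.add_asset(Asset("Server room power supply", INFRASTRUCTURE))
    kb.add_support("Customer records", "Database server")
    kb.add_support("Customer records", "Server room power supply")

    disclosure = "Unauthorized disclosure of information"
    integrity = "Loss of integrity of information"
    availability = "Loss of availability of information"
    for threat in (
        Threat("Equipment failure", INFRASTRUCTURE, (availability,),
               ("No redundant power supply", "No preventive maintenance schedule")),
        Threat("Unauthorized physical access", INFRASTRUCTURE, (disclosure, integrity),
               ("Inadequate physical access control to the server room",)),
        Threat("DoS/DDoS", SYSTEM, (availability,),
               ("No traffic filtering at the network perimeter",)),
        Threat("Malware attacks", SYSTEM, (disclosure, integrity),
               ("Unpatched software", "No anti-malware protection")),
        Threat("Reconnaissance attacks", SYSTEM, (disclosure,),
               ("Unnecessary services exposed",)),
    ):
        kb.add_threat(threat)
    return kb


if __name__ == "__main__":
    kb = build_sample_kb()
    for r in kb.identify_risks("Customer records"):
        print(f"{r.supporting_asset}: {r.threat} -> {r.data_security_threat} "
              f"[via: {r.vulnerability}]")
```

Running the script lists ten risks for "Customer records": four inherited through the power supply and six through the database server, covering all three data security consequences, while "Audit log archive" yields none because it has no container. That empty result is the useful signal the asset relationship model gives an assessor: an information asset that is not linked to any supporting asset cannot have its risks identified, which is exactly the grouping problem the hypothesis in Section 1.2.5 points at.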
1.2.4 Research Methodology
The study is carried out in phases to accomplish the overall research objectives. The
research methodology is based on actual ISMS implementation within Malaysia. The
landscape of ISMS certifications in Malaysia is used as the scope of the research.
Figure 1.1 illustrates the main stages undertaken in conducting this study.
Figure 1.1: The Main Stages Undertaken in the Study
There are 5 phases undertaken in conducting this study. The research methodology
corresponding to these phases is further explained in Chapter 3.
1.2.5 Research Hypothesis
The purpose of the case study is to find out whether there is a relationship between the types
of assets identified in a particular scope of an ISMS implementation and the risks
identified. It is common for a set of risks to be identified repeatedly because key assets
are grouped inefficiently. Hence, the hypothesis of this study is that
automation of risk identification, enabling a full risk assessment, will lead to
acceptable risk assessment results based on predetermined relationship models.
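As an added illustration (not the thesis's RA Whiz prototype), the relationship model described under RO3 and the grouping point made in the hypothesis, expressed in Python: asset groups link to vulnerabilities, vulnerabilities to the threats that exploit them, and a walk over those links yields the identified risks for a scope. The group names, the entries in the model and the likelihood x impact scale used for the analysis step are constructed assumptions, not values taken from the thesis.

```python
"""Added illustration, not the thesis's RA Whiz code: a minimal relationship
model linking asset groups to vulnerabilities and threats, with a
risk-identification routine that walks it. Group names, entries and the
likelihood x impact scale are constructed assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    group: str   # asset group the model keys on, e.g. "Hardware"
    value: int   # business value 1..3, used as impact in the analysis step

# Object properties of the model as plain dictionaries. An individual asset
# inherits the vulnerabilities of its group, so the same risk is not
# re-identified by hand for every asset of that type.
GROUP_HAS_VULNERABILITY = {
    "Hardware": ["Lack of environmental controls", "No hardware redundancy"],
    "Software": ["Unpatched services"],
    "Service": ["Single power feed"],
}
EXPLOITED_BY = {
    "Lack of environmental controls": ["Fire", "Flood"],
    "No hardware redundancy": ["Equipment failure"],
    "Unpatched services": ["Malware", "Unauthorised access"],
    "Single power feed": ["Power failure"],
}
THREAT_LIKELIHOOD = {"Fire": 1, "Flood": 1, "Equipment failure": 2,
                     "Malware": 3, "Unauthorised access": 2, "Power failure": 2}

def identify_risks(assets):
    """Risk identification: (asset, threat, vulnerability) triples derived by
    following group -> vulnerability -> threat links for every asset in scope."""
    return [(asset, threat, vuln)
            for asset in assets
            for vuln in GROUP_HAS_VULNERABILITY.get(asset.group, [])
            for threat in EXPLOITED_BY[vuln]]

def evaluate(risks, acceptable=3):
    """Risk analysis and evaluation on an assumed 1..3 scale: level is
    likelihood x impact; only risks above the acceptable level are returned,
    keyed by (asset name, threat, vulnerability)."""
    scored = {}
    for asset, threat, vuln in risks:
        level = THREAT_LIKELIHOOD[threat] * asset.value
        if level > acceptable:
            scored[(asset.name, threat, vuln)] = level
    return scored
```

Two servers of the same group produce the same threat and vulnerability pairs without either being enumerated separately, which is the repetition the grouping is meant to remove.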
1.2.6 Significance of the Study
The findings of this research are expected to benefit organizations by aiding their
information security risk assessment process. The advisory system may become a tool
for risk assessors in the identification of assets, relevant threats and vulnerabilities.
The advisory system will also facilitate the analysis and estimation of
corresponding risk levels for a specific scope in an ISMS implementation. This may
be very useful during the initial attempt at risk assessment, especially for an
organization that is working towards ISMS certification. By using a user-friendly
ontology editor, the knowledge base could be updated from time to time. The
relationship models could also be further expanded for different scopes of ISMS
implementation.
1.2.7 Scope and Limitations
1.2.7.1 Scope of the Research
The main objective of this research is to model and implement risk identification
automation within risk assessment. This study focuses on one scope of an ISMS
implementation, thus limiting the boundary of relevant assets that are identified and
subject to a risk assessment exercise. The scope of this study is listed below to guide
the limitation:
1. Looking at the ISMS certification landscape in Malaysia.
2. Focusing on three key processes of risk assessment: risk identification,
risk analysis and risk evaluation.
3. Automating risk identification for assets within an identified scope of an
ISMS implementation.
This study focuses on secure data centre services as a scope of an ISMS
implementation. There are several types of threats, including those related to human
factors. Threats related to human factors are excluded from this study as they are an
elaborate topic on their own. Threats related to humans can be categorized into
motivation, opportunity and capability (Colwill, 2010). Human threats are also
presented by identifying threat sources such as hackers, crackers and insiders and listing the
corresponding motivation and threat actions, as published by the National Institute of
Standards and Technology (Stoneburner et al., 2002) in the Risk Management Guide
for Information Technology Systems document.
There are many studies focusing on people as threat sources. Amongst others
are studies on improving compliance through training programmes (Puhakainen &
Siponen, 2010), user education in computer security (Gorling, 2006) and enforcement
of baseline security policies and procedures as well as ongoing personnel checks
(Colwill, 2010). With many guidelines available, organizations with good governance
would have implemented some baseline controls with regard to human resources
security to address common human-related threats.
1.2.7.2 Limitation of the Research
There are limitations and challenges in the context of this study that should be noted:
1. Data constraint
The data available for public research is limited due to the confidentiality
of classified information upheld by the certified organizations. However,
reliable and sufficient data could be obtained by studying and analyzing
relevant data from the following sources:
a) the International Register of ISMS Certificates available at
http://www.iso27001certificates.com; and
b) the ISO Survey of Management System Standard Certifications
available at http://www.iso.org/iso/home/standards/management-standards.htm.
2. Technical challenges
As much as this study hopes to focus on the technical aspect of information
security, an ISMS is a management system, so technical issues have to be
addressed from all three aspects of the information security building
blocks, namely people, process and technology.