
RA WHIZ - RISK ASSESSMENT AUTOMATION FOR AN

INFORMATION SECURITY MANAGEMENT SYSTEM

BY

NOR AZA RAMLI

A thesis submitted in fulfilment of the requirement for the degree of Master of Computer Science

Kulliyyah of Information and Communication Technology International Islamic University Malaysia

APRIL 2016


ABSTRACT

Information is a business asset that needs to be accessed and processed for it to bring value to the business. The use of technologies in handling information introduces information security risks that are inherited from flaws and weaknesses in the implementation of these technologies. Information security risks can be addressed systematically by having a comprehensive management system in place. ISO/IEC 27001 is a standard for an information security management system (ISMS), published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard introduces a risk-based approach to managing information security. A risk assessment exercise for an ISMS implementation requires human expertise with a comprehensive understanding of, and considerable knowledge in, information security. A risk assessment exercise consists of three steps: identification, analysis and evaluation. Tools are available that automate the analysis and evaluation steps; however, there is still a lack of automation across the information security risk area as a whole. This may be because the analysis and evaluation phases follow a generic risk assessment approach, whereas the identification phase requires specific knowledge of information security risks. This work aims to automate the risk identification process by studying the key parameters in risk assessment and developing relationship models of these parameters. Scopes undertaken by ISMS-certified organizations in Malaysia will be analysed to determine a significant scope for this study. Key parameters for risk assessment will be identified and relationship models will be developed for them. The key parameters are assets, with explicit grouping and definitions, and their corresponding threats and vulnerabilities.

The assets relationship model presents the link between three types of assets. It demonstrates the idea of information containers, primary assets and supporting assets, which organizations need to understand to enable efficient risk assessment. Information is the primary asset, with supporting assets such as infrastructure and systems. The threats relationship model presents the link between the types of threats: it demonstrates how a data security threat can result from risk inherited from threats on infrastructure and systems. The vulnerabilities relationship model presents the relationship between a specific threat and common vulnerabilities. The relationship models are implemented using Protégé, an ontology editor. The resulting risk assessment ontology becomes the knowledge base of RA Whiz, a risk assessment advisory system. RA Whiz produces risk assessment results for a secure data centre, the scope identified earlier in this study. Validation of the results is sought from information security professionals with ISMS working experience, to gauge the reliability of the results produced by RA Whiz.


ABSTRACT IN ARABIC

Information is the foundation of enterprises, and it needs to be accessed and processed in order to bring value to the enterprise. The use of technologies in handling information leads to security risks inherited from flaws and weaknesses in the implementation of these technologies. Information security risks can be addressed systematically by having a comprehensive management system in place. ISO/IEC 27001 is a standard for an information security management system (ISMS). It was published in a joint effort by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard represents a risk-based approach to managing information security. The risk assessment process for an ISMS implementation requires human expertise with a comprehensive understanding and considerable knowledge of information security. However, the availability of competent risk analysts is limited, and the problem has become fundamental given the lack of tools in this area. The risk assessment process is based on three steps: identification, analysis and evaluation. There are tools available that cater for the automation of the analysis and evaluation steps, but related work on automating the risk identification step has not yet been considered. This may be due to the fact that the analysis and evaluation phases are based on a risk assessment approach, whereas the risk identification phase requires specific knowledge of information security risks. This work aims to automate the risk identification process by studying the key parameters in risk assessment and developing relationship models among these parameters. The scopes undertaken by ISMS-certified organizations in Malaysia will be analysed to determine a significant scope for this study. The key parameters for risk assessment will be identified, and a relationship model will be developed for these parameters. The key parameters are assets with explicit grouping and definitions, and the corresponding threats and vulnerabilities. The assets relationship model presents a link between three types of assets. This model illustrates the idea of information containers, primary assets and supporting assets, which must be understood by organizations to enable efficient risk assessment. Information is the primary asset, with supporting assets such as infrastructure and systems. The threats relationship model presents the link between types of threats; it shows how a data security threat can be the result of risk inherited from threats on infrastructure and systems. The vulnerabilities relationship model presents the relationship between a specific threat and common vulnerabilities. The relationship models will be implemented using Protégé, an ontology editor. The risk assessment ontology will become the knowledge base of RA Whiz, the risk assessment advisory system. RA Whiz produces risk assessment results for a secure data centre, which is the scope identified earlier in this study. Validation of the results was obtained from information security professionals with ISMS working experience, to measure the reliability of the results produced by RA Whiz.


APPROVAL PAGE

I certify that I have supervised and read this study and that in my opinion, it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a thesis for the degree of Master of Computer Science.

…………………………
Normaziah Abdul Aziz
Supervisor

I certify that I have read this study and that in my opinion it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a thesis for the degree of Master of Computer Science.

………………………..
Imad Fakhri Taha
Examiner

………………………..
Omar Zakaria
External Examiner

This thesis was submitted to the Department of Computer Science and is accepted as a fulfilment of the requirement for the degree of Master of Computer Science.

………………………..
Normi Sham Awang Abu Bakar
Head, Department of Computer Science

This thesis was submitted to the Kulliyyah of Information and Communication Technology (KICT) and is accepted as a fulfilment of the requirement for the degree of Master of Computer Science.

………………………..
Abdul Wahab Abdul Rahman
Dean, Kulliyyah of ICT


DECLARATION

I hereby declare that this thesis is the result of my own investigations, except where otherwise stated. I also declare that it has not been previously or concurrently submitted as a whole for any other degrees at IIUM or other institutions.

Nor Aza Ramli

Signature ........................................................... Date .........................................


COPYRIGHT PAGE

INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA

DECLARATION OF COPYRIGHT AND AFFIRMATION OF FAIR USE OF UNPUBLISHED RESEARCH

RA WHIZ - RISK ASSESSMENT AUTOMATION FOR AN

INFORMATION SECURITY MANAGEMENT SYSTEM

I declare that the copyright of this thesis is jointly owned by the student and IIUM.

Copyright © 2016 Nor Aza Ramli and International Islamic University Malaysia. All rights reserved.

No part of this unpublished research may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without prior written permission of the copyright holder except as provided below:

1. Any material contained in or derived from this unpublished research may be used by others in their writing with due acknowledgement.

2. IIUM or its library will have the right to make and transmit copies (print or electronic) for institutional and academic purpose.

3. The IIUM library will have the right to make, store in a retrieval system and supply copies of this unpublished research if requested by other universities and research libraries.

By signing this form, I acknowledge that I have read and understood the IIUM Intellectual Property Right and Commercialization policy.

Affirmed by Nor Aza Ramli

……………………………….. ……………………..
Signature Date


ACKNOWLEDGEMENTS

In the name of Allah, the Most Gracious, the Most Merciful. All praise is due to Allah, and Allah's Peace and Blessings be upon His Final Messenger. This research is carried out under the supervision of Assoc. Prof. Dr. Normaziah Abdul Aziz in the Department of Computer Science, Kulliyyah of ICT, IIUM. All praise is due to Allah, for without His blessings I would not have been able to complete and present this thesis. My heartfelt appreciation goes to my supervisor for her continuous dedication and patience in guiding me throughout the process of completing this thesis. I am indebted to my loving husband for his undivided support, which allowed me to dedicate my time through these few years, facing up to the many challenges that came by. Thank you for believing in me and for always standing by my side. A very special thanks goes to my children, mother, siblings, relatives and friends for their understanding and support. Last but not least, I would like to thank everyone, especially the academic and administration staff at the Kulliyyah of ICT, who have directly or indirectly helped me during my tenure here. May Allah s.w.t. reward all of you accordingly.


TABLE OF CONTENTS

Abstract
Abstract in Arabic
Approval Page
Declaration
Copyright
Acknowledgments
List of Tables
List of Figures
Terms and Acronyms

CHAPTER ONE: INTRODUCTION AND OVERVIEW
1.1 Introduction
1.2 Thesis Overview
1.2.1 Problem Statement
1.2.2 Research Question
1.2.3 Research Objective
1.2.4 Research Methodology
1.2.5 Research Hypothesis
1.2.6 Significance of the Study
1.2.7 Scope and Limitations
1.2.7.1 Scope of the Research
1.2.7.2 Limitation of the Research
1.3 Thesis Structure

CHAPTER TWO: LITERATURE REVIEW
2.1 Introduction
2.2 Information Security Management System Standards
2.3 Information Security Risk Assessment
2.4 Risk Assessment Tools
2.4.1 Documented Guidelines
2.4.2 Documentation Toolkit and Software
2.5 Risk Assessment on Expert System
2.6 Expert System Tools
2.6.1 Expert System Shells
2.6.1.1 CLIPS
2.6.1.2 Java Expert System Shell
2.6.1.3 JessGUI
2.6.1.4 JavaDON
2.6.2 Ontology Editor
2.6.3 Expert System Tools Review
2.7 Summary

CHAPTER THREE: METHODOLOGY AND DESIGN
3.1 Introduction
3.2 Research Methodology
3.3 Research Design
3.3.1 Studying Published Standards
3.3.2 Developing RA Whiz
3.3.3 Validating RA Whiz Results
3.4 The Underlying Concept of RA Whiz
3.4.1 ISMS Scope
3.4.2 Risk Assessment Approach
3.4.3 Relationship Models
3.4.3.1 Assets Identification
3.4.3.2 Threats Identification
3.4.3.3 Vulnerabilities Identification
3.4.4 Formulation of Questionnaires
3.5 Summary

CHAPTER FOUR: DEVELOPMENT OF RA WHIZ
4.1 Introduction
4.2 Facts and Rules
4.3 Relationship Models
4.3.1 Relationship 1 – Assets Relationship
4.3.1.1 Relating Primary Asset (Information) to Supporting Assets (Infrastructure and System)
4.3.2 Relationship 2 – Threats Relationship
4.3.3 Relationship 3 – Vulnerabilities Relationship
4.4 RA Whiz User Interface
4.5 Summary

CHAPTER FIVE: RESULTS AND ANALYSIS
5.1 Introduction
5.2 Risk Assessment Results
5.3 Validation of Results
5.3.1 Identification of Key Assets
5.3.2 Identification of Specific Threats
5.3.3 Identification of Common Threats
5.4 Overall Observation of Analysis
5.5 Summary

CHAPTER SIX: CONCLUSION AND MOVING FORWARD
6.1 Introduction
6.2 Finding Summary
6.3 Contribution
6.4 Future Work

REFERENCES

PUBLICATION / PRESENTATION


LIST OF TABLES

Table 1.1 Context of Research Questions in Association with Research Objectives
Table 2.1 Description of OCTAVE Methods
Table 2.2 Summary of Features of RA Whiz vs Expert Systems on Risk Assessment
Table 2.3 Summary of Expert System Tools Reviewed
Table 3.1 Asset – Impact Valuation
Table 3.2 Likelihood of Occurrence
Table 3.3 Types of Assets
Table 4.1 Facts and Rules in Risk Assessment
Table 4.2 List of Threats and Corresponding Vulnerabilities
Table 4.3 Summary of Relationship Between Physical Security Threats and Data Security Threats
Table 4.4 Summary of Relationship Between Network Security Threats and Data Security Threats
Table 4.5 Summary of Physical Security Threats and Corresponding Vulnerabilities
Table 4.6 Summary of Network Security Threats and Corresponding Vulnerabilities
Table 5.1 Description of Key Assets
Table 5.2 Q1 of Questionnaire
Table 5.3 Responses to Q1 of Questionnaire
Table 5.4 Q2 of Questionnaire
Table 5.5 Q2.1 of Questionnaire
Table 5.6 Responses to Q2.1 of Questionnaire
Table 5.7 Suggested Additional Threats
Table 5.8 Q2.2 of Questionnaire
Table 5.9 Responses to Q2.2 of Questionnaire
Table 5.10 Q3 of Questionnaire
Table 5.11 Q3.1 of Questionnaire
Table 5.12 Responses to Q3.1 of Questionnaire
Table 5.13 Suggested Additional Vulnerabilities
Table 5.14 Overall Observation of Analysis
Table 5.15 Summary of RA Whiz Results Validation
Table 6.1 Research Objective and Hypothesis Justification


LIST OF FIGURES

Figure 1.1 The Main Stages Undertaken in the Study
Figure 2.1 Risk Assessment Process
Figure 2.2 Summary of Literature Review
Figure 3.1 Description of the Phases in the Research Methodology
Figure 3.2 Research Design Process Flow
Figure 3.3 Architecture of RA Whiz
Figure 3.4 ISMS Certificates in Malaysia (ISO Survey of Management System Standard Certifications, 2013)
Figure 3.5 ISMS Certificates in Malaysia (breakdown by scope)
Figure 3.6 Information Security Risk Management Process (Reference: ISO/IEC 27005)
Figure 3.7 Risk Scales (Reference: ISO/IEC 27005)
Figure 3.8 Assets Relationship Model
Figure 3.9 Threats Relationship Model – 1
Figure 3.10 Threats Relationship Model – 2
Figure 3.11 Threats and Vulnerabilities Relationship Model
Figure 4.2 RA Whiz - Risk Assessment Tool Based on Protégé Ontology Editor
Figure 4.3 The Three Categories of Assets
Figure 4.4 Types of Assets in Ontograph
Figure 4.5 The Extension of Assets Based on Three Categories
Figure 4.6 Description of Data Centre Infra
Figure 4.7 Ontograph of Data Centre Infrastructure Assets
Figure 4.8 Description of Data Centre System
Figure 4.9 Ontograph of Data Centre System Assets
Figure 4.10 Description of Information
Figure 4.11 Ontograph of Information Assets
Figure 4.12 Information Containers
Figure 4.13 Description of Threats
Figure 4.14 Threats Ontograph
Figure 4.15 Description of Physical Security Threat
Figure 4.16 Ontograph of Physical Security Threats
Figure 4.17 Physical Security Threat – Equipment Failure
Figure 4.18 Physical Security Threat – Unauthorized Physical Access
Figure 4.19 Ontograph on the Relationship Between Physical Security Threat and Data Security Threat
Figure 4.20 Description of Network Security Threat
Figure 4.21 Ontograph of Network Security Threats
Figure 4.22 Network Security Threat – DoS/DDoS
Figure 4.23 Network Security Threat – Reconnaissance Attacks
Figure 4.24 Network Security Threat – Malware Attacks
Figure 4.25 Ontograph on the Relationship of Network Security Threat and Data Security Threat
Figure 4.26 Description of Vulnerability
Figure 4.27 Ontograph on the Relationship of Physical Security Threats and Their Corresponding Vulnerabilities
Figure 4.28 Ontograph on the Relationship of Network Security Threats and Their Corresponding Vulnerabilities
Figure 5.1 RA Whiz Screen Capture with Extended ViewComponent Tab Labelled as Security
Figure 5.2 Results of Risk Assessment – Data Centre System


TERMS AND ACRONYMS

CIA: Confidentiality, integrity and availability
CLIPS: C Language Integrated Production System
ISMS: Information Security Management System
ISO/IEC: International Organization for Standardization and International Electrotechnical Commission
JESS: Java Expert System Shell
NIST: National Institute of Standards and Technology, United States
OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation
OWL: Web Ontology Language


CHAPTER ONE

INTRODUCTION AND OVERVIEW

1.1 INTRODUCTION

Organizations that depend on information technologies consequently face a common issue: managing the information security risks that come with the use of those technologies. A report entitled Trial by fire (2009), published by PricewaterhouseCoopers based on its annual Global State of Information Security Survey for the year 2010, found that organizations have considered taking a risk-based approach as well as adopting a recognized security framework in addressing information security issues. The consistent outcome of this annual survey for the year 2011, in a report entitled Respected - but still restrained (2010), emphasized the importance of understanding information security risks and prioritizing investment to mitigate the most critical ones.

According to Humphreys (2008), if an organization does not know the risks it faces, it will not be able to implement proper and effective protection. Kailay and Jarrat (1995) highlighted that one of the gaps at the time was the limited number of risk analysis methodologies and corresponding tools for certain domain users. At present that gap has been addressed by several available risk assessment methodologies, such as ISO/IEC 27005, published by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC). This research aims to automate the risk assessment process by identifying a plausible set of risks for a particular scope in an Information Security Management System (ISMS) implementation.


Chapter 1 is organized as follows. Section 1.1 presents the introduction to this chapter; it discusses the need to respond to information security issues through an understanding of risks. The thesis overview in Section 1.2 briefly explains the risk-based approach in an information security management system. Section 1.2 also includes details of the research such as the problem statement, research objectives, research method, research questions and research hypothesis. At the end of Section 1.2, the significance of the study and the scope and limitations are discussed. Finally, the thesis structure is outlined in Section 1.3.

1.2 THESIS OVERVIEW

The critical importance of understanding and managing information security risk has resulted in a global effort to develop a standard for an Information Security Management System (ISMS). As stated by Humphreys (2008), the initiative to develop ISMS standards started in the early 1990s with the first draft of the British Standard BS 7799, which focused on security related to people, processes, information and Information Technology (IT). Humphreys (2007) described the evolution of BS 7799 Part 2, which was developed as a national standard and later formalized and published as the international standard ISO/IEC 27001 in 2005. Humphreys (2007) further elaborated that this standard adopts a risk-based approach to effective information security management, taking into consideration the information security aspects of the various areas within an organization.

Acknowledging the importance of information security management, the Ministry of Science, Technology and Innovation (MOSTI) in Malaysia has included a risk assessment framework as an initiative under Thrust 6: Compliance and Enforcement, one of the eight policy thrusts in the National Cyber Security Policy (2005).


CyberSecurity Malaysia (2010) stated that the Malaysian cabinet had agreed that all Critical National Information Infrastructure (CNII) organizations were to fulfil the ISMS standard requirements. In an ISMS implementation, an organization has to define a scope for the ISMS, and this scope is then subject to risk assessment and to the entire process of the management system. Hence, the inclusion of a risk assessment framework in the national policy has provided a sound foundation for the implementation of ISMS in Malaysia.

1.2.1 Problem Statement

In an ISMS, information security is managed by applying a risk management process within the management system. One of the sub-processes in risk management is risk assessment. According to Liao and Song (2003), automating risk assessment is difficult because of the heavy dependence on human experts in each phase of the process, as well as the lack of historical data that can be used.

In 2002, the National Institute of Standards and Technology (NIST) in the United States published NIST SP 800-30, Risk Management Guide for Information Technology Systems. This document includes a detailed risk assessment procedure. According to Peterson (2008), conducting a risk assessment that complies with NIST 800-30 is problematic for many organizations because the standards are voluminous and complex; a tool was developed to automate the risk management process to address this issue.

In the case of the ISMS standards, risk assessment guidelines such as ISO/IEC 27005 provide threats and vulnerabilities as listings which still need to be carefully analysed by expert assessors. Organizations therefore need experts in both risk management and information security to conduct a risk assessment that complies with the requirements of the ISMS standards. According to Aime et al. (2007), there is still a lack of automation in the information security risk area. Hence, automating the risk assessment process is seen as a gap that needs to be addressed to assist organizations in their ISMS implementation and certification efforts.

1.2.2 Research Question

The following research questions (RQ) are addressed in this thesis:

1. RQ1: What is a significant scope of an ISMS implementation?

2. RQ2: What are the key assets within the scope, and what are the corresponding threats and vulnerabilities that would lead to information security risks on those assets?

3. RQ3: What are the relationships between the key parameters that can be used to automate risk identification?

4. RQ4: How can the risk assessment process be automated?

1.2.3 Research Objective

This work attempts to automate the risk identification process by identifying a plausible set of risks for a particular scope in an ISMS implementation. An advisory system prototype named RA Whiz will be developed to demonstrate this automation. Relationship models for risk identification, focusing on assets, threats and vulnerabilities, will be developed and implemented in RA Whiz. Various guidelines from information security best-practice documents will be used to achieve the overall research objectives, guided by the research questions described in Section 1.2.2. The research objectives are:


1. RO1: To identify a scope that would be significant in an ISMS implementation

- To study the landscape of ISMS certification in Malaysia. Scopes undertaken by ISMS-certified organizations will be analysed and a significant scope to be used in this study will be identified.

2. RO2: To study a plausible set of risks for the identified scope

- To identify the key assets in the scope that need to be protected.

- To study potential threats and corresponding vulnerabilities on these assets. Assets, threats and vulnerabilities are the three key parameters in risk assessment.

3. RO3: To develop relationship models and implement them in an advisory system prototype to demonstrate risk assessment automation

- To develop relationship models of the key parameters.

- To use an ontology editor to create classes and object properties that represent the relationship models. These models will be used to automate risk identification. Other relevant risk parameters, such as the risk assessment approach, will be included to facilitate the risk assessment automation.
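The three relationship models named in the abstract and in RO3 (assets, threats, vulnerabilities) can be read as a small set of object-property triples over which risk identification is a graph walk. The following is an added example, not code from the thesis or from RA Whiz: it encodes such a knowledge base as plain Python triples instead of an OWL ontology (so it runs without Protégé or a reasoner) and derives the risk list for one primary asset. The asset and threat class names follow the thesis' figure titles; the individuals (CustomerRecords, DatabaseServer, ServerRack), the data security threats and the vulnerability names are constructed for illustration only.

```python
"""Added example: risk identification over three relationship models
(assets, threats, vulnerabilities) encoded as plain triples."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed triples (subject, object property, object). Asset and threat
# classes follow the thesis' figure titles; the individuals, the data security
# threats and the vulnerabilities are hypothetical, chosen to make the walk
# concrete. They are not RA Whiz's own ontology.
TRIPLES: List[Tuple[str, str, str]] = [
    # Assets relationship model: the primary asset (information) lives in
    # information containers, which are supporting assets (system, infra).
    ("CustomerRecords", "isA", "Information"),
    ("CustomerRecords", "isContainedIn", "DatabaseServer"),
    ("DatabaseServer", "isA", "DataCentreSystem"),
    ("DatabaseServer", "hostedOn", "ServerRack"),
    ("ServerRack", "isA", "DataCentreInfrastructure"),
    # Threats relationship model: threats on supporting asset classes, and the
    # data security threat each one gives rise to (the inherited risk).
    ("EquipmentFailure", "threatens", "DataCentreInfrastructure"),
    ("UnauthorizedPhysicalAccess", "threatens", "DataCentreInfrastructure"),
    ("DoSDDoS", "threatens", "DataCentreSystem"),
    ("MalwareAttack", "threatens", "DataCentreSystem"),
    ("EquipmentFailure", "leadsTo", "LossOfAvailability"),
    ("UnauthorizedPhysicalAccess", "leadsTo", "UnauthorizedDisclosure"),
    ("DoSDDoS", "leadsTo", "LossOfAvailability"),
    ("MalwareAttack", "leadsTo", "DataCorruption"),
    ("MalwareAttack", "leadsTo", "UnauthorizedDisclosure"),
    # Vulnerabilities relationship model: specific threat -> common vulnerability.
    ("EquipmentFailure", "exploits", "NoRedundantPowerSupply"),
    ("UnauthorizedPhysicalAccess", "exploits", "NoRackLevelAccessControl"),
    ("DoSDDoS", "exploits", "NoRateLimiting"),
    ("MalwareAttack", "exploits", "UnpatchedOperatingSystem"),
]

Index = Dict[str, Dict[str, Set[str]]]


def build_index(triples: List[Tuple[str, str, str]]) -> Index:
    """Group triples as {property: {subject: {objects}}} for direct lookup."""
    idx: Index = defaultdict(lambda: defaultdict(set))
    for subj, prop, obj in triples:
        idx[prop][subj].add(obj)
    return idx


def supporting_assets(idx: Index, primary: str) -> Set[str]:
    """Information containers of `primary`: follow isContainedIn and hostedOn
    transitively, so the infrastructure under the hosting system is found too."""
    found: Set[str] = set()
    stack = [primary]
    while stack:
        current = stack.pop()
        for prop in ("isContainedIn", "hostedOn"):
            for nxt in idx[prop].get(current, ()):
                if nxt not in found:
                    found.add(nxt)
                    stack.append(nxt)
    return found


def identify_risks(idx: Index, primary: str) -> List[Tuple[str, str, str, str]]:
    """Risk identification for one primary asset: for each supporting asset,
    every threat on its class, the data security threat it gives rise to on
    `primary`, and the vulnerability it exploits. A threat with no mapped
    vulnerability is still reported, flagged UNMAPPED, rather than silently
    dropped from the assessment."""
    rows: Set[Tuple[str, str, str, str]] = set()
    for asset in supporting_assets(idx, primary):
        for asset_class in idx["isA"].get(asset, ()):
            for threat, targets in idx["threatens"].items():
                if asset_class not in targets:
                    continue
                vulns = idx["exploits"].get(threat) or {"UNMAPPED"}
                for data_threat in idx["leadsTo"].get(threat, ()):
                    for vuln in vulns:
                        rows.add((asset, threat, data_threat, vuln))
    return sorted(rows)


if __name__ == "__main__":
    index = build_index(TRIPLES)
    print(f"{'Supporting asset':18} {'Threat':28} {'Data security threat':24} Vulnerability")
    for asset, threat, data_threat, vuln in identify_risks(index, "CustomerRecords"):
        print(f"{asset:18} {threat:28} {data_threat:24} {vuln}")
```

The output is one row per (supporting asset, threat, inherited data security threat, vulnerability) for the primary asset, which is the shape of result the thesis describes RA Whiz producing for the data centre scope; the analysis and evaluation steps (impact, likelihood, risk level) would be layered on top of these rows.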

Table 1.1 shows the context of the research objectives in addressing the research questions.


Table 1.1 Context of Research Questions in Association with Research Objectives

Research Question (RQ) | Research Objective (RO)

RQ1: What is a significant scope of an ISMS implementation?
RO1: To study the landscape of ISMS certification in Malaysia. Scopes undertaken by the ISMS-certified organizations will be analysed and a significant scope to be used in this study will be identified.

RQ2: What are the key assets within the scope and what are the corresponding threats and vulnerabilities that would lead to information security risks on the assets?
RO2: To identify key assets in the scope that need to be protected. To study potential threats and corresponding vulnerabilities on these assets. Assets, threats and vulnerabilities are the three key parameters in risk assessment.

RQ3: What are the relationships between the key parameters that can be used to automate risk identification?
RQ4: How to automate the risk assessment process?
RO3: To develop relationship models of the key parameters. To use an ontology editor to create classes and object properties to represent the relationship models. These models will be used for automating risk identification. Other relevant risk parameters such as the risk assessment approach will be included to facilitate the risk assessment automation.


1.2.4 Research Methodology

The study is carried out in phases to accomplish the overall research objectives. The research methodology is based on actual ISMS implementation within Malaysia. The landscape of ISMS certifications in Malaysia is used as the scope of the research. Figure 1.1 illustrates the main stages undertaken in conducting this study.

Figure 1.1: The Main Stages Undertaken in the Study

There are 5 phases undertaken in conducting this study. The research methodology corresponding to these phases is further explained in Chapter 3.

1.2.5 Research Hypothesis

The purpose of the case study is to find out whether there is a relationship between the types of assets identified in a particular scope of an ISMS implementation and the risks identified. It is common for the same set of risks to be identified repeatedly because key assets are grouped inefficiently. Hence, the hypothesis of this study is that automating risk identification to enable a full risk assessment will lead to acceptable risk assessment results based on predetermined relationship models.
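To make the relationship-model idea in RO3 and the asset-grouping point in the hypothesis concrete, the following is an added illustration written for this page, not the RA WHIZ prototype or its ontology. Asset groups stand in for ontology classes, the dictionaries stand in for object properties linking the three key parameters, and every asset, threat, vulnerability and risk matrix value is constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample model (illustration only, not the RA WHIZ knowledge base).
# An asset group plays the role of an ontology class; the dictionaries below
# play the role of object properties: group -> threats, threat -> vulnerabilities.
ASSET_GROUPS = {
    "server": {"T-power-loss", "T-malware"},
    "network-device": {"T-power-loss", "T-eavesdropping"},
}
THREAT_VULNS = {
    "T-power-loss": {"V-no-ups"},
    "T-malware": {"V-unpatched-os", "V-no-antivirus"},
    "T-eavesdropping": {"V-unencrypted-mgmt"},
}


@dataclass(frozen=True)
class Risk:
    asset_group: str
    threat: str
    vulnerability: str


def identify_risks(assets: dict[str, str]) -> set[Risk]:
    """Risk identification: map each in-scope asset to its group, then walk the
    group -> threat -> vulnerability links. Because risks are recorded at group
    level in a set, ten servers yield one risk per (threat, vulnerability) pair
    rather than ten repeated copies, which is the grouping problem the hypothesis
    describes."""
    risks: set[Risk] = set()
    for asset, group in assets.items():
        if group not in ASSET_GROUPS:
            raise ValueError(f"asset {asset!r} has unknown group {group!r}")
        for threat in ASSET_GROUPS[group]:
            for vuln in THREAT_VULNS.get(threat, ()):
                risks.add(Risk(group, threat, vuln))
    return risks


def risk_level(likelihood: int, impact: int) -> str:
    """A simple risk assessment approach (constructed 3x3 matrix) that an advisory
    system could apply to each identified risk during analysis and evaluation."""
    score = likelihood * impact
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


if __name__ == "__main__":
    inventory = {"srv01": "server", "srv02": "server", "sw01": "network-device"}
    for r in sorted(identify_risks(inventory), key=str):
        print(r, risk_level(2, 3))
```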

1.2.6 Significance of the Study

The findings of this research are expected to benefit organizations by aiding their information security risk assessment process. The advisory system may become a tool for risk assessors in the identification of assets and their relevant threats and vulnerabilities. The advisory system will also facilitate the analysis and estimation of corresponding risk levels for a specific scope in an ISMS implementation. This may become very handy during the initial attempt at risk assessment, especially for organizations that are working towards ISMS certification. By using a user-friendly ontology editor, the knowledge base could be updated from time to time. The relationship models could also be further expanded for different scopes of ISMS implementation.

1.2.7 Scope and Limitations

1.2.7.1 Scope of the Research

The main objective of this research is to model and implement risk identification automation within risk assessment. This study focuses on one scope of an ISMS implementation, which limits the boundary of the relevant assets that are identified and subjected to a risk assessment exercise. The scope of this study is listed below to mark its limits:


1. Looking at the ISMS certification landscape in Malaysia.

2. Focusing on the three key processes of risk assessment: risk identification, risk analysis and risk evaluation.

3. Automating risk identification for assets within an identified scope of an ISMS implementation.

This study focuses on secure data centre services as a scope of an ISMS implementation. There are several types of threats, including those related to human factors. Threats related to human factors are excluded from this study as they are an elaborate topic on their own. Threats related to humans can be categorized into motivation, opportunity and capability (Colwill, 2010). Human threats are also presented by identifying threat sources such as hackers, crackers and insiders and listing their corresponding motivations and threat actions, as published by the National Institute of Standards and Technology (Stoneburner et al., 2002) in the Risk Management Guide for Information Technology Systems document.

There are many studies focusing on people as threat sources. Amongst others are studies on improving compliance through training programs (Puhakainen & Siponen, 2010), user education in computer security (Gorling, 2006) and enforcement of baseline security policies and procedures as well as ongoing personnel checks (Colwill, 2010). With many guidelines available, organizations with good governance would have implemented some baseline controls with regard to human resources security to address common threats related to humans.


1.2.7.2 Limitation of the Research

There are limitations and challenges in the context of this study that should be noted:

1. Data constraint

The data available for public research is limited due to the confidentiality of classified information upheld by the certified organizations. However, reliable and sufficient data could be obtained by studying and analyzing relevant data from the following sources:

a) the International Register of ISMS Certificates available at http://www.iso27001certificates.com; and

b) the ISO Survey of Management System Standard Certifications available at http://www.iso.org/iso/home/standards/management-standards.htm.

2. Technical challenges

As much as this study hopes to focus on the technical aspects of information security, an ISMS is a management system, so technical issues would be addressed from all three aspects of the information security building blocks, namely people, process and technology.