Risk Analysis on IT Assets using Case-Based Reasoning
A Thesis Report
Submitted By
Afeef Veetil (Registration Number: 0713001)
Student of M.Sc.-Information Systems
Specialization: Internet Systems & Security
Under the Guidance of
Dr. S.K. Pandey
Chairperson, Department of Information Technology
June 2009
Department of Information Technology,
Manipal University – Dubai Campus,
Block No: 7, Dubai International Academic City, Dubai, UAE
Manipal University Dubai Campus
Certificate
This is to certify that the project work entitled “Risk Analysis on IT Assets using Case-Based Reasoning”, carried out by Afeef Veetil (Registration Number: 0713001), bona fide student of Manipal University Dubai Campus, is in partial fulfillment for the award of the Master's Degree in Internet Systems and Security of Manipal University Dubai Campus, during the year 2008 – 2009.
Project guide:
Dr SK Pandey
Chairperson Dept. of Information Technology
External Viva Date: _____________
External Examiner Name:
External Examiner Signature:
Acknowledgements
This thesis paper is submitted towards the Final Year Master of Science in Information Security 2009; Manipal University, Dubai Campus.
In the process of researching and writing this thesis, many people have been very generous with their time, advice and support. I would like to thank my supervisors, Professor Dr. S.K. Pandey, Chairperson, Department of IT, Mahe Manipal University Dubai Campus, and Mr. Mohammed Shabir, Head of IT, United Arab Bank, who was the project guide; without their encouragement, this thesis would not have been written.
I would also like to thank Mr. PathaSarathy, Lead Vulnerability Assessor at Paramount Computer Systems, and Mr. Suhas, Lead Risk Assessor at Paramount Computer Systems, who have also helped and guided me informally towards the success of this paper. Also my sincere gratitude to Mr. Mohandas K Nair, Senior Developer, Al Tayer Group of companies, for helping me in creating the prototype design forms.
Last but not least, my sincere thanks to my colleagues and my family; without them this paper would not have been completed.
Table of Contents
Chapter 1: Introduction
1.1. Purpose, Scope and Limitations
1.2. Sources and Methods
Chapter 2: Risk Assessment
2.1. Risk Assessment Methodology
2.1.1. Quantitative Analysis
2.1.2. Qualitative Analysis
2.1.2.1. Asset Value
2.1.2.2. Threat Level
2.1.2.3. Vulnerability Level
2.1.3. Quantitative V/S Qualitative Analysis
Chapter 3: Case Based Reasoning
3.1. Main types of CBR methods
3.2. The CBR cycle
3.3. CBR Inductive Retrieval using Decision Tree
Chapter 4: Applying CBR Technique in Risk Analysis
Chapter 5: Methodology
5.1. Decision Tree for E banking
5.2. Prototype Screen
Chapter 6: Conclusion
Glossary
Bibliography
List of Figures
Fig 1 Risk Assessment Procedure
Fig 2 Risk Factor Impact
Fig 3 CBR Cycle
Fig 4 Decision Tree
Fig 5 Risk Analysis System with CBR Workflow
Fig 6 Screen 1 of Assessment Tool
Fig 7 Screen 2 of Assessment Tool
Fig 8 Screen 3 of Assessment Tool
Fig 9 Screen 4 of Assessment Tool
Fig 10 Screen 10 of Assessment Tool
Fig 11 Report Screen of Assessment Tool
Abstract / Summary
The purpose of this thesis is to discuss a prototype that uses Case-Based Reasoning with a decision tree approach to assess the risk factor related to E-Banking. A qualitative risk analysis is done using the methodology specified by ISO 27001. The case-based reasoning values are attained with a decision tree approach. To analyze this, an E-banking system (EB) is taken under study, as EB appears to be essential for any bank's day-to-day business, extending its support to customers through an online presence. The security of the EB system, which ensures authorized and correct transaction processing, therefore becomes one of the most critical issues in implementing the system. The analysis of the risk that a system faces is the core part of security management. Risk analysis can identify the principal assets, the threats to and vulnerabilities of those assets, and the risks confronting the assets. The process of the proposed system is composed of four steps: initial data collection, asset evaluation, threat and vulnerability evaluation, and generation of the risk analysis result.
This system employs a case base of past analyses and security incidents. The proposed system is the first to apply the CBR technique to risk analysis for finding the Risk Factor based on the threats and vulnerabilities of an EB system.
Chapter 1: Introduction
Risk analysis on IT assets has become a vital process, as heavy financial losses, breaches of privacy, and even the downfall of corporations have recently been attributed to the inability of corporations to protect themselves from cyber-risks. Cyber-risks are generated by hackers, malicious software, disgruntled employees, competitors, and many other sources both internal and external. These external and internal cyber-attacks on corporate assets, together with an increasingly technology-savvy corporate management, have led to a greater awareness of the information security risks to corporate information than ever previously experienced in corporations and government agencies.
It should be rather clear that organizations need a reliable method for measuring the effectiveness of their information security program. An information security risk assessment is designed specifically for that task. An information security risk assessment, when performed correctly, can give corporate managers the information they need to understand and control the risks to their assets. The challenge is how to perform a security risk assessment correctly, efficiently, and effectively.
Case-Based Reasoning (CBR) is a problem solving technique based on the reuse of past experiences. For this reason there is considerable optimism about its use in difficult problem solving areas where human expertise is evidently experience based. It is particularly suitable in weak theory domains, that is, on types of problems where cause and effect are not well understood.
1.1. Purpose, Scope and Limitations
The majority of risk analyses are done using a memory-based approach, in which threat and vulnerability, the two major factors in any risk assessment method, are assessed from the experience and judgment of the risk assessor. Relying solely on the risk assessor's experience may jeopardize the entire purpose of the risk assessment. The purpose of this thesis is to discuss the effectiveness of Case-Based Reasoning on each case [threat] in assessing the value of the Risk Factor: each threat is compared with a database of the possible vulnerabilities for that particular case. Once a threat is identified and a vulnerability pertaining to that threat is also identified, the risk assessor is prompted with a decision tree to decide, based on the controls already in place, the threat or vulnerability level to which the particular asset under study is exposed. This ensures that the risk assessor has covered all the possible vulnerabilities associated with the threat that are already in the database. If a particular vulnerability or threat is not listed in the database, the assessor can always add it as a new case, which can then be used for similar risk assessments at a later stage.
This thesis in no way introduces a new risk assessment methodology, as the methodology in practice is well proven. The thesis only tries to introduce a tool with which the risk assessor can enhance the quality of the assessment.
The scope of this study is to discuss the effectiveness of a Case-Based Reasoning system in assessing the risk value by calculating the Risk Factor for an E-Banking system. This paper does not cover the full risk assessment cycle or risk treatment.
The approach can only be used for a qualitative risk assessment. Since the Risk Factor is highly dependent on the variables asset value, threat and vulnerability, each factor has its limitations. Asset value is highly dependent on the business. Threat and vulnerability are dependent on the business and the region, so the approach currently carries these dependencies as well, but once the database holds more samples the reliability of this approach will be much higher. As the assessment of threat and vulnerability are the factors most dependent on human experience, both factors have to undergo the case-based reasoning technique. Another limitation of this method is that the technique is more relevant for an organization that performs risk assessments for various clients, as a large database has to be collected beforehand. Such a database is normally confined to individual risk assessment consultants or consultancy organizations, as previous cases pertaining to a particular assessment are normally not allowed to be shared under the NDA signed between the consultants and the client's organization.
1.2. Sources and Methods
The statistics used for building the database in this work are indicative, as real data are not publicly available for security reasons: the risks of an organization cannot be made public. For the proof of concept, however, indicative values can be used. The risk assessment of E-banking is done on an organization's E-banking system.
The risk analysis methodology used in this paper is as suggested by the ISO 27001 directives. The Information Technology — Code of Practice for Information Security Management (ISO 27001) was issued by the International Organization for Standardization. The objective of the standard is to provide a common basis for organizations developing information security management programs. ISO 27001 comprises a set of information security controls seen as best practices and applicable to most organizations.
Case-Based Reasoning (CBR) is a problem solving technique based on the
reuse of past experiences. CBR techniques use different methodologies
like Cohen’s Formula [Nearest Neighbor Algorithm], KATE
Chapter 2: Risk Assessment
Risk Assessment activity measures the strength of the overall security
program and provides the information necessary to make planned
improvements based on information security risks. The security risk
assessment is the tool of senior management that gives them an
effectiveness measurement of their security controls and an indication of
how well their assets are protected. The objective of this analysis is to
analyze the effectiveness of the current security controls that protect an
organization’s assets and a determination of the probability of losses to
those assets. A security risk assessment reviews the threat environment of
the organization, the value of assets, the criticality of systems, the
vulnerabilities of the security controls, the impact of expected losses, and
recommendations for additional controls to reduce risk to an acceptable
level. Based on this information the senior management of the
organization can determine if additional security controls are required.
Figure 1 below depicts a typical risk assessment cycle, including the treatment plan process.
Figure 1 Risk Assessment Procedure
2.1. Risk Assessment Methodology
Kailay and Jarratt (1995) stated that the risk is the potential for damage to
a system or associated assets that exist as the result of the combination of a
security threat and vulnerability. The risk is the combination of threats,
vulnerability and asset value. The term vulnerability is a weakness in the
security system that might be exploited to cause loss or harm (Pfleeger, 1989). Threats are defined as the sources or circumstances that have the potential to cause loss or harm (Kailay and Jarratt, 1995; Pfleeger, 1989).
Risk analysis is a systematic process to examine the threats facing the IT
assets and the vulnerabilities of these assets and to show the likelihood
that these threats will be realized.
Risk analysis begins with the identification of IT assets. However, not all
the assets require protection; therefore the boundary of the review should
be established during asset identification. After the boundary is specified,
the overall worth of the identified assets should be assessed. The next step
is to identify all possible threats to the identified assets and to note
vulnerabilities. As with the IT assets, all the threats will not necessarily be
realized for each identified asset. Only those threats that are likely to occur
in any given organization need be identified. The identified threats are
assessed as the likelihood of occurrences in accordance with the related
vulnerabilities. The final step is the analysis of the risk in the current IT environment. The impact of the threats is analyzed in this step. This assessment should take into account the asset value within the review boundary and the identified threats and vulnerabilities. The assessed impact leads to risk measures.
Fig 2. Risk Factor Impact
There are many risk assessment techniques in practice, but fundamentally the variables determining the risk assessment are common to all of them; they are:
o value of the asset;
o likelihood that a vulnerability will be exploited; and
o severity of the impact.
Various risk analysis methodologies used currently are categorized into
quantitative and qualitative. This paper discusses more on calculating the
risk factor on the qualitative approach.
2.1.1. Quantitative Analysis
The quantitative methodologies usually calculate the impact and frequency
of threats mathematically. Quantitative analysis is an approach that relies
on specific formulas and calculations to determine the value of the risk
decision variables. There are several formulas that are commonly
associated with quantitative security risk analysis. These formulas cover
the expected loss for specific risks and the value of safeguards to reduce
the risk.
There are three classic quantitative risk analysis formulas: annual loss
expectancy, single loss expectancy, and safeguard value:
o Annual Loss Expectancy (ALE) = Single Loss Expectancy * Annual Rate of Occurrence.
o Single Loss Expectancy (SLE) = Asset Value * Exposure Factor.
o Safeguard Value = ALE Before - ALE After - Annual Safeguard Cost.
Thus management can work out the amount to be spent on protecting the particular asset against the listed threats.
2.1.2. Qualitative Analysis
Whereas quantitative analysis relies on complex formulas and monetary or
frequency values for the variables, qualitative analysis relies on the
subjective judgment of the security risk assessment members to determine
the overall risk to the information systems. The same basic elements are
required to determine risk, such as asset value, threat frequency, impact,
and safeguard effectiveness, but these elements are now measured in
subjective terms such as ‘‘high’’ or ‘‘not likely.’’
The formula used to assess the Risk Factor is depicted below:
RISK FACTOR = ASSET VALUE + THREAT + VULNERABILITY + LIKELIHOOD OF OCCURRENCE
The Risk Factor thus arrived at is analyzed using the Risk Matrix to depict the exposure of the asset in terms of the security risk associated with it.

                       Levels of threat
                Low (1)        Medium (2)     High (3)
                Levels of vulnerability
Asset Value     L  M  H        L  M  H        L  M  H
                1  2  3        1  2  3        1  2  3
Negligible  1   3  4  5        4  5  6        5  6  7
Low         2   4  5  6        5  6  7        6  7  8
Medium      3   5  6  7        6  7  8        7  8  9
High        4   6  7  8        7  8  9        8  9 10
Very High   5   7  8  9        8  9 10        9 10 11
Table 1 - Risk Matrix
The factors in the above table are discussed in more detail below.
2.1.2.1. Asset Value
As shown in Table 1 above, asset value is quantified on a scale from 1 to 5, measured using the levels Negligible through Very High, Negligible being the least.
The asset value is measured by the corresponding business unit, considering various factors such as the importance of the asset to the business in terms of the revenue generated and the likely loss of revenue in the event of unavailability due to any threat or vulnerability. So the asset value varies from business to business and organization to organization.
For example, an email server used by an airline for sending reservation tickets and communicating with customers is very vital: for the airline, service disruption to the asset "email server" can incur financial loss as well as reputational risk, since tickets are not sent out to customers, which may affect customer confidence.
Whereas in a bank where the dependency on the email server to run its business is very low, it may not consider the asset value as VERY HIGH or HIGH, as the bank can afford unavailability of the service for a specific period of time, so it may value the asset as MEDIUM. But if another bank sends out customer statements by email, it may consider the asset value as HIGH.
2.1.2.2. Threat Level
Threats are identified from various sources pertaining to the region or business. Most threats are common to every business and region; only the assessed level of the threat varies. This assessment is purely based on memory-based reasoning or on interviewing various stakeholders. Once the threat level is identified, it is scaled as LOW, MEDIUM or HIGH.
As mentioned, the threat level varies from business to business and region to region.
For example: the possibility of robbery is much higher in some places, like India, compared to the UAE, where it is very low as the reported number of robberies is lower. So in India the threat Robbery/Theft will be HIGH while in the UAE it can be MEDIUM.
Even though the risk assessor may take a historical and statistical approach to assessing the threat level, the level is identified partly by his judgment, so the chances of missing the real threats are high.
2.1.2.3. Vulnerability Level
Each threat will be associated with various vulnerabilities. The risk assessor evaluates the current controls in place to assess the exposure of the vulnerability relative to those controls. Each vulnerability level is then scaled from LOW to HIGH after assessing the controls in place and the likelihood that the vulnerability can expose the asset to the threat.
For example:
a. For a publicly available system with no firewall, the vulnerability level associated with the threat Hackers will be HIGH, whereas for another organization with a firewall and IPS it will be LOW.
b. An asset Car with value HIGH, with the threat Robbery and the vulnerability of having a door lock but no theft alarm, will be HIGH in a country like India but MEDIUM in the UAE, as the vulnerability of not having a theft alarm is subjective.
The vulnerability level assessment is still the risk assessor's memory-based reasoning, or may be concluded after an interview or statistical analysis. But the chance of missing the right vulnerability or misjudging the controls in place can lead to a wrong interpretation.
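As an added example (not code from the thesis or its prototype), the following Python puts the three quantitative formulas of 2.1.1 and the qualitative Risk Factor of Table 1 side by side. Every cell of Table 1 equals asset value + threat level + vulnerability level, and that is what `risk_factor` computes; the likelihood-of-occurrence term written in the formula line is not a separate column of the table, so it is not a separate argument here. The monetary figures in the `__main__` section are constructed for illustration, and the qualitative sample uses the values of the Chapter 5 E-banking case (asset value Very High = 5, threat level 2, vulnerability Low = 1, giving 8). The function and constant names are this example's own.

```python
# Added example, not from the thesis: quantitative formulas of 2.1.1 and the
# qualitative Risk Factor / Risk Matrix of 2.1.2 (Table 1).
from typing import Dict, List

# --- 2.1.1 Quantitative analysis -------------------------------------------

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value * Exposure Factor (exposure factor is a fraction 0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def annual_loss_expectancy(sle: float, annual_rate_of_occurrence: float) -> float:
    """ALE = Single Loss Expectancy * Annual Rate of Occurrence."""
    return sle * annual_rate_of_occurrence

def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Safeguard Value = ALE before - ALE after - annual safeguard cost.
    A negative result means the safeguard costs more than the loss it avoids."""
    return ale_before - ale_after - annual_cost

# --- 2.1.2 Qualitative analysis --------------------------------------------

# Scales exactly as in Table 1 (labels -> scores).
ASSET_VALUE_SCALE = {"Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
THREAT_SCALE = {"Low": 1, "Medium": 2, "High": 3}
VULNERABILITY_SCALE = {"Low": 1, "Medium": 2, "High": 3}

def risk_factor(asset_value: str, threat: str, vulnerability: str) -> int:
    """Risk Factor as tabulated in Table 1: asset value + threat + vulnerability.
    Arguments are the qualitative labels; unknown labels are rejected."""
    try:
        return (ASSET_VALUE_SCALE[asset_value]
                + THREAT_SCALE[threat]
                + VULNERABILITY_SCALE[vulnerability])
    except KeyError as exc:
        raise ValueError(f"unknown level: {exc.args[0]}") from None

def build_risk_matrix() -> Dict[str, List[int]]:
    """Regenerate Table 1: one row per asset value, nine cells per row ordered
    threat Low/Medium/High and, within each threat level, vulnerability L/M/H."""
    return {av: [risk_factor(av, t, v) for t in THREAT_SCALE for v in VULNERABILITY_SCALE]
            for av in ASSET_VALUE_SCALE}

def assess_threat(asset_value: str, threat: str, vulnerabilities: Dict[str, str]) -> Dict[str, int]:
    """One Risk Factor per vulnerability of a threat, as in the Chapter 5 tree:
    E-banking (Very High = 5), threat level Medium (2), vulnerability Low (1) -> 8."""
    return {name: risk_factor(asset_value, threat, level) for name, level in vulnerabilities.items()}

if __name__ == "__main__":
    # Quantitative: constructed illustrative numbers, not from the thesis.
    sle = single_loss_expectancy(asset_value=200_000, exposure_factor=0.25)   # 50000.0
    ale = annual_loss_expectancy(sle, annual_rate_of_occurrence=0.5)          # 25000.0
    print("SLE", sle, "ALE", ale, "safeguard value", safeguard_value(ale, 5_000, 8_000))  # 12000.0
    # Qualitative: Table 1 regenerated, then the Chapter 5 E-banking case.
    for row, cells in build_risk_matrix().items():
        print(f"{row:<10}", cells)
    print(assess_threat("Very High", "Medium",
                        {"Near explosive manufacturing units": "Low",
                         "Combustible material near datacenter": "Low"}))   # both 8
```

Regenerating the matrix from the scales is a useful self-check when the tool's tables are edited by hand: any cell that no longer equals the sum of its three scores indicates an inconsistent scale or a typo in the matrix.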
2.1.3. Quantitative V/S Qualitative Analysis
Selecting the proper analysis approach really depends on the time, scope and quality required of the risk assessment. The tables below list some of the advantages and disadvantages of both the quantitative and qualitative approaches to risk assessment.

Advantages
Quantitative:
• Applicability to all assets
• Mathematical foundation
• Support to cost-benefit decision
• More credible as based on real calculations
• Can support budget decisions as the values are in cost
Qualitative:
• Simple risk calculation
• Usability to the irrelevant or unknowable asset value
• Less time consuming
• Provides adequate identification of problem areas
Table 2: Advantages of the Quantitative and Qualitative Approaches

Disadvantages
Quantitative:
• Inappropriateness of monetary value of asset value
• Inappropriateness of general statistics
• Time consuming
• Complex formulas
Qualitative:
• Coarse granularity
• Inability of cost-benefit decision
• Subjective result
• Difficult to track improvements
• Subjective asset value
Table 3: Disadvantages of the Quantitative and Qualitative Approaches
Chapter 3: Case Based Reasoning
Case-Based Reasoning (CBR) is a problem solving technique based on the
reuse of past experiences. As past experiences are used there is
considerable optimism about CBR’s use in difficult problem solving areas
where the problem has to depend on human expertise, which are evidently
experience based. It is particularly suitable in weak theory domains, which
are on types of problems where cause and effect are not well understood.
A case is a prior experience and, therefore, is situation-specific and
domain-dependent. A case base is the collection of cases (Brown and
Gupta, 1994). A case base is to a CBR system as a knowledge base is to a
rule-based system. The CBR technique is one of the major artificial
Intelligence (AI) methodologies and is mostly applied to the problem-
solving and learning area.
The fundamental principle of the CBR technique is similar to that of the human reasoning process. Humans use analogical reasoning in complex situations, which employs solutions to past problems to solve current ones. While humans use analogical reasoning, the limitation of the human brain means that not all past cases are taken into consideration. As the number of cases increases, humans seem to use the cases most recently solved or those that seem most important. However, the CBR system can overcome this limitation and use all past cases in its reasoning, potentially making more effective decisions. It can use successful cases to solve current problems or failed cases to adjust solutions to them. The CBR life cycle is described below.
When the CBR system is presented with a new problem, it selects past cases that are similar to the current problem and proposes a solution based on the solutions to the selected past cases. Once the system's solution is evaluated, the evaluation results are reported to the system. The system updates its case base by capturing and storing important lessons learned during the problem-solving process.
3.1. Main types of CBR methods
The CBR paradigm covers a range of different methods for organizing,
retrieving, utilizing and indexing the knowledge retained in past cases.
Cases may be kept as concrete experiences, or a set of similar cases may
form a generalized case. Cases may be stored as separate knowledge units
or split up into subunits and distributed within the knowledge structure.
Cases may be indexed by a prefixed or open vocabulary, and within a flat
or hierarchical index structure. The solution from a previous case may be
directly applied to the present problem, or modified according to
differences between the two cases. The matching of cases, adaptation of
solutions, and learning from an experience may be guided and supported
by a deep model of general domain knowledge, by more shallow and
compiled knowledge, or be based on an apparent, syntactic similarity only. CBR methods may be purely self-contained and automatic, or they may interact heavily with the user for support and guidance of their choices. Some CBR methods assume a rather large amount of widely distributed cases in their case base, while others are based on a more limited set of typical ones. Past cases may be retrieved and evaluated sequentially or in parallel.
Actually, "case-based reasoning" is just one of a set of terms used to refer to systems of this kind. This has led to some confusion, particularly since case-based reasoning is used both as a generic term for several types of more specific approaches and as the name of one such approach. To some extent, this can also be said of analogy reasoning. An attempt at clarifying the terms related to case-based reasoning, although it does not resolve the confusion, is given below.
o Exemplar-based reasoning
The term is derived from a classification of different views to concept
definition into "the classical view", "the probabilistic view", and "the
exemplar view" (see [Smith-81]). In the exemplar view, a concept is
defined extensionally, as the set of its exemplars. CBR methods that
address the learning of concept definitions (i.e. the problem addressed by
most of the research in machine learning) are sometimes referred to as
exemplar-based. Examples are early papers by Kibler and Aha [Kibler-87], and Bareiss and Porter [Porter-86]. In this approach, solving a problem is a classification task, i.e. finding the right class for the unclassified exemplar. The class of the most similar past case becomes the solution to the classification problem. The set of classes constitutes the set of possible solutions. Modification of a solution found is therefore outside the scope of this method.
o Instance-based reasoning.
This is a specialization of exemplar-based reasoning into a highly
syntactic CBR-approach. To compensate for lack of guidance from
general background knowledge, a relatively large number of instances are
needed in order to close in on a concept definition. The representation of the instances is usually simple (e.g. feature vectors), since a major focus is to study automated learning with no user in the loop. Instance-based reasoning labels recent work by Kibler and Aha and colleagues [Aha-91], and serves to distinguish their methods from more knowledge-intensive exemplar-based approaches (e.g. Protos' methods). Basically, this is a non-generalization approach to the concept learning problem addressed by classical, inductive machine learning methods.
o Memory-based reasoning.
This approach emphasizes a collection of cases as a large memory, and reasoning as a process of accessing and searching in this memory. Memory organization and access is a focus of the case-based methods. The utilization of parallel processing techniques is a characteristic of these methods, and distinguishes this approach from the others. The access and storage methods may rely on purely syntactic criteria, as in the MBR-Talk system [Stanfill-88], or they may attempt to utilize general domain knowledge, as in PARADYME [Kolodner-88] and the work done in Japan on massive parallel memories [Kitano-93].
o Case-based reasoning.
Although case-based reasoning is used as a generic term in this paper, the
typical case-based reasoning methods have some characteristics that
distinguish them from the other approaches listed here. First, a typical case
is usually assumed to have a certain degree of richness of information
contained in it, and a certain complexity with respect to its internal
organization. That is, a feature vector holding some values and a
corresponding class is not what we would call a typical case description.
What we refer to as typical case-based methods also have another characteristic property: they are able to modify, or adapt, a retrieved solution when applied in a different problem solving context. A
paradigmatic case-based method also utilizes general background
knowledge - although its richness, degree of explicit representation, and
role within the CBR processes varies. Core methods of typical CBR
systems borrow a lot from cognitive psychology theories.
o Analogy-based reasoning.
This term is sometimes used, as a synonym to case-based reasoning, to
describe the typical case-based approach just described [Veloso-92].
However, it is also often used to characterize methods that solve new
problems based on past cases from a different domain, while typical case-
based methods focus on indexing and matching strategies for single-
domain cases. Research on analogy reasoning is therefore a subfield
concerned with mechanisms for identification and utilization of cross-
domain analogies [Kedar-Cabelli-88, Hall-89]. The major focus of study
has been on the reuse of a past case, what is called the mapping problem:
Finding a way to transfer, or map, the solution of an identified analogue
(called source or base) to the present problem (called target).
3.2. The CBR cycle
At the highest level of generality, a general CBR cycle may be described by the following four processes (as a mnemonic, try "the four REs"):
1. RETRIEVE the most similar case or cases
2. REUSE the information and knowledge in that case to solve the problem
3. REVISE the proposed solution
4. RETAIN the parts of this experience likely to be useful for future problem solving
A new problem is solved by retrieving one or more previously experienced cases, reusing the case in one way or another, revising the solution based on reusing a previous case, and retaining the new experience by incorporating it into the existing knowledge base (case base). The four processes each involve a number of more specific steps, which will be described in the task model.
Fig 3 CBR Cycle
3.3. CBR Inductive Retrieval using Decision Tree
As the final outcome of CBR is to retrieve the similar case from the database, in this paper a decision tree methodology is used for retrieval.
A decision tree retrieves the similar case using the decisions made at the input level to search the database. This is a hierarchical tree in which the decision is made once no further sub-tree is available.
If the case is not listed, it goes through the LEARNING process and is added to the database for future REUSE.
A typical table and the decision tree used for it are depicted below.

Case - Starting point by Car | Destination | Road          | Between 6 AM and 8 AM | Retrieved Value
Sharjah                      | Dubai       | Emirates Road | Yes                   | 90 minutes
Sharjah                      | Dubai       | Emirates Road | No                    | 30 minutes
Sharjah                      | Dubai       | Ittihad Road  | Yes                   | 70 minutes
Table 4 Decision Tree Sample Data

Sharjah
  >>> Emirates Road
        Between 6 am and 8 am?
          YES -> 90
          NO  -> 30
  >>> Ittihad Road
        Between 6 am and 8 am?
          YES -> Learning Mode (New Case)
          NO  -> 30
(leaf = retrieved value measure)
Fig 4 Decision Tree for Table 4
In the decision tree above, the arm "Sharjah, Ittihad Road, Yes" does not have a value, as there is no value for it in the table. This could be added to the table as a new case [learning algorithm].
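The following Python is an added example, not the thesis prototype, of the retrieval just described: the case base of Table 4 is indexed as a hierarchical decision tree, a lookup walks the tree along the decisions, and a path that reaches no leaf enters the learning mode and is retained as a new case. `solve` strings together the four REs of section 3.2 (retrieve, reuse, revise, retain). The `Case` alias, the `LEAF` marker and the function names are this example's own choices; the `TABLE_4` rows are the thesis sample data, and the extra "Ittihad Road / No" case fed in below is constructed to show the learning mode.

```python
# Added example, not from the thesis: decision-tree retrieval over a case base
# with a learning mode for unseen cases (sections 3.2 and 3.3).
from typing import Dict, List, Optional, Tuple

# A case is a path of decisions (attribute values, in tree order) ending in a leaf value.
Case = Tuple[Tuple[str, ...], str]

# Table 4 of the thesis: (start, destination, road, "between 6 AM and 8 AM") -> value.
TABLE_4: List[Case] = [
    (("Sharjah", "Dubai", "Emirates Road", "Yes"), "90 minutes"),
    (("Sharjah", "Dubai", "Emirates Road", "No"), "30 minutes"),
    (("Sharjah", "Dubai", "Ittihad Road", "Yes"), "70 minutes"),
]

LEAF = "__value__"   # key under which a node stores its retrieved value

def retain(tree: Dict, path: Tuple[str, ...], value: str) -> None:
    """RETAIN (learning mode): store a new or revised case under its decisions,
    creating any sub-trees that do not exist yet."""
    node = tree
    for decision in path:
        node = node.setdefault(decision, {})
    node[LEAF] = value

def build_tree(cases: List[Case]) -> Dict:
    """Index the case base as a hierarchical decision tree (nested dicts)."""
    root: Dict = {}
    for path, value in cases:
        retain(root, path, value)
    return root

def retrieve(tree: Dict, path: Tuple[str, ...]) -> Optional[str]:
    """RETRIEVE: walk the tree along the decisions and return the leaf value.
    Returns None when a decision has no sub-tree or the path stops short of a
    leaf, i.e. the case is not in the case base."""
    node = tree
    for decision in path:
        node = node.get(decision)
        if node is None:
            return None
    return node.get(LEAF)

def solve(tree: Dict, path: Tuple[str, ...], observed: Optional[str] = None) -> Tuple[str, str]:
    """One pass of the CBR cycle for a new problem. Returns (outcome, value):
    'reused'  - the case base answered (and the observation, if any, agreed);
    'revised' - the retrieved value disagreed with the observation and was replaced;
    'learned' - no case matched, so the observed value was retained as a new case;
    'unknown' - no case matched and there was nothing to learn from."""
    value = retrieve(tree, path)
    if value is not None:
        if observed is None or observed == value:
            return "reused", value
        retain(tree, path, observed)          # REVISE: correct the stored solution
        return "revised", observed
    if observed is None:
        return "unknown", ""
    retain(tree, path, observed)              # learning mode: add the new case
    return "learned", observed

if __name__ == "__main__":
    tree = build_tree(TABLE_4)
    trip = ("Sharjah", "Dubai", "Ittihad Road", "No")      # constructed: not in Table 4
    print(solve(tree, ("Sharjah", "Dubai", "Emirates Road", "Yes")))   # ('reused', '90 minutes')
    print(solve(tree, trip))                                          # ('unknown', '')
    print(solve(tree, trip, "30 minutes"))                            # ('learned', '30 minutes')
    print(solve(tree, trip))                                          # ('reused', '30 minutes')
```

The same structure carries over to the risk tool: the decisions become the assessor's answers about controls in place, and the leaf becomes the threat or vulnerability level recorded in earlier assessments, with an unmatched path prompting the assessor instead of silently defaulting.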
Chapter 4: Applying CBR Technique in Risk Analysis
The proposed system in this study has two sub-goals, which are threat analysis and vulnerability analysis. The process is composed of four steps as shown in Figure 4. First, the system collects data about the business and IT environment of an organization by asking questions. Once the first task of ascertaining the asset value is complete and the asset value and asset details have been entered, the system verifies whether the case memory provides a relevant case at this point for identifying the threat level. The system then focuses on the analysis of the threat level by asking the assessor a few questions drawn from previous cases, to see whether anything can be adopted from them.
Fig 5 Risk Analysis System with CBR Workflow
During this process, the system may ask additional questions about the
environment of the organization. If a case of a past security incident is
recalled, the system attempts to find out whether it is possible for that
incident to occur in the current case. Then the system produces initial
results from the recall and adaptation process.
Chapter 5: Methodology
Based on the above risk methodology and the CBR technique of assessing
risk using a decision tree, a case study is done on an e-banking system
with sample data.
5.1. Decision Tree for E banking
E banking [Asset Value=5]* Ascertained by the Business Unit
|
Threat
|
Threat 1:"Fires, Explosions"
|
Fire incident is common in this Area
|
YES=1 √
NO=0
|
Are there any Written Procedures to be followed in an event of Fire
|
YES=1
NO=0 √
|
Any Fire Evacuation Drill Conducted in Last 6 months
|
YES=1 √
NO=0
|
New Case to Be Added
|
Threat Level= 2
|
Vulnerability of Fires Explosions
|
Is the Datacenter near to Oil, Gas & Explosive Chemicals manufacturing units?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR1=AV+T+V=5+2+1=8
|
Is there any Combustible Material Found near to Datacenter?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR2=AV+T+V=5+2+1=8
|
Are the interiors of the Data Center made of non-combustible material?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR3=AV+T+V=5+2+1=8
|
Is the quality of the electrical circuits & equipment superior?
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR4=AV+T+V=5+2+1=8
|
Are the gas cylinders and pipes properly protected?
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR5=AV+T+V=5+2+1=8
|
Is the Fire Suppression System [FM200] enabled?
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR6=AV+T+V=5+2+1=8
|
Is the Fire Suppression System [FM200] properly maintained?
|
LOW=1
MEDIUM=2 √
HIGH=3
RISK FACTOR7=AV+T+V=5+2+1=8
|
Is the Fire Detection System properly maintained?
LOW=1
MEDIUM=2 √
HIGH=3
RISK FACTOR8=AV+T+V=5+2+2=9
|
Is the fire fighting equipment properly maintained?
LOW=1
MEDIUM=2 √
HIGH=3
RISK FACTOR9=AV+T+V=5+2+2=9
|
Is there strict control of smoking near the premises?
LOW=1
MEDIUM=2 √
HIGH=3
RISK FACTOR10=AV+T+V=5+2+2=9
|
New Case
|
Vulnerability Level = ∑(Risk Factor 1..10) = 83
Threat 2: "Earth Quake"
|
Earthquake is common in this Area
|
YES=1
NO=0 √
|
Are there any Written Procedures to be followed in an event of Earthquake?
|
YES=1
NO=0 √
|
New Case to Be Added
|
Threat Level= 1
|
Vulnerability of Earthquake
|
Is the Datacenter in a Seismic Zone?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR1=AV+T+V=5+1+1=7
|
Is the Datacenter situated in a skyscraper building?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR2=AV+T+V=5+1+1=7
|
Are the interiors of the Data Center and the roof/structure of superior quality?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR3=AV+T+V=5+1+1=7
|
New Case
|
Vulnerability Level = ∑(Risk Factor 1..3) = 21
Threat 3: "Hurricane"
|
Hurricane is common in this Area
|
YES=1
NO=0 √
|
Are there any Written Procedures to be followed in an event of Hurricane?
|
YES=1
NO=0 √
|
New Case to Be Added
|
Threat Level= 1
|
Vulnerability of Hurricane
|
Is the Datacenter in a hurricane-prone area?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR1=AV+T+V=5+1+1=7
|
Is the Datacenter situated near the sea shore?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR2=AV+T+V=5+1+1=7
|
Is the Datacenter situated on the ground floor?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR3=AV+T+V=5+1+1=7
|
Is the Datacenter situated in open space?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR4=AV+T+V=5+1+1=7
|
Does the Data Center have a raised floor?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR5=AV+T+V=5+1+1=7
|
New Case
|
Vulnerability Level = ∑(Risk Factor 1..5) = 35
Threat 4: "Hardware/Software Failures"
|
Is standardized hardware in place?
|
YES=1
NO=0 √
|
Are AMCs with hardware vendors in place?
|
YES=1
NO=0 √
|
Are AMCs with software vendors in place?
|
YES=1
NO=0 √
|
New Case to Be Added
|
Threat Level= 3
|
Vulnerability of Hardware/Software Failures
|
Is the usage of standard hardware with superior quality in place?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR1=AV+T+V=5+3+1=9
|
Is there any usage of incompatible peripherals and spare parts?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR2=AV+T+V=5+3+1=9
|
Is UAT in practice before going live?
|
LOW=1
MEDIUM=2√
HIGH=3
RISK FACTOR3=AV+T+V=5+3+2=10
|
Is there a change management process in place?
|
LOW=1
MEDIUM=2√
HIGH=3
RISK FACTOR4=AV+T+V=5+3+2=10
|
Is developer access restricted on the production server?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR5=AV+T+V=5+3+1=9
|
Are there proper controls against system overload / improper capacity planning in place?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR6=AV+T+V=5+3+1=9
|
Are there regular Server monitoring and controls in place?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR7=AV+T+V=5+3+1=9
|
Are there enough controls for Antivirus and Malicious software in place?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR8=AV+T+V=5+3+1=9
|
Are practices of regular security awareness in place?
|
LOW=1
MEDIUM=2√
HIGH=3
RISK FACTOR9=AV+T+V=5+3+2=9
|
New Case
|
Vulnerability Level = ∑(Risk Factor 1..9) = 93
Threat 5: "Backup and Contingency Plan"
|
Is there a backup policy in place?
|
YES=1
NO=0 √
|
Is the Backup policy reviewed every year?
|
YES=1
NO=0 √
|
Are AMCs with backup software vendors in place?
|
YES=1
NO=0 √
|
New Case to Be Added
|
Threat Level= 3
|
Vulnerability of Backup and Contingency Plan
|
Is the offsite storage well protected?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR1=AV+T+V=5+3+1=9
|
Is a tape management life cycle in place?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR2=AV+T+V=5+3+1=9
|
Are the daily backup logs monitored?
|
LOW=1
MEDIUM=2√
HIGH=3
RISK FACTOR3=AV+T+V=5+3+2=10
|
Is there a backup restoration testing in place?
|
LOW=1
MEDIUM=2√
HIGH=3
RISK FACTOR4=AV+T+V=5+3+2=10
|
Is enough training provided to the backup operators?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR5=AV+T+V=5+3+1=9
|
New Case
|
Vulnerability Level = ∑(Risk Factor 1..5) = 47
Threat 6: "Security Breaches"
|
Are there too many incidents reported in last 6 months?
|
YES=1 √
NO=0
|
Is there any Security Policy in place?
|
YES=1
NO=0 √
|
Is there any incident reporting structure in place, and is it conveyed to all IT persons?
|
YES=1
NO=0 √
|
New Case to Be Added
|
Threat Level= 3
|
Vulnerability of Security Breaches
|
Is there a well written Security Policy in place?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR1=AV+T+V=5+3+1=9
|
Are there any physical access controls in place?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR2=AV+T+V=5+3+1=9
|
Are the passwords kept with the system owners only?
|
LOW=1
MEDIUM=2√
HIGH=3
RISK FACTOR3=AV+T+V=5+3+2=10
|
Is the administrator username renamed?
|
LOW=1
MEDIUM=2√
HIGH=3
RISK FACTOR4=AV+T+V=5+3+2=10
|
Is password complexity enforced?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR5=AV+T+V=5+3+1=9
|
Is the administrator username renamed?
|
LOW=1
MEDIUM=2√
HIGH=3
RISK FACTOR6=AV+T+V=5+3+2=10
|
Is password complexity enforced?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR7=AV+T+V=5+3+1=9
|
New Case
|
Vulnerability Level = ∑(Risk Factor 1..7) = 66
Threat 7: "Virus Attack"
|
Are there too many incidents reported in last 6 months?
|
YES=1 √
NO=0
|
Is proper antivirus in place?
|
YES=1
NO=0 √
|
Is there any incident reporting structure in place, and is it conveyed to all IT persons?
|
YES=1
NO=0 √
|
New Case to Be Added
|
Threat Level= 3
|
Vulnerability of Virus Attacks
|
Is there a comprehensive virus protection system?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR1=AV+T+V=5+3+1=9
|
Does a default installation of virus protection tools exist?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR2=AV+T+V=5+3+1=9
|
Is there proper periodic updating of the latest virus definitions?
|
LOW=1
MEDIUM=2√
HIGH=3
RISK FACTOR3=AV+T+V=5+3+2=10
|
Is there a proper control for the usage of external media (floppies, CD's, USB) without scanning?
|
LOW=1
MEDIUM=2√
HIGH=3
RISK FACTOR4=AV+T+V=5+3+2=10
|
Is a proper security awareness program conducted?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR5=AV+T+V=5+3+1=9
|
Is there a control on downloading and usage of unauthorized software?
|
LOW=1
MEDIUM=2√
HIGH=3
RISK FACTOR6=AV+T+V=5+3+2=10
|
Is there a control on opening of mail attachments with scanning?
|
LOW=1 √
MEDIUM=2
HIGH=3
RISK FACTOR7=AV+T+V=5+3+1=9
|
New Case
|
Vulnerability Level = ∑(Risk Factor 1..7) = 66
Analyzing With Database of Similar Cases and Risk
|
Asset Risk Factor = ∑ Risk Factor (all threats) = 411
The above risk factor can be analyzed with the Risk Matrix table to assess whether the
value 345 falls under HIGH, MEDIUM or LOW.
5.2. Prototype Screen
Below are the prototype screens of the risk assessment tool developed for assessing risk
using the CBR technique. The asset in the evaluation is the ATM servers of a bank.
Fig 6 Initial Screen
Fig 11 Report Screen of Assessment Tool after assessing similar cases
Chapter 6: Conclusion
From the risk matrix, the value of 411 is considered MEDIUM risk when
compared with the past cases, and thus the asset is considered protected;
potential threats remain, however, and management has to mitigate those
risks with the higher risk values. The above risk has not considered the
business risk and the statutory risk. The overall risk is calculated by
also considering the risk factors of business risk and statutory risk
[compliance]. Thus the above risk factor does not mean that the entire
risk analysis has been carried out.
The risk assessment method using Case Based Reasoning with a decision
tree will always give added value to the risk assessor, helping him ask
the right questions and assess the risk. The assessor can also introduce
a new case or search an existing case in order to finalize the value he
can quantify for each threat and the vulnerabilities associated with it.
Further, these values can be reused if the database is maintained and
updated accordingly on a timely basis. Risk analysis for any IT asset
requires considerable professional judgment and knowledge of IT.
Nonetheless, the immaturity of risk analysis for an IT system makes it
difficult to afford such expertise and knowledge. This is why this study
takes advantage of the CBR technique. The benefits of this technique
correspond to the above characteristics of risk analysis for IT assets
and complement its immaturity. As the major case base of CBR, this system
uses the case base of past risk analyses and security accidents.
The proposed system in this study provides a fast and cost-effective
analysis using the reasoning ability of CBR, which comes from analogical
reasoning over the past cases. Therefore it will become a useful instrument
of risk analysis for novices in this area. In addition, the learning ability
to update the case base dynamically makes the system valuable in the
fast-changing IT environment. Consequently, the performance of this system
is expected to improve gradually as the case base is updated. However, the
system proposed in this study is only a prototype. This prototype system
has not been validated, nor applied to any organization, nor assessed for
its superiority to traditional risk analysis methods.
Glossary
Asset Value: A qualitative value given to an asset in order to assess the impact to the business if the asset is not available.
Cyber-risks: The risks, liabilities and solutions associated with electronic processes and interactions arising from conducting business activities through computer networks.
Database: A collection of data put together, having common data types, for later easy retrieval.
Decision Tree: A decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.
E-banking: Online banking (or E banking / Internet banking) allows customers to conduct financial transactions on a secure website operated by their retail or virtual bank, credit union or building society.
ISO 27001: ISO/IEC 27001, part of the growing ISO/IEC 27000 series of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 - Information technology—Security techniques—Information security management systems—Requirements, but it is commonly known as "ISO 27001".
NDA: A non-disclosure agreement (NDA) creates a confidential relationship between the parties to protect any type of confidential and proprietary information or a trade secret. It is a contract through which the parties agree not to disclose information covered by the agreement.
Risk assessor: A risk assessor is a professional who assesses the risk pertaining to the scope of the risk assessment.
Risk compliance: Mandatory compliance of eliminating risk on the basis of directives from legal bodies or institutions.
Risk Matrix: A risk matrix is a tool used in the risk assessment process; it allows the severity of the risk of an event occurring to be determined.
Risk Mitigation: Activities that eliminate or reduce the adverse effects of a disaster/risk.
Risk treatment: Risk treatment is the process of selecting and implementing measures to modify risk.
Technical security controls: Controls in place in order to control a threat attached to a vulnerability.
Security incident: A security incident is an alert to the possibility that a breach of security may be taking or may have taken place.
Threat: Threats are entities, physical or logical, that can compromise data because of the presence of a vulnerability.
Vulnerability: Vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system. Vulnerability is directly attached to threat.