Step 3 - Risk Assessment

What is the Diri Risk Analysis?

The Diri risk analysis (DRA) is the model for identifying and assessing cyber risk in the Diri software. The purpose of the DRA is to identify unacceptable cyber risks such that we can implement risk mitigating treatments. DRA is step 3 of the Diri risk assessment process. The DRA model is a combination of well-established risk science concepts and modern software functionality. Best practice information security (ISO/IEC 27005) defines the risk scenario as a combination of assets, vulnerability, threat, controls, and outcomes. In the DRA, we have expanded these concepts with our prior research findings in combination with the commonly known Bowtie risk analysis to produce a novel ISRA method and model. The software allows for many-to-many relationships between all components in the analysis.

The traditional Bowtie analysis consists of an adverse event, coupled with possible causes and outcomes of said event. The security controls in the bowtie are in place to either mitigate the cause (probability) or the outcome (consequence). The flexibility of the bowtie coupled with the Diri assessment methods makes the DRA state-of-the-art.


The DRA model for risk assessment.

When you enter step 3 in Diri, you will meet an empty risk assessment with three main paths to start working: Causes, Events, and Consequences. The rationale behind the model is illustrated well in the picture of the DRA above. The starting point for a DRA is illustrated below.

The starting point for DRA

DRA components

Firstly, in Diri we apply the following definitions (based on ISO/IEC 27000), starting from the left side of the risk assessment (above picture). Clicking "New" under causes will ask you to register a new cause:


Cause

  1. Cause: A threat exploits a vulnerability to define the attack vector (cause), leading to the event.
    1. Threat: The potential cause of an unwanted incident, which can result in harm to a system or organization. In Diri, we focus on the person or group posing the threat, the threat actor/agent. The cause is a description of the attacker's method. Diri comes with a pre-defined set of threat agents that you can add to your analysis.
    2. Vulnerability: Weakness of an asset or control that can be exploited by one or more threats. In Diri, we aim to quantify vulnerability using pre-defined vulnerability categories. We propose the following four categories, but you are free to define your own:
      1. Human: The attack targets and exploits human weaknesses, such as through social engineering attacks.
      2. Organisational: The attack targets and exploits organisational weaknesses, such as lack of oversight and control.
      3. Physical: The attack exploits missing physical security barriers, such as missing door locks and poor locking routines.
      4. Technical: The attack exploits missing or weak technical security controls, such as an exposed attack surface, outdated services or through a poorly configured firewall.
    3. Probability: What is the inherent probability of the threat successfully exploiting the vulnerability without considering existing controls? Both existing and new mitigating controls are added later.

Register a New Cause

Event

  1. Event: An occurrence or change of a particular set of circumstances. In Diri, the event is adverse and can have many causes and lead to many consequences.
    1. Event type: Predefined information security events to choose from. You can add a new event to the list if it is not present.
    2. Description: You can choose to add an extra description of the event; this text will be visible below the event title in the

Event description (left) and visualisation (right) in the DRA. The numbers illustrate how many causes and consequences are tied to the event.

Consequence

  1. Consequence: Outcome of an event that affects objectives. The impact (outcome) from the event affects one or more assets.
    1. Consequence type: Similar to Event type, Diri contains a catalogue of known information security consequences to choose from. You can add a new consequence to the list if it is not present.
    2. Name: You can choose to further name your consequence.
    3. Add affected asset: Lets you choose assets from Step 2 - Asset evaluation and include them in the impact analysis.
      1. Select implicated asset from the asset evaluation
      2. CIA: Choose if the consequence violates confidentiality, integrity, or availability.
      3. Assessment: Displays your asset evaluation of the selected asset within the chosen CIA category. Use this information as a guideline in the Consequence estimate.
    4. Consequence estimate: What is the inherent consequence level if the event materializes into this specific consequence without considering existing controls? Both existing and new mitigating controls are added later.
    5. Cost estimates: You can add cost estimates to the consequence to quantify the risk. If a consequence occurs:
      1. What will be the most likely minimum cost?
      2. What is the maximum it will cost?
      3. What is the expected cost (average)?

Registering a New Consequence

Risk treatments

The risk treatment option can be found through re-opening an existing Cause or Consequence. The option for adding new or existing treatment appears at the bottom of the window, below the Description.

Treatment options for causes and consequences.

The three choices for risk treatment are:
  1. New Treatment creates a new security control.
  2. Add existing allows you to re-use an existing treatment, meaning that an existing control will be used in your assessment. This is the option for global controls.
  3. Copy a treatment allows you to make a copy of an existing control. The copy retains the treatment name, description, type, and class.

  1. Risk Treatment definition and options: Treating risk is a process to modify risk. The primary approaches to risk treatment are:
    1. Reduce the probability of the event occurring.
    2. Reduce the consequence of the event impact.
    3. Avoid the risk by removing the risk source.
    4. Share the risk (transfer it) with another party or parties, through contracts and risk financing.
    5. Accept the risk through informed choice.

Registering a new treatment
  1. When clicking "New treatment", the following choices appear:
    1. Name of treatment
    2. Description
    3. Type: Treatment types fall into the following three categories in Diri:
      1. Physical controls are barriers in the physical domain, such as door locks, card readers, and fences.
      2. Technical controls are the technical barriers typically associated with cybersecurity, such as firewalls, network monitoring, and encryption.
      3. Administrative controls are security policies, guidelines, and routines, but also organisational security measures.

    4. Class: A treatment class in Diri is derived from established security frameworks. The broad categorisation is as follows:
      1. Identify is a treatment class for developing the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
      2. Protect and maintain is a class for safeguarding and maintaining delivery of critical infrastructure services and asset protection (primarily probability
      3. Detect is a class of treatments for identifying the occurrence of a cybersecurity event.

      4. Respond and recover are treatments for developing and implementing the appropriate activities to take action regarding a detected cybersecurity incident, and for developing and maintaining plans for resilience and for restoring any capabilities or services that were impaired by a cybersecurity incident.

    5. Documentation link: Add a link to relevant documentation for the treatment.
    6. Responsible user: Link the responsible user to the treatment. The user must be listed in the Diri user database for the treatment follow-up (quality) function to work.
    7. Due time: Select a deadline for the treatment. If selected, the responsible user will receive notifications about the assigned treatment and when the deadline is approaching.

    8. Cost estimations are used to calculate the total cost of the treatment plan, and high-quality cost estimates are very useful in the cost-benefit analysis in Step 4.
      1. Onetime Cost: What is the estimated one-time cost of the treatment? E.g. buying and implementing the treatment.
      2. Yearly Cost: What are the estimated yearly costs of license and maintenance?

    9. Treatment effect is an estimate of the relative control strength against the cause or consequence. This estimate is subjective, but consider the threat agent in question and their capabilities when compared to the control effect. For example, multifactor authentication will generally be a strong control against several foreign adversaries.
      1. A note on treatment re-use: In the current version of Diri you can re-use treatments on multiple causes and consequences, but the treatment only has one effect estimate. Changing the treatment effect will impact all associated risks.

    10. Treatment Status displays the current state of the treatment. A treatment can be:
      1. Open: the treatment has been identified and added as a suggestion to the risk.
      2. Recommended: the treatment is recommended for the risk but not planned.
      3. Planned: the decision has been made to implement the treatment, but work has not yet started.
      4. Ongoing: the treatment is currently under implementation.
      5. Implemented: the treatment is completed and currently in use.

    11. The treatment status and effect are used to calculate the risk picture in Diri:
      1. Before treatments describes the risk picture without any measures at all.
      2. Current risk describes the risk picture with the current treatments in place.
      3. All treatments describes the risk picture if all suggested treatments were implemented.

Risk estimations and calculations

    1. Risk estimations in Diri:
      1. Everything in Diri is built on scales from 0-100; the choices for probability and consequence are sorted on the same scale.
      2. The control effect is also estimated on a scale from 0-100, and one cause or consequence can have multiple treatments controlling it.
      3. The current risk in Diri is calculated by multiplying the inherent risk by the residual factor of each implemented control:
         Current risk = (Inherent risk) * ((100 - control effect 1)/100) * ... * ((100 - control effect n)/100)
         Example calculation: a likely risk, p=80%, is mitigated by two implemented controls with moderate effects, C1=20% and C2=30%. In Diri the calculation is made as follows:
         Current risk = 80 * ((100-20)/100) * ((100-30)/100)
                      = 80 * 0.8 * 0.7
                      = 44.8
         The updated risk estimate is placed on the scale and categorised within the probability/consequence scale.
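The calculation above, carried through for the three risk pictures (before treatments, current risk, all treatments), as an added Python example that is not part of Diri's own code. The Treatment class, the validation and the rounding to two decimals are assumptions; the status names are those listed under Treatment Status.

```python
from dataclasses import dataclass

# Treatment statuses as listed in the Treatment Status section. Only
# "Implemented" treatments count in the current risk picture; every
# status counts in the "All treatments" picture.
IMPLEMENTED = "Implemented"
STATUSES = ("Open", "Recommended", "Planned", "Ongoing", IMPLEMENTED)


@dataclass
class Treatment:  # assumed structure, not Diri's data model
    name: str
    effect: int    # relative control strength on the 0-100 scale
    status: str

    def __post_init__(self):
        if self.status not in STATUSES:
            raise ValueError(f"unknown treatment status {self.status!r}")
        if not 0 <= self.effect <= 100:
            raise ValueError("treatment effect must be on the 0-100 scale")


def residual(inherent: float, effects) -> float:
    """Diri formula: inherent * prod((100 - effect_i) / 100), on the 0-100 scale."""
    value = float(inherent)
    for effect in effects:
        value *= (100 - effect) / 100
    return round(value, 2)  # rounding is an assumption for display


def risk_picture(inherent: float, treatments) -> dict:
    """Return the three risk pictures Diri derives from status and effect."""
    current = [t.effect for t in treatments if t.status == IMPLEMENTED]
    every = [t.effect for t in treatments]
    return {
        "before": residual(inherent, []),        # no measures at all
        "current": residual(inherent, current),  # implemented treatments only
        "all": residual(inherent, every),        # all suggested treatments
    }


if __name__ == "__main__":
    # Constructed sample: the page's example (p=80, C1=20, C2=30, both
    # implemented) plus one planned treatment that is not yet in effect.
    treatments = [
        Treatment("MFA", 20, IMPLEMENTED),
        Treatment("Network monitoring", 30, IMPLEMENTED),
        Treatment("Segmentation", 50, "Planned"),
    ]
    print(risk_picture(80, treatments))  # current = 44.8, all = 22.4
```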

Re-using existing causes, events, consequences, and treatments

Re-use is an excellent opportunity to save time in your DRA. The "Existing"-button lets you add to your assessment from existing data and is available for causes, events, consequences, and treatments. Clicking this button lets you access and add from the results of previous risk assessments. You can only re-use data from risk assessments that your user has access to.
The "Existing"-button is always visible for events, but you have to highlight an event for the button to become visible for causes and consequences, as illustrated in the picture below. Copying a cause, event, or consequence will not include the associated treat

A risk in Diri illustrated with available functionality for adding from existing risk assessments.

If you wish to add an existing treatment, you open the cause/consequence in question and click the "Add existing"-button below the "New"-button. This action will show you a list containing the existing treatments from both the current risk assessment and other objects that you have access to. You can sort the list on all the available variables, illustrated below.


Global and system specific controls

One of the most complex issues in a risk management system is the many-to-many relationships between risk assessment objects (IT systems) and security controls. It is not uncommon for a control (treatment) to affect the risk of many IT systems. Managing this is essential, as it prevents the same treatment from being registered and recommended multiple times.

We call it a global control when a unique control is included in more than one assessment. Typical global control mechanisms are single sign-on solutions that provide access to many systems and network firewalls that protect multiple systems and servers. A system-specific control only applies to one specific IT system. 

Global controls can now easily be added in Diri via the Organizational risk assessment. System-specific treatments can also be made global by including them in new risk assessments. The treatment now lists how many risk assessments it is included in and the number of risks it mitigates. A premise for re-using existing treatments is that the user can access the original analysis where the control resides.


A warning is displayed on treatments connected to more than one risk or assessment.

Many-to-many relationships in the DRA

A cause can lead to several events and an event can lead to many consequences. The DRA allows you to quickly create multiple connections between these elements. How to add an existing treatment to multiple elements is described above. There are primarily two ways of connecting elements in Diri:

Drag and drop

You can drag and drop causes and consequences and connect them to existing events. Grab the chain icon on the cause or consequence and drop it onto the event that you want to connect, as illustrated in the figure below. The number below the chain icon displays how many connections the item has to events.

Making many-to-one connections by grabbing the chain icon of a cause and dropping it on the connected event.

Editing and removing connections between elements

You have to open the cause or consequence directly to remove connections between events and causes/consequences. The connections are visible in the "May lead to"-field for causes and in the "A result of"-field for consequences. Click the "X" next to the event name to remove the connection, or click the space after the last event to add existing ones.

Editing connections between a cause and multiple events in the cause description.

Event and Consequence catalogues

Diri comes with pre-defined catalogues for Events and Consequences that users can choose from and add to in the DRA. Through research and experience we have found that there is generally a limited set of both that are in use in a cybersecurity risk assessment. New items that are not a part of the list can be added by the user. These suggestions will be available on the organisational level.