Available online at www.sciencedirect.com Energy Procedia 17 (2012) 1288 – 1294 A Survey on the Evolution of Risk Evaluation for Information Systems Security Yu Zhiweia,Ji Zhongyuanb a Ningbo Institute of Technology, Zhejiang University,Ningbo, China Email:nityzw@gmail.com b Lishui University ,Lishui, China Email: 5525@ls0578.net Abstract In order to study the risk evaluation of the information systems security effectively and the laws of the developments of risk evaluation, we have made a detailed analysis from the purpose, the objective, the process methodology of risk evaluation according to the role ,the structure and the environment of information system.The tendency of risk evaluation is asserted with the current informatization background and an idea of business process-oriented risk evaluation methodology of information systems security is presented. © Selection and/or peer-review under responsibility of Hainan University. © 2012 2011 Published Publishedby byElsevier ElsevierLtd. Ltd. Selection and/or peer-review under responsibility of [name organizer] Keywords:information systems; information systems security; risk evaluation; business processes-oriented 1.Introduction More and more companies and organizations are becoming totally dependent on computer systems for their daily operations. Information systems (IS) security has been proclaimed as a key issue for the development of a global Information Society [1]. In this digitized age, organizations use the information systems to support and complete their missions; risk management plays a crucial role in protecting organization information assets as well as information system mission [2]. And the core of risk management is risk assessment: the means by which risks to systems are identified and evaluated to justify security controls. In order to study the risk evaluation of the information systems security effectively, it is important to study the evolution rule of risk evaluation. Firstly, several concepts related to information system security risk evaluation are introduced in this paper. Then the purpose, the objectives, the processes and the methodologies of risk evaluation are analyzed according to the role, the structure and the environment of information systems. The longitudinal comparison to risk evaluation development in different stages is presented. Finally, the tendency of the risk evaluation is put forward under the current informatization background according to the evolution rule of risk evaluation. 1876-6102 © 2012 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of Hainan University. doi:10.1016/j.egypro.2012.02.240 Yu Zhiwei and Ji Zhongyuan / Energy Procedia 17 (2012) 1288 – 1294 2.Basic concepts related to information system security risk evaluation Generally speaking, it is natural to mention several basic concepts such as risk, assets, threat, vulnerability, impact, information system, information system security, risk evaluation. And some core concepts are as follows: y Risk is defined in ISO/IEC TR 13335-1 as “the potential that a given treat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets”. And more concepts in relation with risk are also defined in ISO/IEC TR 13335-1. The relationship model of these concepts, which makes a clear explanation to the relations of those concepts, is shown as figure 1. threats protect against safeguards vulnerabilities exploit increase reduce tisks indicate met by security requireme increase expose assets increase have values FIGURE. 1 RELATIONSHIPS IN RISK MANAGEMENT y y y Information system It is a narrow concept of an information system, which refers to the computer-based system. It is an organic set of facilities as human beings, rules, databases, hardware and software, tools and running environment [3]. It highlights the application of computer and network communication technology. Two levels of meanings are included in the information system. First, the function of information system is to complete the organization missions. Second, it is a component of information system to coordinate and complete the organization mission. Information system security The purpose of the informatization is to complete the operation mission by information system. At the same time, the information system relies on its constitution elements and information in the process of achieving organization mission. In a word, the information system security can be used in elements of information system coordinating and achieving information system mission. Risk evaluation Risk management is the process of establishing and maintaining information system security within an organization[2], which aims to “identify, measure and control uncertain events” in order to minimize loss and optimize the return on the capital invested for security purposes[4][5]. As the core of risk management, risk assessment is the means by which risks to systems are identified and evaluated to justify security controls[2]. It contains why to implements risk evaluationˈwhat to evaluate as well as how to evaluate and other issues. 3.Analysis on development phase of risk evaluation for information system security It has been over 20 years of the world wide research on risk evaluation of information system, while it has been started in recent years in china. The content involved in the information system risk evaluation is extremely complex. Even though main contents related to risk evaluation have been summarized and analyzed in [6]. There is lack of analysis and judgment to overall development tendency of risk evaluation. According to [2,7,8], the risk evaluation had been undertaken through two generations. The third generation of it is continuing in respect of “the whole system“. The development of risk evaluation are divided into three generations in the light of computer history in[9,10]. These divisions are based on the 1289 1290 Yu Zhiwei and Ji Zhongyuan / Energy Procedia 17 (2012) 1288 – 1294 constitution and environment of the very information system and fail to take function and goal of information system in organization into consideration, which indicates that the basic problem of why to carry on risk evaluation has been not solved. Apparently, safeguarding information itself is not, or should not be the target of information system security, the real purpose of which is to guarantee the reliability and security in the process of the goal of operation in organization. Information system security and risk evaluation have been developing with the progress in constitution and environment of information system, as well as function vicissitude of information system in organization. Figure 2 presents differences in function, constitution and environment of information system., which cause the differences of contents, process and method of risk evaluation. momentum the role of IS the structure of IS the environment of IS risk evaluation the purpose of risk evaluation the contents of risk evaluation the processes and methods of risk evaluation FIGURE. 2. THE DRIVE MODEL OF RISK EVALUATION 3.1.The first stage In this stage, the information system was formed by the relatively isolated mainframes. It was used to conduct scientific calculating and batch processing in place of human beings. Computers themselves were the protected by the information system as rare tools. The protection of the computing facilities was conducted by implementing physical countermeasures around and within the mainframe room. Computing facility security was measured by assessing how well the facility adhered to a prescribed set of security controls. Checklist and basic risk assessment methods for selecting discretionary IS security controls were introduced. Peter S. Browne’s Checklist for computer Center Self-Audits is an example of a first stage risk assessment method [2]. The first stage risk evaluation method was simple and partial for mainframe with manual operations, which mostly relied on the experience. 3.2.The second stage With the wide use of LANs and the development of the computing environment, the information which computer processed began to be shared in relevant departments in organizations. Protecting information and information technology assets of processing information are included in risk evaluation. Risk evaluation of the first stage was obsolete because the new requirement from the objects and change of the environment. Therefore, new contents and methods of risk evaluation were put forward. Other fields, such as nuclear power, weapons, and aviation, were taking a systems view and using analytical risk analyses; their success provided encouragement for a risk-assessment approach. As a result of all this, a new view of risk has emerged for software system, and NIST played a prominent role in prompting this view to coalesce. Six concepts in risk assessment were formalized: assets, vulnerabilities, threats, likehoods, impacts, and safeguards. This emerging view of risk says “A threat is realized through a vulnerability, which impacts an asset.”[8]ˈwhich was called asset-based risk assessment. The risk Yu Zhiwei and Ji Zhongyuan / Energy Procedia 17 (2012) 1288 – 1294 assessment method in this stage aimed to protect the whole information system by identifying and analyzing the threats, the vulnerabilities, the likehoods and the impacts. The ALE(Annual Loss Exception) method was used to calculate the economic loss on condition that safeguards was used or not. But in practical application, there was much difficulty obtaining quantitative data of the asset value and likehoods of threat occurring. Estimating cost on safeguards was not realistic. Consequently, computing asset risk with quantitative methods is theoretically persuasive. Although risk evaluation has not been widely used in practice at this stage, it had provided a set of asset-based risk evaluation theory, had formed several risk elements including assets, vulnerabilities and threats, which laid the theoretical foundation for the third stage risk evaluation. 3.3.The third stage With the use of communication networks, such as internet, became the backbone for inter-organizational communication, E-commerce and on-line services have become the reality. The structure and environment of information systems have become quite complex. New threats to information systems are increasing .The exchange and sharing of information between organizations and entities outside have been expanded. Therefore, information systems risk not only affects the security attributes of information, causes direct economic losses in organizations, but takes into account the operational and productivity implications and the reputation and public image of the organization. It is an important symbol to consider the business impact analysis (BIA) during analyzing the impact of risk of assets. In addition, the risk evaluation in this stage was not essentially improved comparing with that in the second stage. It became more complicated because of structural and environment complexity of information system and an expansion of the role. The basic theory of risk evaluation in this stage rooted from that in the second stage. Easy-to-understand and with a long history of research, the theory was widely applied in research institutions and many enterprises engaged in the field of security management. For instance, Bomil Suh, Ingoo Han [11] studied business process-oriented risk evaluation methodology of information systems security. The security resolution from SYMANTEC[12], FOUNDSTONE[13] not only considered the effect on the business of the risk of information systems. OCTAVETM framework [14] also considered the risk to information system assets that could cause loss and influence on organization business. CORAS regarded the huge loss to business as one of the most important factors [15]. Because it is difficult to quantify the risk, the qualitative analysis was used in this stage to measure the levels of risks and the impacts of assets. The consequences should be given a value in CORAS in terms of expected loss, on a relative scale, such as: {Low, Medium, High}, {Insignificant, Minor, Moderate, Major, Catastrophic} or specific {No Consequence, Destroyed Data}. And the values of the probabilities was described by using {rare, unlikely, possible, likely, almost certain}[15]. Accordingly, OCTAVE uses {High, Medium, Low} to measure the impacts and likehoods[14]. Likert Scale[16] is a good qualitative description of the measure. Quantitative methods are not without merit, a more detailed comparison has been presented in the literature [16,17]. As the complexity of threats, vulnerabilities and impacts, some traditional analysis methods were used to support the various stages of risk evaluation. CORAS used HazOp, FTA, FMECA and other methods to help the risk assessment [15]. The driving force and brief summary of the information system risk evaluation at different stages have been summarized in table 1. From this we can find the order of nature of information system security risk evaluation with the development of the role and construction of information systems. TABLE 1. THE ANALYSIS OF RISK EVALUATION IN DIFFERENT STAGES stage the first stage the role of IS batch jobs and scientific calculation the structure and background of IS centralized mainframes the purpose and objectives of risk evaluation computer itself the process of risk evaluation and typical method by assessing how well the facility adhered to a prescribed set of security controls; 1291 1292 Yu Zhiwei and Ji Zhongyuan / Energy Procedia 17 (2012) 1288 – 1294 gy ( ) Browne’s Checklist. the second stage information exchange and shared in departments LANs distributed environment the third stage information exchange and shared in organizations communication networks and to protect the assets of information systems. to protect the assets and the impacts on business process by evaluating the assets by calculating the threats, the vulnerabilities, the likehoods of assets; ALE is a typical method. similarly to the second stage, but BIA was implementing during the risk evaluation. And some traditional qualitative method were used to help the risk evaluation; CORAS are the OCTAVETM representative methods. 4.Prospect for the research on security risk evaluation of information system These days, with information technology stimulating industrialization strategy propose, Informatization implementing, business process re-engineering, workflow technology realizing, ERP implementing and its expanding to SCM,CRM, the information system is not only used in exchanging and sharing information as a platform within the organization and entities around, but is an indispensable tool for the day-to-day operations. Information system security is not only the purpose of the protection of information security assets, but it is also necessary to maintain the security in daily operation process of information system. Risk evaluation approaches at all above stages are no longer appropriate under the current information technology environment. Information system risk evaluation enters a new stage. There is lack of appropriate risk evaluation methodology in view of such a complex giant system according to [10]. Risk evaluation should start from understanding the information system on the whole information system. Sharon, karin [21] pointed out the defects of the traditional bottom-up risk evaluation based on the information system assets in the mentioned stages and put forward the top-down risk assessment and information technology risk analysis based on the business. SUSANNE RÖHRIG and KNORR[19] brought forward a method to obtain security protective measure from a business process perspective. . Protecting assets is not the goal of organizations. Assets realize their value by coordinating and achieving operation process and mission. First, these assets are coordinated to work together as a whole. This requires a good grasp of these assets and their mutual relations; Secondly, instead of assets protection, the ultimate goal of information system security is to protect the information system to fulfill their organizational mission as a whole.. Business processes put all the unattached equipments, people and so on to carry out some specific work together. It demonstrates the synergy of these assets. On the one hand, it reflects the interrelated links among the assets. On the other hand, it is the embodiment of the mission of information systems. Therefore, the fourth stage method of risk assessment, which focuses on the business process perspective, will be developed with an important feature of business process. Due to the introduction of business process, risk evaluation in the fourth stage requires additional technologies to support the new method of risk evaluation. Kokolakis [1] implored IS-SAD and information system security analysis based on the technology of BPM and put forward the idea that the risk analysis is combined with the business process and made a theoretical study on the adequacy of the model of security evaluation with the use of the IDEF tools, such as RADǃCADMǃSSMǃDFD. Yu Zhiwei[20,21] put forward DEXVLQHVVSURFHVVEDVHGPHWKod on security requirements analysis of information systems. Furthermore, Yu zhiwei presented a method of analyzing security objectives of business process elements(BPEs)[22] to determine the security requirements of business processes, and proposed an information system security model[23] to protect business activities and describe information systems from security view in order to overcome the shortcomings of the existing information system models. Academician, He Dequan[24], pointed out that more than 80% of the successful invasion took advantage of people’s ignorance, numbness and laziness. Therefore, it is not enough to prevent information systems risk from the technical point. The risk evaluation at the fourth stage should take Yu Zhiwei and Ji Zhongyuan / Energy Procedia 17 (2012) 1288 – 1294 technologies and management factors into account to synthetically consider risk recognition and protection of information system. According to the circumstance which information systems support the business process operations, aligning with the technology support when considering the risk assessment method from the view of business processes, the basic requirements of information system risk assessment in the fourth stage can be met from the technology and management. We can conduct the study as follows: y Risk evaluation-oriented business process modeling Generally speaking, business process model is abstract expression of business operations supported by information system, it is also a relation model describing a series of orderly activities which aims to complete scheduled functions. Characteristics of business process risk are not conveyed in general business process model. It is a practical research idea to enlarge information risk factor based on the existing business process model. y Establishing a business process-oriented risk evaluation methodology of information systems. It includes how to confirm and identify specific asset, risk elements, process model of risk evaluation, risk evaluation methodology, how to describe risk and how to measure the risk and so on. Among them, recognition and identification of risk evaluation targets are the important foundation for business process-oriented risk evaluation of information system security project. Risk elements are referring to business process-oriented risk causes. The process model is used for completing process-oriented business activities and their relations. Risk evaluation approaches are to study how to obtain risk factors; and the expression and measurement of risk are indicating how to express and measure business process-oriented risk. Finally, the business process-oriented risk evaluation methodology of information systems security is formed. y Study on the efficiency of the risk evaluation of information systems security. Security is a dynamic process which required regular inspection and maintenance and even checks at any moment. But whether the result of current security evaluation method can actually reflect the security condition of information system is a problem? Whether it is secure enough after safeguard implementations for information systems should be still validated and improved in practice. y Research and development of auxiliary platform for integrated information system security risk evaluation. To improve the efficiency, accuracy, reusability, traceability of risk evaluation project, reduce labor intensity of the risk evaluation, it is necessary to establish process-oriented risk evaluation auxiliary platform with the aid of information technology. 5.Conclusions Information system plays an increasingly important role in the organization with the development and application of computers and network. The information system has become an absolutely necessary tool for many business operations. As the core of security management, risk evaluation had gone through three stages. Now it is in the transition from the third stage of to the fourth with the business-oriented characteristics. When the assets of the information system security are fully assured, the business process supported by information system are still confronted with operation’s and management risk, and new risks also come from the change of business process operations after information technology’s application. All those risks happen to be neglected in current research of information security risk evaluation. In this paper, the current situation and development trend of risk evaluation of information system security were firstly discussed. It has concluded that under the current environment the risk evaluation of information system security has gone into the fourth stage, which focuses on the business processes supported by information systems and analyses of the risks of business processes from both technologic and managerial perspectives. References [1] S.A. Kokolakis,A.J. Demopoulos,E.A. Kiountouzis. The use of business process modelling in information systems security analysis and design, Information Management & Computer Security. Bradford:2000.Vol.8,Iss.3; pg.107 [2] M. Wright, Third Generation risk Management Practices, Computer Fraud & Security, February, 1999 pp. 9-12 1293 1294 Yu Zhiwei and Ji Zhongyuan / Energy Procedia 17 (2012) 1288 – 1294 [3] Dai Zongkun, Luo Wanbo, etc. Information systems security, China:Publishing house of electronics industry, 2002.1 [4] T. Finne, Information Systems Risk Management: Key Concepts and Business Processes, Computers & Security, 19(2000) 234-242 [5] T. Finne, A Conceptual Framework for Information Security Management, computers & Security, 17 (1998) 303-307; [6] Feng Dengguo, Zhang yang, Zhang yuqing, Survey of information securityrisk assessment, Journal of China Institute of Communications, Vol.25 No.7:10-18 [7] Craft R., Wyss, G., Vandewart, R., et al., An Open Framework for Risk Management,(http://csrc.nist.gov/nissc/1998/proceedings/paperE6.pdf 2010-12-5) [8] Fletcher, S., Jansma, R., Halbgewachs, R., et al., Software System Risk Management and Assurance, (http://ieeexplore.ieee.org/iel3/3552/10643/00492345.pdf, 2010-11-5) [9] Stilianos Vidalis, A Critical Discussion of Risk and Threat Analysis Methods and Methodologies, School of Computing Technical Report CS-04-03. July 2004 [10] L. Labuschagne, J.H.P. Eloff, Risk Analysis Generations – The evolution of Risk Analysis, (http://csweb.rau.ac.za/deth/research/articles/ra_generations.pdf, 2007-5-23) [11] B. Suh, I. Han, The IS risk analysis based on a business model, Information & Management 41(2003) 149-158 [12] Assets, Threats and Vulnerabilities: Discovery and Analysis——a comprehensive approach to Enterprise Risk Management, Symantec Corporation, enterprisesecurity.symantec.com/PDF/AxentPDFs/RiskMgmt.pdf 2007-9-12 [13] www.foundstone.com 2010-10-24 [14] C. Alberts, A. Dorofee. Managing Information Security Risks: The OCTAVE Approach Tsinghua University Press, 2003.8 [15] I. Djordjevic, E. Scharf, D. Raptis, B.A. Gran, suitability of risk analysis methods for security assessment of large-scale distributed computer systems, http://www.intracom.gr/ downloads/pdf/news/publications/2002/psam_2002_coras.pdf 2008-5-20 [16]. S.A. Butler, Security Attribute Evaluation Method, May 2003, CMU-CS-03-132 [17] UI Security Risk Assessment Guidebook, Sep. 2001, www.itsc.state.md.us/PDF/S-2-2%20Risk-Assessment-Final.pdf. 2004-10-15 [18] Halliday, Sharon,Badenhorst, Karin,Solms, Rossouw von. A business approach to effective information technology risk analysis and management. Information Management & Computer Security.Bradford:1996.Vol.4,Iss.1: 19-31 [19] S. RÖHRIG, K. KNORR, Security Analysis of Electronic Business Processes, Electronic Commerce Research, 4: 59-81 (2004). [20] YU Zhiwei㧘TANG Renzhong㧘YE Fanbo. A business process-based method on security requirements analysis of information systems[J]㧘IE&EM’2005, Chongqing, CHINA, NOV 06-08, 2005:1005-1009 [21] YU Zhiwei㧘TANG Renzhong㧘Jia Dongjiao et al.,. A Business Process-based Method on Security Requirement Analysis of Information Systems, China Mechanical Engineering[J]. Vol. 18, 2007,(04):457-460 [22] YU Zhiwei㧘TANG Renzhong. Analysis on security objectives of business process elements[J]. Journal of Zhejiang University(Engineering Science), 2007 Vol.41 No.8 P.1244-1248,1270 [23] YU Zhiwei㧘TANG Renzhong. Business activity-oriented security model of information systems[J]. Journal of Zhejiang University(Engineering Science), 2007 Vol.41 No.11 P.1903-1907 [24] He Dequan, No absolute Security, Netinfo Security, 2002(10).-23-23