Introduction
This article describes the three primary types of risk calculated in IriusRisk and explains how inherent risk is calculated.
Risk types - Inherent, Current, and Projected
Each threat in IriusRisk has three different risk values, each with a maximum value of 100 and a minimum value of 0.
Inherent risk: This is the "starting" risk, the one that represents the risk inherent to the affected assets and their exposure. Inherent risk represents the complete risk of the scenario with no mitigations applied.
Formula 1 - Inherent Risk = impact x likelihood (NOTE: the formula for inherent risk is independent of mitigations currently in place or planned. It is based solely on the threats, assets, and weaknesses associated with the scenario).
Current risk: This is the risk value at present, equal to the inherent risk minus the risk reduction of the currently implemented mitigations (countermeasures).
Formula 2 - Current Risk = Inherent Risk - implemented mitigation
Projected risk: This is the target risk, the one we will have once all required countermeasures have been implemented. It is calculated by subtracting from the inherent risk the risk reduction produced by all implemented and required countermeasures. It is exactly like calculating the current risk while assuming that all required countermeasures are already implemented.
Formula 3 - Projected Risk = Current risk - planned mitigations (countermeasures in a required status)
The qualitative output of these three values can be seen in the threats interface in IriusRisk.
Quantitative values are translated into qualitative outputs of very low (0 - 20), low (>20 - 40), medium (>40 - 60) , high (>60 - 80), and critical (>80).
Calculating Inherent Risk
Calculating Impact -
Impact is calculated from the threat's technical impact, with a final output ranging from 0 - 100.
Formula 1a - Impact = (Threat Technical Impact x Business impact weighting x Weakness Impact)/100 + (Asset Value x Asset Weighting)
Impacts relate to confidentiality, integrity, and availability within a given threat. These values are set by the rules engine (configured by the security library content) or by the end user on the threat model. The values are very low (0-20), low (20-40), medium (40-60), high (60-80), very high (80-100).
By default the business impact weighting is set to 1.
Threat weakness values are derived from the weaknesses added to each individual threat.
If a threat has multiple weaknesses, the inherent calculation will use the greatest weakness.
NOTE - calculating the impact value requires determining the high-water mark across every threat impact type (confidentiality, integrity, or availability) combined with the greatest weakness and the matching classification value of each asset.
For Example:
- (Threat Impact (Confidentiality) x weighting (1) x Weakness)/100 + (Asset Confidentiality x Asset weighting)
- (Threat Impact (Integrity) x weighting (1) x Weakness)/100 + (Asset Integrity x Asset weighting)
- (Threat Impact (Availability) x weighting (1) x Weakness)/100 + (Asset Availability x Asset weighting)
This is repeated for every threat/asset combination, and the highest result is then used as the threat technical impact in the final impact formula.
Formula 1b - Asset Value = highest value of the average of asset values pertaining to a given threat
Assets are assigned per component and, since multiple assets can be assigned to any given component, the asset with the highest average score of confidentiality, integrity, and availability is used. This high-water mark ensures that a lower asset class does not accidentally minimize the inherent risk of a threat that may pertain to a more sensitive asset on the same component.
If a given component has three different assets assigned with the following security classifications, the final calculation would proceed as follows.
All three assets are assigned to a component with several potential threats and weaknesses:
| Asset | Confidentiality | Integrity | Availability | Average |
| --- | --- | --- | --- | --- |
| Asset 1 - Advertising Information | 0 | 20 | 0 | 6.67 |
| Asset 2 - Customer Data | 100 | 100 | 20 | 73.3 |
| Asset 3 - Protected Health Information | 100 | 100 | 20 | 73.3 |
Using the high-water mark, we would use the highest average asset score (in this example there is a two-way tie at 73.3).
Assets also have a default weighting of 1 in the impact formula.
The final impact value must be adjusted by using the following equation.
Adjustment Formula 1= (value) x 100 / maximum possible value
This formula effectively expresses our raw formula as a percentage of its maximum value.
The maximum value for formula 1a is (Threat Technical Impact (100) x Business impact weighting (1) x Weakness Impact (100))/100 + (Asset Value (100) x Asset Weighting (1)) = 200. As default weightings are changed, this maximum changes accordingly.
Calculating Likelihood -
The second half of calculating the inherent risk takes us to the likelihood portion of this equation.
Formula 1c - Likelihood = exposure rating x exposure rating weighting (default 1) + ease of exploitation x ease of exploitation weighting (default 1)
The ease of exploitation rating is taken from the individual threat and has five possible values (very low, low, medium, high, and very high), segmented into 20-unit intervals from 0 - 100.
Formula 1d - exposure rating = 100 - Trust Zone Rating
Using the trust zone closest to the component/asset/threat for which the inherent risk score is being calculated, the trust zone rating is used to calculate the exposure rating.
The likelihood value must be adjusted using the previously mentioned adjustment formula:
Adjustment Formula 1= (value) x 100 / maximum possible value
This formula effectively expresses our raw formula as a percentage of its maximum value.
The maximum value for Formula 1c - Likelihood = exposure rating (100) x exposure rating weighting (1) + ease of exploitation (100) x ease of exploitation weighting (1) is 200. As default weightings are changed, this maximum changes accordingly.
Calculating the final inherent risk value -
Taking the impact value and the likelihood value described above into formula 1 can result in a value outside of the 0-100 range required for reporting. This value must be adjusted using the following formula.
Adjustment formula 2 - adjusted value = square root (raw value)
This final adjustment will produce a value from 0 - 100.
EXAMPLE:
Component 1
→ Trust zone (trust rating: 20)
→ Asset 1 (confidentiality: 100, integrity: 20, availability: 30)
→ Asset 2 (confidentiality: 50, integrity: 70, availability: 90)
→ Threat 1 (ease of exploitation: 70, confidentiality: 100, integrity: 80, availability: 70)
→ Weakness 1 (impact: 80)
→ Control 1 (mitigation: 80, state: implemented, test: passed)
→ Control 2 (mitigation: 20, state: required, test: not tested)
→ Control 3 (mitigation: 30, state: recommended, test: not tested)
EXAMPLE CALCULATIONS:
Since we have 2 assets, each with 3 security classifications, we need to calculate 6 values using formula 1a.
| Asset | Classification | Business impact weighting | Threat classification value | Weakness value | Asset weighting | Asset classification value | Result |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Asset1 | Confidentiality | 1 | 100 | 80 | 1 | 100 | 180 |
| Asset1 | Integrity | 1 | 80 | 80 | 1 | 20 | 84 |
| Asset1 | Availability | 1 | 70 | 80 | 1 | 30 | 86 |
| Asset2 | Confidentiality | 1 | 100 | 80 | 1 | 50 | 130 |
| Asset2 | Integrity | 1 | 80 | 80 | 1 | 70 | 134 |
| Asset2 | Availability | 1 | 70 | 80 | 1 | 90 | 146 |
The highest value will then be adjusted using adjustment formula 1 to a value from 0 - 100 and will be used in the final impact formula as the high-water mark.
Calculating the adjusted value using adjustment formula 1 = (value (180)) x 100 / maximum possible value (200) = 90
Calculating the Asset Value using formula 1b.
| Asset | Confidentiality | Integrity | Availability | Avg |
| --- | --- | --- | --- | --- |
| Asset1 | 100 | 20 | 30 | 50 |
| Asset2 | 50 | 70 | 90 | 70 |
The final impact is then expressed by formula 1a - Impact = (Threat Technical Impact (90) x Business impact weighting (1) x Weakness Impact(80))/100 + (Asset Value(70) x Asset Weighting(1)) = 142
Calculating the adjusted value using adjustment formula 1 = (value (142)) x 100 / maximum possible value (200) = 71
Next, calculate likelihood which is expressed by formulas 1c and 1d respectively.
Formula 1d - exposure rating = 100 - Trust Zone Rating (20) = 80
Formula 1c - Likelihood = exposure rating(80) x exposure rating default(1) + ease of exploitation(70) x ease of exploitation weighting(1) = 150
Calculating the adjusted value using adjustment formula 1 = (value (150)) x 100 / maximum possible value (200) = 75
Finally, inherent risk using formula 1 - Inherent Risk = impact (71) x likelihood (75) = 5,325. Applying adjustment formula 2 - adjusted value = square root (raw value (5,325)) = 72.97, which falls in the "HIGH" band (>60 - 80).
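The following is an added example, not IriusRisk's own code: a self-contained Python model of the inherent risk calculation exactly as the formulas above describe it (formula 1, formulas 1a to 1d, both adjustment formulas and the qualitative bands). It reproduces the worked example for Component 1, and also honours the two rules stated earlier that the example does not exercise, namely taking the greatest weakness when a threat has several and recomputing the maximum of formulas 1a and 1c when the default weightings are changed. The class and function names are the example's own; the controls are left out because inherent risk is calculated before any mitigation is applied.

```python
# Added example: inherent risk as described in this article (not IriusRisk's code).
import math
from dataclasses import dataclass, field
from typing import List


@dataclass
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def average(self) -> float:
        """Average of the three classifications, used by formula 1b."""
        return (self.confidentiality + self.integrity + self.availability) / 3


@dataclass
class Threat:
    name: str
    ease_of_exploitation: int
    confidentiality: int
    integrity: int
    availability: int
    weakness_impacts: List[int] = field(default_factory=list)

    def weakness(self) -> int:
        """Greatest weakness impact; a threat with no weaknesses contributes 0."""
        return max(self.weakness_impacts, default=0)


@dataclass
class Weights:
    """All weightings default to 1, as the article states."""
    business_impact: float = 1.0
    asset: float = 1.0
    exposure: float = 1.0
    ease_of_exploitation: float = 1.0


DIMENSIONS = ("confidentiality", "integrity", "availability")


def scale_to_100(value: float, maximum: float) -> float:
    """Adjustment formula 1: express a raw value as a percentage of its maximum."""
    return value * 100 / maximum


def formula_1a(threat_impact: float, weakness: float, asset_value: float, w: Weights) -> float:
    return (threat_impact * w.business_impact * weakness) / 100 + asset_value * w.asset


def impact(threat: Threat, assets: List[Asset], w: Weights) -> float:
    maximum = formula_1a(100, 100, 100, w)  # maximum of 1a for the current weightings
    # High-water mark over every threat impact type x matching asset classification.
    combos = [
        formula_1a(getattr(threat, d), threat.weakness(), getattr(a, d), w)
        for a in assets
        for d in DIMENSIONS
    ]
    threat_technical_impact = scale_to_100(max(combos), maximum)
    asset_value = max(a.average() for a in assets)  # formula 1b
    raw = formula_1a(threat_technical_impact, threat.weakness(), asset_value, w)
    return scale_to_100(raw, maximum)


def likelihood(threat: Threat, trust_zone_rating: int, w: Weights) -> float:
    exposure = 100 - trust_zone_rating  # formula 1d
    raw = exposure * w.exposure + threat.ease_of_exploitation * w.ease_of_exploitation  # 1c
    maximum = 100 * w.exposure + 100 * w.ease_of_exploitation
    return scale_to_100(raw, maximum)


def inherent_risk(threat: Threat, assets: List[Asset], trust_zone_rating: int,
                  w: Weights = None) -> float:
    w = w or Weights()
    raw = impact(threat, assets, w) * likelihood(threat, trust_zone_rating, w)  # formula 1
    return math.sqrt(raw)  # adjustment formula 2


def qualitative(score: float) -> str:
    """Map a 0-100 score onto the article's bands (upper bound inclusive)."""
    for limit, label in ((20, "very low"), (40, "low"), (60, "medium"), (80, "high")):
        if score <= limit:
            return label
    return "critical"


# The article's example: Component 1 in a trust zone rated 20.
TRUST_ZONE_RATING = 20
ASSETS = [
    Asset("Asset1", confidentiality=100, integrity=20, availability=30),
    Asset("Asset2", confidentiality=50, integrity=70, availability=90),
]
THREAT = Threat("Threat1", ease_of_exploitation=70,
                confidentiality=100, integrity=80, availability=70,
                weakness_impacts=[80])


def example() -> dict:
    """Run the article's example end to end and return every intermediate value."""
    w = Weights()
    score = inherent_risk(THREAT, ASSETS, TRUST_ZONE_RATING, w)
    return {
        "impact": impact(THREAT, ASSETS, w),
        "likelihood": likelihood(THREAT, TRUST_ZONE_RATING, w),
        "inherent_risk": round(score, 2),
        "qualitative": qualitative(score),
    }


if __name__ == "__main__":
    print(example())
```

Running the script prints impact 71, likelihood 75 and an inherent risk of 72.97 ("high"), matching the hand calculation above. Because the maxima of formulas 1a and 1c are derived from the weightings rather than hard-coded as 200, changing a weighting in `Weights` rescales the result the way the article says it should.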