- Risk types
- Inherent Risk = Impact * Likelihood
- Inherent risk calculation use case
- Current risk = Inherent risk - sum(controls risk reduction) + risk increment
- Current risk calculation use case
- Projected risk = Inherent risk - sum(all controls risk reduction)
- Projected risk calculation use case
- Planned mitigation percentage
- Calculate planned mitigation percentage use case
- When to re-calculate threat risks
In this section, we will dive into the amazing world of risk calculation. So put on your seatbelts and let's go for it.
Risk types
Each threat in Irius has three different risk values, each an integer between 0 (minimum) and 100 (maximum).
- Inherent risk: the "starter" risk, the one that represents the risk natural to the affected assets and their exposure. It does not change when countermeasures are implemented.
- Current risk: the risk at this very moment. It is calculated by subtracting from the inherent risk the risk reduction produced by each implemented countermeasure (and adding a risk increment for weaknesses whose tests have failed).
- Projected risk: our goal risk, the one we will have once all required countermeasures are implemented. It is calculated by subtracting from the inherent risk the risk reduction produced by all implemented and required countermeasures. It is exactly like calculating the current risk while assuming that all required countermeasures are already implemented.
Inherent Risk = Impact * Likelihood
The inherent risk is constant: it does not change with the implementation of controls. Its formula is commonly described as impact times likelihood (in practice the product of the two 0-100 values is brought back into the 0-100 range by taking its square root, as the use case below shows). So how do we calculate impact and likelihood?
Impact = Threat technical impact + Asset value
The impact represents the damage this threat might cause, as a number from 0 to 100. It depends on the technical impact of the threat and on the significance of the assets referenced by the threat.
Threat's technical impact
The technical impact is a number between 0 and 100. It is calculated by multiplying the greatest weakness impact by the business impact.
- Weaknesses' greatest impact: each weakness has an impact value, so we just select the greatest one among all the threat's weaknesses.
- Business impact: a value between 0 and 100 that represents the potential damage of the attack. This is the most complicated part of the risk calculation and we recommend checking the use case section to clarify it. It depends on the security classification values (confidentiality, integrity, availability) of the threat and of the assets. We calculate the business impact by applying the impact formula (the one we are currently explaining, Impact = Threat technical impact + Asset value) to each threat-asset combination and each classification dimension, using the threat's security classification as the threat impact and the asset's security classification as the asset value. Then we select the greatest of all the calculated values. Seriously, don't panic, check the use case.
Name | Confidentiality | Integrity | Availability |
--- | --- | --- | --- |
Asset1 | 50 | 25 | 75 |
Asset2 | 75 | 100 | 25 |

Name | Confidentiality | Integrity | Availability |
--- | --- | --- | --- |
Threat1 | 50 | 25 | 35 |

We assume that the weakness impact is 100 and, to keep this illustration simple, equal weights for the threat and asset classification values, so each combination is just the average of the two (the use case below applies the default weightings of 3 for business impact and 1 for asset value).

Combination | Confidentiality | Integrity | Availability |
--- | --- | --- | --- |
Threat1-Asset1 | (50+50)/2 = 50 | (25+25)/2 = 25 | (35+75)/2 = 55 |
Threat1-Asset2 | (50+75)/2 = 62.5 | (25+100)/2 = 62.5 | (35+25)/2 = 30 |

The greatest of these values, 62.5, is the business impact.
Asset value
The asset value expresses the importance of the threatened assets as a value between 0 and 100. We calculate it by selecting the greatest average classification value among the referenced assets. Let's see an instance of this selection:
Name | Confidentiality | Integrity | Availability | AVG |
--- | --- | --- | --- | --- |
Asset1 | 50 | 25 | 75 | 50 |
Asset2 | 75 | 100 | 50 | 75 |
Likelihood = Exposure rating + Ease of exploitation rating
The likelihood (probability) expresses, as a number from 0 to 100, the odds of this threat becoming a reality. It depends on how accessible the trust zone where the threat's component is located is (exposure rating) and on how easy the threat is to exploit (ease of exploitation rating). Where are these values held in Irius?
- Exposure rating: our threat belongs to a component located inside a trust zone, and that trust zone has a trust rating. The exposure rating is 100 - the trust zone's trust rating.
- Ease of exploitation rating: each threat has an ease of exploitation value in its risk rating.
Inherent risk calculation use case
Now let's do the math for a real case, as it is done in our code.
This is the data set we are going to use:
Component 1
→ Trust zone (trust rating: 20)
→ Asset 1 (confidentiality: 100, integrity: 20, availability: 30)
→ Asset 2 (confidentiality: 50, integrity: 70, availability: 90)
→ Threat 1 (ease of exploitation: 70, confidentiality: 100, integrity: 80, availability: 70)
→ Weakness 1 (impact: 80)
→ Control 1 (mitigation: 80, state: implemented, test: passed)
→ Control 2 (mitigation: 20, state: required, test: not tested)
→ Control 3 (mitigation: 30, state: recommended, test: not tested)
Let's start calculating the impact factor
Calculate impact factor
We have to point out that the real formula used in our code to calculate the impact is actually:
BUSINESS_IMPACT_WEIGHTING(3) * (businessImpact(X1) * weaknessImpact(80) / 100) + ASSET_VALUE_WEIGHTING(1) * assetValue(X2) = Y
- BUSINESS_IMPACT_WEIGHTING: a configurable value that lets users modify the weight of the business impact in the risk calculation. Its default value is 3.
- ASSET_VALUE_WEIGHTING: a configurable value that lets users modify the weight of the asset value in the risk calculation. Its default value is 1.
- businessImpact: how to calculate this value is explained in the following lines.
- weaknessImpact: the greatest impact value among all the threat's weaknesses. In this case 80.
- assetValue: the greatest average of the assets' classification values.
Since we want the impact to be an integer between 0 and 100, we multiply it by 100 and divide the result by its maximum value [3 * ((100 * 100) / 100) + 100 = 400]:
IMPACT(X) * 100 / MAX_IMPACT(400) = Y
First of all, we calculate the greatest average of the assets' classification values. It is as easy as this:
Asset | Confidentiality | Integrity | Availability | Avg |
--- | --- | --- | --- | --- |
Asset 1 | 100 | 20 | 30 | 50 |
Asset 2 | 50 | 70 | 90 | 70 |
Secondly, to calculate the impact factor we need the business impact (X1), which is calculated with the same impact formula but replacing the threat impact with the threat's security classification value and the asset value with the asset's security classification value:
BUSINESS_IMPACT_WEIGHTING(3) * (threatClassificationValue(X1) * weaknessImpact(80) / 100) + ASSET_VALUE_WEIGHTING(1) * assetClassificationValue(X2) = Y
Since we have 2 assets, each with 3 security classification values, we need to calculate 6 values:
Asset | Classification | BUSINESS_IMPACT_WEIGHTING | Threat classification value | weaknessImpact | ASSET_VALUE_WEIGHTING | Asset classification value | Result |
--- | --- | --- | --- | --- | --- | --- | --- |
Asset 1 | Confidentiality | 3 | 100 | 80 | 1 | 100 | 340 |
Asset 1 | Integrity | 3 | 80 | 80 | 1 | 20 | 212 |
Asset 1 | Availability | 3 | 70 | 80 | 1 | 30 | 198 |
Asset 2 | Confidentiality | 3 | 100 | 80 | 1 | 50 | 290 |
Asset 2 | Integrity | 3 | 80 | 80 | 1 | 70 | 262 |
Asset 2 | Availability | 3 | 70 | 80 | 1 | 90 | 258 |
As we can see the greatest value is 340, but since we want it to be a number between 0 and 100 we do BUSINESS_IMPACT(340) * 100 / BUSINESS_MAX_IMPACT(400) = 85.
Now that we have the business impact value we just need to replace it in the first formula:
BUSINESS_IMPACT_WEIGHTING(3) * (businessImpact(85) * weaknessImpact(80) / 100) + ASSET_VALUE_WEIGHTING(1) * assetValue(70) = 274
As we can see the impact value is 274, but since we want it to be an integer between 0 and 100 we do:
IMPACT(274) * 100 / MAX_IMPACT(400) = 68.5 → 68
Calculate probability factor
We have to point out that the real formula used in our code to calculate the probability is actually:
EXPOSURE_WEIGHTING(1) * exposureRating(80) + EASE_OF_EXPLOITATION_WEIGHTING(1) * easeOfExploitation(70) = 150
- EXPOSURE_WEIGHTING: a configurable value that lets users modify the weight of the exposure in the risk calculation. Its default value is 1.
- EASE_OF_EXPLOITATION_WEIGHTING: a configurable value that lets users modify the weight of the ease of exploitation in the risk calculation. Its default value is 1.
- exposureRating: as mentioned before, its value is 100 - trust rating(20) = 80.
- easeOfExploitation: the threat's ease of exploitation, 70.
Since we want the probability to be a number between 0 and 100, we multiply it by 100 and divide the result by its maximum value [1 * 100 + 1 * 100 = 200]:
PROBABILITY(150) * 100 / MAX_PROBABILITY(200) = 75
Putting all together
Now that we have the two values needed to calculate the inherent risk, impact (68) and probability (75), we apply the formula:
impact(68) * probability(75) = 5100
Again, since we want it to be an integer between 0 and 100, we take the square root of the product (the geometric mean of two values in 0..100 is itself in 0..100):
SQRT(impact(68) * probability(75)) = SQRT(5100) = 71.4 → 71
So the inherent risk of Threat 1 is 71.
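The whole inherent risk calculation above, carried through in Python as an added example; it is not IriusRisk's own code. It takes the use case data (Component 1 in a trust zone with trust rating 20, two assets, Threat 1 with one weakness of impact 80) and the four default weightings as inputs and reproduces 85, 68, 75 and 71. The class and function names are assumptions for illustration, and so is the rounding rule: the page does not state one, and Python's round(), which rounds halves to even, matches every figure in the worked example (including 68.5 → 68).

```python
from dataclasses import dataclass
from math import sqrt

# Default weightings named on the page; all four are user-configurable in the product.
BUSINESS_IMPACT_WEIGHTING = 3
ASSET_VALUE_WEIGHTING = 1
EXPOSURE_WEIGHTING = 1
EASE_OF_EXPLOITATION_WEIGHTING = 1

CIA = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def classification(self, dimension: str) -> int:
        return getattr(self, dimension)

    def average_classification(self) -> float:
        return sum(self.classification(d) for d in CIA) / len(CIA)


@dataclass(frozen=True)
class Threat:
    name: str
    ease_of_exploitation: int
    confidentiality: int
    integrity: int
    availability: int
    weakness_impacts: tuple  # impact rating of every weakness attached to the threat

    def classification(self, dimension: str) -> int:
        return getattr(self, dimension)


def impact_formula(business_impact: float, weakness_impact: float, asset_value: float) -> float:
    """Raw (un-normalised) impact:
    BUSINESS_IMPACT_WEIGHTING * (businessImpact * weaknessImpact / 100)
        + ASSET_VALUE_WEIGHTING * assetValue"""
    return (BUSINESS_IMPACT_WEIGHTING * (business_impact * weakness_impact / 100)
            + ASSET_VALUE_WEIGHTING * asset_value)


def scale_to_100(value: float, max_value: float) -> int:
    """Bring a raw score into 0..100 by dividing by its theoretical maximum.
    Rounding rule is an assumption: the page states none, and Python's round()
    (halves to even) reproduces every figure of the worked example, e.g. 68.5 -> 68."""
    return round(value * 100 / max_value)


MAX_IMPACT = impact_formula(100, 100, 100)  # 400 with the default weightings


def business_impact(threat: Threat, assets: list) -> int:
    """Apply the impact formula to every (asset, C/I/A dimension) pair, using the
    threat's classification as threat impact and the asset's classification as
    asset value, then keep the greatest result."""
    weakness_impact = max(threat.weakness_impacts)
    raw = max(impact_formula(threat.classification(d), weakness_impact, a.classification(d))
              for a in assets for d in CIA)
    return scale_to_100(raw, MAX_IMPACT)


def impact(threat: Threat, assets: list) -> int:
    asset_value = max(a.average_classification() for a in assets)
    raw = impact_formula(business_impact(threat, assets), max(threat.weakness_impacts), asset_value)
    return scale_to_100(raw, MAX_IMPACT)


def likelihood(threat: Threat, trust_rating: int) -> int:
    exposure_rating = 100 - trust_rating  # the less trusted the zone, the more exposed
    raw = (EXPOSURE_WEIGHTING * exposure_rating
           + EASE_OF_EXPLOITATION_WEIGHTING * threat.ease_of_exploitation)
    max_raw = EXPOSURE_WEIGHTING * 100 + EASE_OF_EXPLOITATION_WEIGHTING * 100
    return scale_to_100(raw, max_raw)


def inherent_risk(threat: Threat, assets: list, trust_rating: int) -> int:
    # Geometric mean: the product of two 0..100 scores is pulled back into 0..100.
    return round(sqrt(impact(threat, assets) * likelihood(threat, trust_rating)))


# Constructed input: the page's use case (Component 1 in a trust zone rated 20).
USE_CASE_TRUST_RATING = 20
USE_CASE_ASSETS = [Asset("Asset 1", 100, 20, 30), Asset("Asset 2", 50, 70, 90)]
USE_CASE_THREAT = Threat("Threat 1", ease_of_exploitation=70,
                         confidentiality=100, integrity=80, availability=70,
                         weakness_impacts=(80,))

if __name__ == "__main__":
    print("business impact:", business_impact(USE_CASE_THREAT, USE_CASE_ASSETS))  # 85
    print("impact:", impact(USE_CASE_THREAT, USE_CASE_ASSETS))  # 68
    print("likelihood:", likelihood(USE_CASE_THREAT, USE_CASE_TRUST_RATING))  # 75
    print("inherent risk:", inherent_risk(USE_CASE_THREAT, USE_CASE_ASSETS, USE_CASE_TRUST_RATING))  # 71
```

Changing any of the four weighting constants changes MAX_IMPACT (or the likelihood maximum) as well, which is why the normalisation divides by the formula evaluated at 100 rather than by a fixed 400 or 200.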
Current risk = Inherent risk - sum(controls risk reduction) + risk increment
The current risk of a threat is an integer between 0 and 100 that represents the risk the threat implies at this very moment. It is calculated by subtracting from the inherent risk the risk reduction produced by each countermeasure and adding a risk increment that represents the increase in risk produced by failing weakness tests. So how do we calculate the risk reduction of each of the threat's controls?
Inherent risk
Represents the natural risk of a threat and depends on the probability and the impact of the threat. The correct way to calculate inherent risk is explained in the previous section
Control risk reduction
Risk reduction is a value between 0 and 100 and represents the decrement in the threat's risk produced by each of its countermeasures. A countermeasure reduces the risk only when its test has passed, or when it is in state implemented and its test has not failed; in every other case (required or recommended countermeasures, and implemented ones whose test failed) its risk reduction is 0. The reduction is factor * mitigation / 100 * inherentRisk, where factor is one of the configurable values described in the use case below.
Mitigation is a percentage value that represents the share of the risk removed by implementing the control.
Risk increment
The risk increment is an integer between 0 and 100 that represents the increase in the threat's risk produced by failing weakness tests. Among all weaknesses with failed tests we select the one with the highest impact rating and multiply that rating by a configurable factor (0 by default) to get the risk increment.
Weakness | Test result | Impact rating |
--- | --- | --- |
Weakness1 | PASSED | 100 |
Weakness2 | FAILED | 50 |
Weakness3 | FAILED | 80 |
Since the default factor for the risk increment is 0, the result would be 0 * 80 = 0. But we need to be aware that customers might configure a different value for this factor.
By default, a weakness is created with an impact rating of 100.
Current risk calculation use case
Now we are going to do the math for the real case described in the section "Inherent risk calculation use case", using the inherent risk calculated there.
As we already know the inherent risk is 71 and we have 3 controls for the same weakness:
→ Weakness 1 (impact: 80)
→ Control 1 (mitigation: 80, state: implemented, test: passed)
→ Control 2 (mitigation: 20, state: required, test: not tested)
→ Control 3 (mitigation: 30, state: recommended, test: not tested)
Calculate risk reduction for each countermeasure
We have to point out that in our code the real formula used for calculating the risk reduction value is:
factor * mitigation / 100 * inherentRisk
We have two different configurable values for factor:
- MITIGATION_FACTOR_CONTROL_TEST_PASSED: the one used when the countermeasure's test has passed. By default 1.
- MITIGATION_FACTOR_CONTROL_IMPLEMENTED: the one used when the countermeasure is in state implemented and its test has not failed. By default 1.
Since by default the factor is 1 in both cases it makes no difference in this calculation, but we must be aware that our customers might have configured different values. When neither case applies (the countermeasure is only required or recommended, or its test has failed) the risk reduction is 0.
Applying this decision rule with the default factor values, we get the following risk reductions:
- Control 1 (implemented, test passed): mitigation(80) * factor(1) / 100 * inherentRisk(71) = 56.8 → 57
- Control 2 (required, not yet implemented): 0
- Control 3 (recommended): 0
The sum of all of them is 57 + 0 + 0 = 57.
Calculate risk increment
Since we don't have any weakness with a failed test result, the risk increment is 0. As a matter of fact, even if we had such a weakness, the configurable factor for the risk increment is 0 by default, so it would be 0 anyway. The only case in which this value affects the current risk is when the customer has set a different value for the configurable factor.
Putting all together
Since we already have the values for inherent risk, the sum of all control's risk reduction values and the risk increment value we can calculate the current risk like this:
inherentRisk(71) - controlsRiskReduction(57) + riskIncrement(0) = 14
Projected risk = Inherent risk - sum(all controls risk reduction)
The projected risk is our goal risk the one we will achieve once we get to correctly implement all required countermeasures. Therefore, the way we calculate the projected risk is quite similar to the way we calculate the current risk, the only difference is that in this calculation we are going to assume that all required countermeasures are correctly implemented.
Inherent risk
Represents the natural risk of a threat and depends on the probability and the impact of the threat. The correct way to calculate inherent risk is explained in the previous section.
Control risk reduction
Risk reduction is a value between 0 and 100 and represents the decrement in the threat's risk produced by each of its countermeasures.
In this case we do exactly the same as for the current risk, but assuming the following:
- All required countermeasures are implemented
- All weakness tests are passed (so the risk increment is 0)
- All tests for required and implemented countermeasures are passed
Therefore the risk reduction is factor * mitigation / 100 * inherentRisk for all required and implemented countermeasures and 0 in all other cases (recommended countermeasures, for example).
Projected risk calculation use case
Now we are going to do the math for the real case described in the section "Inherent risk calculation use case", using the inherent risk calculated there.
As we already know the inherent risk is 71 and we have 3 controls for the same weakness:
→ Weakness 1 (impact: 80)
→ Control 1 (mitigation: 80, state: implemented, test: passed)
→ Control 2 (mitigation: 20, state: required, test: not tested)
→ Control 3 (mitigation: 30, state: recommended, test: not tested)
Calculate risk reduction for each countermeasure
The formula (factor * mitigation / 100 * inherentRisk) and the two configurable factors, MITIGATION_FACTOR_CONTROL_TEST_PASSED and MITIGATION_FACTOR_CONTROL_IMPLEMENTED (both 1 by default, but possibly changed by our customers), are the same as in the current risk use case above. The only difference is that Control 2, being required, is now treated as implemented with a passed test.
The projected risk reduction for each countermeasure would be:
- Control 1 (implemented, test passed): mitigation(80) * factor(1) / 100 * inherentRisk(71) = 56.8 → 57
- Control 2 (required, assumed implemented with a passed test): mitigation(20) * factor(1) / 100 * inherentRisk(71) = 14.2 → 14
- Control 3 (recommended): 0
The sum of all of them is 57 + 14 + 0 = 71.
Putting all together
Since we already have the inherent risk, the sum of all the controls' risk reductions and the risk increment (0, because all weakness tests are assumed to pass), we can calculate the projected risk like this:
inherentRisk(71) - controlsRiskReduction(71) + riskIncrement(0) = 0
If the reductions added up to more than the inherent risk the result would be negative, and it is clamped to 0: none of the three risk values ever goes below 0 or above 100.
Planned mitigation percentage
This percentage is shown in the threats table and represents the mitigation still planned for the threat. It is calculated by adding the mitigation values of all required countermeasures whose test result is not passed.
Calculate planned mitigation percentage use case
Now we are going to do the math for the real case described in the section "Inherent risk calculation use case".
As we already know we have 3 controls:
→ Control 1 (mitigation: 80, state: implemented, test: passed)
→ Control 2 (mitigation: 20, state: required, test: not tested)
→ Control 3 (mitigation: 30, state: recommended, test: not tested)
The only required control whose test is not passed is Control 2, so:
sumOfRequiredNotPassedMitigations = 20, i.e. the planned mitigation percentage is 20%.
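Current risk, projected risk and planned mitigation percentage for the same use case, as an added Python example that continues from the inherent risk of 71; it is not the product's code. The decision rule in mitigation_factor() is reconstructed from the two factor definitions and the worked figures (the product's own decision diagram is not on this page), and the names, the Config class and the per-control rounding are assumptions for illustration. Beyond the page's numbers it also shows what a non-default risk increment factor does, which the default of 0 hides.

```python
from dataclasses import dataclass, replace
from enum import Enum


class State(Enum):
    IMPLEMENTED = "implemented"
    REQUIRED = "required"
    RECOMMENDED = "recommended"


class TestResult(Enum):
    PASSED = "passed"
    FAILED = "failed"
    NOT_TESTED = "not tested"


@dataclass(frozen=True)
class Config:
    """The three configurable factors named on the page, with their defaults."""
    mitigation_factor_control_test_passed: float = 1.0
    mitigation_factor_control_implemented: float = 1.0
    risk_increment_factor: float = 0.0


@dataclass(frozen=True)
class Control:
    name: str
    mitigation: int  # percentage of the risk removed by implementing this countermeasure
    state: State
    test: TestResult


@dataclass(frozen=True)
class Weakness:
    name: str
    test: TestResult
    impact_rating: int = 100  # weaknesses are created with an impact rating of 100


def mitigation_factor(control: Control, cfg: Config) -> float:
    """Assumed decision rule, reconstructed from the two factor definitions:
    a countermeasure reduces risk if its test passed, or if it is implemented and
    its test has not failed; required and recommended ones contribute nothing."""
    if control.test is TestResult.PASSED:
        return cfg.mitigation_factor_control_test_passed
    if control.state is State.IMPLEMENTED and control.test is not TestResult.FAILED:
        return cfg.mitigation_factor_control_implemented
    return 0.0


def risk_reduction(control: Control, inherent_risk: int, cfg: Config) -> int:
    # factor * mitigation / 100 * inherentRisk, rounded per control as in the worked example
    return round(mitigation_factor(control, cfg) * control.mitigation / 100 * inherent_risk)


def risk_increment(weaknesses: list, cfg: Config) -> float:
    """Highest impact rating among weaknesses with a failed test, times the factor."""
    failed = [w.impact_rating for w in weaknesses if w.test is TestResult.FAILED]
    return cfg.risk_increment_factor * max(failed, default=0)


def clamp(value: float) -> int:
    """All three risk values are integers in 0..100."""
    return max(0, min(100, round(value)))


def current_risk(inherent_risk: int, controls: list, weaknesses: list,
                 cfg: Config = Config()) -> int:
    reduction = sum(risk_reduction(c, inherent_risk, cfg) for c in controls)
    return clamp(inherent_risk - reduction + risk_increment(weaknesses, cfg))


def projected_risk(inherent_risk: int, controls: list, cfg: Config = Config()) -> int:
    """Current risk under the page's assumptions: every required countermeasure is
    implemented with a passed test, and no weakness test fails (increment is 0)."""
    projected = [replace(c, state=State.IMPLEMENTED, test=TestResult.PASSED)
                 if c.state in (State.REQUIRED, State.IMPLEMENTED) else c
                 for c in controls]
    return current_risk(inherent_risk, projected, [], cfg)


def planned_mitigation_percentage(controls: list) -> int:
    """Sum of the mitigation of required countermeasures whose test is not passed."""
    return sum(c.mitigation for c in controls
               if c.state is State.REQUIRED and c.test is not TestResult.PASSED)


# Constructed input: the page's use case, continuing from the inherent risk of 71.
USE_CASE_INHERENT_RISK = 71
USE_CASE_CONTROLS = [
    Control("Control 1", 80, State.IMPLEMENTED, TestResult.PASSED),
    Control("Control 2", 20, State.REQUIRED, TestResult.NOT_TESTED),
    Control("Control 3", 30, State.RECOMMENDED, TestResult.NOT_TESTED),
]
USE_CASE_WEAKNESSES = [Weakness("Weakness 1", TestResult.NOT_TESTED, impact_rating=80)]

if __name__ == "__main__":
    print("current risk:", current_risk(USE_CASE_INHERENT_RISK, USE_CASE_CONTROLS, USE_CASE_WEAKNESSES))  # 14
    print("projected risk:", projected_risk(USE_CASE_INHERENT_RISK, USE_CASE_CONTROLS))  # 0
    print("planned mitigation %:", planned_mitigation_percentage(USE_CASE_CONTROLS))  # 20
    # A non-default increment factor makes failed weakness tests visible in the current risk.
    failed = [Weakness("Weakness 2", TestResult.FAILED, 50), Weakness("Weakness 3", TestResult.FAILED, 80)]
    print("current risk, two failed tests, factor 0.5:",
          current_risk(USE_CASE_INHERENT_RISK, USE_CASE_CONTROLS, failed, Config(risk_increment_factor=0.5)))  # 54
```

The last call is the case the page warns about: with the factor left at 0, failed weakness tests never move the current risk, so a deployment that wants failed tests to be visible in the threat table has to set a non-zero factor.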
When to re-calculate threat risks
The risks of a threat are re-calculated when...
- ...a project...
- ...is updated with changes from template.
- ...is updated with changes from library.
- ...a template...
- ...is imported to a project.
- ...is imported from XML file.
- ...is updated from XML file.
- ...a component...
- ...is duplicated.
- ...rules are executed.
- ...a trust zone...
- ...is added to a component.
- ...an asset...
- ...is added to a component.
- ...from a component is updated.
- ...is removed from a component.
- ...a use case...
- ...is copied to a component.
- ...a threat...
- ...from a library or template is updated.
- ...is updated.
- ...is created.
- ...is accepted.
- ...is marked as not applicable.
- ...is marked as applicable.
- ...is exposed.
- ...at project scope is imported from rules.
- ...is copied to a use case.
- ...a countermeasure...
- ...is saved.
- ...is applied.
- ...is deleted.
- ...test result is updated.
- ...is associated to a weakness.
- ...is removed from a weakness.
- ...is associated to a threat.
- ...is removed from a threat.
- ...is recommended.
- ...is rejected.
- ...is synchronized with issue tracker and its state changes to Implemented, Rejected or Required.
- ...a weakness...
- ...test result is updated.
- ...is added to a threat.
- ...is removed from a threat.
- ...is removed.
- ...the mitigation...
- ...is updated.
- ...tests results...
- ...are imported from external sources.
- ...import a Microsoft Threat Model from XML...
- ...in version 5.
- ...in version 7.
- ...in migration...
- ...RecalculateThreatRiskRatingMigration.
- ...ThreatRiskRatingZeroToOneMigration.