A model for asset valuation in security risk analysis regarding assets' dependencies
Conference Paper · May 2012
DOI: 10.1109/IranianCEE.2012.6292456
20th Iranian Conference on Electrical Engineering (ICEE2012), May 15-17, 2012, Tehran, Iran

A Model for Asset Valuation in Security Risk Analysis Regarding Assets' Dependencies

Iman Loloei, Hamid Reza Shahriari, Abolghasem Sadeghi
i.loloei@gmail.com, shahriari@aut.ac.ir, a_saadeghi@yahoo.com

Abstract-Organizations leverage security risk analysis methods to detect and prioritize security risks. One of the main parameters in risk analysis is asset value, which is used to calculate the security impact of probable threats. Although assets are not independent and their values usually depend on other assets, most current approaches do not consider the interdependency of assets in the valuation process. In this paper, a model for asset valuation regarding dependencies between assets is presented. The model is based on a meta-model in which dependencies between assets and asset types are well specified. Then the value propagation graph is defined to represent the effects of different assets on each other's value, and an algorithm is presented to calculate asset values. Finally, the effectiveness of the model is verified by a real case study. The presented approach uses a meta-model to address any dependency between assets in different layers of an organization. Also, use of the value propagation graph assures that all types of assets that affect the value of an asset are considered when valuating assets.

Keywords: Security risk analysis, Impact analysis, Asset valuation, Assets dependencies.

I. INTRODUCTION

All security risk assessment processes, whether quantitative or qualitative, have similar basic steps, including threat analysis, asset valuation, vulnerability analysis, and risk assessment. Any process for evaluating existing security controls and their effectiveness in protecting organization assets is a security risk assessment method.

A key step in security risk assessment is identification of the assets that should be protected. Identification of assets can be simple work, such as listing the items that need to be protected based on a series of checklists and engineering judgments, or a process that may include the need for an inventory of capital equipment, a system resources tracking matrix, reviewing legal documents, and effort for listing all intangible assets such as the reputation of the organization [1].

After identifying assets, it is required to determine their values. Valuation of assets is an important part of business accounting and planning within an organization and may be done for a variety of reasons. These reasons may include legal compliance, planning for the future, insurance, records management, budgeting, information classification and criticality assignment. In security risk assessment, asset valuation is performed for information classification and criticality assignment [1].

In the security risk analysis process, considering the value of assets is important because the correct calculation of the value of an asset can help management in the decision-making stage about the level of risks. But independent calculation of the value of assets is not adequate for security risk analysis; dependencies between the assets must also be considered. For example, if a computer is damaged in an organization, then because other assets depend on this computer, the value of this computer cannot be calculated independently; the calculation must be done by considering the value of those dependent assets.

There are some works that consider dependency for asset valuation [2, 3], but they have weaknesses such as: (1) there is no specified and certain framework for considering various types of assets and their dependencies, and (2) it was not shown how they can consider all types of organization assets and their inter-dependency.

In this paper, dependencies are defined from the availability aspect. According to this definition, for identifying dependencies in an organization, a meta-model presented in [4 and 5] is used. The meta-model shows the various types of assets and the dependencies between them well. In continuation of the valuation process, a value propagation graph is defined that shows the propagation of value among the elements of the organization. In the valuation phase, this graph helps to indicate which assets affect the value of an asset. Finally, a relation and an algorithm are given for valuation. The advantage of this work over other similar previous works is that dependencies between types of assets are well defined using the meta-model. Moreover, the asset value is calculated in a way that all assets that affect the value of an asset are considered, using the value propagation graph.

The following sections are structured as follows. Section 2 discusses related work. The core of the paper is section 3, presenting the asset valuation model. The model is illustrated by means of a case study in section 4. In section 5 our approach is compared with existing methods, and finally in section 6 conclusions and future work are presented.

II. RELATED WORK

There is little related work, such as [2, 3, 6, 7, and 8], on asset valuation for security risk management. The related work can be divided into two groups: valuation with regard to dependency and valuation without considering dependency.

978-1-4673-1148-9/12/$31.00 ©2012 IEEE
In [2] the asset value has been computed from the operational continuation aspect. It states that asset value cannot be calculated without consideration of the other assets' values. Therefore, dependencies of that asset on the other assets should be considered in asset valuation analysis. In the asset valuation process of that paper, two parameters are very important: the importance of business processes and the contribution of an asset to the objectives of a business process.

In [3], for modeling dependencies of the network infrastructure and calculating network asset values, a model has been presented that considers asset dependencies. In this model, a graph is used for modeling dependencies in which the nodes of the graph are assets and the edges are functional requirements. Edges are labeled with dependency weights. A key node representing user services also exists in the graph. This node is an interface for connecting business users to the network.

There are some other works that calculate asset values without considering asset dependencies. They just use some cost parameters based on the business importance of the asset and the impact on the organization.

In [6] a method for valuation of information assets is presented. It considers parameters such as exclusive possession, utility, cost of creation or re-creation, potential liability, convertibility, and operational impact. In the calculation process these parameters are categorized based on information security aspects, and the value is calculated for each information security aspect independently. The information value in this study is identified according to an interval of two values: one is the positive value for the situation where the information is exact and usable, and the other is the negative value when there is a problem, such as data being incorrect or contrary to the agreements.

In [7 and 8], a qualitative asset valuation procedure regarding the business process has been presented. In these papers, asset classification is performed via two aspects: type of asset and business process criteria such as department of use, business contribution and the amount of use. This kind of classification shows that asset values may differ regarding the criteria. These papers state that because business criteria are calculated in qualitative form, the final valuation is expressed qualitatively. The stages of calculation are as follows: (1) calculation of tangible asset value, (2) calculation of intangible asset value, (3) conversion of the quantitative amounts calculated in the first and second stages to qualitative amounts, (4) considering business process criteria and assigning a level for them via consideration of assets, and (5) final calculation of asset value.

III. VALUATION MODEL

For asset valuation we must first understand what factors should be involved. Thus, the value of an asset is composed of two extents: independent value and dependent value.

The independent asset value is the value of an asset regardless of its dependencies, and the dependent value is the value of an asset that depends on other assets and is affected by its relationship type to them.

Two parameters are involved in the independent value of assets: (1) cost parameters such as the initial asset cost, maintenance cost and replacement cost [2, 6, 8, 9, and 10], and (2) the importance of an asset in the business process, that is, the importance of an asset for the organization and its business according to its needs [2, 7, and 8]. In the second parameter, the impact of damage upon security parameters and the external environment can be considered [9, 10, and 11].

A. Dependencies Between the Assets

Dependencies between assets may affect asset values. For example, the value of a physical asset should be considered according to the logical assets that are stored on it. For instance, the relative importance of a hard disk without considering its dependencies may be only 0.5%. But its content may be so valuable that its relative importance is 5%. A hard disk failure causes the stored data to be inaccessible. Therefore, the value of this hard disk cannot be calculated alone and should be calculated according to the dependent assets. Hence, we should determine dependencies between assets for asset valuation.

Here we can note that the lack of consideration of dependencies between processes and assets in methodologies such as COBIT and ISO 17799 has caused management to encounter difficulties in the risk management phase because:

"It is standard practice to protect the processes whose availability has a greater direct impact on the organization goals, while a more accurate analysis in many cases reveals that it is more cost effective to protect some of the processes that have an indirect impact as well."

Dependencies between assets can be defined in terms of security parameters (confidentiality, integrity and availability). In this paper, the dependency is defined in terms of availability.

Definition 1: A source asset has an availability dependency on target asset(s) if the source asset, for its type of association with the target asset(s), needs the existence of them.

We use the notation a --α-- b for dependency, where a is the source asset, b is the target asset(s) and α is the association type (e.g. using, execution, etc.).

When an asset is dependent on another asset(s), this dependency is not necessarily complete. An asset may depend on some assets only partially. Thus, for any dependency, a dependency percent is defined.

Definition 2: A dependency percent shows how much a source asset is dependent on target asset(s) for their association.

The dependency percent is a number between 0 and 1 and can be determined by the owners of the asset or related managers.

B. A Meta-Model for Considering Dependency

In order to be able to evaluate assets and their dependencies, we should first identify asset types. Based on ISO 27005 [9], assets are divided into eight types: business processes and activities, information, hardware, software, network, personnel, site, and organization's structure. In this paper, we do not consider site.
After asset identification, we should determine their dependencies. To model dependencies well, we model the elements of an organization based on a meta-model which has been presented in [4 and 5]. The meta-model is simple, and an organization's assets and their dependencies can be defined well with it. In this paper we just outline the main concepts of the approach which are relevant for the current paper. Those who are interested in a more detailed discussion of the modeling are referred to [4 and 5].

The meta-model contains three layers (Fig. 1):

Business Layer: This layer includes business artifacts like organizational units, roles, business processes and information objects. An Organizational Unit shows an organization as a whole, its business units, and its departments. Role is defined in relation to an organizational unit; a role is involved in the execution of business process activities. Organizational units have some objectives for their businesses, and Business Process is defined in association with these objectives. Business processes are activities that describe the dynamic behavior of an organization. Business processes can be executed by components. Also, business processes may use some Information to perform their activities. Information is used to model information assets. Information can be processed by information systems and can be stored on nodes. Also, information can be transmitted over edges.

Application Layer: Information systems and components are modeled in this layer. A Component is usually an application that supports business processes and executes on one or more nodes.

Technical Layer: In this layer physical hardware, supporting software for components, and communication systems are modeled. A Node represents the physical and technical infrastructure that is used to store information assets or support the execution of components. An Edge is a communication device. Nodes can communicate with each other via an edge. Also, information can be transmitted over an edge between nodes.

Definition 3: In this paper, elements are Organizational Unit, Role, Business Process, Information, Component, Node, and Edge.

Figure 1. Organization meta-model

In order to indicate asset types better and help managers to show assets in the meta-model well, we explain Node further. A node includes hardware, operating systems, and system software. The relation between these is described in operating systems texts; using [13], the relations can be indicated as in Fig. 2.

Figure 2. Node element in the meta-model (layers, top to bottom: Other System Programs, Operating System, Computer Hardware)

In the remainder of the paper, we use the following symbols for elements of the meta-model: OU (Organizational Unit), R (Role), BP (Business Process), I (Information), C (Component), N (Node), and E (Edge).

C. Value Propagation Graph and a Valuation Relation

Because we need the dependencies that are indicated in the meta-model for valuation, we summarize the meta-model as Fig. 3.

Figure 3. Dependency graph

To determine the value of each asset we should specify which assets affect the value of an asset. To do this, we define the value propagation graph. This graph is used to represent how assets affect the value of each other, and how an asset's value propagates through other assets.
Definition 4: The value propagation graph G is a triple <El, E, W> where El is the set of the meta-model's elements and E is the set of edges. Each edge is a pair <el, el'> where el is the element that value propagates from and el' is the element that value propagates to. W is a weighting function that assigns a weight (dependency percent) to each edge.

By analyzing the dependencies in the dependency graph, the value propagation graph indicated in Fig. 4 is obtained.

Fig. 4 describes that:
- The value of an edge is affected by two asset types: the value of the information transmitted over it and the values of the nodes that use the edge to communicate.
- The value of a node is affected by two asset types: the value of the components executed on it and the value of the information stored on it.
- The value of a component is affected by the value of the business processes that use the component.
- The value of information is affected by the value of the components and business processes that process the information.
- The value of a business process is affected by the value of the organizational unit that uses it.
- The value of a role is affected by the value of the business processes the role is responsible for and the value of the organizational unit that the role is part of.

Figure 4. Value propagation graph for the meta-model

At the beginning of section 3 it was mentioned that three parameters are involved in the value of an asset: (1) the cost parameter, (2) the importance of the business process and the impact of damage, and (3) dependencies. We express the asset value with this relation:

$V_j = V_{d_j} + V_{ind_j}$ (1)

In this relation, $V_{d_j}$ is the value of asset j considering dependency, and $V_{ind_j}$ is the initial value of asset j, which is computed without considering dependency and is the sum of the value of the cost parameter and the value of the importance of the business process and impact of damage.

Now we define $V_{d_j}$ as:

$V_{d_j} = \sum_{i=1}^{n} \alpha_i \cdot V_i$ (3)

In this relation:
- n is the number of input edges to asset j.
- $V_i$ is the current value of asset i that has an input edge to asset j, calculated based on relation (1).
- $\alpha_i$ is the dependency percent between asset i and asset j.

In Fig. 4, we can see that the graph is hierarchical and so it does not have a cycle. Based on this, we create Algorithm 1 for calculating the value of each asset.

Algorithm 1 - Valuation algorithm

G = <El, E, W>: Value propagation graph;
for all el ∈ El {
    V(el) = Vind(el);
}
Enum Elements[] = {OU, BP, R, C, I, N, E};
Enum x[]; // the elements of any one Elements type
Mark all sources of x as visited if x is of OU type and does not have any source;
while Elements is not empty {
    x = Elements.next;
    while x is not empty {
        el = x.next;
        if all sources of el are visited {
            mark el as visited;
            for all <el, el'> ∈ outgoing(el) {
                V(el') += W(el, el') * V(el);
            } // end for
            Extract el from x;
        } // end if
    } // end while
    Extract x from Elements;
} // end while

IV. CASE STUDY

The model described in Section 3 is now illustrated by means of a case study.

We study a corporation with two objectives. The first is selling goods, and the second is purchasing goods. The first objective has higher priority. The corporation uses two applications in order to fulfill its objectives. These applications use a database via a router. The value of assets can be presented in qualitative or quantitative format. Because the importance of an asset in the business process is presented in qualitative format, the value of an asset based on the cost parameter is presented qualitatively as well. Table 1 presents an example of a conversion table. In order to show the importance of an asset in the business process, we use a business contribution factor [7 and 8]. Table 2 presents the business contribution factor.

TABLE I. AN EXAMPLE OF A CONVERSION TABLE

Qualitative value (Level / Scale) | Description
Very low / 1  | Asset value based on cost parameters is less than $100.
Low / 2       | Asset value based on cost parameters is $100 - $400.
Medium / 3    | Asset value based on cost parameters is $400 - $700.
High / 4      | Asset value based on cost parameters is $700 - $1000.
Very high / 5 | Asset value based on cost parameters is more than $1000.
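The valuation procedure above (relations (1) and (3) and Algorithm 1), applied to the corporation of this case study, as an executable Python example. This is an added example and not code from the paper: the class, the function names and the processing loop with its cycle check are this example's own, while the element order OU, BP, R, C, I, N, E, the dependency percent of 1 and the asset levels and edges are those of the paper's Tables III and IV and Fig. 5. Two things the paper leaves implicit are made explicit here as labelled assumptions: how a cost exactly on a Table I boundary (e.g. $400) is classified, and what happens if the graph is not hierarchical (Algorithm 1 would never terminate, so the example raises an error instead).

```python
"""Asset valuation with dependency propagation (Section III.C, Algorithm 1),
worked on the Section IV case study.  Added example; not code from the paper."""
from collections import defaultdict

# Processing order of element types in Algorithm 1: OU, BP, R, C, I, N, E.
ELEMENT_ORDER = ("OU", "BP", "R", "C", "I", "N", "E")


def cost_level(dollars):
    """Table I conversion of a cost in dollars to the qualitative scale 1..5.
    Assumption (not stated in the paper): an amount on a boundary such as $400
    falls in the higher band, so the bands are [0,100), [100,400), [400,700),
    [700,1000] and above $1000."""
    if dollars < 100:
        return 1
    if dollars < 400:
        return 2
    if dollars < 700:
        return 3
    if dollars <= 1000:
        return 4
    return 5


def independent_value(cost_lvl, contribution_lvl):
    """Vind_j: cost-parameter level (Table I) plus business-contribution level (Table II)."""
    return cost_lvl + contribution_lvl


class ValuePropagationGraph:
    """G = <El, E, W>: elements, directed edges <el, el'>, W(el, el') = dependency percent."""

    def __init__(self):
        self.element_type = {}               # asset name -> element type symbol
        self.vind = {}                       # asset name -> independent value Vind
        self.outgoing = defaultdict(list)    # el -> [(el', weight)]
        self.sources = defaultdict(list)     # el' -> [el]  (the input edges of el')

    def add_asset(self, name, etype, cost_lvl, contribution_lvl):
        if etype not in ELEMENT_ORDER:
            raise ValueError("unknown element type %r" % etype)
        self.element_type[name] = etype
        self.vind[name] = independent_value(cost_lvl, contribution_lvl)

    def add_dependency(self, source, target, percent=1.0):
        """Value flows from `source` to `target` (Fig. 4 direction); percent is in [0, 1]."""
        if not 0.0 <= percent <= 1.0:
            raise ValueError("dependency percent must be between 0 and 1")
        self.outgoing[source].append((target, percent))
        self.sources[target].append(source)

    def valuate(self):
        """Algorithm 1.  Returns {asset: (dependent value Vd, total value V)} per relation (1)."""
        value = dict(self.vind)              # V(el) = Vind(el) for all el
        visited = set()
        for etype in ELEMENT_ORDER:
            pending = [el for el, t in self.element_type.items() if t == etype]
            while pending:
                progressed = False
                for el in list(pending):
                    # An element is propagated only once every element feeding it is final.
                    if all(src in visited for src in self.sources[el]):
                        visited.add(el)
                        for target, w in self.outgoing[el]:
                            value[target] += w * value[el]   # one term of relation (3)
                        pending.remove(el)
                        progressed = True
                if not progressed:
                    # Assumption: the paper requires a hierarchical (acyclic) graph; a cycle,
                    # or a source of a later type, would otherwise make Algorithm 1 loop forever.
                    raise ValueError("unresolvable dependencies among %s" % sorted(pending))
        return {el: (value[el] - self.vind[el], value[el]) for el in self.element_type}


def case_study():
    """The Fig. 5 corporation: levels from Table III, edges read off Table IV, all percents 1."""
    g = ValuePropagationGraph()
    for name, etype, cost_lvl, contribution_lvl in [
        ("Purchase application", "C", 4, 4), ("Sales application", "C", 4, 5), ("DBMS", "C", 4, 5),
        ("OS1", "N", 2, 4), ("OS2", "N", 2, 5), ("OS3", "N", 2, 5),
        ("Work Station1", "N", 4, 4), ("Work Station2", "N", 4, 5), ("Work Station3", "N", 4, 5),
        ("Router", "E", 2, 5),
    ]:
        g.add_asset(name, etype, cost_lvl, contribution_lvl)
    for source, target in [
        ("Purchase application", "DBMS"), ("Sales application", "DBMS"),
        ("Purchase application", "OS1"), ("Sales application", "OS2"), ("DBMS", "OS3"),
        ("OS1", "Work Station1"), ("OS2", "Work Station2"), ("OS3", "Work Station3"),
        ("Work Station1", "Router"), ("Work Station2", "Router"), ("Work Station3", "Router"),
    ]:
        g.add_dependency(source, target)
    return g.valuate()


if __name__ == "__main__":
    for asset, (vd, total) in case_study().items():
        print("%-21s dependent=%5.1f total=%5.1f" % (asset, vd, total))
```

Running the block reproduces Table IV: the DBMS receives 8 + 9 from the two applications (dependent value 17, total 26), OS3 inherits the DBMS total of 26, and the router ends at 22 + 25 + 42 = 89 dependent and 96 total. Because each propagated term uses the source's current total rather than its independent value, the value of a deep asset such as the router already contains the applications several hops upstream, which is exactly the effect the hard-disk example of Section III.A argues for.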
TABLE II. LEVELS OF BUSINESS CONTRIBUTION

Business contribution (Level / Scale) | Description
Very low / 1  | Assets have no impact on organization operation.
Low / 2       | Assets are the most basic assets related to an organization.
Medium / 3    | Assets to ease organization operations.
High / 4      | Assets are essential to the organization.
Very high / 5 | Assets are critical for organization operation.

The steps of the asset valuation process are:

1- The meta-model of the mentioned corporation is as in Fig. 5. The business layer is not considered. Since the assets that depend on each other fully need each other to complete their jobs, the dependency percent between them is 1.
2- The value of an asset based on the cost parameter is calculated from the purchase cost. The value of the importance of an asset in the business process is based on Table 2. The result of calculating the independent values of the assets is presented in Table 3.
3- The value propagation graph is the same as the meta-model formed in step 1.
4- The result of calculating the dependent values is presented in Table 4.
5- The result of calculating the total values is presented in Table 4.

Figure 5. Meta-model of a corporation

TABLE III. INDEPENDENT VALUES OF FIG. 5 ASSETS

Asset                | Cost parameter | Importance in business process | Independent value
Purchase application | 4 | 4 | 4+4 = 8
Sales application    | 4 | 5 | 4+5 = 9
DBMS                 | 4 | 5 | 4+5 = 9
OS1                  | 2 | 4 | 2+4 = 6
OS2                  | 2 | 5 | 2+5 = 7
OS3                  | 2 | 5 | 2+5 = 7
Work Station1        | 4 | 4 | 4+4 = 8
Work Station2        | 4 | 5 | 4+5 = 9
Work Station3        | 4 | 5 | 4+5 = 9
Router               | 2 | 5 | 2+5 = 7

TABLE IV. DEPENDENT AND TOTAL VALUE OF FIG. 5 ASSETS

Asset                | Dependent value | Total value
Purchase application | 0               | 0+8 = 8
Sales application    | 0               | 0+9 = 9
DBMS                 | 8+9 = 17        | 17+9 = 26
OS1                  | 8               | 8+6 = 14
OS2                  | 9               | 9+7 = 16
OS3                  | 26              | 26+7 = 33
Work Station1        | 14              | 14+8 = 22
Work Station2        | 16              | 16+9 = 25
Work Station3        | 33              | 33+9 = 42
Router               | 22+25+42 = 89   | 89+7 = 96

V. DISCUSSION

In this section the features of the model are discussed and compared with other similar works.

Some of the features of the presented model against others are:

- In similar studies, dependency between the assets has not been modeled exactly. For example, in [2] an asset dependency diagram is used for indicating dependencies, but it is not specified what the dependency among all of the assets is. By using the presented meta-model, dependencies between assets are well specified.
- In this model, regarding the organizational meta-model presented, there is the possibility of analyzing an asset into detailed assets (complex and simple assets can be modeled).
- In similar works like [6] one type of asset is considered. In this model all types of assets are considered, based on ISO 27005 [9].
- By using the meta-model and the value propagation graph, we are sure that all assets that affect the value of an asset have been considered.

Here we can mention that in this model, a relation for the initial value of assets is presented. Also, dependency is defined explicitly.

In Table 5, the presented model has been compared with other similar works.
TABLE V. COMPARING THE PRESENTED MODEL WITH SIMILAR WORKS
(The column layout of this table did not survive extraction; for each criterion the recoverable cells are listed as recovered, separated by semicolons.)

Criterion | Recovered cells
Dependency definition | (cells not recoverable)
Modeling dependency | Not considering all dependencies; Not considering all dependencies
Asset types | HW, SW, Network; HW, SW, data, personnel, documentation, user, various facilities; HW, SW, Network, Info., App., Environment; Info.; Based on ISO 27005
Modeling initial value | Assume a value but do not mention what this value is; *
Considering value for impact of damage in valuation | *
Usable for types of risks | Ava.; Ava.; Ava.; Ava., Conf., Int.; Ava., Conf., Int.
Considering importance of business processes | *; *; *
Considering cost parameters in valuation | *; *; *; *
Considering all types of assets that affect value of an asset | *

VI. CONCLUSION AND FUTURE WORK

Risk management methodologies (such as FAA SRM [14], CRAMM [15], OCTAVE [16], and NIST 800-30 [17]) usually show limitations during risk assessment and mitigation because they cannot make a suitable decision about which asset should be considered in risk mitigation. This problem arises from the lack of consideration of dependencies during asset valuation.

The asset value obtained by regarding dependencies is more realistic, and it is expected that in the risk mitigation phase this problem will be solved or reduced. For future work, a security risk management methodology can be selected, this valuation method applied, and the results compared with those obtained when dependencies are not modeled.

There are usually a series of primary controls to protect assets. These controls can increase cost parameters and reduce the impact of damage. In this paper we calculate the value without considering these controls. Another future work is calculating asset values by considering these controls.

Another proposed work is defining dependency between assets in terms of the confidentiality and integrity aspects. Then the presented model can be checked for suitability under those definitions.

REFERENCES

[1] J. F. Fuller, E. F. Fuchs, and K. J. Roesler, "Influence of harmonics on power distribution system protection," IEEE Trans. Power Delivery, vol. 3, pp. 549-557, Apr. 1988.
[2] Douglas J. Landoll, The Security Risk Assessment Handbook, Auerbach, 2006.
[3] Bomil Suh, Ingoo Han, "The IS risk analysis based on a business model", Information & Management, Vol. 41, Issue 2, pp. 149-158, December 2003.
[4] Luc Beaudoin, P. Eng, "Asset Valuation Technique for Network Management and Security", Sixth IEEE International Conference on Data Mining - Workshops, ICDM Workshops 2006, pp. 718-721, Dec. 2006.
[5] F. Innerhofer-Oberperfler, R. Breu, "Using an enterprise architecture for IT risk management", Proceedings of the ISSA 2006 conference, 2006.
[6] R. Breu, F. Innerhofer-Oberperfler, "Model based business driven IT security analysis", Proceedings of the Symposium on Requirements Engineering for Information Security (SREIS), August 2005.
[7] Ralph Spencer Poore, "Valuing Information Assets for Security Risk Management", Information Security Journal: A Global Perspective, Vol. 9, Issue 4, pp. 1-7, September 2000.
[8] Jung-Ho Eom, Seon-Ho Park, Young-Ju Han, Tai-Myoung Chung, "Risk Assessment Method Based on Business Process-Oriented Asset Evaluation for Information System Security", Lecture Notes in Computer Science, Vol. 4489/2007, pp. 1024-1031, July 2007.
[9] Jung-Ho Eom, Seon-Ho Park, Tae-Kyung Kim, and Tai-Myoung Chung, "Two-Dimensional Quantitative Asset Analysis Method based on Business Process-Oriented Asset Evaluation", International Journal of Information Processing Systems, Vol. 1, No. 1, pp. 79-85, 2005.
[10] ISO (International Organization for Standardization), ISO/IEC 27005:2008, Information technology - Security techniques - Information security risk management, 2008.
[11] ISO (International Organization for Standardization), ISO/IEC TR 13335-3, Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998.
[12] British Standard, BS 7799-3:2006, Information security management systems - Part 3: Guidelines for information security risk management, 2006.
[13] E. Zambon, D. Bolzoni, S. Etalle, M. Salvato, "Model-Based Mitigation of Availability Risks", 2nd IEEE/IFIP International Workshop on Business-Driven IT Management, pp. 75-83, May 2007. Andrew S. Tanenbaum, Modern Operating Systems, Second Edition, Prentice Hall, 2001.
[14] Security Risk Management Guide, http://fastfaa.gov/RiskmgmtlSecriskmgmtldocs/OO-II-a.doc, 2000.
[15] Integrating Security into IT Projects and Programs, http://www.cramm.com/tlles/techpaperslIntegrating Security into IT Projects and Programmes. pdf, 2005.
[16] Christopher Alberts, Audrey Dorofee, Managing Information Security Risks: The OCTAVE Approach, Addison Wesley, 2002.
[17] Gary Stoneburner, Alice Goguen, and Alexis Feringa, Risk Management Guide for Information Technology Systems - Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-30, http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf, 2002.