All content following this page was uploaded by Hamid Reza Shahriari on 25 October 2017.
Abstract - Organizations use security risk analysis methods to detect and prioritize security risks. One of the main parameters in risk analysis is asset value, which is used to calculate the security impact of probable threats. Although assets are not independent and their values usually depend on other assets, most current approaches do not consider the interdependency of assets in the valuation process. In this paper, a model for asset valuation that accounts for dependencies between assets is presented. The model is based on a meta-model in which dependencies between assets and asset types are well specified. A value propagation graph is then defined to represent the effect of each asset on the value of the others, and an algorithm is presented to calculate asset values. Finally, the effectiveness of the model is verified by a real case study. The presented approach uses a meta-model to address any dependency between assets in the different layers of an organization, and the value propagation graph ensures that all types of assets that affect the value of an asset are considered when valuing it.

Keywords: Security risk analysis, Impact analysis, Asset valuation, Asset dependencies.

I. INTRODUCTION

All security risk assessment processes, whether quantitative or qualitative, share the same basic steps: threat analysis, asset valuation, vulnerability analysis, and risk assessment. Any process that evaluates the existing security controls and their effectiveness in protecting the organization's assets is a security risk assessment method.

A key step in security risk assessment is identifying the assets that should be protected. Asset identification can be as simple as listing the items that need protection based on a series of checklists and engineering judgment, or it can be a process that includes an inventory of capital equipment, a system resources tracking matrix, a review of legal documents, and an effort to list all intangible assets such as the organization's reputation [1].

After identifying assets, their values must be determined. Asset valuation is an important part of business accounting and planning within an organization and may be done for a variety of reasons, including legal compliance, planning for the future, insurance, records management, budgeting, information classification and criticality assignment. In security risk assessment, asset valuation is performed for information classification and criticality assignment [1].

In the security risk analysis process, the value of assets matters because a correct calculation of an asset's value helps management in the decision-making stage about the level of risks. But calculating the value of each asset independently is not adequate for security risk analysis; the dependencies between assets must be considered as well. For example, if a computer in an organization is damaged, then because other assets depend on this computer its value cannot be calculated in isolation: the calculation must take into account the value of those dependent assets.

Some works consider dependency in asset valuation [2, 3], but they have weaknesses: (1) there is no specified framework for considering the various types of assets and their dependencies, and (2) it was not shown how they can cover all types of organizational assets and the interdependencies between them.

In this paper, dependencies are defined from the availability aspect. To identify dependencies in an organization under this definition, the meta-model presented in [4, 5] is used; it shows the various types of assets and the dependencies between them well. Continuing the valuation process, a value propagation graph is defined that shows how value propagates among the elements of the organization. In the valuation phase, this graph indicates which assets affect the value of a given asset. Finally, a relation and an algorithm for valuation are given. The advantage of this work over similar previous works is that dependencies between asset types are well defined through the meta-model. Moreover, the asset value is calculated in a way that, through the value propagation graph, takes into account every asset that affects the value of an asset.

The rest of the paper is structured as follows. Section II discusses related work. The core of the paper is Section III, which presents the asset valuation model. The model is illustrated by means of a case study in Section IV. In Section V our approach is compared with existing methods, and in Section VI conclusions and future work are presented.

II. RELATED WORK

There is little related work on asset valuation for security risk management, such as [2, 3, 6, 7, 8]. The related work can be divided into two groups: valuation that takes dependency into account, and valuation that does not consider dependency.
978-1-4673-1148-9/12/$31.00 ©2012 IEEE
In [2] the asset value is computed from the viewpoint of operational continuity. It states that an asset's value cannot be calculated without considering the values of the other assets; therefore the dependencies of that asset on other assets should be considered in asset valuation analysis. Two parameters are central to the asset valuation process in that work: the importance of business processes and the contribution of an asset to the objectives of a business process.

In [3] a model is presented for modeling the dependencies of the network infrastructure and calculating the values of network assets that takes asset dependencies into account. A graph is used to model the dependencies: the nodes of the graph are assets and the edges are functional requirements, labeled with dependency weights. The graph also contains a key node representing user services, which is the interface connecting business users to the network.

Other works calculate asset values without considering asset dependencies; they use only cost parameters based on the business importance of the asset and its impact on the organization.

In [6] a method for the valuation of information assets is presented. It considers parameters such as exclusive possession, utility, cost of creation or re-creation, potential liability, convertibility, and operational impact. In the calculation these parameters are categorized by information security aspect, and the value is calculated for each aspect independently. The information value in that study is given as an interval between two values: a positive value for the situation in which the information is accurate and usable, and a negative value for the case in which there is a problem, such as the data being incorrect or contrary to agreements.

In [7, 8] a qualitative asset valuation procedure based on the business process is presented. Assets are classified from two aspects: the type of asset, and business process criteria such as the department using it, its business contribution and the amount of use. This classification shows that an asset's value may differ depending on the criteria. Because the business criteria are assessed qualitatively, the final valuation is also expressed qualitatively. The stages of the calculation are: (1) calculating the value of tangible assets, (2) calculating the value of intangible assets, (3) converting the quantitative amounts from the first two stages into qualitative levels, (4) considering the business process criteria and assigning a level to each asset accordingly, and (5) the final calculation of asset value.

III. VALUATION MODEL

For asset valuation we must first understand which factors are involved. The value of an asset is composed of two parts: an independent value and a dependent value. The independent value is the value of the asset regardless of its dependencies; the dependent value is the part of its value that comes from other assets and is affected by the type of relationship it has with them.

Two parameters are involved in the independent value of an asset: (1) cost parameters such as the initial cost, maintenance cost and replacement cost [2, 6, 8, 9, 10], and (2) the importance of the asset in the business process, that is, its importance to the organization and its business according to its needs [2, 7, 8]. Within the second parameter, the impact of damage on the security parameters and on the external environment can be considered [9, 10, 11].

A. Dependencies Between the Assets

Dependencies between assets may affect asset values. For example, the value of a physical asset should be assessed according to the logical assets stored on it. The relative importance of a hard disk, without considering its dependencies, may be only 0.5%, but its content may be so valuable that its relative importance is 5%: a failure of the hard disk makes the stored data inaccessible. The value of this hard disk therefore cannot be calculated alone and should be calculated according to the dependent assets, so the dependencies between assets must be determined for asset valuation.

The lack of consideration of dependencies between processes and assets in methodologies such as COBIT and ISO 17799 has caused management difficulties in the risk management phase, because:

"It is standard practice to protect the processes whose availability has a greater direct impact on the organization goals, while a more accurate analysis in many cases reveals that it is more cost effective to protect some of the processes that have an indirect impact as well."

Dependencies between assets can be defined in terms of the security parameters (confidentiality, integrity and availability). In this paper, dependency is defined in terms of availability.

Definition 1: A source asset has an availability dependency on one or more target assets if, for its type of association with the target asset(s), the source asset needs them to exist.

We write a dependency as a --α--> b, where a is the source asset, b is the target asset(s) and α is the association type (e.g. using, execution, etc.).

When an asset depends on another asset or assets, the dependency is not necessarily complete; an asset may depend on some assets only partially. Thus, for every dependency, a dependency percent is defined.

Definition 2: The dependency percent expresses how much a source asset depends on the target asset(s) for their association.

The dependency percent is a number between 0 and 1 and can be determined by the asset owners or the responsible managers.

B. A Meta-Model for Considering Dependency

In order to evaluate assets and their dependencies, we should first identify the asset types. Based on ISO 27005 [9], assets are divided into eight types: business processes and activities, information, hardware, software, network, personnel, site, and organization's structure. In this paper we do not consider site.
After asset identification, we should determine their dependencies. To model dependencies well, we model the elements of an organization based on the meta-model presented in [4, 5]. The meta-model is simple, and an organization's assets and their dependencies can be defined well with it. Here we only outline the main concepts of the approach that are relevant to this paper; readers interested in a more detailed discussion of the modeling are referred to [4, 5].

Definition 3: In this paper, the elements are Organizational Unit, Role, Business Process, Information, Component, Node, and Edge.

Figure 2. Node element in the meta-model (figure not reproduced; recovered labels: Operating System, Computer Hardware)
Definition 4: The value propagation graph G is a triple <El, E, W> where El is the set of meta-model elements and E is the set of edges. Each edge is a pair <el, el'> where el is the element from which value propagates and el' is the element to which value propagates. W is a weighting function that assigns a weight (the dependency percent) to each edge.

By analyzing the dependencies in the dependency graph, the value propagation graph shown in Fig. 4 is obtained. Fig. 4 shows that:
- The value of an edge is affected by two asset types: the value of the information transmitted over it, and the values of the nodes that use the edge to communicate.
- The value of a node is affected by two asset types: the value of the components executed on it, and the value of the information stored on it.
- The value of a component is affected by the value of the business processes that use the component.
- The value of information is affected by the value of the components and business processes that process the information.

Figure 4. Value propagation graph for the meta-model (figure not reproduced)

In this relation (the relation itself is not legible on the page):
- n is the number of input edges to asset j.
- Vi is the current value of asset i that has an input edge to asset j, calculated based on relation 1.
- Ui is the dependency percent between asset i and asset j.

In Fig. 4 we can see that the graph is hierarchical and therefore has no cycle. Based on this, we construct Algorithm 1 for calculating the value of each asset.

Algorithm 1. Valuation algorithm (the remainder of the algorithm is not recovered)
    G = <El, E, W>: value propagation graph;
    for all el ∈ El {
        v(el) = v_ind(el);
    }
    Enum Elements[] = {OU, BP, R, C, I, N, E};
    Enum x[];   // the elements of any one type in Elements
    Mark all sources of x as visited if x is of type OU and has no source;
    while Elements is not empty {
        x = Elements.next;
        while x is not empty {
            el = x.next;
            if all sources of el are visited {
                ...

TABLE I. QUALITATIVE VALUE LEVELS (BASED ON COST PARAMETERS)
Level     | Scale | Description
Very low  | 1     | Asset value based on cost parameters is less than $100.
Low       | 2     | Asset value based on cost parameters is $100 - $400.
Medium    | 3     | Asset value based on cost parameters is $400 - $700.
High      | 4     | Asset value based on cost parameters is $700 - $1000.
Very high | 5     | Asset value based on cost parameters is more than $1000.

TABLE II. LEVELS OF BUSINESS CONTRIBUTION
Level     | Scale | Description
Very low  | 1     | Assets have no impact on organization operation.
Low       | 2     | Assets are the most basic assets related to an organization.
Medium    | 3     | Assets that ease organization operations.
High      | 4     | Assets that are essential to the organization.
Very high | 5     | Assets that are critical for organization operation.

The steps of the asset valuation process are:
1- The meta-model of the corporation is as in Fig. 5. The business layer is not considered. Since the assets (remainder of the sentence not recovered)

TABLE III. INDEPENDENT VALUE OF THE CASE-STUDY ASSETS (caption and the rows before OS1 not recovered; independent value = cost level + business contribution level)
Asset          | Cost level | Business contribution | Independent value
OS1            | 2          | 4                     | 2+4 = 6
OS2            | 2          | 5                     | 2+5 = 7
OS3            | 2          | 5                     | 2+5 = 7
Work Station1  | 4          | 4                     | 4+4 = 8
Work Station2  | 4          | 5                     | 4+5 = 9
Work Station3  | 4          | 5                     | 4+5 = 9
Router         | 2          | 5                     | 2+5 = 7

TABLE IV. DEPENDENT AND TOTAL VALUE OF FIG. 1 ASSETS
Asset                | Dependent value | Total value
Purchase application | 0               | 0+8 = 8
Sales application    | 0               | 0+9 = 9
DBMS                 | 8+9 = 17        | 17+9 = 26
OS1                  | 8               | 8+6 = 14
OS2                  | 9               | 9+7 = 16
OS3                  | 26              | 26+7 = 33
Work Station1        | 14              | 14+8 = 22
Work Station2        | 16              | 16+9 = 25
Work Station3        | 33              | 33+9 = 42
Router               | 22+25+42 = 89   | 89+7 = 96
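The valuation described by Definitions 1, 2 and 4, Algorithm 1 and the case-study figures of Table IV can be reproduced in a short program. The following Python code is an added example, not code from the paper: it builds the case study's value propagation graph (the asset names and independent values are read from Tables III and IV; the association labels, and a dependency percent of 1 on every edge, are assumptions consistent with the plain sums shown in Table IV), rejects a cyclic graph as Algorithm 1 requires a hierarchical one, and propagates value in topological order so that each source asset's total is final before it is added to its targets. Because the valuation relation itself does not survive on the page, the dependent value is computed as the sum of Ui times Vi over the input edges of an asset, which reproduces every row of Table IV.

```python
"""Availability-dependency asset valuation (added example, not the paper's code).

Reproduces Table IV of the case study: total(j) = independent(j) + sum(U_i * V_i)
over every asset i that depends on j, evaluated in topological order.
"""
from collections import defaultdict
from graphlib import CycleError, TopologicalSorter

# Independent values (cost level + business-contribution level, Table III).
# The application and DBMS rows of Table III are not legible on the page, so
# their values (8, 9, 9) are read back from the totals in Table IV.
INDEPENDENT = {
    "Purchase application": 8,
    "Sales application": 9,
    "DBMS": 9,
    "OS1": 6, "OS2": 7, "OS3": 7,
    "Work Station1": 8, "Work Station2": 9, "Work Station3": 9,
    "Router": 7,
}

# Availability dependencies as (source, association, target, dependency percent),
# i.e. source --association--> target in the paper's notation; value flows from
# source to target. The association labels and the percent of 1.0 on every edge
# are assumptions consistent with the sums shown in Table IV.
DEPENDENCIES = [
    ("Purchase application", "uses", "DBMS", 1.0),
    ("Sales application", "uses", "DBMS", 1.0),
    ("Purchase application", "executes on", "OS1", 1.0),
    ("Sales application", "executes on", "OS2", 1.0),
    ("DBMS", "executes on", "OS3", 1.0),
    ("OS1", "installed on", "Work Station1", 1.0),
    ("OS2", "installed on", "Work Station2", 1.0),
    ("OS3", "installed on", "Work Station3", 1.0),
    ("Work Station1", "communicates through", "Router", 1.0),
    ("Work Station2", "communicates through", "Router", 1.0),
    ("Work Station3", "communicates through", "Router", 1.0),
]


def valuate(independent, dependencies):
    """Return (dependent, total) value maps for every asset.

    Raises ValueError for an unknown asset, a dependency percent outside
    [0, 1], or a cycle (the value propagation graph must be hierarchical).
    """
    incoming = defaultdict(list)            # target -> [(source, percent)]
    predecessors = {asset: set() for asset in independent}
    for source, _association, target, percent in dependencies:
        if source not in independent or target not in independent:
            raise ValueError(f"unknown asset in dependency {source!r} -> {target!r}")
        if not 0.0 <= percent <= 1.0:
            raise ValueError(f"dependency percent {percent} is not in [0, 1]")
        incoming[target].append((source, percent))
        predecessors[target].add(source)

    try:
        # Sources come before their targets, so every V_i is final when used.
        order = list(TopologicalSorter(predecessors).static_order())
    except CycleError as exc:
        raise ValueError("value propagation graph contains a cycle") from exc

    dependent, total = {}, {}
    for asset in order:
        dependent[asset] = sum(percent * total[source]
                               for source, percent in incoming[asset])
        total[asset] = independent[asset] + dependent[asset]
    return dependent, total


def prioritize(total):
    """Assets ordered by total value, highest first: the order in which the
    risk mitigation phase should consider them."""
    return sorted(total, key=total.__getitem__, reverse=True)


if __name__ == "__main__":
    dep, tot = valuate(INDEPENDENT, DEPENDENCIES)
    for asset in prioritize(tot):
        print(f"{asset:22s} dependent={dep[asset]:5.1f} total={tot[asset]:5.1f}")
```

Running it lists the Router first with a total of 96, as in Table IV, even though its independent value (7) is the lowest of the hardware assets. Lowering a dependency percent below 1 on an edge (for example, if a workstation had a second network path) reduces only the share of value that flows over that edge, which is the partial dependency of Definition 2.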
TABLE V. COMPARISON WITH RELATED WORK (caption and column headers, i.e. which method each column refers to, not recovered; only the criteria column and scattered cell contents survive)
Criterion                                                  | Recovered cell contents
Asset types                                                | HW, SW, data, personnel, documentation, various facilities; HW, SW, Network, user, Environment; Network; App., Info.; based on ISO 27005
Modeling initial value                                     | "Assume a value but not mention what this value is"; *
Considering value for impact of damage in valuation        | *
Usable for types of risks                                  | Ava.; Ava.; Ava., Conf., Int.; Ava., Conf., Int.; 4
Considering importance of business processes              | *; *
Considering cost parameters in valuation                   | *; *; *; *
Considering all types of assets that affect an asset's value | *

VI. CONCLUSION AND FUTURE WORK

Risk management methodologies (such as FAA SRM [14], CRAMM [15], OCTAVE [16], and NIST SP 800-30 [17]) usually show limitations during risk assessment and mitigation because they cannot make a suitable decision about which assets should be considered in risk mitigation. This problem stems from not considering dependencies during asset valuation.

An asset value that accounts for dependencies is more realistic, and it is expected that this problem will be solved or reduced in the risk mitigation phase. As future work, a security risk management methodology can be selected, this valuation method applied within it, and the results compared with those obtained when dependencies are not modeled.

There is usually a set of primary controls protecting the assets. These controls can increase the cost parameters and reduce the impact of damage. In this paper we calculate the value without considering these controls; another line of future work is calculating asset values while taking these controls into account.

A further proposed extension is defining dependency between assets in terms of the confidentiality and integrity aspects, and then checking whether the presented model is suitable for those definitions.

REFERENCES

[1] J. F. Fuller, E. F. Fuchs, and K. J. Roesler, "Influence of harmonics on power distribution system protection," IEEE Trans. Power Delivery, vol. 3, pp. 549-557, Apr. 1988.
[2] Douglas J. Landoll, The Security Risk Assessment Handbook, Auerbach, 2006.
[3] Bomil Suh, Ingoo Han, "The IS risk analysis based on a business model", Information & Management, Vol. 41, Issue 2, pp. 149-158, December 2003.
[4] Luc Beaudoin, P. Eng, "Asset Valuation Technique for Network Management and Security", Sixth IEEE International Conference on Data Mining - Workshops, ICDM Workshops 2006, pp. 718-721, Dec. 2006.
[5] F. Innerhofer-Oberperfler, R. Breu, "Using an enterprise architecture for IT risk management", Proceedings of the ISSA 2006 conference, 2006.
[6] R. Breu, F. Innerhofer-Oberperfler, "Model based business driven IT security analysis", Proceedings of the Symposium on Requirements Engineering for Information Security (SREIS), August 2005.
[7] Ralph Spencer Poore, "Valuing Information Assets for Security Risk Management", Information Security Journal: A Global Perspective, Vol. 9, Issue 4, pp. 1-7, September 2000.
[8] Jung-Ho Eom, Seon-Ho Park, Young-Ju Han, Tai-Myoung Chung, "Risk Assessment Method Based on Business Process Oriented Asset Evaluation for Information System Security", Lecture Notes in Computer Science, Vol. 4489/2007, pp. 1024-1031, July 2007.
[9] Jung-Ho Eom, Seon-Ho Park, Tae-Kyung Kim, and Tai-Myoung Chung, "Two-Dimensional Quantitative Asset Analysis Method based on Business Process-Oriented Asset Evaluation", International Journal of Information Processing Systems, Vol. 1, No. 1, pp. 79-85, 2005.
[10] ISO (International Organization for Standardization), ISO/IEC 27005:2008, Information technology - Security techniques - Information security risk management, 2008.
[11] ISO (International Organization for Standardization), ISO/IEC TR 13335-3, Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998.
[12] British Standard, BS 7799-3:2006, Information security management systems - Part 3: Guidelines for information security risk management, 2006.
[13] E. Zambon, D. Bolzoni, S. Etalle, M. Salvato, "Model-Based Mitigation of Availability Risks", 2nd IEEE/IFIP International Workshop on Business-Driven IT Management, pp. 75-83, May 2007. Andrew S. Tanenbaum, Modern Operating Systems, Second Edition, Prentice Hall, 2001.
[14] Security Risk Management Guide, http://fastfaa.gov/RiskmgmtlSecriskmgmtldocs/OO-II-a.doc, 2000.
[15] Integrating Security into IT Projects and Programs, http://www.cramm.com/tlles/techpaperslIntegrating Security into IT Projects and Programmes. pdf, 2005.
[16] Christopher Alberts, Audrey Dorofee, Managing Information Security Risks: The OCTAVE Approach, Addison Wesley, 2002.
[17] Gary Stoneburner, Alice Goguen, and Alexis Feringa, Risk Management Guide for Information Technology Systems - Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-30, http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf, 2002.