### **2. Overview and investigation of existent information risk management systems and their mitigation controls**

Throughout this chapter, we define a risk mitigation control to be a measure which could reduce the current or potential degree of risk. Although the degree of risk is evaluated in various aspects and from different points of view, and each mitigation control has its own properties, characteristics, and merits, the total process of risk mitigation can be summarized in several similar steps. In this section, we look at some risk evaluation and management methodologies.

#### **2.1 Handbook of information security**

According to D. Kaye, risk mitigation is a process aimed at limiting the likelihood of risks and the potential losses those risks can cause (Kaye, 2002, p.100).

The following step summarization is from the Handbook of Information Security (Bidgoli, 2006, p.750).

Avoid the causes

Risks have many kinds of causes. If the risk is technological, we can avoid it by updating the related system or replacing it with a more robust and reliable one.

Reduce the frequency

Risk is usually assessed by the frequency with which it occurs and the impact it may cause. By adopting a control which mainly reduces the frequency of occurrence of the risk, the risk can be mitigated.

Minimize the impact

Since the frequency of the risk cannot be reduced to zero, we should consider the impact of the risk on the organization's activities as the other important factor of risk. The impact of a risk has various aspects depending on the organization in question, and we try to minimize the impact not only in each aspect but also from the total point of view.

Reduce the duration

Prolonged exposure to a risk may give rise to more serious risks. The recovery time of data or systems, for instance, is an important matter.

Risks are usually evaluated as a pair of two factors, the frequency and the impact, so the second and third steps are the usual steps of risk evaluation. Cause avoidance and duration reduction are sometimes treated as concrete measures of mitigation controls.

In the book, risk transfer, such as insurance or outsourcing, is treated as a step distinct from risk mitigation.

#### **2.2 OCTAVE-S**

SEI (Software Engineering Institute) of Carnegie Mellon University developed OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation System) (Alberts & Dorofee, 2003) as a security evaluation system based on organizational assets. OCTAVE-S is a variation of the approach tailored to relatively small organizations (fewer than 100 people) which have limited means and unique constraints.

In the implementation guide (Alberts et al., 2005), the key differences between OCTAVE and other traditional information risk evaluation and management approaches are described as in Table 1.

Ordinary risk assessment has three important aspects: operational risk, security risk, and technology risk. The OCTAVE developers say that other evaluation systems tend to evaluate the organization's systems and to focus on technology. In OCTAVE, technology is examined as part of security practice, and the other two aspects mainly drive the OCTAVE approach.


Table 1. The key differences

112 Security Enhanced Applications for Information Systems


OCTAVE aims to evaluate the organization itself in terms of information assets, threats, and vulnerabilities, and focuses on the organization's practices for obtaining information security, which eventually leads the organization to strategic protection issues rather than tactical ones. An expert-led system is managed by a team of experts in risk analysis or in information technologies, from outside or inside the organization. OCTAVE, by contrast, is a self-directed system led by a small interdisciplinary team, called the analysis team, consisting of members of the organization.

OCTAVE(-S) has three phases, in each of which the analysis team produces the following outputs.

Phase 1. Build Asset-Based Threat Profiles

Outputs: Critical assets, security requirements for critical assets, threats to critical assets, and current security practices

Phase 2. Identify Infrastructure Vulnerabilities

Outputs: Key components and current technology vulnerabilities

Phase 3. Develop Security Strategy and Plans

Outputs: Risks to critical assets, risk measures, protection strategy, and risk mitigation plans

Each phase has processes consisting of several steps, which we show in Table 2 from the guide (Alberts et al., 2005).

In the series of our research projects, we first proposed a method to identify the set of critical assets from among the huge number of possible information-related assets, corresponding to step S2.1 in the table (Nagata et al., 2007). In that method we used FSM (Fuzzy Structural Modelling) based on the modified structural modelling method described in the following section. Next we proposed a risk evaluation system for a chosen critical asset with a fuzzy inference mechanism, corresponding to process S4 (Nagata et al., 2008B).

Construction of Effective Database System for Information Risk Mitigation 115

One of the important roles of any risk management system is to develop a mitigation plan in which effective and proper mitigation controls are set up. For this purpose, a method to select effective risk mitigation controls was proposed using fuzzy outranking, corresponding to process S5 (Nagata et al., 2009). This method works under the assumption that there is a database of mitigation controls, each with a vector whose entries are numerical values assigned to the attributes in OCTAVE's threat path. We also proposed a method for constructing that kind of database (Nagata, 2011).


| Phase | Process | Group of Steps |
|---|---|---|
| Phase1 | S1: Identify Organizational Information | S1.1: Establish impact evaluation criteria; S1.2: Identify organizational assets; S1.3: Evaluate organizational security practices |
| Phase1 | S2: Create Threat Profiles | S2.1: Select Critical Assets; S2.2: Identify security requirements for critical assets; S2.3: Identify threats to critical assets |
| Phase2 | S3: Examine the Computing Infrastructure in Relation to Critical Assets | S3.1: Examine access path; S3.2: Analyze technology-related process |
| Phase3 | S4: Identify and Analyse Risks | S4.1: Evaluate impact of threats; S4.2: Establish probability evaluation criteria; S4.3: Evaluate probabilities of threats |
| Phase3 | S5: Develop Protection Strategy and Mitigation Plans | S5.1: Describe current protection strategy; S5.2: Select mitigation approaches; S5.3: Develop risk mitigation plans; S5.4: Identify changes to protection strategy; S5.5: Identify next steps |

Table 2. Phase, Process, and Group of Steps in OCTAVE-S

When proceeding through the risk evaluation steps, the risk profile worksheet plays a big role in recognizing information-related threats and in evaluating the impact and the frequency a threat may cause.

In the worksheet shown in Fig. 1, threats are first classified into three types: "Human actors", "System problems", and "Other problems". For threats caused by human actors, the access path (network or physical), actor (inside or outside), motive (accidental or deliberate), and outcome (disclosure, modification, loss and destruction, or interruption) are examined in this order. For threats caused by system problems, the actors (software defects, system crashes, hardware defects, or malicious code) and the outcome are examined. For "Other problems", various actors (e.g. problems related to power supply, telecommunication, third parties, natural disasters, physical configuration, etc.) are examined. Each impact area of Reputation, Financial, Productivity, Fines/legal penalties, Safety and Other (facilities) is considered for the non-negligible threats resulting from this examination. According to Volume 3 of the OCTAVE-S Implementation Guide (Alberts et al., 2005), three impact measures (High, Medium, or Low) are adopted, and probability values are also measured as one of them (H, M, or L) by considering frequencies such as daily, weekly, monthly, 4 times per year, 2 times per year, once per year, once every 2 years, and so on. Fig. 1 is an example of the risk profile worksheet for Human Actors Using Network Access.

First, put one of the critical assets in the left-hand box, and trace the dotted lines considering the possible access, actor, motive, and outcome. Then, for each threat on a possible path, the impact values for the given areas and the probability value are determined, with a confidence level.


[Fig. 1 is a worksheet diagram whose columns are Asset, Access (network), Actor (inside/outside), Motive (accidental/deliberate), Outcome (disclosure, modification, loss/destruction, interruption), Impact Values (Reputation, Financial, Productivity, Fines, Safety, Other), and Probability (Value; Confidence: Very, Somewhat, Not At All).]

(source: Volume 5 of the OCTAVE-S Implementation Guide, Version 1)

Fig. 1. Risk profile worksheet for human actors with network access

We use the worksheet, but we adopt a much more numerical evaluation method without losing the human-related, consensus-based, and organizationally strategic concepts. Our proposed total system for the evaluation of threats is based on the Modified Structural Modeling Method (MSMM), the fuzzy integral, and a fuzzy inference mechanism. In our system, the input values for impact and probability, which in OCTAVE are marked in a box or on a scale bar as linguistic values, are all numerical crisp values between 0 and 1, and the human-related, consensus-based, and organizationally strategic concepts are mounted on and integrated with them in the process of fuzzification.

In the final process, the selection of mitigation plans comes up; the candidate controls are listed in OCTAVE's catalogue of practices (Alberts & Dorofee, 2003, pp. 443–454). They are classified into the following groups.

Strategic Practices (SP)

	- Security awareness and training (SP1)
	- Security strategy (SP2)
	- Security management (SP3)
	- Security policies and regulations (SP4)
	- Collaborative security management (SP5)
	- Contingency planning/disaster recovery (SP6)

Operational Practices (OP)

	- Physical security (OP1): "Physical security plans and procedures (OP1.1)", "Physical access control (OP1.2)", "Monitoring and auditing physical security (OP1.3)"
	- Information technology security (OP2): "System and network management (OP2.1)", "System administration (OP2.2)", "Monitoring and auditing IT security (OP2.3)", "Authentication and authorization (OP2.4)", "Vulnerability management (OP2.5)", "Encryption (OP2.6)", "Security architecture and design (OP2.7)"
	- Staff security (OP3): "Incident management (OP3.1)", "General staff practice (OP3.2)"

In each of the subcategories listed above there are several controls. For instance, SP1.1 of SP1 is "Staff members understand their security roles and responsibilities. This is documented and verified". OP2.1 contains 10 controls, e.g. OP2.1.3 is "Sensitive information is protected by secure storage such as…", OP2.1.4 is "The integrity of installed software is regularly refined", and OP2.1.6 is "There is a documented data backup plan that …".

#### **2.3 ENISA**

The European Network and Information Security Agency, ENISA, provides risk-management-related documents, in one of which risk mitigation is taken up as risk treatment. They define risk treatment as a process of selecting and implementing measures to modify risk, and the process is composed of five steps: "Identification of Options", "Development of the Action Plan", "Approval of the Action Plan", "Implementation of the Action Plan" and "Identification of Residual Risks".

ENISA also provides a document named "Information Package for SMEs", where "SMEs" denotes "Small or Medium sized Enterprises". In that document, the risk management process is composed of four phases.

#### Phase1: Select Risk Profiles


Risk profiling is done using the risk evaluation matrix, in which the risk areas are specified as "Legal and Regulatory", "Productivity", "Financial Stability", and "Reputation and Loss of Customer Confidence". The possible risk levels are "High", "Medium", and "Low", and each level is clearly defined for each risk area. For instance, if the organization's yearly revenue exceeds 25 million Euros and/or financial transactions with third parties or customers take place as part of the business-as-usual process, then the risk level of the financial stability area is "High". If the yearly revenue exceeds 5 million Euros but does not exceed 25 million Euros, then the risk level is "Medium". Otherwise it is "Low". After identifying the risk levels for all the risk areas, the risk profile of the organization is defined as the highest level in the risk evaluation matrix over all the risk areas.

#### Phase2: Identify Critical Assets

In the SME package, the number of critical assets is fixed at five, and the analysis team chooses them by considering the large adverse impact on the organization caused by "disclosure", "modification", "loss and destruction", or "interruption" of the asset. These scenarios are the same as the outcomes in OCTAVE's risk profile worksheet shown in Figure 1. The assets are categorised into "systems", "network", "people", and "applications", and then the rationale and the security requirement for selecting each critical asset are described. Here the security requirements are the three ordinary information security aspects, i.e. Confidentiality, Integrity, and Availability.

#### Phase3: Select Control Cards

The SME package adopts OCTAVE's mitigation controls as its control cards. This phase proceeds in three steps: "Step 1: select organization control cards", "Step 2: select asset-based control cards", and "Step 3: document list of selected controls and rationale". Here the organization control cards correspond to the mitigation controls of strategic practice (SP), and the asset-based control cards correspond to those of operational practice (OP). Step 1 is performed according to the risk profile from Phase 1, and some control cards are selected beforehand. For instance, if the risk area "legal and regulatory" is low, then the control SP1.1 is adopted. Step 2 is performed according to the critical asset category, and a control card consisting of security requirements and types of controls is prepared for each asset category and risk level. The table below is the list of control cards:


| Critical Assets | High Risk Cards | Medium Risk Cards | Low Risk Cards |
|---|---|---|---|
| Application | CC-1A | CC-2A | CC-3A |
| System | CC-1S | CC-2S | CC-3S |
| Network | CC-1N | CC-2N | CC-3N |
| People | CC-1P | CC-2P | CC-3P |

Table 3. Asset based control selection

For instance, CC-1A contains OP2.1.3, OP2.1.4, and OP2.1.6 for the security requirements of confidentiality, integrity, and availability respectively, as system and network management related controls.
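The Phase 1 profiling rule (highest level over all risk areas), the Phase 2 constraint of exactly five critical assets, and the Phase 3 card lookup of Table 3 fit together as one small procedure. The following is an added worked example written for this chapter's description; it is not ENISA's tooling nor the chapter authors' code. Only the Financial Stability thresholds, the five-asset rule, the Table 3 card names and the CC-1A contents come from the text; the sample organisation and assets are constructed, and the contents of cards other than CC-1A are left empty rather than invented.

```python
"""ENISA SME-package style risk profiling and asset-based control-card
selection, modelled on the chapter's description (added illustration).

Only the Financial Stability thresholds, the fixed count of five critical
assets, the Table 3 card names and the CC-1A contents are taken from the
text; everything else is a constructed sample."""
from dataclasses import dataclass

LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}
RISK_AREAS = (
    "Legal and Regulatory",
    "Productivity",
    "Financial Stability",
    "Reputation and Loss of Customer Confidence",
)
ASSET_CATEGORIES = ("Application", "System", "Network", "People")
OUTCOMES = ("disclosure", "modification", "loss and destruction", "interruption")

# Table 3 of the chapter: one control card per asset category and risk level.
CONTROL_CARDS = {
    "Application": {"High": "CC-1A", "Medium": "CC-2A", "Low": "CC-3A"},
    "System":      {"High": "CC-1S", "Medium": "CC-2S", "Low": "CC-3S"},
    "Network":     {"High": "CC-1N", "Medium": "CC-2N", "Low": "CC-3N"},
    "People":      {"High": "CC-1P", "Medium": "CC-2P", "Low": "CC-3P"},
}

# Card contents: only CC-1A is quoted in the chapter (OP2.1.x controls keyed
# by the security requirement they serve). Other cards are deliberately absent.
CARD_CONTROLS = {
    "CC-1A": {"Confidentiality": "OP2.1.3",
              "Integrity": "OP2.1.4",
              "Availability": "OP2.1.6"},
}


def financial_stability_level(yearly_revenue_eur: float,
                              third_party_transactions: bool) -> str:
    """Risk level of the 'Financial Stability' area, thresholds as quoted."""
    if yearly_revenue_eur > 25_000_000 or third_party_transactions:
        return "High"
    if yearly_revenue_eur > 5_000_000:
        return "Medium"
    return "Low"


def organisation_risk_profile(area_levels: dict) -> str:
    """Phase 1: the profile is the highest level found in any risk area.

    Every area must be rated; a missing area would silently lower the
    profile, so it is treated as an error rather than defaulted to 'Low'."""
    missing = [area for area in RISK_AREAS if area not in area_levels]
    if missing:
        raise ValueError(f"risk level not set for: {missing}")
    return max((area_levels[a] for a in RISK_AREAS), key=LEVEL_RANK.__getitem__)


@dataclass(frozen=True)
class CriticalAsset:
    name: str
    category: str         # one of ASSET_CATEGORIES
    adverse_outcome: str  # the OCTAVE outcome that justifies selecting it

    def __post_init__(self):
        if self.category not in ASSET_CATEGORIES:
            raise ValueError(f"unknown asset category: {self.category}")
        if self.adverse_outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome: {self.adverse_outcome}")


def select_asset_control_cards(assets, profile_level: str) -> dict:
    """Phase 3, step 2: pick the Table 3 card for each critical asset.

    The SME package fixes the number of critical assets at five, so any
    other count is rejected instead of being processed partially."""
    if len(assets) != 5:
        raise ValueError("the ENISA SME package fixes the number of critical assets at five")
    return {asset.name: CONTROL_CARDS[asset.category][profile_level] for asset in assets}


def card_controls(card: str) -> dict:
    """Controls on a card, keyed by security requirement (empty if unknown)."""
    return dict(CARD_CONTROLS.get(card, {}))


# Constructed sample organisation (not from the chapter).
SAMPLE_AREA_LEVELS = {
    "Legal and Regulatory": "Low",
    "Productivity": "Medium",
    "Financial Stability": financial_stability_level(12_000_000, False),
    "Reputation and Loss of Customer Confidence": "Low",
}
SAMPLE_CRITICAL_ASSETS = (
    CriticalAsset("Customer database", "Application", "disclosure"),
    CriticalAsset("Order processing server", "System", "interruption"),
    CriticalAsset("Office LAN", "Network", "interruption"),
    CriticalAsset("System administrator", "People", "loss and destruction"),
    CriticalAsset("Accounting application", "Application", "modification"),
)

if __name__ == "__main__":
    profile = organisation_risk_profile(SAMPLE_AREA_LEVELS)
    print("organisation risk profile:", profile)
    for name, card in select_asset_control_cards(SAMPLE_CRITICAL_ASSETS, profile).items():
        print(f"{name:28s} -> {card} {card_controls(card)}")
```

Running the module prints a "Medium" profile for the constructed organisation and assigns the CC-2x cards; raising the single highest-rated area to "High" flips every asset to its CC-1x card, which is the point of the "highest level wins" rule: one area drives the control selection for all critical assets.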

#### Phase4: Implementation and Management

In this phase, the gap between the selected control cards and the current security practice is analysed first. Then a risk management plan is created and implemented.

The selection of mitigation controls is discussed in both Phase 3 and Phase 4; the package classifies controls into organizational controls, shown in its Annex C, and asset-based controls, shown in its Annex D.

#### **2.4 MEHARI**

MEHARI (Méthode Harmonisée d'Analyse de Risques) was developed by CLUSIF (Club de la Sécurité de l'Information Français) to provide a set of tools specifically designed for security management.

MEHARI uses the terms risk treatment measures or security services for mitigation controls, and classifies them into four categories: "Retention", "Reduction", "Transfer", and "Avoidance".

The standard scales of measures for likelihood reduction or for reduction of frequency factors are:

	- Efficiency of dissuasion measures
	- Efficiency of prevention measures
	- Efficiency of protective or confinement measures
	- Efficiency of palliative measures

Each factor has four levels, from level 1 (low or null) to level 4 (very high, or strong). The list of security services comprises more than 300 sub-services, classified into the following service categories.

1. Organization of security: "Roles and structures of security (01A)", "Security reference guide (01B)", "Human resource management (01C)", "Insurance (01D)", "Business continuity (01E)"

2. Sites security: "Physical access control to the site and the building (02A)", "Protection against miscellaneous environmental risks (02B)", "Control of access to office areas (02C)", "Protection of written information (02D)"

3. Security of Premises: "General maintenance (03A)", "Control of access to sensitive locations (except office zones) (03B)", "Security against water damage (03C)", "Fire security (03D)"

4. Extended Network (intersite): "Security of the extended network architectures and service continuity (04A)", "Control of connections on the extended network (04B)", "Security during data exchange and communication (04C)", "Control, detection and handling of incidents on the extended network (04D)"

5. Local Area Network (LAN): "Security of the architecture of the LAN (05A)", "Access control of the LAN (05B)", "Security of data exchange and communication on the LAN (05C)", "Control, detection and resolution of incidents on the LAN (05D)"

6. Network operations: "Security of operations procedures (06A)", "Parameters setting and control of hardware and software configurations (06B)", "Control of administration rights (06C)", "Audit and network control procedures (06D)"

7. Security and architecture of systems: "Control of access to systems (07A)", "Containment of environment (07B)", "Management and saving of logs (07C)", "Security of the architecture (07D)"

8. IT Protection environment: "Security of operational procedures (08A)", "Control of hardware and software configurations (08B)", "Management of storage media for data and problems (08C)", "Service continuity (08D)", "Management and handling of incidents (08E)", "Control of administrative right (08F)", "Audits and control procedures relative to information systems (08G)", "Management of IT related archives (08H)"

9. Application security: "Application access control (09A)", "Control of data integrity (09B)", "Control of data confidentiality (09C)", "Data availability (09D)", "Service continuity (09E)", "Control of origin and receipt of data (09F)", "Detection and management of application incident and anomalies (09G)", "Security of the e-commerce sites (09H)"

10. Security of application projects and developments: "Security of application projects and developments (10A)", "Ensuring security in the development and maintenance processes (10B)"

11. Protection of users' work equipment: "Security of the operational procedures for the whole set of users' equipment (11A)", "Protection of workstations (11B)", "Protection of data on the workstation (11C)", "Service continuity of the work environment (11D)", "Control of administrative rights (11E)"

12. Telecommunications operations: "Security of operational procedures (12A)", "Control of hardware and software configurations (12B)", "Service continuity (12C)", "Use of end-user telecommunication equipment (12D)", "Control of administrative rights (12E)"

13. Management processes: "Protection of personal information (PPI; 13A)", "Communication of financial data (13B)", "Respect of regulations concerning the verification of computerized accounting (VCA; 13C)", "Protection of Intellectual property rights (IPR; 13D)", "Protection of computerized systems (13E)", "Human safety and protection of the environment (13F)", "Rules related to the use of encryption (13G)"

14. Information security management: "Establish the management system (14A)", "Implement the management system (14B)", "Monitor the management system (14C)", "Improve the management system (14D)", "Documentation (14E)"

We can see that the same or similar expressions appear in different categories: "security of operational procedures" appears in 06A, 08A, 11A, and 12A, and "service continuity" in 08D, 09E, 11D, and 12C. This suggests the possibility of a different perspective for the classification of controls.

MEHARI describes threats by items similar to those in OCTAVE's risk profile worksheet shown in Fig. 1. Events: "Accidents", "Errors", "Voluntary acts, whether malicious or not", etc. For each of the events, the following aspects are described:

	- Whether the cause is internal to the entity,
	- Whether the event is material or immaterial,

Construction of Effective Database System for Information Risk Mitigation 121

 Compliance: "Compliance with legal requirements (03D, 13A, 13D)", "Compliance with security policies and standards, and technical compliance", "Information systems

knowingly and objectively accepting risks, providing they clearly satisfy the

We refer to NIST SP800--30, where the total process of risk mitigation is described in four phases such as "risk mitigation options", "risk mitigation strategy", "an approach for control implementation, control categories, the cost--benefit analysis", and "residual risk".

Risk Assumption: To accept the potential risk and continue operating the IT system or

Risk Planning: To manage risk by developing a risk mitigation plan that prioritizes,

Research and Acknowledgement: To lower the risk of loss by acknowledging the

Risk Transference: To transfer the risk by using other options to compensate for the

NIST also provides SP800--53, which includes a list of more than 170 recommended security

 Management Class: "Certification, Accreditation, and Security Assessments (CA)", "Planning (PL)", "Risk Assessment (RA)", "System and Services Acquisition (SA)" Operational Class: "Awareness and Training (AT)", "Configuration Management (CM)", "Contingency Planning (CP)", "Incident Response (IR)", "Maintenance (MA)", "Media Protection (MP)", "Physical and Environmental Protection (PE)", "Personnel

Technical Class: "Access Control (AC)", "Audit and Accountability (AU)", "Identification

In this section, some tools based on fuzzy theory such as fuzzy outranking method, fuzzy inference mechanism, modified structural modelling method based on FSM, and fuzzy c-

and Authentication (IA)", "System and Communications Protection (SC)"

vulnerability or flaw and researching controls to correct the vulnerability

 Risk Avoidance: To avoid the risk by eliminating the risk cause and/or consequence Risk Limitation: To limit the risk by implementing controls that minimize the adverse

These controls are selected by considering the possible options including:

 avoiding risks by not allowing actions that would cause the risks to occur transferring the associated risks to other parties, e.g. insurers or suppliers

to implement controls to lower the risk to an acceptable level

applying appropriate controls to reduce the risk

The followings are risk mitigation options.

impact of a threat's exercising a vulnerability

The classes of controls and their families are shown as follows.

Security (PS)", "System and Information Integrity (SI)"

implements, and maintains controls.

loss, such as purchasing insurance.

controls for Federal Information Systems.

**3. Brief explanation of useful tools** 

mean (clustering) are briefly described.

organization's policy and criteria for risk acceptance

audits considerations"

**2.6 NIST** 

	- Process or process steps: modification of files during maintenance operations,
	- Location: theft of media from one location or another, inside or outside the organization,
	- Time: actions occurring during or outside working hours.

A risk scenario is created with the different element, and risk treatment measures effective to the scenario are selected.

## **2.5 ISO/IEC**

BS7799 part1 based ISO/IEC 27002 defines a security control to be a control which should ensure risks are reduced to an acceptable level. The selection of appropriate controls is dependent on organizational decisions based on the criteria for risk acceptance and the general risk management approach. Thus the acceptance level for the organization should be discussed and determined previously.

The categorization of controls in the document is shown below with corresponding number of controls in MEHARIT.


 Compliance: "Compliance with legal requirements (03D, 13A, 13D)", "Compliance with security policies and standards, and technical compliance", "Information systems audits considerations"

These controls are selected by considering the possible options including:

