9.4 Evaluate the Impact of Threats to Critical Assets

This activity builds upon the first two. You use the evaluation criteria that you created previously to evaluate the impact descriptions that you developed earlier during the first activity of process 7. By doing this, you are able to estimate the impact on the organization for each threat to a critical asset. The ultimate result is that you can now establish priorities to guide your risk mitigation activities during process 8.

Step 1: Review Information

Before you evaluate your risks, you need to review the information gathered so far from earlier processes. Specifically, we suggest that you look at the evaluation criteria and the following for each critical asset:

• Threat profiles

• Impact descriptions

These data provide you with scenarios that threaten your critical assets (threat profiles), the resulting impact (impact descriptions), and risk measures for your organization (evaluation criteria). Together, they provide you with a picture of the information security risks that your organization is facing.

Step 2: Evaluate Risk Impact

For each critical asset, first review the impact descriptions for each threat outcome (disclosure, modification, destruction/loss, interruption). Some outcomes will have more than one impact description associated with them. Next evaluate each impact description by assigning it an impact measure (high, medium, or low). Using the qualitative evaluation criteria that you created during the previous activity as a guide, continue evaluating impacts until you have evaluated all of the impacts for each critical asset. Make sure you record your results.

Finally, when you add impact values to the threat profile, you create a risk profile. Essentially, you have created a set of risk scenarios for a critical asset.

Let's see how the team at MedSite evaluated impacts. The analysis team and the representative from MedSite's risk management department started with PIDS. They reviewed its threat profiles and impact descriptions, as well as the evaluation criteria, and evaluated each impact that they recorded for PIDS.

Let's specifically look at how the team evaluated the impact of modification of PIDS information. In reviewing the PIDS threat profile, they found the following threats with an outcome of modification in the profile:

• People inside MedSite can use network access to modify PIDS information accidentally.

• People inside MedSite can use network access to modify PIDS information deliberately.

• Outsiders (i.e., attackers) can use network access to modify PIDS information deliberately.

• People inside MedSite can use physical access to modify PIDS information deliberately.

• People outside MedSite can use physical access to modify PIDS information deliberately.

• A virus can modify PIDS information.

Note that the above threats are textual versions of PIDS threat profile branches. Next, the team reviewed the various types of impact. Consider the following impact from Figure 9-1:

Medical treatment facility could lose credibility, causing patients to seek care from another source.

This impact is related to the area of reputation/customer confidence, for which the evaluation criteria are shown in Figure 9-1. After the team discussed this impact and examined it in relation to these criteria, they felt that MedSite's reputation would be damaged, but that it could be recovered with some effort and expense. Thus, the team assigned the value of "medium" to this impact. Figure 9-3 shows the impact values for the levels of impact resulting from modification of PIDS information.

Notice that there are four levels of impact associated with modification of PIDS information. Each impact was evaluated, and its value recorded in the right column. Three were assigned a value of medium, while the fourth was judged to be high. The team evaluated all levels of impact for PIDS and the other critical assets. You will find the complete set of evaluation results in Appendix A.

The final step is to create what we call a risk profile. To do this, you simply append the impact values to the trees in the threat profile and record the range on the risk profile—in this case, high to medium. Figure 9-4 shows the threat tree for human actors using network access for PIDS with all impact values added. Note that a solid line in Figure 9-4 indicates the existence of a risk, while a dashed line indicates no risk to the asset.

If you have difficulty using the evaluation criteria as you evaluate the impact descriptions, then one of the following might be occurring:

• The impact description might be too vague to enable you to match it to the evaluation criteria. If this is the case, you need to refine the impact descriptions by making them more specific.

• The evaluation criteria might not be specific enough to enable you to assign measures to impact descriptions. In this case you need to refine the evaluation criteria by making them more specific.

In the second case you might also want to check any impact values that were assigned using the first set of criteria to make sure that they are consistent with the refined criteria.

This completes the basic risk analysis activities for OCTAVE. The next section presents a special topic: incorporating probability into the risk analysis.