
Risk Assessment Methods: Mehari, Ebios, Octave


Risk Assessment Methods

Since the financial crisis that began in 2008, risk analysis has taken on special relevance in the internal management of organizations. Previously, work in this area was carried out in a non-systematic and isolated manner across entities. Since then, however, companies have strengthened internal control by applying risk management in every area and department.

Currently, multiple risk analysis methodologies are used to ensure systematic management. Within the scope of a company’s corporate risk analysis, it is very important to consider the risks that may compromise information security. Various risk assessment methodologies exist to carry out this analysis; in this article, we will consider three of the best-known: MEHARI, EBIOS, and OCTAVE.

MEHARI Methodology

MEHARI is a methodology developed by CLUSIF (Club de la Sécurité de l’Information Français) in 1998 that became open source in 2007.

The objective of this methodology is to allow a direct and individual analysis of risk situations described in different scenarios and to provide a complete set of tools specifically designed for short, medium, and long-term security management, adaptable to different levels of maturity.

The phases of the MEHARI methodology are as follows:

  1. Risk analysis or assessment

A risk situation can be characterized by different factors:

  • Structural (or organizational) factors, which do not depend on security measures, but on the main activity of the organization, its environment, and its context.
  • Risk reduction factors, which are a direct function of the implemented security measures.

MEHARI allows for the qualitative and quantitative evaluation of these factors, obtaining risk levels as a consequence.

For this, it integrates tools (such as evaluation criteria, formulas, etc.) and knowledge databases (particularly for the diagnosis of security measures), as an essential complement to the risk analysis framework.

It is necessary to carry out a structured approach that allows identifying all potential risk situations, in order to analyze the most critical ones and be able to identify actions to reduce risk to acceptable levels.

  2. Security assessments

MEHARI integrates security control questionnaires, which allow the quality level of the mechanisms and solutions aimed at risk reduction to be evaluated. Controls or security measures are grouped into services and security domains. To carry out this evaluation, it is necessary to follow these steps:

  • Vulnerability review or evaluation of security services: MEHARI provides a structured risk model that considers risk reduction factors in the form of security services.

The result of the vulnerability assessment will aim to ensure that security services truly fulfill their purpose.

The assessment is based on an expert knowledge database provided by MEHARI to evaluate the quality level of security measures.

  • Security plans based on vulnerability review: security plans will be prepared as a direct result of the assessment of the state of security services.

The security management process focuses on executing an assessment and deciding to improve all those services that do not have a sufficient level of quality.

MEHARI provides diagnostic questionnaires that can be used for this type of approach.

  • Support in databases for creating a security reference framework: MEHARI knowledge databases can be used directly to create a security reference framework that will contain and describe the set of security rules and instructions that the organization must follow.

MEHARI evaluation questionnaires are a good working basis for security managers to decide what should be applied in the organization.

The creation of a set of rules, through a security reference framework, often faces difficulties in local implementation, so exemptions and exceptions must be managed.

  • Domains covered by the vulnerability assessment module: from a risk analysis point of view, based on the identification of all risk situations and with the desire to cover all unacceptable risks, MEHARI is not limited simply to the IT domain.

The evaluation module covers, in addition to information systems, the entire organization, such as general site protection, work environment, and legal and regulatory aspects.

  3. Threat analysis

Whatever the orientation of the security policy, there is one principle on which all managers agree: there must be a balance between security investments on one side and the importance of key business challenges on the other.

This means that understanding business threats is fundamental, and that analyzing the security context deserves a priority level and a strict and rigorous evaluation method.

The purpose of security threat analysis is to answer the following double question: What can happen, and if it happens, can it be serious?

MEHARI provides a threat analysis module with two types of results:

  • A scale of values of possible malfunctions in the organization’s operational processes.
  • A classification of information and IT assets: this consists of defining a sensitivity indicator for each type of information, for each type of IT asset, and for each classification criterion (usually Confidentiality, Integrity, and Availability). The classification of information assets is the previously defined scale of malfunction values translated into sensitivity indicators associated with IT assets.

The scale of malfunction values and the classification of information and assets are two distinct ways of expressing security threats. The first is more detailed and provides more information to CISOs, and the second is more general and more useful for awareness and information campaigns.

EBIOS Methodology

EBIOS is a method promoted by the DCSSI (Direction centrale de la sécurité des systèmes d’information) for use in French public administrations. The objective of this methodology is to provide a global and coherent vision of information systems security, allowing the determination of company security objectives and requirements.

The EBIOS methodology has five fundamental principles:

  1. Context study

It is necessary to conduct a study of the company’s context and its evolution throughout its history, and thus identify all the essential elements linked to the company, such as hardware, software, networks, organizations, personnel, and facilities.

  2. Express security needs

Each identified element has different security needs. These needs are expressed according to different security parameters such as availability, integrity, and confidentiality. The needs will be evaluated based on predefined criteria, taking into account the impact that the loss or lack of any of these parameters can cause.

  3. Study of threats

Each organization is exposed to various dangerous elements or threats, depending on its natural environment, culture, image, area of activity, etc. Therefore, it is necessary to identify all the dangerous elements and attack methods that may exist.

Depending on the attack method, each company will have different vulnerabilities that can be used by the corresponding dangerous elements.

  4. Express security objectives

It only remains to determine the risk, defined as how dangerous elements and their attack methods can affect the essential elements.

A risk represents a possible incident: the possibility that a dangerous element, using a particular attack method, affects the essential elements by exploiting the vulnerabilities of the entities on which those essential elements rely.

Security objectives will allow covering the vulnerabilities detected in the entity.

On the other hand, it is useless to protect what is not exposed. Therefore, the more important the risk, the more important the security objectives will be, and it will not be necessary to establish objectives for what is not exposed.
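The MEHARI risk analysis section above (structural factors giving a risk level, reduced by the risk reduction factors rated in the security assessment) and the EBIOS definition of risk just given (a dangerous element and attack method exploiting a vulnerability of an entity that supports an essential element, with no objectives for what is not exposed) describe the same evaluation loop. The following Python is an added example, not part of the article and not a tool from CLUSIF, DCSSI or GlobalSuite; the four-step scales, the risk grid, the "strongest measure counts" reduction rule, the acceptable level of 2 and all sample assets and scenarios are this example's own assumptions, constructed to show the loop end to end.

```python
from dataclasses import dataclass

# Assumed four-step ordinal scales (1 = very low ... 4 = very high). These are
# this example's own conventions, not the tables shipped with MEHARI or EBIOS.
LOW, HIGH = 1, 4
ACCEPTABLE_LEVEL = 2   # assumed: a risk at or below this level is tolerated as-is

# Assumed risk grid: RISK_GRID[impact][likelihood] -> risk level 1..4.
RISK_GRID = {
    1: {1: 1, 2: 1, 3: 1, 4: 2},
    2: {1: 1, 2: 2, 3: 2, 4: 3},
    3: {1: 1, 2: 2, 3: 3, 4: 4},
    4: {1: 2, 2: 3, 3: 4, 4: 4},
}


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: dict  # classification per criterion, e.g. {"C": 4, "I": 3, "A": 3}


@dataclass(frozen=True)
class Scenario:
    asset: Asset
    threat: str        # dangerous element together with its attack method
    criterion: str     # "C", "I" or "A": the security need the scenario damages
    exposure: int      # structural factor: natural exposure, independent of any control
    dissuasion: int    # risk-reduction factors (0..3) as rated by the security assessment:
    prevention: int    #   dissuasion and prevention lower the likelihood,
    protection: int    #   protection and palliation lower the impact
    palliation: int


@dataclass(frozen=True)
class Evaluation:
    scenario: Scenario
    intrinsic_level: int   # "if it happens, can it be serious?" with no measure counted
    residual_level: int    # level once the rated measures are taken into account
    action: str


def clamp(value):
    return max(LOW, min(HIGH, value))


def intrinsic_level(s):
    # Structural factors only: exposure acts as likelihood, asset sensitivity as impact.
    return RISK_GRID[s.asset.sensitivity[s.criterion]][s.exposure]


def residual_level(s):
    # Assumed reduction rule: the strongest measure acting on each axis counts.
    likelihood = clamp(s.exposure - max(s.dissuasion, s.prevention))
    impact = clamp(s.asset.sensitivity[s.criterion] - max(s.protection, s.palliation))
    return RISK_GRID[impact][likelihood]


def decide(intrinsic, residual):
    # EBIOS rule from the text: objectives only for what is exposed, sized by the risk.
    if intrinsic <= ACCEPTABLE_LEVEL:
        return "not exposed: no security objective needed"
    if residual <= ACCEPTABLE_LEVEL:
        return "exposed but covered: keep existing measures"
    return "unacceptable: define a security objective and reduce"


def evaluate(scenarios):
    """Rank the risk situations, most serious residual risk first."""
    results = []
    for s in scenarios:
        intrinsic, residual = intrinsic_level(s), residual_level(s)
        results.append(Evaluation(s, intrinsic, residual, decide(intrinsic, residual)))
    return sorted(results, key=lambda e: (e.residual_level, e.intrinsic_level), reverse=True)


# Constructed sample data for a fictitious organization.
CUSTOMER_DB = Asset("customer database", {"C": 4, "I": 3, "A": 3})
PAYROLL = Asset("payroll server", {"C": 3, "I": 4, "A": 3})
BROCHURES = Asset("public brochures", {"C": 1, "I": 2, "A": 2})

SCENARIOS = [
    Scenario(CUSTOMER_DB, "external intruder via the exposed web front end", "C",
             exposure=4, dissuasion=1, prevention=1, protection=1, palliation=0),
    Scenario(PAYROLL, "ransomware delivered by phishing", "A",
             exposure=3, dissuasion=0, prevention=2, protection=1, palliation=3),
    Scenario(BROCHURES, "defacement of the public web site", "I",
             exposure=2, dissuasion=0, prevention=1, protection=0, palliation=2),
]

if __name__ == "__main__":
    for e in evaluate(SCENARIOS):
        print(f"{e.scenario.asset.name:18} {e.scenario.criterion}  intrinsic={e.intrinsic_level}"
              f"  residual={e.residual_level}  -> {e.action}")
```

Reading the output top-down gives the prioritized list the text asks for: the customer database scenario stays at level 3 even after the rated measures and so needs a security objective; the payroll scenario is serious in itself (level 3) but the palliative measure already brings it within the acceptable level; the brochure scenario is not exposed enough to justify an objective at all. Replacing the assumed grid and reduction rule with the organization's own tables is the only change needed to turn this into a working register.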

  5. Determine security requirements

The team in charge of applying the EBIOS procedure must specify, in a precise manner, the expected security functionalities. With these functional requirements, it must demonstrate perfect coverage of the security objectives.

The team in charge must specify the security requirements that allow obtaining the necessary level of confidence to then be able to demonstrate it.

OCTAVE Methodology

The conceptual framework that formed the basis of the original OCTAVE approach was published by the SEI (Software Engineering Institute) at Carnegie Mellon University in 1999. The objective of this methodology was to address the security compliance challenges faced by the U.S. Department of Defense.

OCTAVE is aimed at medium and large organizations (more than 300 employees) that meet the following characteristics:

  • Multi-level organizational chart
  • They have their own IT infrastructure
  • They have the capacity to assess vulnerabilities
  • They have the capacity to interpret the results of vulnerability assessments

The OCTAVE methodology has 3 phases:

  1. Asset identification

The organization must identify the most important assets intended for information processing. It is important to identify all assets that are part of the company and support IT services, as well as all media containing information.

Once all assets with information have been identified, it will be necessary to evaluate them to identify those that are most critical for the organization’s operation and associate all threats that may interfere with the security of these assets.

  2. Infrastructure analysis

To complement the analysis carried out in phase 1, the risk analysis team must conduct an assessment of the infrastructure, both technological and physical, that supports the assets containing company information and likewise identify all threats that may interfere with the security of the infrastructure.

  3. Risk analysis

Finally, the risk analysis team must evaluate all threats and identify the most relevant risks for the company. For those higher risks, it will be necessary to develop a mitigation plan, in which controls are implemented or existing ones are improved to reduce the risk level of those assets previously defined as critical.

Using any of these methodologies or a combination of them, it will be possible to obtain the most realistic view of the risks that can affect information security.

At GlobalSuite Solutions, we have an expert team for conducting Information Security Risk Analysis, using the most appropriate methodology depending on the company, which can help you improve security management. The GlobalSuite® software, entirely developed by our team, allows you to keep any risk analysis updated and managed efficiently with full traceability.