University of Twente Student Theses


A security risk assessment approach using enterprise architecture models to support decision-making at security operation centres

Narain, S. (2021) A security risk assessment approach using enterprise architecture models to support decision-making at security operation centres.

Abstract: As the cyber threat landscape rapidly changes, organizations want to stay updated on how they can protect their valuable assets. Carrying out a risk assessment on their critical assets provides a way in which organizations can gain visibility of threats and use adequate countermeasures to protect these assets. Risk is a function of the probability of a negative event happening and the impact that event will have when it happens. Traditionally, risk assessment has been carried out in a qualitative way where risk is assessed on an ordinal scale. This method is widely used in practice; however, it has its drawbacks. Ordinal scales: (1) ignore the cognitive bias in people's ability to assess risk, (2) have verbal labels which can be interpreted differently by users, (3) are treated as ratios by users, which leads to invalid inference, and (4) mostly ignore correlations that would change the relative risks. For managing cyber threats, organizations establish Security Operations Centres (SOC) that monitor their network for activities that may inflict damage. However, with the growing complexity of Information Systems, malicious actors have plenty of opportunities to attack their targets, and businesses are trying hard to protect themselves. Enterprise Architecture (EA) is used by a growing number of organizations to formalize the structure of their complex operations. Through this research we propose a risk assessment approach that supports decision-making in SOCs by using Enterprise Architecture modelling. We follow a structured approach called Design Science Research Methodology (DSRM) that has five phases. Initially we carried out problem investigation by performing a Systematic Literature Review of existing academic research on the topics of Enterprise Architecture, Cyber security, and Risk analysis.
This resulted in 29 studies that were closely examined, and from these we extracted 24 artefacts comprising 10 risk analysis methods, 7 frameworks, and 7 sets of security metrics. The next phase in DSRM was treatment design, where we designed the main artefact of this research. We introduce the Model-based Risk and Security Evaluation (MORSE) approach, a six-stage process that leads to a quantitative risk assessment and supports countermeasure selection by risk managers at an SOC. In Stage 1, the organization prepares itself for a risk assessment, according to its risk appetite and risk tolerance, and identifies which assets to perform risk analysis on. In Stage 2, they determine the risks, threats and vulnerabilities to the asset and populate metrics. Our approach uses attack-defence graphs, which map the probable path an attacker may take to reach their intended target; these are also created in this stage. In Stage 3, the risk analysis is performed, in which, using definitions from FAIR (Factor Analysis of Information Risk), the inherent risk, Loss Event Frequency and Loss Magnitude are calculated. In Stage 4, the risk for the asset is evaluated, with respect to the overall risk in the organization, by colourizing elements in the EA model. In Stage 5, risk treatment is carried out, which involves selecting and applying control measures to the risk scenario. This is done by selecting controls from a catalogue displayed in a portfolio scorecard view and adding them to the attack-defence graph. The selection of controls is supported by a Return on Security Investment calculation that displays the expected effect of the control in the risk scenario based on control strength and control cost. Finally, the total risk exposure is updated in this stage. The final stage, Stage 6, is a continuous process of monitoring risk. In this stage, relevant decision-makers are periodically informed about the risk in a form through which they can take action to reduce it.
Additionally, SOC personnel update the risk scenarios with any change in the risk scenario, and the risk assessment can be repeated. Following DSRM, the next phase was treatment validation, which we carried out in BiZZdesign Enterprise Studio. We demonstrated the approach by performing each task in MORSE and then applying it to an example attack scenario. In this phase, we also examined how the initial requirements were satisfied by the proposed design. The result was that all the requirements were either completely or partially fulfilled. The final stage of DSRM was implementation evaluation, which was performed by conducting a mini-workshop. Five experts were gathered and presented with MORSE. They were then asked to fill out a questionnaire consisting of eight questions that measured their intention to use the approach and their perception of how it would work in practice. Their responses indicated that the approach can be applied in real-world scenarios. Certain feedback received during the workshop was also incorporated in this report to improve communication of the intended use of MORSE. Lastly, this research recommends that the approach be supplied as an example in BiZZdesign Enterprise Studio. This would require certain areas to be researched in depth, particularly the calculation of risk using probability density functions, Monte Carlo simulation, sensitivity analysis of the inputs, confidence intervals in outputs and further improvements in control measure selection.
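The abstract describes Stages 3 to 5 of MORSE in words only: a FAIR-style quantitative risk figure (Loss Event Frequency times Loss Magnitude), evaluation of that figure against the organization's risk tolerance, and control selection driven by a Return on Security Investment (ROSI) calculation from control strength and cost. The following Python script is an added illustration of those three steps and is not code from the thesis or from BiZZdesign Enterprise Studio. It uses the standard FAIR decomposition (Risk = LEF x LM, LEF = TEF x Vulnerability) and the common ROSI formula (risk reduction minus control cost, divided by control cost); the modelling of control strength as a fractional reduction of vulnerability, the traffic-light banding thresholds, and every asset, control and number below are constructed assumptions for the example.

```python
from dataclasses import dataclass, replace

# Added example, not from the thesis. All figures are constructed and illustrative.


@dataclass(frozen=True)
class RiskScenario:
    """One FAIR-style risk scenario for a single asset (Stage 2/3 inputs)."""
    asset: str
    threat_event_frequency: float   # TEF: expected threat events per year
    vulnerability: float            # P(threat event becomes a loss event), 0..1
    loss_magnitude: float           # LM: expected loss per loss event, currency units

    def loss_event_frequency(self) -> float:
        # FAIR: LEF = TEF x Vulnerability
        return self.threat_event_frequency * self.vulnerability

    def annualized_risk(self) -> float:
        # FAIR: Risk = LEF x LM, i.e. expected annual loss (inherent risk)
        return self.loss_event_frequency() * self.loss_magnitude


@dataclass(frozen=True)
class Control:
    """A candidate control from the catalogue (assumed structure)."""
    name: str
    annual_cost: float
    strength: float   # assumed model: fraction by which vulnerability is reduced, 0..1


def apply_control(scenario: RiskScenario, control: Control) -> RiskScenario:
    """Residual scenario after a control: vulnerability scaled by (1 - strength)."""
    if not 0.0 <= control.strength <= 1.0:
        raise ValueError(f"control strength out of range: {control.strength}")
    residual = scenario.vulnerability * (1.0 - control.strength)
    return replace(scenario, vulnerability=residual)


def rosi(scenario: RiskScenario, control: Control) -> float:
    """Return on Security Investment = (risk reduction - cost) / cost."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    reduction = scenario.annualized_risk() - apply_control(scenario, control).annualized_risk()
    return (reduction - control.annual_cost) / control.annual_cost


def rank_controls(scenario: RiskScenario, controls: list[Control]) -> list[tuple[str, float, float]]:
    """Portfolio scorecard rows: (control, residual annual risk, ROSI), best ROSI first."""
    rows = [(c.name, apply_control(scenario, c).annualized_risk(), rosi(scenario, c))
            for c in controls]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def risk_band(risk: float, tolerance: float) -> str:
    """Stage 4 colouring relative to risk tolerance (thresholds are an assumption)."""
    if risk <= tolerance:
        return "green"
    if risk <= 2.0 * tolerance:
        return "amber"
    return "red"


# Constructed inputs: one asset, three catalogue controls, one tolerance figure.
BASELINE = RiskScenario("customer database", threat_event_frequency=12.0,
                        vulnerability=0.25, loss_magnitude=50_000.0)
CONTROLS = [
    Control("MFA on admin accounts", annual_cost=20_000.0, strength=0.6),
    Control("Quarterly phishing training", annual_cost=5_000.0, strength=0.3),
    Control("Full network re-segmentation", annual_cost=200_000.0, strength=0.9),
]
RISK_TOLERANCE = 50_000.0

if __name__ == "__main__":
    inherent = BASELINE.annualized_risk()
    print(f"{BASELINE.asset}: LEF={BASELINE.loss_event_frequency():.2f}/yr, "
          f"inherent risk={inherent:,.0f} [{risk_band(inherent, RISK_TOLERANCE)}]")
    for name, residual, r in rank_controls(BASELINE, CONTROLS):
        print(f"  {name:<32} residual={residual:>10,.0f} "
              f"[{risk_band(residual, RISK_TOLERANCE)}]  ROSI={r:+.2f}")
```

Run as a script it prints the scorecard; the control with the highest ROSI is not the one that leaves the lowest residual risk, which is exactly the trade-off the portfolio view is meant to expose. The thesis notes that point estimates like these should eventually be replaced by probability density functions and Monte Carlo simulation; the structure above would then carry distributions instead of single floats.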
Item Type:Essay (Master)
Faculty:EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject:54 computer science, 85 business administration, organizational science
Programme:Business Information Technology MSc (60025)

