NIST calls for explicit cybersecurity risk methodologies
A new final draft of a National Institute of Standards and Technology special publication calls on agencies to draw on an explicit cybersecurity risk methodology.
The publication, SP 800-30 rev.1 (.pdf), focuses exclusively on cybersecurity risk assessment and characterizes organizational risk as a function of the likelihood of a characterized threat source initiating a threat event that exploits a vulnerability of a certain severity causing, to some degree, an adverse impact.
The risk of the adverse impact itself is a function of impact and the likelihood of it occurring, the publication says.
The risk model outlined by NIST can accommodate impacts at all three tiers of the well-known NIST strategic risk pyramid: the organization (tier one), mission or business processes (tier two) and information systems (tier three).

When it comes to evaluating risk, the special publication advocates following a defined assessment methodology that begins with a framing of the approach--the purpose, assumptions, constraints, risk tolerances, priorities and trade-offs.
That framing determines the methodology, which consists of four subelements: process, risk model (described above), assessment approach and analysis approach.
Assessment can be quantitative, qualitative or semiquantitative. In the semiquantitative case, factors that are not inherently measurable are each assigned a value on a numerical scale, and overall risk is then assessed by totaling those values.
Analysis approach can be oriented around threat, impact or vulnerability.
A threat approach starts with identification of threat sources and events in order to develop threat scenarios, whereas an impact approach starts with an outcome and works backward to identify threat events and sources that could lead to it. A vulnerability-oriented approach begins by identifying a set of predisposing conditions or known weaknesses, and identifies threat events that could exploit those vulnerabilities along with the possible impacts of threat sources doing so.
A threat source, the publication points out, need not be a hostile person; human error is a threat source as well, as are structural failures and disasters, whether natural or man-made.
By making all the elements of the methodology--process, model, assessment approach and analysis approach--explicit, NIST says agencies make their risk assessment reproducible and repeatable.
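Added example (not NIST's own code or tables) of the risk model and semiquantitative scoring described above: each qualitative factor gets a value on an assumed 0-10 scale, the two likelihoods are combined, and the result is totaled with impact so that scenarios from any threat source, hostile or not, rank on one reproducible scale. The scale values, the combination rules and the sample scenarios are assumptions constructed here.

```python
from dataclasses import dataclass

# Assumed semiquantitative scale (not NIST's table): qualitative level -> score.
SCALE = {"very low": 0, "low": 2, "moderate": 5, "high": 8, "very high": 10}
LEVELS = list(SCALE)  # insertion order: lowest to highest


def to_level(score: float) -> str:
    """Map a 0-10 score back to the nearest level; ties resolve to the higher level."""
    return min(LEVELS, key=lambda lvl: (abs(SCALE[lvl] - score), -SCALE[lvl]))


@dataclass
class ThreatScenario:
    threat_source: str          # adversarial, human error, structural, environmental
    threat_event: str
    vulnerability: str
    initiation_likelihood: str  # likelihood the source initiates the event
    impact_likelihood: str      # likelihood the event, once initiated, causes harm
    impact: str                 # severity of the adverse impact


def overall_likelihood(s: ThreatScenario) -> str:
    """Assumed combination rule: the less likely of the two steps bounds the whole."""
    return to_level(min(SCALE[s.initiation_likelihood], SCALE[s.impact_likelihood]))


def risk_score(s: ThreatScenario) -> float:
    """Total the likelihood and impact factors on the numeric scale (mean of the two)."""
    return (SCALE[overall_likelihood(s)] + SCALE[s.impact]) / 2


def risk_level(s: ThreatScenario) -> str:
    return to_level(risk_score(s))


def rank(scenarios: list[ThreatScenario]) -> list[tuple[str, float, str]]:
    """Highest-risk scenarios first; the same inputs always give the same ordering."""
    rows = [(s.threat_event, risk_score(s), risk_level(s)) for s in scenarios]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample scenarios for a hypothetical agency system.
SAMPLE = [
    ThreatScenario("hostile outsider", "phishing of staff credentials", "no MFA on VPN",
                   "high", "moderate", "high"),
    ThreatScenario("human error", "admin deletes production database", "no change review",
                   "moderate", "very high", "very high"),
    ThreatScenario("environmental", "flood at primary data center", "no offsite backup",
                   "very low", "very high", "very high"),
]

if __name__ == "__main__":
    for event, score, level in rank(SAMPLE):
        print(f"{score:4.1f}  {level:9s} {event}")
```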
Agencies need not restrict themselves to a single risk assessment; they can make multiple assessments depending on the time frame for investment planning or policy changes, the complexity of the agency's processes, the life-cycle status of the information system or the criticality of the system itself.

For more:
- download the final draft of SP-800-30 rev. 1 (.pdf)