Cybersecurity risks analysis

ISO 27005

ISO 27005 defines a framework and risk management requirements for the implementation of an information security management system. It is part of a logic of continuous improvement PDCA cycle (Plan, Do, Check, Act). Risk is defined as the effect of uncertainty on the achievement of objectives.

The approach proposed by the standard is as follows:

1. Context setting and defining risk acceptance criteria.
2. Risk assessment: identification of assets, threats, existing security measures, vulnerabilities and their consequences.
3. Treatment of risk by accepting, mitigating, avoiding and transferring it.

This process results in residual risks that may or may not be accepted. It is part of an ongoing communication with stakeholders and periodic monitoring and review of risks.

EBIOS

The EBIOS method is maintained by the French National Agency for the Security of Information Systems (ANSSI). It was reviewed in 2018 and is now titled EBIOS Risk Manager.

The EBIOS Risk Manager method adopts a risk management approach that starts from the highest level (major missions of the object under study) to progressively focus on the business and technical elements, studying the possible paths of attack. It aims to achieve a synthesis between compliance and scenarios by repositioning these two complementary approaches where they add the most value.

According to EBIOS Risk Manager, scenario-based risk assessment therefore focuses on intentional and targeted threats. It fully positions digital security at the level of the strategic and operational stakes of organisations. It thus provides a real framework for digital risk management. The method is modular and adapts to the context of organizations.

A risk arises from a strategic scenario exploited by a source of risk aiming at an objective and generating an event, composed of one or more paths of attack involving several elementary actions forming an operational scenario, whether or not using stakeholders as a vector of attack.

The method is based on five workshops, each with a purpose.

1. Framing and safety base, based on basic safety principles and the regulatory and normative framework.
2. Identification of sources of risk, i.e. an element, a person, a group of persons or an organisation likely to generate a risk, and characterised by its motivation, resources, skills and operating methods.
3. Definition of strategic scenarios, which are paths of attack from a source of risk, through the ecosystem and the business values of the object under study, to a target objective.
4. Definition of operational scenarios, defined as sequences of elementary actions carried out on the support goods of the object under study or its ecosystem.
5. Identification of appropriate security measures in a continuous security improvement plan.

For more information, you can see the description of the EBIOS Risk Manager method on the ANSSI's website.