Risk Assessment concepts

Hi.

This email discusses the risk management / assessment related concepts 
in DPV following today's meeting. See 
https://w3c.github.io/dpv/meetings/meeting-2023-07-13#t04 for minutes.

The goal is to provide sufficient concepts to enable a simplified risk 
assessment, and to document its causes and consequences. Please let us 
know your thoughts, criticisms, suggestions.

A) Current Risk related concepts

Risk as the central concept, which can have a RiskLevel, Severity, and 
Likelihood. RiskMitigationMeasure which mitigates a risk, and 
ResidualRisk which represents a risk remaining after mitigation. 
Consequence is the effect of a risk which could be on a system, process, 
or entity, which then leads to an Impact on an entity.

The RISK extension extends each of these concepts. It provides 
quantified risk levels, severity levels, and likelihood levels, 
categories of RiskMitigationMeasures as types of controls (e.g. avoiding 
risk source), and a taxonomy of Consequences and Impacts. It also 
provides a list of Risk Assessment Techniques and Risk Methodologies.

B) Existing Proposed Concepts

These concepts were discussed in previous meetings and have been proposed.

RiskThreat to represent incidents or conditions which lead to the risk 
being realised or taking place. For example, for a Risk of Data Breach, 
the Threat would be Unauthorised Access.

RiskVulnerability to represent weaknesses or limitations within a system 
or a process which lead to the threat being realised or taking place. In 
the above example, the vulnerability would be a software condition or 
weak password policy which leads to unauthorised access.

RiskSource to represent conditions or events (or lack of them) which 
lead to a RiskThreat being realised. In the above example, the risk source 
would be lack of appropriate software update routines or staff security 
training.

C) Complete Example

The example from the incident reporting proposal (see 
https://lists.w3.org/Archives/Public/public-dpvcg/2023Jul/0006.html) is 
reused here in a shortened form.

An organisation provides a service, called "NewsRHere", which is served
by using its internal information management system or CRM called
"newsDB" that stores the news articles as well as subscription
information. This system has a vulnerability resulting in 'weak
authentication' that arises because of the software not being updated as 
well as a 'lack of security training' being provided to the
employees. As a result, there is a threat of 'unauthorised system
access' where a 'malicious hacker' exploits this vulnerability and gains
access to newsDB and deletes or corrupts data resulting in 'data loss'.
As a consequence, there is 'service disruption' to NewsRHere, which
results in 'financial loss' for the organisation and 'scams' for readers
of the service.

This can be expressed as the following concepts:

Risk: Data Loss (or Data Breach)
Threat: Unauthorised System Access
Vulnerability: Weak Authentication
Risk Source: Software not updated, and Lack of Security Training
Threat Actor: External Malicious Hacker
Consequence: Service Disruption
Impact: Financial Loss (Organisation), Scams (Subscribers)

Mitigations (or Controls) are applied at each point as follows:

First, to fix vulnerabilities, the risk sources are mitigated either by 
avoiding or removing them, for example by using auto-updates, and by 
putting in monitors to detect when software is out of date.

Second, the Threat can be similarly mitigated by putting in measures to 
make it more difficult for the Threat Actor to act. For example, 
limiting access to known IP addresses (removing), or limiting password 
retries (reducing).

D) Questions raised

1) Does the above make sense? Are there aspects that should be fixed or 
improved?
2) Do we need more risk specific concepts? What are they? For example, 
the list of terms from ISO 31073:2022 is at 
https://github.com/coolharsh55/riskonto/blob/master/riskos.ttl
3) Should we increase the taxonomies provided? For example, add specific 
vulnerabilities, threats, sources similar to how we have consequences 
and impacts?

E) Additional Risk Management Concepts

The below concepts relate to Risk Management and are from ISO risk 
management standards. They represent organisational processes related to 
management of risk in relation to the above discussed concepts. In the 
ISO Risk Management framework, they represent various steps / tasks in 
addition to risk assessment. These were not included within the 
'simplified' risk assessment vocabulary present in DPV, but are included 
here for completeness of proposed concepts.

RiskAssessment
RiskIdentification
RiskAnalysis
RiskEvaluation
RiskAcceptance
ThreatIdentification
ThreatEvaluation
RiskControlAssessment
RiskTreatment
RiskPerception
RiskCriteria
RiskOwner

Regards,
-- 
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/

Received on Thursday, 13 July 2023 21:21:09 UTC
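The NewsRHere scenario from section C of the post, modelled as RDF-style triples, as an added example that is not part of the original post nor code from the DPV project. It uses the classes the post lists (dpv:Risk, dpv:Consequence, dpv:Impact, dpv:RiskMitigationMeasure and the proposed RiskThreat, RiskVulnerability and RiskSource) together with the existing DPV properties dpv:hasConsequence, dpv:hasImpact and dpv:isMitigatedByMeasure. The properties ex:hasThreat, ex:exploitsVulnerability, ex:arisesFromSource and ex:hasThreatActor are hypothetical placeholders, because the post proposes the classes but names no properties linking them, and prefixed names are kept as plain strings so no namespace IRIs are assumed. The only mitigations encoded are the ones the post describes (at the risk sources and at the threat); `unmitigated_points` then reports which points in the source -> vulnerability -> threat chain carry no measure, which is where residual risk sits under a simplified assessment.

```python
# Added example, not code from the DPV project or the post's author.
# Triples are (subject, predicate, object) strings using prefixed names.
from collections import defaultdict

# Constructed graph for the NewsRHere scenario. "ex:" properties are
# hypothetical placeholders (the post proposes no linking properties);
# dpv:hasConsequence, dpv:hasImpact, dpv:isMitigatedByMeasure exist in DPV.
NEWSRHERE_GRAPH = [
    ("ex:DataLossRisk", "a", "dpv:Risk"),
    ("ex:DataLossRisk", "ex:hasThreat", "ex:UnauthorisedSystemAccess"),
    ("ex:DataLossRisk", "dpv:hasConsequence", "ex:ServiceDisruption"),
    ("ex:UnauthorisedSystemAccess", "a", "dpv:RiskThreat"),
    ("ex:UnauthorisedSystemAccess", "ex:exploitsVulnerability", "ex:WeakAuthentication"),
    ("ex:UnauthorisedSystemAccess", "ex:hasThreatActor", "ex:ExternalMaliciousHacker"),
    ("ex:WeakAuthentication", "a", "dpv:RiskVulnerability"),
    ("ex:WeakAuthentication", "ex:arisesFromSource", "ex:SoftwareNotUpdated"),
    ("ex:WeakAuthentication", "ex:arisesFromSource", "ex:LackOfSecurityTraining"),
    ("ex:SoftwareNotUpdated", "a", "dpv:RiskSource"),
    ("ex:LackOfSecurityTraining", "a", "dpv:RiskSource"),
    ("ex:ServiceDisruption", "a", "dpv:Consequence"),
    ("ex:ServiceDisruption", "dpv:hasImpact", "ex:FinancialLoss"),
    ("ex:ServiceDisruption", "dpv:hasImpact", "ex:SubscriberScams"),
    # Mitigations exactly as the post describes them: at a risk source
    # (auto-updates, out-of-date monitoring) and at the threat
    # (known-IP allow-listing, password retry limits).
    ("ex:SoftwareNotUpdated", "dpv:isMitigatedByMeasure", "ex:AutoUpdates"),
    ("ex:SoftwareNotUpdated", "dpv:isMitigatedByMeasure", "ex:OutdatedSoftwareMonitor"),
    ("ex:UnauthorisedSystemAccess", "dpv:isMitigatedByMeasure", "ex:KnownIPAllowList"),
    ("ex:UnauthorisedSystemAccess", "dpv:isMitigatedByMeasure", "ex:PasswordRetryLimit"),
]


def objects(graph, subject, predicate):
    """All objects o such that (subject, predicate, o) is in the graph."""
    return [o for s, p, o in graph if s == subject and p == predicate]


def causal_chain(graph, risk):
    """Walk from a risk back to its threats, vulnerabilities and sources,
    and forward to its consequences and impacts."""
    chain = {"risk": risk, "threats": objects(graph, risk, "ex:hasThreat")}
    chain["vulnerabilities"] = [
        v for t in chain["threats"] for v in objects(graph, t, "ex:exploitsVulnerability")
    ]
    chain["sources"] = [
        s for v in chain["vulnerabilities"] for s in objects(graph, v, "ex:arisesFromSource")
    ]
    chain["consequences"] = objects(graph, risk, "dpv:hasConsequence")
    chain["impacts"] = [
        i for c in chain["consequences"] for i in objects(graph, c, "dpv:hasImpact")
    ]
    return chain


def unmitigated_points(graph, risk):
    """Sources, vulnerabilities and threats on the chain that have no
    dpv:isMitigatedByMeasure link; these are the residual-risk points."""
    chain = causal_chain(graph, risk)
    points = chain["sources"] + chain["vulnerabilities"] + chain["threats"]
    return [p for p in points if not objects(graph, p, "dpv:isMitigatedByMeasure")]


def to_turtle(graph):
    """Serialise the graph as Turtle-style text grouped by subject.
    Prefix declarations are omitted since no namespace IRIs are assumed."""
    by_subject = defaultdict(list)
    for s, p, o in graph:
        by_subject[s].append(f"{p} {o}")
    return "\n".join(
        f"{s} " + " ;\n    ".join(pos) + " ." for s, pos in by_subject.items()
    )


if __name__ == "__main__":
    print(to_turtle(NEWSRHERE_GRAPH))
    print()
    for key, value in causal_chain(NEWSRHERE_GRAPH, "ex:DataLossRisk").items():
        print(f"{key}: {value}")
    print("unmitigated:", unmitigated_points(NEWSRHERE_GRAPH, "ex:DataLossRisk"))
```

Running it lists ex:LackOfSecurityTraining and ex:WeakAuthentication as unmitigated, since the post's measures attach to the software-update source and to the threat but not to the training source or the vulnerability itself; that is the kind of gap a "where does residual risk remain" query over the proposed concepts would surface.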