Today almost every organization benefits from business opportunities created by digitalization. Digitalization makes it possible, among other things, to develop software products on shared platforms, to remotely access and alter patient records, or to remotely control power generators. This change in the technical environment has triggered changes in the legal environment and introduced new compliance requirements. Consequently, protecting the confidentiality of digital information assets has become a major concern for many organizations. This concern is even greater for organizations that connect their IT systems with those of other organizations to reduce costs. Risk assessment methodologies provide stakeholders with sound knowledge of the security risks that threaten the business. A risk assessment method should satisfy three conflicting requirements: accuracy, cost-efficiency, and inter-subjectivity. Together these three requirements form the dilemma of confidentiality risk assessment methods. Accuracy concerns the level of granularity at which a method allows risk to be assessed. Cost-efficiency is the crucial practical limitation of all risk assessment methods: in practice, even risk assessments of large and information-intensive company sections rarely last longer than two weeks. The third requirement we look at in this dissertation is inter-subjectivity. Nowadays, despite the widespread use of standardized methods, the result of a risk assessment is largely subjective, in the sense that other assessors may assess the same risks differently. This lack of inter-subjectivity means that risk assessments are difficult to replicate and that risk assessment results are not comparable. Based on this dilemma of confidentiality risk assessment methods, in this dissertation we propose five IT confidentiality risk assessment and evaluation methods, each of which extends the previous one.
More specifically, we present: (1) Extended eTVRA, which extends the eEurope secure and trusted architecture threat, vulnerability, and risk assessment (eTVRA) method with an information elicitation and structuring step. eTVRA is a model-based method developed specifically for telecom systems. This extension aims at assessing the security risks of complex IT systems more accurately than checklist-based approaches do. (2) DCRA, a model-based confidentiality risk assessment method that is automated with a computational tool. It models the information system in terms of the IT architecture the system relies on, so that one can analyze how confidentiality breaches can propagate through the IT components of the system. DCRA aims at assessing the confidentiality risks of complex IT systems more accurately than checklist-based approaches do. (3) CRAC, a model-based confidentiality risk assessment method that ranks and compares two alternative technical solutions according to their risks. It analyzes risks according to where in the IT architecture information is accessible (information flow) and how difficult it is for different attackers to reach it (attack paths). CRAC aims at increasing the inter-subjectivity of assessment results while reducing assessment costs. (4) CRAC++, which extends CRAC to control confidentiality requirements across a network of organizations. It delivers a set of confidentiality control requirements that can be used to extend SLAs. CRAC++ aims at adapting IT architecture-based confidentiality risk assessment methods so that they can be used to control confidentiality risks. (5) RiskREP, a risk-based security requirements elicitation and prioritization method intended for systems that are still under development. It links business goals to IT risks through the IT architecture. RiskREP aims at eliciting assessment-relevant information cost-efficiently.
We validate and evaluate these methods in seven real-world case studies at multinational companies from the telecommunications, electronics and chemical industries. The results indicate that multinational organizations connected to other organizations through digitalization can benefit from IT architecture-based confidentiality risk assessment. The methods we propose show that assessing risks based on the IT architecture (1) helps to reduce assessment costs, (2) allows the accuracy to be adjusted according to the business-criticality of a system, and (3) increases the inter-subjectivity of qualitative risk assessment results.
| Award date | 21 Apr 2011 |
| Place of Publication | Enschede |
| Publication status | Published - 21 Apr 2011 |
- Requirements Engineering
- Risk assessment
- Non-Functional Requirements
- IT architecture