=Paper= {{Paper |id=None |storemode=property |title=A Model-based Information Security Risk Assessment Method for Science Gateways |pdfUrl=https://ceur-ws.org/Vol-993/paper15.pdf |volume=Vol-993 |dblpUrl=https://dblp.org/rec/conf/iwsg/MouwNLO13 }} ==A Model-based Information Security Risk Assessment Method for Science Gateways== https://ceur-ws.org/Vol-993/paper15.pdf
A Model-based Information Security Risk Assessment Method for Science Gateways

Evert Mouw, Guido van 't Noordende, Baas Louter, Silvia Delgado Olabarriaga
University of Amsterdam, The Netherlands
Email: post@evert.net, guido@science.uva.nl, baas.louter@amc.uva.nl, s.d.olabarriaga@amc.uva.nl


Abstract—BACKGROUND: Information Security is important for e-Science research groups and other small organisations that design and operate science gateways and virtual research environments, especially when such environments are being used for (bio)medical research. We propose a novel method to do risk assessments: MISRAM, the Model-based Information Security Risk Assessment Method. It uses an information architecture model, a method to assign values to information assets and IT components, and a method to calculate risks. The output of MISRAM is a ranked list of risks and a list of actionable tasks to solve the main issues.

METHODS: MISRAM was applied as a test case to an e-Science research group at a Dutch research hospital. Meetings and surveys were used to create and evaluate lists of information assets and IT components. One meeting was used to create a list of practical task recommendations.

RESULTS: Good insight into the information architecture and security problems of the IT infrastructure was gained. Also the participating group members confirmed that the identified security issues were realistic.

CONCLUSIONS: Our approach raises awareness about security among the developers and operators of e-Science environments. It also gives insight into how the technical architecture affects information security. Traditional questionnaires are an important part of any risk assessment, and MISRAM's inclusion of such generic questionnaires is an important aspect to create an integrated information security risk assessment.

Keywords—MISRAM, risk assessment, information security, e-Science, science gateway, DCRA, IT&I.

I. INTRODUCTION

Science gateways are community tools, typically web portals, that enable and facilitate access to distributed infrastructures such as computational Grids. These portals are developed by teams of e-Science experts in various fields (distributed computing, user interfaces, data management, visualisation, etc.), and are typically operated by (subsets of) the same teams as a service for the end-users, who are experts in other scientific domains, not necessarily in computing. Typical services include high-throughput or high-performance computing, visualisation, and access to data or application repositories. Science gateways are therefore complex systems that combine a large number and variety of software components under the same 'container'. Very often some of these components are packages developed by other parties or services provided remotely. For a detailed discussion about the types, technologies, and required properties of science gateways, please refer to the Science Gateway Primer recently published by the EGI-Inspire Virtual Team on Science Gateways (footnote 1).

1 https://documents.egi.eu/public/RetrieveFile?docid=1463&version=10&filename=Science Gateway Primer v092 nComments.pdf)

The e-BioScience group in the Academic Medical Center (AMC) in Amsterdam, the Netherlands, offers a science gateway, coined e-BioInfra gateway, for experimental data analysis in the fields of high-resolution medical imaging, genomics, and proteomics [1]. The backend is based on scientific workflow management technology [2], and makes use of grid-based computing resources. Using such distributed resources for sensitive medical data requires a solid security policy. This is particularly true when intrinsically identifiable DNA data is involved [3]. Ideally, the gateway should be subject to Risk Management [4] following recommendations given by standards such as ISO 27002 and the related Dutch standard for information security management in healthcare, NEN 7510. An important element of both standards is the execution of a good Risk Assessment (RA), where a systematic analysis of security aspects of the system is carried out.

Concerned with the security features of the e-BioInfra gateway, and driven by the increasing awareness of biomedical researchers about privacy and ethical issues related to the information that they process through this system, it was decided to conduct a risk assessment of the e-BioInfra gateway. In this paper, our risk assessment method is presented, together with an example based on a simplified version of the risk calculations to illustrate the approach. The experience obtained by applying a modified risk assessment method at the AMC is also presented. The method worked well for this e-Science environment, providing insights and raising awareness about the security of the e-BioInfra gateway. The method could also be useful to other groups that develop and operate science gateway services.

A. Some specific needs for science gateways

The distributed nature of the data processing, the amount of data and computing, and the organisational characteristics of a science gateway are unique. A particular aspect for science gateways is that components can be internal or external information processing systems which are owned by different organisations. Therefore, the method applied should facilitate the analysis of these interdependencies, following a model-based approach.
A typical e-Science group is small and consists of highly skilled experts who develop and maintain their own software. These properties make it hard for external security experts to carry out a Risk Assessment. In fact, such outside analysts often lack inside information and good working knowledge of the technical components used by a science gateway. Our method takes a multiple-stakeholder approach, also favoured by Zambon et al. [5], where people who manage the system and the users of the system are involved in the risk assessment.

B. Introduction to Risk Assessments

The goal of doing a Risk Assessment (RA) is to get an overview of the most relevant risks threatening some system, person or organisation. For example, when playing chess, a simple risk assessment would include the dangers associated with losing the center pawns early in the game. Risks and dangers are measured as probabilities. Even in a deterministic game like chess, risk assessments come down to probabilities [6]. Calculating such probabilities, and thus risk, can become a messy business if the situation becomes complicated [6]: "A complicated chess position requires deep calculations and is more likely to cause a human player to make an error."

A risk assessment is a method to estimate risks. In this paper, we will focus on estimating the most important risks for information systems used in science, such as science gateways. Which information security risks threaten such gateways and how to estimate them? How does one identify the main risks and causes of such risk?

Risk exists when something of value (e.g. an asset) could be lost or damaged. Many different definitions of risk are being used (footnote 2). ISO 31000:2009 defines risk as the effect of uncertainty on objectives. A common idea is that risk is a probability or potential that some unwanted event will happen in the future. We use the following definition: risk is the chance of some bad event happening multiplied with the impact of that event. So, risk is likelihood multiplied with impact costs (damage).

2 For more definitions of risk, see http://en.wikipedia.org/wiki/Risk

The "something of value", which we will call an asset, must be defined for the risk assessment. Assets include information (such as patient data, customer lists, software, source code, process data) and IT assets (such as server hardware). The value of an asset is linked to the impact when such an asset would become unavailable (e.g. due to a computer virus or hardware failure) or would be compromised (such as theft of data). For an information security risk assessment, we will focus solely on information assets.

Information assets are abstract assets that are stored in some concrete form. An example is the knowledge a worker has about the production process. This knowledge is an information asset, but it cannot be easily backed up or copied. Another information asset could be instructions (information) contained in a manual, which would be far easier to copy.

According to the UK National Archives [7], there are two dimensions to value an information asset:

•  Business value for an organisation or an individual (e.g. a patient). This also includes scientific value. In this text, this will just be called value.

•  Confidentiality of the information. Who should have access (scope or domain) and who should not?

For example, the fire brigade needs to know where a fire started in order to send the fire engine to the right location. That is of high business value, so such information should be reliable and available to the fire fighters. But it isn't confidential at all. Banks holding the money of their clients do store information with both business value and confidentiality. But even if there is little business value, some information can still be confidential, e.g. bank transfers to a small savings account.

C. Vulnerability to unintentional errors and intentional attacks

An information asset can be stolen and sold (e.g. credit card information), but it can also be damaged. A component in an IT infrastructure can be vulnerable to intentional attacks and also to unintentional errors, also called unintentional mistakes. Experts can indicate the confidence they have in the security of components by estimating the probability of intentional and unintentional failures. These factors are used to measure vulnerability by NIST SP 800-33 [8, p. 18] and Cisco [9]. The total vulnerability is a summation of the vulnerability to unintentional errors and the vulnerability to intentional attacks.

D. Model-based vs. checklist-based Risk Assessments

There are many methods to choose from to perform a Risk Assessment (RA). Most of them consist of a list of 'items' to check or score. According to Morali et al. [10], current mainstream risk assessment methods "do not take the IT architecture of the system under examination". In contrast to the checklist-based RA methods, a model-based or architecture-based method provides richer possibilities for the analysis of complex systems.

Architecture-based RA methods start from a model of an information system, taking into account aspects such as dependencies between components and the value of the information manipulated by them. This makes it possible to take architectural aspects into account.

We found only four RA methods recently described in the literature which use a model-based approach, namely: CORAS [11], Qualitative Time Dependency (QualTD) [5], RiskM ('Risk Method') [12], and Distributed Confidentiality Risk Assessment (DCRA) [13]. A thorough analysis of model-based RA methods is described by Mouw [14]. We concluded on the basis of that work [14] that the DCRA [13] is the most adequate for our use-case.

E. Enterprise layers

DCRA uses a modelling of the 'enterprise' that resembles the ArchiMate modelling language [15, p. 3] and distinguishes three main layers [13]:
•  The Information layer consists of Information Assets (footnote 3).

•  The Application layer supports the information layer with services that are realised by (software) applications.

•  The Technology layer offers infrastructural services (e.g., processing, storage and communication services) needed to run applications, and is realised by computer and communication hardware and system software.

3 In ArchiMate, the Information layer is called the Business layer. It offers products and services to external customers, which are realised in the organisation by business processes performed by business actors. In DCRA and MISRAM, this business layer is replaced by an information layer. An information layer does not have all the entities a business layer has, and some are simplified. For example, actors will become abstract users.

F. DCRA's IT&I model

At the heart of DCRA lies the IT assets and Information (IT&I) model. The information assets (I) are distributed over supporting IT assets (IT). For an example, see fig. 1.

[Fig. 1 diagram: information layer (Information Assets): workflow system (service); application layer (Applications): web client for a user, workflow activity database; technology layer (Hardware & system software): laptop, server]
Fig. 1: Simplified example of a DCRA IT&I information architecture.

In the example (fig. 1), 100% of the information asset "workflows" could be assigned to the application "workflow activity database", and 10% of "workflows" could be assigned to the application "web client". Both of these applications, which reside in the application layer, are mapped to components in the technology layer. E.g., the web client could be running on a laptop. For DCRA, if the database server is vulnerable, then the impact is higher than when the laptop is vulnerable, because more of the information asset is mapped to the workflow database.

II. A NOVEL RA METHOD: MISRAM

Although DCRA [13] provides an excellent foundation, it is not optimised for the context of science gateways. The method is labour-intensive due to its detailed information model and somewhat complex calculations, and only measures the risk of confidentiality breaches. MISRAM simplifies the calculation model for pragmatic reasons, which comes at the cost of reduced precision (see the Discussion). We extended the model to measure both the confidentiality and the business value of information [7]. Furthermore, we decided to use the expertise, including implicit knowledge, of the e-Science group members to assess the security of the IT components of the science gateway. We used (and recommend) surveys to assess all components of the IT infrastructure.

Our method was not designed to easily find so-called "low-hanging fruit" (easy to fix problems), but to find those problems that are most likely to cause real damage. The method generates a prioritised list of issues that need to be addressed for security improvement.

We call our modified method 'MISRAM', an acronym for "Model-based Information Security Risk Assessment Method". It is based on an enterprise information model proposed by DCRA [16], and an overview of the whole MISRAM procedure is presented shortly.

To do a risk assessment for an organisation, one first needs to create an information model. The model should contain indicative numbers for business values, confidentiality indicators, attack vulnerabilities, and chances of unintentional errors. One could use surveys or other methods to obtain those numbers. And then, after the calculations are done and a ranking of relative risks is made, one needs to translate these relative risks to a risk classification, such that this information can serve as input for the risk management coordinator.

A. MISRAM: the whole picture

We have broken down the whole MISRAM process into ten steps. Part of these can be executed in parallel. See fig. 2 for a graphical representation of the workflow.

[Fig. 2 diagram, boxes from top to bottom: 1. Preparation; 2. Create a list of information assets and 3. Create an overview of all IT components (side by side); 4. Assign values to information assets and 5. Measure trust in the IT components (side by side); 6. Create an information architecture and IT&I model, with 8. Do questionnaire-based interviews beside it; 7. Calculate risks; 9. Analyse high-risk components and problem areas; 10. Write an integrated risk assessment report]
Fig. 2: Workflow of an architecture-based information security risk assessment project.

1) Preparation: Form a project team, agree on roles and responsibilities, and make a project plan. Determine the scope: what is the unit or group that will be assessed, who are the
stakeholders internal and external to that unit, and what is the environment of the unit?

2) Create a list of information assets: It is important to obtain a detailed list. The best way to collect such a list is to interview different stakeholders such as internal developers and administrators, business managers, clients, and suppliers. The detailed list should be reduced to a list that is clear, short, and has no overlaps. These information assets will comprise the information layer.

3) Create an overview of all IT components: The IT components of an organisation typically comprise (business) applications, operating (system) software, and hardware. The applications will comprise the application layer. The system software and the hardware will comprise the technology layer. Also external computation and storage facilities such as cloud or grid resources must be listed.

4) Assign values to information assets: All stakeholders should be invited to score the value of the information assets, e.g. by using a small survey. For each information asset, participants are asked to score the importance of two dimensions: business value and confidentiality. Many scoring systems are possible; we suggest a relative value on a five-point Likert scale [17], using the values none, low, moderate, high, very high. Also provide a 'no answer' option. Additionally, you should include a question on the type of stakeholder, such as end-user or scientist or developer or manager, if you want to differentiate on stakeholders later in the process. This differentiation, however, will not be further discussed here. Finally, when using a survey, keep it short to promote participation and to avoid selection bias – busy people don't have time for extensive surveys. Always include a comment field to allow free-text comments.

The calculation of values from scores depends largely on the number of interviews. Using the median is not such a good idea because a survey often uses discrete responses. When e.g. six of the respondents assign value '3', and the seven others assign '4', then the mean (3.5) represents the average opinion better than the median (4). A 'no answer' value does not influence the mean, but many 'no answer' scores on a component could raise a red flag: the respondents don't feel sure about such a component.

In a small group, just one person with a somewhat extreme opinion can have a large influence on the mean score, which might be undesirable. A good method to reduce the influence of such outliers is to use a truncated (trimmed) mean. The x% trimmed mean leaves out the highest and the lowest values. Often a value of 20% for x is chosen, in which case the 10% highest values and the 10% lowest values are removed and the mean is taken over the remaining values (footnote 4).

4 A short introduction to trimmed means: http://en.wikipedia.org/wiki/Truncated mean

Some group members might have more knowledge and experience than others. To take into account their expertise level, a question can be included in the survey asking the respondent to estimate her/his level of expertise or experience. There are various methods to classify expert levels. One well-known way to do this is the Dreyfus model of skill acquisition [18]. A modification to that model was made by Schempp, who renamed "Advanced Beginner" to "Capable" [19]. The five levels of expertise of Dreyfus-Schempp are: Novice, Capable, Competent, Proficient, Expert.

5) Measure trust in the IT components: Confidence or trust in the reliability or security of components that are in the application and the technology layers of the architecture can be measured by surveying or interviewing experts: the developers, administrators and expert users of those components. The same comments on designing surveys from step 4 are equally important here.

For all components, ask the experts how they assess the security and reliability of a component, based on two factors: the vulnerability of the component to intentional attacks and the vulnerability to unintentional errors.

6) Create an information architecture and IT&I model: The method described in section I-F can be applied here. All main information assets and IT components should be included if their risks and effects are of interest, but it is not advisable to add too much detail; it is considered most productive to focus on the big picture. If architectural documents already exist, be careful to examine whether they are up-to-date.

7) Calculate risks: The likelihood of trouble happening is probed by the measured trust in the IT components. The costs are determined by the value and confidentiality of the information assets. The method used to calculate risks in MISRAM is described in section II-C.

The result of this process is a ranked list of information assets that are under risk (in our model, the risk of losing business value or losing confidentiality).

The calculated risk values lack a risk classification to determine whether a particular asset is in fact at 'high', 'medium', or 'low' risk. For example, if the complete system is already highly trusted by the interviewees, even the largest value coming out of the calculation might in practice be considered at "low risk". The risk classification should be carried out in e.g. a group meeting.

8) Do questionnaire-based interviews: Some security-related issues fall outside the scope of the architecture-based approach. Examples are password and clean desk policies, employee screening, and so on. Furthermore, some specific issues might need to be assessed because of sector-specific regulations, such as the NEN 7510 in the Dutch healthcare system. A questionnaire based on local needs and legal requirements should be created, and then used for interviews with employees.

The interviews could reveal vulnerabilities that were not found using the earlier steps. One example is the handling of user data; although the group members could in theory give a low score to the business value and/or the confidentiality of user data, often a legal liability exists.

9) Analyse high-risk IT components and problem areas: IT components cause high risk because, for example, they are not trusted or they store or process valuable or confidential information. Such high-risk components are identified in the earlier steps and they should now be further investigated. Also important vulnerabilities that emerged from the questionnaire-based interviews should likewise be given extra attention.
The goal in this step is to create a list of specific, concrete security problems that can be contained or fixed by specified actions. A good way to discuss and investigate the high-risk IT components and vulnerabilities is to organise a group meeting.

10) Write an integrated risk assessment report: A risk assessment report should be written to document the methods and results and to serve as a starting point for actions directed to mitigate risk. The report should include an overview of the organisation that was assessed and the general approach that was used, present the results for each step, and summarise the main security risks and their causes. This report should also contain a ranked list of information assets that are under risk.

B. Calculations

MISRAM first limits its goal to finding a relative ranking of risks. We estimate risk using the value of an information asset multiplied with the vulnerability of the IT components concerning two factors, intentional attacks and unintentional errors. A weighted average can be used to give more emphasis to one or the other. For example, a reason to give more emphasis to unintentional errors could be that one expects that the group members are better at scoring the risk of unintentional errors than at scoring the risk of intentional attacks.

The vulnerability score Θ is calculated as follows:

Θ = 2 × (α × attacks + (1 − α) × errors)

with α ∈ [0.0, 1.0] representing the weight given to the

[Figure in the right column (caption not on this page): example IT&I model with risk numbers]
information layer
  workflows: value = 2, conf. = 4, risk{v} = 36, risk{c} = 72
application layer
  web client: attacks = 1, errors = 2, sum{v} = 6, sum{c} = 12
  workflow database: attacks = 2, errors = 1, sum{v} = 6, sum{c} = 12
technology layer
  laptop: attacks = 4, errors = 4, sum{v} = 16, sum{c} = 32
  server: attacks = 3, errors = 1, sum{v} = 8, sum{c} = 16
risk of attacks relative to errors estimated by the experts. With
α = 0.5, the formula simply becomes:

                     Θ = attacks + errors
                                                                      Fig. 3: Example of an DCRA IT&I risk calculation in our mod-
C. Example of a calculation in MISRAM                                 ified and simplified fashion. Three layers can be recognised:
    We will use a simple example to clarify the method of             the boxes on top represent information assets (information
calculation. See fig. 3 to understand the following example.          layer), the ellipses in the middle represent software appli-
We are going to calculate the risk of losing business value           cations (application layer), and the bottom ellipses represent
risk{v}. Note that risk{v} must be calculated separately from         system-level software and hardware (technology layer). ‘Value’
the risk of losing confidentiality risk{c}. The latter will not       is business value, ‘conf.’ is confidentiality, ‘risk{v}’ is the
be calculated in this example.                                        risk of losing business value for that information asset, and
                                                                      ‘risk{c}’ is the risk of losing confidentiality. See the main text
   Each component has a vulnerability score Θ that consists           on how the calculations are done.
of a vulnerability to intentional attacks and a chance of
unintended errors. For the server, the equation would be:
                                                                      survey), multiplied with the summed vulnerability scores of
                                                                      the IT components that process or store workflows:
          Θserver = attacks + errors = 3 + 1 = 4

    The information asset workflows has business value 2. It               risk{v}workf lows
is stored and processed using a web client (vulnerability score             = value of workf lows · sum of vulnerabilities
for intentional attacks = 1 and for unintentional errors = 2)
with Θwebclient = 1 + 2, on a laptop with Θlaptop = 4 + 4.                  = 2 · (Θwebclient + Θlaptop + Θdb + Θserver )
Also, all workflows are processed by a database server with                 = 2 · ((1 + 2) + (4 + 4) + (2 + 1) + (3 + 1))
Θdb = 2 + 1, which runs on the physical server with Θserver                 = 36
(see above).
    The total risk for the business value risk{v} of workflows           Doing this for all information assets will create a list of all
is calculated as the value of workflows (as estimated with a          business value risks and will show which information assets are
most at risk. The same method can be used for confidentiality        and (intentional) attacks associated with the IT components in
risk (not shown here).                                               the application and technology layers.
    To calculate how much risk for business value a component
causes, one needs to sum all the partial risks that it causes
for all the information assets that it stores or processes (is       B. Identifying risks
connected to). In the example, server has a sum{v} = 8,
                                                                         A simple C++ program was developed to calculate the risks
because it is connected to one information asset workflows
                                                                     from the IT&I relations, the survey data about the business
with value 2 and server itself has a vulnerability of 3+1 = 4.
                                                                     value and confidentiality of the information assets and the
                                                                     vulnerability to errors and attacks of the IT components.
      III.   C ASE STUDY: MISRAM APPLIED TO THE
                                                                     Trimmed means were used to compensate for outliers. From
                   E -B IO I NFRA GATEWAY
                                                                     the ranked list of calculated risks, it became clear that three
    We tested MISRAM at the e-BioScience group at the                IT components have the highest cumulative risk:
AMC, from now on simply referred to as ‘group’. With the
cooperation of the group members, who were regarded as                  1)    The server that hosts the science gateway software
experts and were being surveyed, we assessed the information                  and other e-BioInfra applications, including a work-
security risks for the whole infrastructure for which the group               flow engine.
is responsible, including a science gateway. The first author           2)    The external computations done on the grid.
of this paper was responsible for carrying out the assessment           3)    The workflow system itself.
and also participated in the group as an IT administrator at the
time. The group members participated in the various meetings,            The server itself scored very reasonably on the vulnerability
interviews and surveys described below. The full report on this      survey, as the group experts showed trust in its security. Still,
case study [20] is not public for security reasons, but details      the server ended up as one of the main causes of risk because
might be requested by contacting the authors.                        of all the applications it hosts.
A. Creating an inventory and a model                                     A generic questionnaire based on NEN 7510 was also
                                                                     applied. It helped to identify a number of additional security
    A meeting was held to determine the enterprise archi-
                                                                     issues, mostly related to behaviour and to organisational poli-
tecture, including business services. The proposed enterprise
                                                                     cies, such as account management and desktop policies. A few
architecture model was later modified based on individual
                                                                     major problems became clear from the generic questionnaire,
interviews with developers. Finally, agreement was reached on
                                                                     which could be solved by these concrete actions:
the main IT components and connections between them.
    The technology layer of the e-BioInfra is split in a ‘physical      •    All group members should lock their screens when
and system’ layers and an external ‘grid’ layer. Grid resources              they leave their desk. Controls and incentives should
include computing elements and storage elements. The whole                   be put in place to enforce this.
model appears as having four layers, with an additional sep-
arate grid layer, which better represents the separation of the         •    All mobile devices should use encrypted storage.
grid services from the technical and organisational aspects of
the e-BioInfra.                                                         •    Let those not on payroll and apprentices sign an
                                                                             non-disclosure agreement. Note that this is standard
    Another group meeting was held to identify the information               procedure for AMC employees.
assets, during which the concept of information assets was ex-
plained and discussed. Later, in private interviews, suggestions        •    When an employee leaves, accounts should be
were made by some group members to add information assets                    promptly revoked.
or to add more detail by splitting up some assets. One group
member commented on the generic nature of one information               •    There should be a reporting and logging facility for
asset, arguing for more detail. Such discussions should be                   security incidents.
closed before the information asset survey starts. Otherwise,
the list of information assets might change after the survey,           •    Web applications should use SSL (HTTPS).
and the survey needs to be repeated. A meeting or a group
manager decision can help to determine a final list.                     Although these actions seem quite obvious, they sometimes
                                                                     are not carried out in academic settings, where mutual trust and
    The enterprise architecture (modelled using ArchiMate)           intellectual curiosity characterise the culture on the workplace.
was combined with the information assets to create an informa-
tion architecture, modelled using IT&I. Most group members               The results of the risk calculation and the questionnaire
understood the IT&I without much explanation. The IT&I               were discussed during a meeting. The group members agreed
diagram was created using Archi (http://archi.cetis.ac.uk/).         that the three identified high-risk IT components were impor-
                                                                     tant, and voiced their trust in the method used to identify the
   Then, a survey was carried out to assign business values
                                                                     components and formalise the implicit knowledge in the group.
and confidentiality values to the information assets. Most group
                                                                     A few actionable measures were proposed, but also a small
members (5) participated in the survey.
                                                                     generic discussion on information security started. The meeting
   Another survey asked the group members to give their              helped to raise awareness and to identify the most important
opinion on the risk or vulnerability of (unintentional) errors       practical tasks.
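The calculation of Sections B and C above, the ranking that the group's C++ program produced (Section III-B), and the average-risk-per-asset compensation discussed in Section IV-D below, as an added Python example that is not the authors' program. The component scores, asset values and links are those of Fig. 3; the survey answers in the main block and the second asset in hub_effect_example() are constructed for illustration.

```python
"""MISRAM risk calculation on the Fig. 3 model (added example, not the
authors' C++ program). Component scores, asset values and links follow
Fig. 3; the survey answers and the second asset are constructed."""
from typing import Dict, List, Sequence, Tuple

# Vulnerability scores (attacks, errors) of the IT components in Fig. 3.
FIG3_COMPONENTS: Dict[str, Tuple[float, float]] = {
    "web client": (1, 2),
    "workflow database": (2, 1),
    "laptop": (4, 4),
    "server": (3, 1),
}
# Information assets with their surveyed business value and confidentiality.
FIG3_ASSETS: Dict[str, Dict[str, float]] = {"workflows": {"value": 2, "conf": 4}}
# IT&I relations: the components that store or process each asset. A link
# either exists or not; MISRAM drops DCRA's percentage-based mapping.
FIG3_LINKS: Dict[str, List[str]] = {
    "workflows": ["web client", "laptop", "workflow database", "server"],
}

def trimmed_mean(scores: Sequence[float], trim: float = 0.2) -> float:
    """Mean after dropping the lowest and highest `trim` fraction of the
    survey answers; MISRAM uses this to compensate for outliers."""
    ordered = sorted(scores)
    k = int(len(ordered) * trim)
    kept = ordered[k:len(ordered) - k] or ordered  # never trim everything away
    return sum(kept) / len(kept)

def theta(attacks: float, errors: float, alpha: float = 0.5) -> float:
    """Vulnerability score Θ = 2 × (α·attacks + (1 − α)·errors); α weights
    intentional attacks against unintentional errors. With α = 0.5 this
    reduces to attacks + errors."""
    return 2 * (alpha * attacks + (1 - alpha) * errors)

def asset_risks(assets, components, links, dimension="value", alpha=0.5):
    """risk{v} (or risk{c} with dimension="conf") per information asset:
    its value times the summed Θ of the components linked to it."""
    return {
        asset: assets[asset][dimension]
        * sum(theta(*components[c], alpha) for c in links[asset])
        for asset in assets
    }

def component_risks(assets, components, links, dimension="value", alpha=0.5):
    """sum{v} (or sum{c}) per component: the partial risks it causes,
    summed over every asset it stores or processes."""
    totals = {c: 0.0 for c in components}
    for asset, linked in links.items():
        for c in linked:
            totals[c] += assets[asset][dimension] * theta(*components[c], alpha)
    return totals

def average_risk_per_asset(assets, components, links, dimension="value", alpha=0.5):
    """Hub-effect compensation: the total risk caused by a component
    divided by the number of assets it is connected to."""
    totals = component_risks(assets, components, links, dimension, alpha)
    degree = {c: sum(c in linked for linked in links.values()) for c in components}
    return {c: totals[c] / degree[c] for c in components if degree[c]}

def ranked(risks: Dict[str, float]) -> List[Tuple[str, float]]:
    """Highest risk first; MISRAM only aims at a relative ranking."""
    return sorted(risks.items(), key=lambda kv: (-kv[1], kv[0]))

def hub_effect_example() -> Dict[str, Dict[str, float]]:
    """Constructed extension of Fig. 3: a second asset shares the database
    and the server, so the server's total risk rises although its own
    vulnerability scores are unchanged (the hub effect)."""
    assets = {**FIG3_ASSETS, "image data": {"value": 4, "conf": 5}}
    links = {**FIG3_LINKS, "image data": ["workflow database", "server"]}
    return {
        "total": component_risks(assets, FIG3_COMPONENTS, links),
        "average": average_risk_per_asset(assets, FIG3_COMPONENTS, links),
    }

if __name__ == "__main__":
    # Constructed answers of five surveyed members for the server; the
    # outlier 5 among the error scores is discarded by the trimmed mean.
    server = (trimmed_mean([3, 3, 4, 2, 3]), trimmed_mean([1, 1, 1, 5, 1]))
    print("Θserver:", theta(*server))
    print("risk{v}:", ranked(asset_risks(FIG3_ASSETS, FIG3_COMPONENTS, FIG3_LINKS)))
    print("sum{v}:", ranked(component_risks(FIG3_ASSETS, FIG3_COMPONENTS, FIG3_LINKS)))
    print("hub effect:", hub_effect_example())
```

In the constructed extension the server has the highest total risk (24) but a lower average per asset (12) than the laptop (16), which is exactly the case Section IV-D describes as a candidate for splitting a component's functions.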
IV. DISCUSSION

The proposed MISRAM method has been successfully applied at the e-Science group at the AMC to assess the risks of the e-BioInfra platform and its science gateway. The group was satisfied with the insights delivered by MISRAM, which indicated practical measures to better address the security regulations for digital processing of medical data. Although we are encouraged by this first result, MISRAM needs to be tested with other groups and other types of scientific gateways for a more conclusive evaluation. Below we present a reflection on aspects that influence the method’s performance.

A. Usage of expertise in e-Science groups

MISRAM makes use of the (implicit) knowledge of the people that develop, administer and support the e-BioInfra science gateway. Information assets and component vulnerabilities can be determined by interviewing or surveying these group members.

Typical e-Science groups do their own development and systems administration, and employ a team of experts on the IT components of their own architecture. These experts build the (software) infrastructure that stores and processes the information. Such information includes both assets of the group itself and information assets from external parties (users).

The expertise of the developers of a science gateway on the local security situation might exceed the expertise of an external security expert. Their knowledge on errors within the technical infrastructure is based on their day-to-day experience, so the infrastructure experts can be trusted to have a good feeling for the vulnerability to unintentional errors of such a component. On the other hand, they are not per se security experts. Their knowledge on specific attack routes and security vulnerabilities (e.g., SQL injection attacks) might be limited. Therefore, an internal expert’s judgement of the vulnerability to intentional attacks might be less dependable.

B. Risk for whom?

In the case of the e-BioInfra, only the experts have been interviewed, which could indicate a bias towards internal information assets of the system.

The emphasis given to group members focuses the risk assessment on the internal stakeholders. MISRAM mainly measures the risk as perceived by the group and the group members. It does not take into account the risk for external parties such as users and, for example, patients. However, these kinds of risk are not at odds with each other. A low-risk science gateway is very likely to pose low risk for external parties as well.

C. Simplifications

MISRAM leaves out the percentage-based mapping of information assets used in the original DCRA. An information asset is linked to an IT component, or it is not. MISRAM also leaves out the propagation likelihood of worms and other attack vectors between nodes. Both simplifications come at a cost: our model is less precise than DCRA. The advantages are those of simple models: MISRAM is easy to work with and the reasoning and results are easy to communicate.

Note that MISRAM can easily be extended to include the full DCRA model, which could be beneficial to assess more complex systems or environments.

D. Connectivity

A component that is linked to many information assets will cause much risk because it is a hub; all information assets are in danger when such a hub is compromised. So, even a well administered server might cause quite some risk because so much depends on it. This could be called the “hub effect”. This raises the question of whether MISRAM measures risk or just measures the connectivity of a component. Is it reasonable to assign much risk to a hub, even if such a hub is well secured and shows few vulnerabilities?

One way to reduce the influence of this hub effect is to compensate a component for having many relations (connections) with information assets or with IT components. As an extreme example, one could divide the total risk caused by a component by the number of information assets to which the component is connected, resulting in the average risk per information asset caused by the component. A high average generated risk indicates that the component itself is vulnerable, regardless of the number of information assets to which it is connected.

Still, we argue that IT components that are connected to many information assets are nearly always for a good reason on the priority list to harden against security problems. Such connected components are critical to the organisation. If the average risk per information asset caused by a component is low, but the total risk caused by the same component is high, then it means that the component has a very central function in the infrastructure. In such cases one should question whether the functions of the component could be split up among multiple components in order to isolate components and information flows.

E. CIA vs. business value and confidentiality

We have used the business value and confidentiality dimensions of the UK National Archives (UKNA) [7]. The UKNA model is easy to explain to non-experts and is also intuitive – factors that make it also easy to do a stakeholder survey on the information assets and to communicate the outcomes.

Another, very often used, way to describe security dimensions of an information asset is the “CIA” method, which stands for “confidentiality, integrity, and availability”. The CIA approach is often used to describe the three main characteristics of information that can have value; they are also called the three main security categories [21, p. 5].

A mapping of the CIA to the UKNA model is possible. The ‘C’ from CIA is directly mapped to UKNA’s confidentiality, while both ‘I’ and ‘A’ from CIA are mapped to UKNA’s business value. Information with much business value should normally have good availability and integrity.

We chose to focus on integrity. The e-BioInfra is used to carry out scientific research, so the integrity of the data
processed is of paramount importance. High availability is currently not a major concern for us⁵. In other words, the correctness of the data processing is more important than the timeliness. For our approach, availability was out of scope, although it could easily be incorporated in MISRAM if needed.

F. Future work

We consider it questionable to compare different MISRAM risk assessments in different organisations because so many variables differ (such as the surveyed people and other social factors, external influences such as news and technical developments, and so on). Whether different organisations are comparable using MISRAM or an extension to our method could be determined by a follow-up project.

The right balance between stressing the importance of well-connected hubs and compensating for the hub effect is also a worthy subject of future research.

V. ACKNOWLEDGEMENT

We thank the members of the e-Science group for their time and valuable suggestions during the development and application of this RA method. This work is partially supported by the COMMIT project “e-Biobanking with imaging for healthcare” funded by the Nederlandse Organisatie voor Wetenschappelijk Onderzoek (Netherlands Organisation for Scientific Research, NWO).

⁵ It is not a major problem if the e-BioInfra is offline for one or two days. The same seems to be the case for many peer research groups we know.

REFERENCES

[1] S. Shahand, M. Santcroos, A. H. C. van Kampen, and S. D. Olabarriaga, “A grid-enabled gateway for biomedical data analysis,” pp. 725–742.
[2] E. Deelman, D. Gannon, M. Shields, and I. Taylor, “Workflows and e-science: An overview of workflow system features and capabilities,” Future Generation Computer Systems, vol. 25, no. 5, pp. 528–540, 2009.
[3] E. Mouw, G. van ’t Noordende, A. H. van Kampen, B. Louter, M. Santcroos, and S. D. Olabarriaga, “Legal constraints on genetic data processing in European grids,” in HealthGrid Applications and Technologies Meet Science Gateways for Life Sciences, 2012, pp. 49–58. [Online]. Available: http://www.booksonline.iospress.nl/Content/View.aspx?piid=30469
[4] ISACA, CISA Review Manual 2006 (CISA - Certified Information Systems Auditor). Information Systems Audit and Control Association, 2006.
[5] E. Zambon, S. Etalle, R. J. Wieringa, and P. H. Hartel, “Model-based qualitative risk assessment for availability of IT infrastructures,” Software and Systems Modeling, vol. 10, no. 4, pp. 553–580, 2011.
[6] I. Postelnik, “Chess: A valuable teaching tool for risk managers?” pp. 40–42, 2008.
[7] T. N. A. (J. Riley), “What is an information asset?” 2011, factsheet. [Online]. Available: http://www.nationalarchives.gov.uk/
[8] G. Stoneburner, “NIST special publication 800-33 – underlying technical models for information technology security,” National Institute of Standards and Technology, Computer Security Division, Tech. Rep., 2001. [Online]. Available: http://csrc.nist.gov/publications/nistpubs/800-33/sp800-33.pdf
[9] Cisco, “Data sheet technology application support – internal security posture assessment,” 2004. [Online]. Available: http://www.cisco.com/application/pdf/en/us/guest/products/ps5619/c1262/cdccont_0900aecd800ce53a.pdf
[10] A. Morali, E. Zambon, S. Etalle, and P. L. Overbeek, “IT confidentiality risk assessment for an architecture-based approach,” in 3rd IEEE/IFIP International Workshop on Business-driven IT Management, 2008, pp. 31–40. [Online]. Available: https://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=4540072
[11] J. Øyvind Aagedal, F. den Braber, T. Dimitrakos, B. A. Gran, D. Raptis, and K. Stølen, “Model-based risk assessment to improve enterprise security,” in EDOC ’02. Proceedings. Sixth International Enterprise Distributed Object Computing Conference, 2002, pp. 51–62.
[12] S. Strecker, D. Heise, and U. Frank, “RiskM: A multi-perspective modeling method for IT risk assessment,” Information Systems Frontiers, vol. 13, no. 4, 2011. [Online]. Available: http://www.springerlink.com/content/j52k6071g4164q82/
[13] A. Morali, “IT architecture-based confidentiality risk assessment in networks of organizations,” Enschede, 2011, IPA dissertation series; 2011-06.
[14] E. Mouw, “Data protection and privacy in escience,” 2012. [Online]. Available: http://www.scriptiesonline.uba.uva.nl/425083
[15] M. Lankhorst and the ArchiMate team, “ArchiMate language primer,” 2004. [Online]. Available: https://doc.novay.nl/dsweb/Get/Document-43839/
[16] U. Frank, “Multi-perspective enterprise modeling (MEMO) conceptual framework and modeling languages,” in HICSS. Proceedings of the 35th Annual Hawaii International Conference on System Sciences, 2002, pp. 1258–1267.
[17] R. Likert, “A technique for the measurement of attitudes,” Archives of Psychology, vol. 22, no. 140, pp. 1–55, 1932.
[18] H. L. Dreyfus and S. E. Dreyfus, Mind over machine: The power of human intuition and expertise in the era of the computer. Free Press, 1986.
[19] P. G. Schempp, “The stages of expertise,” 2011. [Online]. Available: http://www.performancemattersinc.com/posts/stages-of-expertise/
[20] E. Mouw, “Internal report: Information security risk assessment of the eBioScience infrastructure at the AMC,” eBioScience group, biolab, KEBB, Academic Medical Centre, University of Amsterdam, Tech. Rep., 2012, available on request. Contact the corresponding author.
[21] C. S. Division, “NIST special publication 800-53 rev. 3 – recommended security controls for federal information systems and organizations,” National Institute for Standards and Technology, Tech. Rep., 2010. [Online]. Available: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf