A Model-based Information Security Risk Assessment Method for Science Gateways

Evert Mouw, Guido van 't Noordende, Baas Louter, Silvia Delgado Olabarriaga
University of Amsterdam, The Netherlands
Email: post@evert.net, guido@science.uva.nl, baas.louter@amc.uva.nl, s.d.olabarriaga@amc.uva.nl

Abstract—BACKGROUND: Information security is important for e-Science research groups and other small organisations that design and operate science gateways and virtual research environments, especially when such environments are used for (bio)medical research. We propose a novel method to do risk assessments: MISRAM, the Model-based Information Security Risk Assessment Method. It uses an information architecture model, a method to assign values to information assets and IT components, and a method to calculate risks. The output of MISRAM is a ranked list of risks and a list of actionable tasks to solve the main issues.

METHODS: MISRAM was applied as a test case to an e-Science research group at a Dutch research hospital. Meetings and surveys were used to create and evaluate lists of information assets and IT components. One meeting was used to create a list of practical task recommendations.

RESULTS: Good insight into the information architecture and security problems of the IT infrastructure was gained. The participating group members also confirmed that the identified security issues were realistic.

CONCLUSIONS: Our approach raises awareness about security among the developers and operators of e-Science environments. It also gives insight into how the technical architecture affects information security. Traditional questionnaires are an important part of any risk assessment, and MISRAM's inclusion of such generic questionnaires is an important aspect of creating an integrated information security risk assessment.

Keywords—MISRAM, risk assessment, information security, e-Science, science gateway, DCRA, IT&I.

I. INTRODUCTION

Science gateways are community tools, typically web portals, that enable and facilitate access to distributed infrastructures such as computational Grids. These portals are developed by teams of e-Science experts in various fields (distributed computing, user interfaces, data management, visualisation, etc.), and are typically operated by (subsets of) the same teams as a service for the end-users, who are experts in other scientific domains, not necessarily in computing. Typical services include high-throughput or high-performance computing, visualisation, and access to data or application repositories. Science gateways are therefore complex systems that combine a large number and variety of software components under the same 'container'. Very often some of these components are packages developed by other parties or services provided remotely. For a detailed discussion of the types, technologies, and required properties of science gateways, please refer to the Science Gateway Primer recently published by the EGI-Inspire Virtual Team on Science Gateways1.

1 https://documents.egi.eu/public/RetrieveFile?docid=1463&version=10&filename=Science Gateway Primer v092 nComments.pdf

The e-BioScience group in the Academic Medical Center (AMC) in Amsterdam, the Netherlands, offers a science gateway, coined the e-BioInfra gateway, for experimental data analysis in the fields of high-resolution medical imaging, genomics, and proteomics [1]. The backend is based on scientific workflow management technology [2], and makes use of grid-based computing resources. Using such distributed resources for sensitive medical data requires a solid security policy. This is particularly true when intrinsically identifiable DNA data is involved [3]. Ideally, the gateway should be subject to Risk Management [4] following recommendations given by standards such as ISO 27002 and the related Dutch standard for information security management in healthcare, NEN 7510. An important element of both standards is the execution of a good Risk Assessment (RA), in which a systematic analysis of the security aspects of the system is carried out.

Concerned with the security features of the e-BioInfra gateway, and driven by the increasing awareness of biomedical researchers about privacy and ethical issues related to the information that they process through this system, it was decided to conduct a risk assessment of the e-BioInfra gateway. In this paper, our risk assessment method is presented, together with an example based on a simplified version of the risk calculations to illustrate the approach. The experience obtained by applying a modified risk assessment method at the AMC is also presented. The method worked well for this e-Science environment, providing insights and raising awareness about the security of the e-BioInfra gateway. The method could also be useful to other groups that develop and operate science gateway services.

A. Some specific needs for science gateways

The distributed nature of the data processing, the amount of data and computing, and the organisational characteristics of a science gateway are unique. A particular aspect of science gateways is that components can be internal or external information processing systems which are owned by different organisations. Therefore, the method applied should facilitate the analysis of these interdependencies, following a model-based approach.

A typical e-Science group is small and consists of highly skilled experts who develop and maintain their own software. These properties make it hard for external security experts to carry out a Risk Assessment. In fact, such outside analysts often lack inside information and good working knowledge of the technical components used by a science gateway. Our method takes a multiple-stakeholder approach, also favoured by Zambon et al. [5], in which the people who manage the system and the users of the system are involved in the risk assessment.

B. Introduction to Risk Assessments

The goal of doing a Risk Assessment (RA) is to get an overview of the most relevant risks threatening some system, person or organisation. For example, when playing chess, a simple risk assessment would include the dangers associated with losing the centre pawns early in the game. Risks and dangers are measured as probabilities. Even in a deterministic game like chess, risk assessments come down to probabilities [6]. Calculating such probabilities, and thus risk, can become a messy business if the situation becomes complicated [6]: "A complicated chess position requires deep calculations and is more likely to cause a human player to make an error."

A risk assessment is a method to estimate risks. In this paper, we will focus on estimating the most important risks for information systems used in science, such as science gateways. Which information security risks threaten such gateways and how can they be estimated? How does one identify the main risks and the causes of such risk?

Risk exists when something of value (e.g. an asset) could be lost or damaged. Many different definitions of risk are in use2. ISO 31000:2009 defines risk as the effect of uncertainty on objectives. A common idea is that risk is a probability or potential that some unwanted event will happen in the future. We use the following definition: risk is the chance of some bad event happening multiplied by the impact of that event. So, risk is likelihood multiplied by impact costs (damage).

2 For more definitions of risk, see http://en.wikipedia.org/wiki/Risk

The "something of value", which we will call an asset, must be defined for the risk assessment. Assets include information (such as patient data, customer lists, software, source code, process data) and IT assets (such as server hardware). The value of an asset is linked to the impact when such an asset would become unavailable (e.g. due to a computer virus or hardware failure) or would be compromised (such as theft of data). For an information security risk assessment, we will focus solely on information assets.

Information assets are abstract assets that are stored in some concrete form. An example is the knowledge a worker has about the production process. This knowledge is an information asset, but it cannot be easily backed up or copied. Another information asset could be instructions (information) contained in a manual, which would be far easier to copy. According to the UK National Archives [7], there are two dimensions along which to value an information asset:

• Business value for an organisation or an individual (e.g. a patient). This also includes scientific value. In this text, this will just be called value.

• Confidentiality of the information. Who should have access (scope or domain) and who should not?

For example, the fire brigade needs to know where a fire started in order to send the fire engine to the right location. That is of high business value, so such information should be reliable and available to the fire fighters. But it isn't confidential at all. Banks holding the money of their clients do store information with both business value and confidentiality. But even if there is little business value, some information can still be confidential, e.g. bank transfers to a small savings account.

C. Vulnerability to unintentional errors and intentional attacks

An information asset can be stolen and sold (e.g. credit card information), but it can also be damaged. A component in an IT infrastructure can be vulnerable to intentional attacks and also to unintentional errors, also called unintentional mistakes. Experts can indicate the confidence they have in the security of components by estimating the probability of intentional and unintentional failures. These factors are used to measure vulnerability by NIST SP 800-33 [8, p. 18] and Cisco [9]. The total vulnerability is the sum of the vulnerability to unintentional errors and the vulnerability to intentional attacks.

D. Model-based vs. checklist-based Risk Assessments

There are many methods to choose from to perform a Risk Assessment (RA). Most of them consist of a list of 'items' to check or score. According to Morali et al. [10], current mainstream risk assessment methods "do not take the IT architecture of the system under examination". In contrast to the checklist-based RA methods, a model-based or architecture-based method provides richer possibilities for the analysis of complex systems.

Architecture-based RA methods start from a model of an information system, taking into account aspects such as dependencies between components and the value of the information manipulated by them. This makes it possible to take architectural aspects into account.

We found only four RA methods recently described in the literature which use a model-based approach, namely: CORAS [11], Qualitative Time Dependency (QualTD) [5], RiskM ('Risk Method') [12], and Distributed Confidentiality Risk Assessment (DCRA) [13]. A thorough analysis of model-based RA methods is described by Mouw [14]. We concluded on the basis of that work [14] that the DCRA [13] is the most adequate for our use-case.

E. Enterprise layers

DCRA uses a modelling of the 'enterprise' that resembles the ArchiMate modelling language [15, p. 3] and distinguishes three main layers [13]:

• The Information layer consists of Information Assets.3

• The Application layer supports the information layer with services that are realised by (software) applications.

• The Technology layer offers infrastructural services (e.g., processing, storage and communication services) needed to run applications, and is realised by computer and communication hardware and system software.

3 In ArchiMate, the Information layer is called the Business layer. It offers products and services to external customers, which are realised in the organisation by business processes performed by business actors. In DCRA and MISRAM, this business layer is replaced by an information layer. An information layer does not have all the entities a business layer has, and some are simplified. For example, actors become abstract users.

F. DCRA's IT&I model

At the heart of DCRA lies the IT assets and Information (IT&I) model. The information assets (I) are distributed over supporting IT assets (IT). For an example, see fig. 1.

[Fig. 1 layout: information layer: 'workflow system (service)', Information Assets; application layer: 'web client (for a user)', 'workflow activity database', Applications; technology layer: 'laptop', 'server', Hardware & system software.]

Fig. 1: Simplified example of a DCRA IT&I information architecture.

In the example (fig. 1), 100% of the information asset "workflows" could be assigned to the application "workflow activity database", and 10% of "workflows" could be assigned to the application "web client". Both of these applications, which reside in the application layer, are mapped to components in the technology layer. E.g., the web client could be running on a laptop. For DCRA, if the database server is vulnerable, then the impact is higher than when the laptop is vulnerable, because more of the information asset is mapped to the workflow database.

II. A NOVEL RA METHOD: MISRAM

Although DCRA [13] provides an excellent foundation, it is not optimised for the context of science gateways. The method is labour-intensive due to its detailed information model and somewhat complex calculations, and it only measures the risk of confidentiality breaches. MISRAM simplifies the calculation model for pragmatic reasons, which comes at the cost of reduced precision (see the Discussion). We extended the model to measure both the confidentiality and the business value of information [7]. Furthermore, we decided to use the expertise, including implicit knowledge, of the e-Science group members to assess the security of the IT components of the science gateway. We used (and recommend) surveys to assess all components of the IT infrastructure.

Our method was not designed to easily find so-called "low-hanging fruit" (easy-to-fix problems), but to find those problems that are most likely to cause real damage. The method generates a prioritised list of issues that need to be addressed for security improvement.

We call our modified method 'MISRAM', an acronym for "Model-based Information Security Risk Assessment Method". It is based on an enterprise information model proposed by DCRA [16], and an overview of the whole MISRAM procedure is presented shortly.

To do a risk assessment for an organisation, one first needs to create an information model. The model should contain indicative numbers for business values, confidentiality indicators, attack vulnerabilities, and chances of unintentional errors. One could use surveys or other methods to obtain those numbers. Then, after the calculations are done and a ranking of relative risks is made, one needs to translate these relative risks into a risk classification, such that this information can serve as input for the risk management coordinator.

A. MISRAM: the whole picture

We have broken down the whole MISRAM process into ten steps. Some of these can be executed in parallel. See fig. 2 for a graphical representation of the workflow.

[Fig. 2 layout: 1. Preparation; 2. Create a list of information assets; 3. Create an overview of all IT components; 4. Assign values to information assets; 5. Measure trust in the IT components; 6. Create an information architecture and IT&I model; 7. Calculate risks; 8. Do questionnaire-based interviews; 9. Analyse high-risk components and problem areas; 10. Write an integrated risk assessment report.]

Fig. 2: Workflow of an architecture-based information security risk assessment project.
1) Preparation: Form a project team, agree on roles and responsibilities, and make a project plan. Determine the scope: what is the unit or group that will be assessed, who are the stakeholders internal and external to that unit, and what is the environment of the unit?

2) Create a list of information assets: It is important to obtain a detailed list. The best way to collect such a list is to interview different stakeholders such as internal developers and administrators, business managers, clients, and suppliers. The detailed list should be reduced to a list that is clear, short, and has no overlaps. These information assets will comprise the information layer.

3) Create an overview of all IT components: The IT components of an organisation typically comprise (business) applications, operating (system) software, and hardware. The applications will comprise the application layer. The system software and the hardware will comprise the technology layer. External computation and storage facilities such as cloud or grid resources must also be listed.

4) Assign values to information assets: All stakeholders should be invited to score the value of the information assets, e.g. by using a small survey. For each information asset, participants are asked to score the importance of two dimensions: business value and confidentiality. Many scoring systems are possible; we suggest a relative value on a five-point Likert scale [17], using the values none, low, moderate, high, very high. Also provide a 'no answer' option. Additionally, you should include a question on the type of stakeholder, such as end-user, scientist, developer or manager, if you want to differentiate between stakeholders later in the process. This differentiation, however, will not be discussed further here. Finally, when using a survey, keep it short to promote participation and to avoid selection bias: busy people don't have time for extensive surveys. Always include a comment field to allow free-text comments.

The calculation of values from scores depends largely on the number of interviews. Using the median is not such a good idea because a survey often uses discrete responses. When, e.g., six of the respondents assign value '3' and the seven others assign '4', then the mean (3.5) represents the average opinion better than the median (4). A 'no answer' value does not influence the mean, but many 'no answer' scores on a component could raise a red flag: the respondents don't feel sure about such a component.

In a small group, just one person with a somewhat extreme opinion can have a large influence on the mean score, which might be undesirable. A good method to reduce the influence of such outliers is to use a truncated (trimmed) mean. The x% trimmed mean leaves out the highest and the lowest values. Often a value of 20% for x is chosen, in which case the 10% highest values and the 10% lowest values are removed and the mean is taken over the remaining values4.

4 A short introduction to trimmed means: http://en.wikipedia.org/wiki/Truncated_mean

Some group members might have more knowledge and experience than others. To take their expertise level into account, a question can be included in the survey asking the respondent to estimate her/his level of expertise or experience. There are various methods to classify expert levels. One well-known way to do this is the Dreyfus model of skill acquisition [18]. A modification to that model was made by Schempp, who renamed "Advanced Beginner" to "Capable" [19]. The five levels of expertise of Dreyfus-Schempp are: Novice, Capable, Competent, Proficient, Expert.

5) Measure trust in the IT components: Confidence or trust in the reliability or security of components that are in the application and the technology layers of the architecture can be measured by surveying or interviewing experts: the developers, administrators and expert users of those components. The same comments on designing surveys from step 4 are equally important here.

For all components, ask the experts how they assess the security and reliability of a component, based on two factors: the vulnerability of the component to intentional attacks and the vulnerability to unintentional errors.

6) Create an information architecture and IT&I model: The method described in section I-F can be applied here. All main information assets and IT components should be included if their risks and effects are of interest, but it is not advisable to add too much detail; it is considered most productive to focus on the big picture. If architectural documents already exist, be careful to examine whether they are up to date.

7) Calculate risks: The likelihood of trouble happening is probed by the measured trust in the IT components. The costs are determined by the value and confidentiality of the information assets. The method used to calculate risks in MISRAM is described in section II-C.

The result of this process is a ranked list of information assets that are at risk (in our model, the risk of losing business value or losing confidentiality).

The calculated risk values lack a risk classification to determine whether a particular asset is in fact at 'high', 'medium', or 'low' risk. For example, if the complete system is already highly trusted by the interviewees, even the largest value coming out of the calculation might in practice be considered "low risk". The risk classification should be carried out in, e.g., a group meeting.

8) Do questionnaire-based interviews: Some security-related issues fall outside the scope of the architecture-based approach. Examples are password and clean desk policies, employee screening, and so on. Furthermore, some specific issues might need to be assessed because of sector-specific regulations, such as NEN 7510 in the Dutch healthcare system. A questionnaire based on local needs and legal requirements should be created, and then used for interviews with employees.

The interviews could reveal vulnerabilities that were not found using the earlier steps. One example is the handling of user data; although the group members could in theory give a low score to the business value and/or the confidentiality of user data, often a legal liability exists.

9) Analyse high-risk IT components and problem areas: IT components cause high risk because, for example, they are not trusted or they store or process valuable or confidential information. Such high-risk components are identified in the earlier steps and they should now be further investigated. Important vulnerabilities that emerged from the questionnaire-based interviews should likewise be given extra attention. The goal in this step is to create a list of specific, concrete security problems that can be contained or fixed by specified actions. A good way to discuss and investigate the high-risk IT components and vulnerabilities is to organise a group meeting.
10) Write an integrated risk assessment report: A risk assessment report should be written to document the methods and results and to serve as a starting point for actions directed at mitigating risk. The report should include an overview of the organisation that was assessed and the general approach that was used, present the results for each step, and summarise the main security risks and their causes. This report should also contain a ranked list of information assets that are at risk.

B. Calculations

MISRAM first limits its goal to finding a relative ranking of risks. We estimate risk using the value of an information asset multiplied by the vulnerability of the IT components with respect to two factors, intentional attacks and unintentional errors. A weighted average can be used to give more emphasis to one or the other. For example, a reason to give more emphasis to unintentional errors could be that one expects the group members to be better at scoring the risk of unintentional errors than at scoring the risk of intentional attacks.

The vulnerability score Θ is calculated as follows:

Θ = 2 × (α × attacks + (1 − α) × errors)

with α ∈ [0.0, 1.0] representing the weight given to the risk of attacks relative to errors, as estimated by the experts. With α = 0.5, the formula simply becomes:

Θ = attacks + errors

C. Example of a calculation in MISRAM

We will use a simple example to clarify the method of calculation. See fig. 3 to follow the example. We are going to calculate the risk of losing business value, risk{v}. Note that risk{v} must be calculated separately from the risk of losing confidentiality, risk{c}. The latter will not be calculated in this example.

[Fig. 3 layout:
information layer:  workflows          value = 2, conf. = 4, risk{v} = 36, risk{c} = 72
application layer:  web client         attacks = 1, errors = 2, sum{v} = 6,  sum{c} = 12
                    workflow database  attacks = 2, errors = 1, sum{v} = 6,  sum{c} = 12
technology layer:   laptop             attacks = 4, errors = 4, sum{v} = 16, sum{c} = 32
                    server             attacks = 3, errors = 1, sum{v} = 8,  sum{c} = 16]

Fig. 3: Example of a DCRA IT&I risk calculation in our modified and simplified fashion. Three layers can be recognised: the boxes on top represent information assets (information layer), the ellipses in the middle represent software applications (application layer), and the bottom ellipses represent system-level software and hardware (technology layer). 'Value' is business value, 'conf.' is confidentiality, 'risk{v}' is the risk of losing business value for that information asset, and 'risk{c}' is the risk of losing confidentiality. See the main text on how the calculations are done.

Each component has a vulnerability score Θ that consists of a vulnerability to intentional attacks and a chance of unintended errors. For the server, the equation would be:

Θserver = attacks + errors = 3 + 1 = 4

The information asset workflows has business value 2. It is stored and processed using a web client (vulnerability score for intentional attacks = 1 and for unintentional errors = 2) with Θwebclient = 1 + 2, on a laptop with Θlaptop = 4 + 4. Also, all workflows are processed by a database server with Θdb = 2 + 1, which runs on the physical server with Θserver (see above).

The total risk for the business value, risk{v}, of workflows is calculated as the value of workflows (as estimated with a survey), multiplied by the summed vulnerability scores of the IT components that process or store workflows:

risk{v}workflows = value of workflows · sum of vulnerabilities
= 2 · (Θwebclient + Θlaptop + Θdb + Θserver)
= 2 · ((1 + 2) + (4 + 4) + (2 + 1) + (3 + 1))
= 36

Doing this for all information assets will create a list of all business value risks and will show which information assets are most at risk. The same method can be used for confidentiality risk (not shown here).

To calculate how much risk for business value a component causes, one needs to sum all the partial risks that it causes for all the information assets that it stores or processes (is connected to). In the example, server has sum{v} = 8, because it is connected to one information asset, workflows, with value 2, and server itself has a vulnerability of 3 + 1 = 4.
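The following Python program is an added example; it is not part of the paper and not the C++ program mentioned in section III-B. It reproduces the fig. 3 calculation (Θ per component from section II-B, risk{v} and risk{c} per information asset and sum{v}/sum{c} per component from section II-C), and goes slightly beyond the text in two ways named here: it aggregates raw survey scores with the trimmed mean of step 4, treating 'no answer' as excluded but counted, and it computes the average risk per connected asset that section IV-D proposes as a correction for the hub effect. The class and function names (Component, Asset, ItiModel, trimmed_mean) and the rounding-down of the number of trimmed values are this example's own assumptions.

```python
"""MISRAM-style risk calculation over a small IT&I model (the fig. 3 example).

Added example, not the paper's own program. Survey scores are aggregated
with a trimmed mean (section II-A, step 4), each IT component gets a
vulnerability score Theta = 2 * (alpha * attacks + (1 - alpha) * errors)
(section II-B), and risk{v}/risk{c} per asset and sum{v}/sum{c} per
component follow the worked example of section II-C. All names are this
example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


def trimmed_mean(scores: Sequence[Optional[int]], trim: float = 0.2) -> Tuple[Optional[float], float]:
    """Return (trimmed mean of the answered scores, fraction of 'no answer').

    'No answer' is encoded as None; it does not influence the mean, but the
    fraction is returned so a component with many of them can be flagged.
    With trim=0.2 the lowest 10% and the highest 10% of the answered values
    are dropped (count rounded down, an assumption of this example).
    """
    answered = sorted(s for s in scores if s is not None)
    no_answer = (len(scores) - len(answered)) / len(scores) if scores else 0.0
    if not answered:
        return None, no_answer
    k = int(len(answered) * trim / 2)
    kept = answered[k:len(answered) - k]
    return sum(kept) / len(kept), no_answer


@dataclass
class Component:
    """An IT component in the application or technology layer."""
    name: str
    attacks: float  # aggregated survey score: vulnerability to intentional attacks
    errors: float   # aggregated survey score: vulnerability to unintentional errors

    def theta(self, alpha: float = 0.5) -> float:
        # Section II-B; with alpha = 0.5 this reduces to attacks + errors.
        return 2 * (alpha * self.attacks + (1 - alpha) * self.errors)


@dataclass
class Asset:
    """An information asset and the IT components that store or process it."""
    name: str
    value: float            # business value
    confidentiality: float
    components: List[str]   # names of connected components, from all layers


class ItiModel:
    def __init__(self, assets: List[Asset], components: List[Component]) -> None:
        self.assets: Dict[str, Asset] = {a.name: a for a in assets}
        self.components: Dict[str, Component] = {c.name: c for c in components}

    @staticmethod
    def _weight(asset: Asset, dimension: str) -> float:
        return asset.value if dimension == "value" else asset.confidentiality

    def asset_risk(self, asset_name: str, dimension: str = "value", alpha: float = 0.5) -> float:
        """risk{v} (or risk{c}): value (or confidentiality) times the summed Theta."""
        asset = self.assets[asset_name]
        return self._weight(asset, dimension) * sum(
            self.components[c].theta(alpha) for c in asset.components)

    def component_risk(self, comp_name: str, dimension: str = "value", alpha: float = 0.5) -> float:
        """sum{v} (or sum{c}): partial risk the component causes, over all assets it is connected to."""
        theta = self.components[comp_name].theta(alpha)
        return sum(self._weight(a, dimension) * theta
                   for a in self.assets.values() if comp_name in a.components)

    def average_component_risk(self, comp_name: str, dimension: str = "value", alpha: float = 0.5) -> float:
        """Section IV-D hub-effect correction: total risk caused divided by the number of connected assets."""
        n = sum(1 for a in self.assets.values() if comp_name in a.components)
        return self.component_risk(comp_name, dimension, alpha) / n if n else 0.0

    def ranked_assets(self, dimension: str = "value", alpha: float = 0.5) -> List[Tuple[str, float]]:
        """Relative ranking of information assets, highest risk first (step 7)."""
        return sorted(((n, self.asset_risk(n, dimension, alpha)) for n in self.assets),
                      key=lambda item: item[1], reverse=True)


# The fig. 3 model: one asset 'workflows' connected to all four components.
FIG3 = ItiModel(
    assets=[Asset("workflows", value=2, confidentiality=4,
                  components=["web client", "laptop", "workflow database", "server"])],
    components=[Component("web client", attacks=1, errors=2),
                Component("workflow database", attacks=2, errors=1),
                Component("laptop", attacks=4, errors=4),
                Component("server", attacks=3, errors=1)],
)

if __name__ == "__main__":
    # Constructed survey from step 4: six respondents answer '3', seven answer '4'.
    print("trimmed mean of survey:", trimmed_mean([3] * 6 + [4] * 7))
    for name, risk in FIG3.ranked_assets("value"):
        print(f"risk{{v}} {name} = {risk:g}")  # workflows: 36
    for comp in FIG3.components:
        print(f"sum{{v}} {comp} = {FIG3.component_risk(comp):g}, "
              f"sum{{c}} {comp} = {FIG3.component_risk(comp, 'confidentiality'):g}")
```

Running the module prints the ranked asset list and the per-component sums of fig. 3. Feeding a second information asset into ItiModel makes the hub effect visible: a well-trusted component connected to many assets accumulates a large component_risk while its average_component_risk stays low, which is exactly the signal section IV-D uses to decide whether a component's functions should be split up.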
III. CASE STUDY: MISRAM APPLIED TO THE E-BIOINFRA GATEWAY

We tested MISRAM at the e-BioScience group at the AMC, from now on simply referred to as 'the group'. With the cooperation of the group members, who were regarded as experts and were surveyed, we assessed the information security risks for the whole infrastructure for which the group is responsible, including a science gateway. The first author of this paper was responsible for carrying out the assessment and also participated in the group as an IT administrator at the time. The group members participated in the various meetings, interviews and surveys described below. The full report on this case study [20] is not public for security reasons, but details might be requested by contacting the authors.

A. Creating an inventory and a model

A meeting was held to determine the enterprise architecture, including business services. The proposed enterprise architecture model was later modified based on individual interviews with developers. Finally, agreement was reached on the main IT components and the connections between them. The technology layer of the e-BioInfra is split into a 'physical and system' layer and an external 'grid' layer. Grid resources include computing elements and storage elements. The whole model thus appears as having four layers, with an additional separate grid layer, which better represents the separation of the grid services from the technical and organisational aspects of the e-BioInfra.

Another group meeting was held to identify the information assets, during which the concept of information assets was explained and discussed. Later, in private interviews, suggestions were made by some group members to add information assets or to add more detail by splitting up some assets. One group member commented on the generic nature of one information asset, arguing for more detail. Such discussions should be closed before the information asset survey starts. Otherwise, the list of information assets might change after the survey, and the survey needs to be repeated. A meeting or a group manager decision can help to determine a final list.

The enterprise architecture (modelled using ArchiMate) was combined with the information assets to create an information architecture, modelled using IT&I. Most group members understood the IT&I model without much explanation. The IT&I diagram was created using Archi (http://archi.cetis.ac.uk/).

Then, a survey was carried out to assign business values and confidentiality values to the information assets. Most group members (5) participated in the survey.

Another survey asked the group members to give their opinion on the risk or vulnerability of (unintentional) errors and (intentional) attacks associated with the IT components in the application and technology layers.

B. Identifying risks

A simple C++ program was developed to calculate the risks from the IT&I relations, the survey data about the business value and confidentiality of the information assets, and the vulnerability to errors and attacks of the IT components. Trimmed means were used to compensate for outliers. From the ranked list of calculated risks, it became clear that three IT components have the highest cumulative risk:

1) The server that hosts the science gateway software and other e-BioInfra applications, including a workflow engine.
2) The external computations done on the grid.
3) The workflow system itself.

The server itself scored very reasonably on the vulnerability survey, as the group experts showed trust in its security. Still, the server ended up as one of the main causes of risk because of all the applications it hosts.

A generic questionnaire based on NEN 7510 was also applied. It helped to identify a number of additional security issues, mostly related to behaviour and to organisational policies, such as account management and desktop policies. A few major problems became clear from the generic questionnaire, which could be solved by these concrete actions:

• All group members should lock their screens when they leave their desk. Controls and incentives should be put in place to enforce this.

• All mobile devices should use encrypted storage.

• Those not on the payroll, and apprentices, should sign a non-disclosure agreement. Note that this is standard procedure for AMC employees.

• When an employee leaves, accounts should be promptly revoked.

• There should be a reporting and logging facility for security incidents.

• Web applications should use SSL (HTTPS).

Although these actions seem quite obvious, they sometimes are not carried out in academic settings, where mutual trust and intellectual curiosity characterise the culture in the workplace.

The results of the risk calculation and the questionnaire were discussed during a meeting. The group members agreed that the three identified high-risk IT components were important, and voiced their trust in the method used to identify the components and formalise the implicit knowledge in the group. A few actionable measures were proposed, and a small general discussion on information security also started. The meeting helped to raise awareness and to identify the most important practical tasks.

IV. DISCUSSION

The proposed MISRAM method has been successfully applied at the e-Science group at the AMC to assess the risks of the e-BioInfra platform and its science gateway. The group was satisfied with the insights delivered by MISRAM, which indicated practical measures to better address the security regulations for digital processing of medical data. Although we are encouraged by this first result, MISRAM needs to be tested with other groups and other types of scientific gateways for a more conclusive evaluation. Below we present a reflection on aspects that influence the method's performance.

A. Usage of expertise in e-Science groups

MISRAM makes use of the (implicit) knowledge of the people that develop, administer and support the e-BioInfra science gateway. Information assets and component vulnerabilities can be determined by interviewing or surveying these group members.

Typical e-Science groups do their own development and systems administration, and employ a team of experts on the IT components of their own architecture. These experts build the (software) infrastructure that stores and processes the information. Such information includes both assets of the group itself and information assets from external parties (users).

The expertise of the developers of a science gateway on the local security situation might exceed the expertise of an external security expert. Their knowledge of errors within the technical infrastructure is based on their day-to-day experience, so the infrastructure experts can be trusted to have a good feeling for the vulnerability of such a component to unintentional errors. On the other hand, they are not per se security experts. Their knowledge of specific attack routes and security vulnerabilities (e.g., SQL injection attacks) might be limited. Therefore, an internal expert's judgement of the vulnerability to intentional attacks might be less dependable.

B. Risk for whom?

In the case of the e-BioInfra, only the experts have been interviewed, which could indicate a bias towards internal information assets of the system.

are those of simple models: MISRAM is easy to work with and the reasoning and results are easy to communicate.

Note that MISRAM can easily be extended to include the full DCRA model, which could be beneficial for assessing more complex systems or environments.

D. Connectivity

A component that is linked to many information assets will cause much risk because it is a hub; all information assets are in danger when such a hub is compromised. So, even a well-administered server might cause quite some risk because so much depends on it. This could be called the "hub effect". This raises the question of whether MISRAM measures risk or just measures the connectivity of a component. Is it reasonable to assign much risk to a hub, even if such a hub is well secured and shows few vulnerabilities?

One way to reduce the influence of this hub effect is to compensate a component for having many relations (connections) with information assets or with IT components. As an extreme example, one could divide the total risk caused by a component by the number of information assets to which the component is connected, resulting in the average risk per information asset caused by the component. A high average generated risk indicates that the component itself is vulnerable, regardless of the number of information assets to which it is connected.

Still, we argue that IT components that are connected to many information assets are nearly always on the priority list to harden against security problems for a good reason. Such connected components are critical to the organisation. If the average risk per information asset caused by a component is low, but the total risk caused by the same component is high, then the component has a very central function in the infrastructure. In such cases one should question whether the functions of the component could be split up among multiple components in order to isolate components and information flows.

E. CIA vs. business value and confidentiality

We have used the business value and confidentiality dimensions of the UK National Archives (UKNA) [7].
The UKNA model is easy to explain to non-experts and is also intuitive – The emphasis given to group members focuses the risk factors that make it also easy to do a stakeholder survey on assessment on the internal stakeholders. MISRAM mainly the information assets and to communicate the outcomes. measures the risk as perceived by the group and the group members. It does not take into account the risk for external Another, very often used, way to describe security dimen- parties such as users and, for example, patients. However, these sions of an information asset is the “CIA” method, which kinds of risk are not at odds with each other. A low-risk science stands for “confidentiality, integrity, and availability”. The CIA gateway is very likely to pose low risk for external parties as approach is often used to describe the three main character- well. istics of information that can have value; they are also called the three main security categories [21, p. 5]. C. Simplifications A mapping of the CIA to the UKNA model is possible. The ‘C’ from CIA is directly mapped to UKNA’s confidentiality, MISRAM leaves out the percentage-based mapping of while both ‘I’ and ‘A’ from CIA are mapped to UKNA’s information assets used in the original DCRA. An information business value. Information with much business value should asset is linked to an IT component, or it is not. MISRAM normally have good availability and integrity. also leaves out the propagation likelihood of worms and other attack vectors between nodes. Both simplifications come at a We chose to focus on integrity. The e-BioInfra is used cost: our model is less precise than DCRA. The advantages to carry out scientific research, so the integrity of the data processed is of paramount importance. High availability is [10] A. Morali, E. Zambon, S. Etalle, and P. L. Overbeek, “IT confidentiality currently not a major concern for us5 . 
In other words, the risk assessment for an architecture-based approach,” in 3rd IEEE/IFIP correctness of the data processing is more important than the International Workshop on Business-driven IT Management, 2008, pp. 31–40. [Online]. Available: https://ieeexplore.ieee.org/xpl/freeabs all. timeliness. For our approach, availability was out of scope, jsp?arnumber=4540072 although it could easily be incorporated in MISRAM if needed. [11] J. yvind Aagedal, F. den Braber, T. Dimitrakos, B. A. Gran, D. Raptis, and K. Stlen, “Model-based risk assessment to improve enterprise security,” in EDOC ’02. Proceedings. Sixth International Enterprise F. Future work Distributed Object Computing Conference, 2002, pp. 51–62. [12] S. Strecker, D. Heise, and U. Frank, “RiskM: A multi-perspective We consider it questionable to compare different MISRAM modeling method for IT risk assessment,” Information Systems risk assessments in different organisations because so many Frontiers, vol. 13, no. 4, 2011. [Online]. Available: http://www. variables differ (such as the surveyed people and other so- springerlink.com/content/j52k6071g4164q82/ cial factors, external influences such as news and technical [13] A. Morali, “IT architecture-based confidentiality risk assessment in developments, and so on). Whether different organisations are networks of organizations,” Enschede, 2011, IPA dissertation series; comparable using MISRAM or an extension to our method 2011-06. could be determined by a follow-up project. [14] E. Mouw, “Data protection and privacy in escience,” 2012. [Online]. Available: http://www.scriptiesonline.uba.uva.nl/425083 The right balance between stressing the importance of well- [15] M. Lankhorst and the ArchiMate team, “ArchiMate language connected hubs and compensating for the hub effect is also a primer,” 2004. [Online]. Available: https://doc.novay.nl/dsweb/Get/ Document-43839/ worthy subject of future research. [16] U. 
Frank, “Multi-perspective enterprise modeling (MEMO) conceptual framework and modeling languages,” in HICSS. Proceedings of the 35th Annual Hawaii International Conference on System Sciences, 2002, pp. V. ACKNOWLEDGEMENT 1258–1267. We thank the members of the e-Science group for their time [17] R. Likert, “A technique for the measurement of attitudes,” Archives of Psychology, vol. 22, no. 140, pp. 1–55, 1932. and valuable suggestions during the development and applica- [18] H. L. Dreyfus and S. E. Dreyfus, Mind over machine: The power of tion of this RA method. This work is partially supported by the human intuition and expertise in the era of the computer. Free Press, COMMIT project “e-Biobanking with imaging for healthcare” 1986. funded by the Nederlandse Organisatie voor Wetenschappelijk [19] P. G. Schempp, “The stages of expertise,” 2011. [Online]. Available: Onderzoek (Netherlands Organisation for Scientific Research, http://www.performancemattersinc.com/posts/stages-of-expertise/ NWO). [20] E. Mouw, “Internal report: Information security risk assessment of the eBioScience infrastructure at the AMC,” eBioScience group, biolab, KEBB, Acedemic Medical Centre, University of Amsterdam, Tech. R EFERENCES Rep., 2012, available on request. Contact the corresponding author. [21] C. S. Division, “NIST special publication 800-53 rev. 3 – recommended [1] S. Shahand, M. Santcroos, A. H. C. van Kampen, and S. D. Olabarriaga, security controls for federal information systems and organizations,” “A grid-enabled gateway for biomedical data analysis,” pp. 725–742. National Institute for Standards and Technology, Tech. Rep., [2] E. Deelman, D. Gannon, M. Shields, and I. Taylor, “Workflows and 2010. [Online]. Available: http://csrc.nist.gov/publications/nistpubs/ e-science: An overview of workflow system features and capabilities,” 800-53-Rev3/sp800-53-rev3-final updated-errata 05-01-2010.pdf Future Generation Computer Systems, vol. 25, no. 5, pp. 528–540, 2009. [3] E. Mouw, G. 
van ’t Noordende, A. H. van Kampen, B. Louter, M. Santcroos, and S. D. Olabarriaga, “Legal constraints on genetic data processing in European grids,” in HealthGrid Applications and Technologies Meet Science Gateways for Life Sciences, 2012, pp. 49–58. [Online]. Available: http://www.booksonline.iospress.nl/ Content/View.aspx?piid=30469 [4] ISACA, CISA Review Manual 2006 (CISA - Certified Information Systems Auditor). Information Systems Audit and Control Association, 2006. [5] E. Zambon, S. Etalle, R. J. Wieringa, and P. H. Hartel, “Model- based qualitative risk assessment for availability of IT infrastructures,” Software and Systems Modeling, vol. 10, no. 4, pp. 553–580, 2011. [6] I. Postelnik, “Chess: A valuable teaching tool for risk managers?” pp. 40–42, 2008. [7] T. N. A. J. Riley), “What is an information asset?” 2011, factsheet. [Online]. Available: http://www.nationalarchives.gov.uk/ [8] G. Stoneburner, “NIST special publication 800-33 – underlying technical models for information technology security,” National Institute of Standards and Technology, Computer Security Division, Tech. Rep., 2001. [Online]. Available: http://csrc.nist.gov/publications/ nistpubs/800-33/sp800-33.pdf [9] Cisco, “Data sheet technology application support – internal security posture assessment,” 2004. [Online]. Available: http://www.cisco.com/application/pdf/en/us/guest/products/ ps5619/c1262/cdccont 0900aecd800ce53a.pdf 5 It is not a major problem if the e-BioInfra is offline for one or two days. The same seems to be the case of many peer research groups we know.
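The hub-effect check discussed in Section IV-D (total risk of a component versus its average risk per linked information asset), using the binary asset-to-component linkage of Section IV-C, as an added Python example that is not part of the paper and not MISRAM's own tooling. It builds a small constructed model, ranks components by total risk, and separates components that are risky because they are themselves weak from those that are risky only because they are hubs and might be split. The risk formula (expert vulnerability estimate times the sum of the linked assets' values), the 1 to 5 scales, taking the larger of business value and confidentiality as an asset's weight, and "above the mean over all components" as the meaning of "high" are assumptions made for illustration; every component, asset and number below is invented.

```python
"""Hub-effect check for a MISRAM-style information architecture model.

Illustrative code, not the paper's.  Assumed, simplified risk formula:
    total_risk(c)   = vulnerability(c) * sum(value(a) for assets a linked to c)
    average_risk(c) = total_risk(c) / number of assets linked to c
with value(a) = max(business_value, confidentiality) on a 1..5 scale and
vulnerability an expert estimate on a 1..5 scale.  MISRAM's real calculation
(and the DCRA model it derives from) is not reproduced here.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class InformationAsset:
    name: str
    business_value: int   # 1 (low) .. 5 (high), from the stakeholder survey
    confidentiality: int  # 1 (low) .. 5 (high)

    @property
    def value(self) -> int:
        # Assumption: an asset's weight is the larger of its two UKNA dimensions.
        return max(self.business_value, self.confidentiality)


@dataclass(frozen=True)
class ITComponent:
    name: str
    vulnerability: int    # 1 (hard to compromise) .. 5 (easy), expert estimate
    linked_assets: tuple  # names of the information assets that depend on it


def component_risks(components, assets):
    """Map component name -> (total_risk, average_risk_per_asset, link_count)."""
    by_name = {a.name: a for a in assets}
    risks = {}
    for c in components:
        linked = [by_name[n] for n in c.linked_assets]   # binary linkage
        total = c.vulnerability * sum(a.value for a in linked)
        average = total / len(linked) if linked else 0.0  # hub compensation
        risks[c.name] = (total, average, len(linked))
    return risks


def classify(risks):
    """Label components from their total and average risk.

    'vulnerable': average is high -> the component itself is weak, whatever
                  its connectivity; harden it.
    'hub':        average is low but total is high -> risk comes from
                  centrality; consider splitting its functions.
    'low':        neither.
    Assumption: 'high' means above the mean over all components.
    """
    total_mean = mean(t for t, _, _ in risks.values())
    avg_mean = mean(a for _, a, _ in risks.values())
    labels = {}
    for name, (total, average, _) in risks.items():
        if average > avg_mean:
            labels[name] = "vulnerable"
        elif total > total_mean:
            labels[name] = "hub"
        else:
            labels[name] = "low"
    return labels


def ranked(risks):
    """Component names ordered by total risk, highest first (a ranked list)."""
    return sorted(risks, key=lambda n: risks[n][0], reverse=True)


# Constructed sample model; all names and numbers are invented.
ASSETS = (
    InformationAsset("medical images", 5, 5),
    InformationAsset("DNA sequences", 5, 5),
    InformationAsset("workflow descriptions", 3, 1),
    InformationAsset("public reference genomes", 2, 1),
    InformationAsset("user accounts", 4, 4),
)
COMPONENTS = (
    # Well-administered gateway through which every asset flows: a hub.
    ITComponent("gateway web server", 2, tuple(a.name for a in ASSETS)),
    # Poorly maintained box holding one very sensitive asset: itself weak.
    ITComponent("legacy upload server", 5, ("DNA sequences",)),
    ITComponent("grid storage element", 1,
                ("medical images", "DNA sequences", "public reference genomes")),
    ITComponent("developer wiki", 3, ("workflow descriptions",)),
)


def analyse(components=COMPONENTS, assets=ASSETS):
    """Run the full check; returns (risks, labels, ranked component names)."""
    risks = component_risks(components, assets)
    return risks, classify(risks), ranked(risks)


if __name__ == "__main__":
    risks, labels, order = analyse()
    for name in order:
        total, average, n = risks[name]
        print(f"{name:22s} total={total:5.1f} avg/asset={average:5.1f} "
              f"links={n}  -> {labels[name]}")
```

In the constructed model the gateway tops the ranked list on total risk even though its vulnerability estimate is modest, while the legacy upload server has a lower total but by far the highest average per asset. The two readings lead to different actions, exactly the distinction Section IV-D draws: harden the upload server; for the gateway, ask whether its functions can be divided over several components so that one compromise no longer exposes every asset.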