Security - Telenor
Security - Telenor
Security - Telenor
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
70<br />
financial, social, environmental, humanitarian<br />
and/or organisational information;<br />
• A clearly stated boundary between what is<br />
included and what is not included in the risk<br />
analysis.<br />
The quality of the analysis is heavily influenced<br />
by this first step. If a critical part of the TOE is<br />
forgotten or deliberately omitted the analysis<br />
may be invalidated. Missing or inadequately described<br />
parts of the TOE usually produce confusion<br />
and arguments instead of a good understanding<br />
of the TOE. Arguments are also common<br />
when people do not accept the limits of the<br />
analysis.<br />
This step is important, because it synchronises<br />
people’s understanding of the TOE and lays<br />
down the ground rules for the threat identification<br />
phase.<br />
Unfortunately, the layperson is seldom prepared<br />
to spend time on this step because “everyone<br />
knows what the TOE is”. Maybe, but it is a rare<br />
occasion when everyone knows what the TOE<br />
actually is, understands what it really does, correctly<br />
describes the critical success factors, precisely<br />
describes the customer, etc.<br />
Threat Analysis<br />
The second step is the threat analysis, which<br />
<strong>Telenor</strong> splits into two half steps.<br />
The first half step involves identifying the threats<br />
to the TOE. A threat is a present or future vulnerability,<br />
activity, accomplishment or event that<br />
could have a negative future impact on the TOE.<br />
It is essential to use a structured approach in the<br />
threat identification phase. Significant threats are<br />
usually overlooked when the threat identification<br />
phase is unstructured, thus lowering the credibility<br />
of the analysis. An unstructured approach<br />
also leads to repeatedly returning to the threat<br />
identification process, thus increasing costs.<br />
<strong>Telenor</strong> recommends Hazard and Operability<br />
studies (Hazop) [4] as a basis for threat identification.<br />
Hazop is a technique for structuring a<br />
brainstorming process, and is well suited when<br />
analysing complex objects. A skilfully executed<br />
Hazop will supply an exhaustive list of threats,<br />
what causes the threats to materialise and to a<br />
certain extent the consequences of the threats.<br />
However, Hazop is not recommended if the analyst<br />
does not have previous experience with this<br />
technique.<br />
For the layperson, <strong>Telenor</strong> recommends using<br />
specially designed threat identification tech-<br />
niques [5] even though this is a less structured<br />
approach to threat identification.<br />
The next half step is an analysis of what causes a<br />
threat to occur. A separate brainstorming session<br />
may be necessary unless the causes were established<br />
during the threat identification phase. In<br />
this session one tries to answer the question<br />
“what can cause this threat to materialise”.<br />
The depth of the causal analysis is determined<br />
by the length of the causal chain. The direct<br />
cause of the threat is sometimes enough, but it<br />
may be necessary to establish a chain of causes<br />
before the causality is sufficiently examined.<br />
Frequency and<br />
Consequence Analysis<br />
The third and fourth step consists of analysing<br />
the frequencies and consequences related to each<br />
threat. The model shows these steps side by side,<br />
because it is a matter of personal preference and<br />
practicality whether one is completed before the<br />
other begins, or if they are analysed in parallel.<br />
The frequency analysis examines each threat to<br />
determine how often the threat is likely to occur.<br />
The frequency analysis should be quantitative,<br />
but lack of time and hard data usually prevents<br />
this. The preferable alternative is to quantify a<br />
range of frequencies – for instance high, medium,<br />
low – and allocate each threat to one of the<br />
labelled ranges. If this is impossible, a qualitative<br />
description of the likelihood of each threat<br />
is called for.<br />
The consequence analysis focuses on the damage<br />
a threat can set off, preferably expressed in<br />
economic terms. An indirect consequence occurs<br />
when the triggered threat sets off a chain of<br />
events before the consequence shows up, whereas<br />
a direct consequence is set off by the triggering<br />
threat. Sometimes it is necessary to look for<br />
both direct and indirect consequences before the<br />
total loss is determined. In any case, it is essential<br />
to determine the consequences because no<br />
loss prevention measure should cost more than<br />
the loss it prevents.<br />
The consequence analysis should also outline<br />
the mechanisms or barriers that are supposed to<br />
prevent the damage. This knowledge is useful<br />
when selecting measures to minimise the consequences<br />
when a threat is set off.<br />
Exposure Description<br />
The previous steps analysed threats, frequencies<br />
and consequences. The next step is to present the<br />
threats in terms of risk exposure. The risk exposure<br />
is a description of the impact a materialised<br />
risk will have. There are three main points to<br />
consider:<br />
Telektronikk 3.2000