ContextDefinition.adoc

By clicking on number 1, the following menu appears:

1. Link to the contextual management pop-ups, see the following chapters.

2. Checkboxes indicate that a selected stage has been completed. This feature helps track the progress of the risk analysis project and displays the risk representation graph on the dashboard.

3. A link enables the generation of the context deliverable (Context validation) Validation of the context for validation. As part of a consultancy assignment, for instance, it may be helpful to get the client to validate it.

Risk analysis context

This view offers text encoding and formatting functions, enabling the risk analysis target to be contextualised with well-formatted texts that will be documented in the deliverables.

1. Access to the text formatting functions (bold, italics, paragraph, text size, etc.). The quality of the encoding has a direct impact on the quality of the deliverable.

2. To display or delete the help area.

3. Help area on the content which is recommended for data entry (Additional information).

4. Chapters recommended by ISO27005. Clicking on the label will place it automatically in the data entry area.

Evaluation of the trends, threats and synthesis

This stage is divided into three parts to structure the data collection needed for understanding the analysis context. It is recommended to lead a working group of 5 to 10 people (depending on the organization), bringing together management members, IT staff, the risk management department (if applicable), and heads of departments or key personnel.

1. Trends Assessment: MONARC provides a series of questions to establish the context from a very general perspective (see Trends Assessment).

2. Threats Assessment: It allows threats to be reviewed from a general perspective and, if necessary, to be evaluated by default in the future model (for more information, see Threats Assessment).

3. Summary of key points determined during stages 1 and 2 (for more information, see Summary).

Trends Assessment

The assessment of trends provides a series of questions to establish the context from a very general perspective. These questions highlight the selection of key assets which must be taken into account during the analysis, the security criteria, as well as a few indicators concerning the motives of the attack and the external context of the target. This list is not exhaustive; you can add questions of your choice at the end of the page.

Threats Assessment

The assessment of threats, in a similar fashion to the assessment of trends, takes the form of a meeting involving key personnel in the organisation. The goal is to review the majority of threats by gathering information from the past and examining the general observations made by the group. The objective is to reach a consensus on the likelihood of each threat, using a scale that is easy to interpret:

• Relatively -: Never occurred, really not likely

• Normal n: No clear position, no opinion

• Relatively +: Already occurred

• Relatively ++: Already occurred on one or two occasions The security expert is responsible for converting the consensus into a probability value of 1 to n which shall be used in the model.

1. Click on the Threats assessment tab.

2. Heading of the threat.

3. Information on the threat.

4. Observation to encode, information gathering from a group of people.

5. Information on the security criteria affected by the threat.

6. Selection of the trend, determined by group consensus.

7. Selection of the probability deduced from point 6 by the security expert.

8. The option to run the threats in the model later, after they have been developed.

9. Save the information and browse the threats.

Warning

For points 7 and 8, you have to set the scales of your risk analysis to unhide this funtion (see Definition of the risk evaluation criteria)

Summary

Similar to the context of the risk analysis, this view allows the user to summarize the relevant information gathered during the assessment of trends and threats. This text enables the user to enrich the deliverable.

Risks management organisation

This view enables the user to encode the information in the context of the risk management, for instance, concerning the roles and responsibilities, the stakeholders, etc.

Note	For more information, please see Chapter 7.4, of ISO/IEC 27005:2011

Definition of the risk evaluation criteria

This involves personalising the scales, impact criteria, and consequences. MONARC provides values by default which can be personalised depending on the context. All the scales can be modified and the levels personalised. However, it is no longer possible to modify the scales when an assessment has been encoded.

Impact scale

1. Click to modify the number of scales.

2. Click on Show hidden impacts to show or hide the criteria not used in the analysis.

3. Click on the symbol to hide an unused column.

4. Click on the New column name to add a new impact criteria.

5. Click to edit the headings of each scale.

Note	Managing the headings is similar to working with an Excel table. By clicking on a heading, you can edit it. Clicking on another heading will automatically save the first one, and so on.

By default, the impact and consequence scale includes the following criteria:

• Confidentiality

• Integrity

• Availability

• Reputation

• Operation

• Legal

• Financial

• Person (impact on the person)

It is also possible to add personalised consequences as well as impact criteria.

The same scales are used to assess both information risk and operational risk; the difference lies in their interpretation:

• The information risks are evaluated on the CIA^[1] criteria by taking into account the ROLFP^[2] consequences.

• Operational risks are directly evaluated on the ROLFP^[3] criteria

Likelihood scale

The scale of threats is used to calculate information risks and the probability of scenarios relating to operational risks

1. Click to modify the number of scales

2. Click to edit the heading on each scale (Management identical to the impact scale).

Vulnerabilities scale

The scale of vulnerabilities is only used for calculating information risks.

1. Click to modify the number of scales

2. Click to edit the heading on each scale (Management identical to the impact scale).

Acceptance thresholds

There are two separate tables for acceptability thresholds, as operational risk and information risk are calculated differently. Information risks are calculated using three criteria:

1. Modification of threshold levels of informations risks. The table displayed above (as well as the risk analysis tables) is updated automatically.

2. Information risks are calculated using three criteria: Impact x Threat x Vulnerability.

3. Modification of threshold levels of operational risks. The table displayed above (as well as the risk analysis tables) is updated automatically.

4. Operational risks are calculated using two criteria: Impact x Probability.

Deliverable: Context validation

This deliverable includes all information gathered and entered in the context establishment phase. It can be used to validate the information provided by the client, before initiating risk identification. A form has to be filled in. When the user clicks on Save, a Word file is generated.

---

1. CIA,Confidentiality, Integrity and Availability.

2. rolfp,Reputation, Operational, Legal, Financial and Personal

3. rolfp