Risk Modeling
Introduction
Most, if not all, enterprise risk management (ERM) frameworks require some form of risk analysis or risk assessment. Risk modeling is a critical part of the risk analysis process for many analysts and organizations (Haimes, 2004). Risk modeling can take many different forms depending on the industry, analyst, framework, nature of risk, etc. This paper will examine how risk modeling is applied in various environments, the importance of risk modeling, the shortcomings of risk modeling, and how organizations can apply these risk modeling concepts for themselves.
Threat Modeling
Threat modeling is an important form of risk modeling for information systems because it supports both the planning of security requirements and the understanding of the risks present in a system (Department of Health and Human Services, 2020). Several frameworks exist to structure a firm's threat modeling efforts, including STRIDE, PASTA, and OCTAVE.
STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (Department of Health and Human Services, 2020). Each component of the acronym is a category of threat around which users develop threat models (Department of Health and Human Services, 2020). In the STRIDE model, a given system is decomposed into its fundamental components (in practice usually the processes, data stores, data flows, and external entities of a data-flow diagram), and each STRIDE category is considered against each component so that the associated risks can be identified along with subsequent risk mitigation strategies (Department of Health and Human Services, 2020).
The PASTA model was developed in 2012 (Balamurugan et al., 2023) and stands for “Process for Attack Simulation and Threat Analysis.” The model is made up of the following seven stages: “Define the Objectives,” “Define the Technical Scope,” “Decompose the Application,” “Analyze the Threats,” “Vulnerability Analysis,” “Attack Analysis,” and “Risk and Impact Analysis” (Pape & Mansour, 2024, Section III). Some of the key points that differentiate this framework from other threat modeling frameworks include the focus on input from a range of stakeholders (operations, governance, designers, engineers, etc.) and the fact that it puts potential attackers and risks at the center of the whole approach (Balamurugan et al., 2023).
Finally, OCTAVE stands for “Operationally Critical Threat, Asset, and Vulnerability Evaluation” (Mackita, 2019, Section 2.1). There are three primary phases in OCTAVE: “Build asset-based threat profiles,” “Identify infrastructure vulnerabilities,” and “Develop security strategy and plans” (Mackita, 2019, Section 2.1). These main phases all have several sub-processes associated with them, for a total of eight processes (Mackita, 2019). The OCTAVE approach to risk modeling requires users to create threat models and classify each of them into one of the following four categories: network-based, physical, system, and other (Butcher-Powell, 2006).
Each of these approaches to threat modeling is a form of risk modeling that is generally applied by organizations working to secure their information systems. Firms looking to apply these concepts themselves can adopt any of these frameworks directly. Alternatively, published case studies describe organizations that have applied these frameworks in the past; firms can study those cases and select the concepts that fit their own business processes.
Other Forms of Risk Modeling
Various industries have different approaches to risk modeling based on their unique needs, and some organizations must model risk for niche scenarios. Civil engineers, for example, may be tasked with modeling flood risk to determine engineering requirements (Aerts et al., 2013). Such forms of risk modeling may be so operationalized and regulated that a mandated or conventionally accepted modeling approach already exists and must be followed rather than designed from scratch.
Financial firms face risk modeling challenges of their own. Firms operating in these industries might be tasked with modeling credit risk (Bhat et al., 2019) or systemic risk to the financial system (Chen et al., 2016). Banks might use credit risk models to determine the financial risk in their portfolio of loans and make decisions to mitigate those risks (Bhat et al., 2019). Additionally, those banks may use credit risk models to satisfy certain regulatory requirements (Bhat et al., 2019).
Depending on the nature of the risk being addressed, organizations may take one of several approaches to risk modeling. One approach is based on creating and analyzing scenarios that could pose risk to the firm; these scenario-based approaches are what frameworks like STRIDE, PASTA, and OCTAVE structure. Another approach is more mathematical or algorithmic, computing risk levels from a model of the system under given circumstances. Chen and Zhu (2019), for example, apply such an approach in the Internet of Things (IoT) domain by modeling the behavior of network participants under constraints such as the bounded rationality of the users participating in the network.
There are many other resources available that offer structure, guidance, and techniques for modeling risk in various contexts. These resources include risk management frameworks, which often include a risk modeling sub-component, such as COSO, ISO 31000, or NIST Risk Management Framework (RMF). Moving beyond frameworks, specific techniques and methodologies that organizations can leverage include Bayesian Networks, Monte Carlo Simulations, and Stress Testing.
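As an added example that is not part of the original paper, the block below shows what two of the techniques named above, Monte Carlo simulation and stress testing, look like when applied to a single cyber-risk scenario. Loss frequency is sampled from a Poisson distribution and per-event loss from a lognormal distribution calibrated from a median and a 90th-percentile estimate. The scenario, its calibration figures, the function names, and the stress multipliers are all hypothetical and chosen for illustration only.

```python
"""Monte Carlo annual-loss simulation for one risk scenario, plus a stress run.

Added example (not from the cited sources). Frequency is Poisson, per-event
loss is lognormal; calibration figures are hypothetical.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass, replace

Z90 = 1.2815515655446004  # standard-normal quantile for the 90th percentile


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected loss events per year (Poisson rate)
    loss_median: float      # median loss per event, in currency units
    loss_p90: float         # 90th-percentile loss per event


def lognormal_params(median: float, p90: float) -> tuple[float, float]:
    """Convert a median / p90 estimate pair into lognormal (mu, sigma)."""
    if not 0 < median < p90:
        raise ValueError("need 0 < median < p90")
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90
    return mu, sigma


def poisson(rng: random.Random, rate: float) -> int:
    """Sample an event count with Knuth's method (adequate for small rates)."""
    limit = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1


def simulate_annual_losses(sc: Scenario, years: int = 20_000, seed: int = 7) -> list[float]:
    """Return one total loss per simulated year (fixed seed for reproducibility)."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(sc.loss_median, sc.loss_p90)
    losses = []
    for _ in range(years):
        n = poisson(rng, sc.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def percentile(values: list[float], q: float) -> float:
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]


def summarize(losses: list[float]) -> dict[str, float]:
    """Annualized loss expectancy (mean) plus tail percentiles."""
    return {
        "ale": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p95": percentile(losses, 0.95),
        "p99": percentile(losses, 0.99),
    }


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """P(annual loss > threshold): one point on the loss-exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def stressed(sc: Scenario, freq_mult: float = 2.0, sev_mult: float = 1.5) -> Scenario:
    """Stress test: scale frequency and severity, leaving the model otherwise unchanged."""
    return replace(sc, name=f"{sc.name} (stressed)",
                   events_per_year=sc.events_per_year * freq_mult,
                   loss_median=sc.loss_median * sev_mult,
                   loss_p90=sc.loss_p90 * sev_mult)


# Hypothetical calibration for a credential-phishing scenario (constructed numbers).
PHISHING = Scenario("credential phishing leads to account takeover",
                    events_per_year=0.5, loss_median=50_000, loss_p90=200_000)

if __name__ == "__main__":
    for sc in (PHISHING, stressed(PHISHING)):
        losses = simulate_annual_losses(sc)
        s = summarize(losses)
        print(f"{sc.name}: ALE={s['ale']:,.0f} p95={s['p95']:,.0f} "
              f"p99={s['p99']:,.0f} "
              f"P(loss>250k)={exceedance_probability(losses, 250_000):.3f}")
```

Two things the simulation shows that a single-point estimate would hide: with half an event per year the median annual loss is zero even though the expected annual loss is tens of thousands, so the tail percentiles and the exceedance curve, not the median, are what should drive a mitigation decision; and the stressed run quantifies how sensitive that conclusion is to the frequency and severity assumptions the analyst supplied.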
Importance of Risk Modeling
While the financial and engineering use cases in the previous section may seem entirely distinct from the risk modeling performed under more IT-focused ERM frameworks, the core objective is the same: organizations need to understand the scenarios that could prevent them from achieving their goals and how those scenarios might be mitigated. Risk modeling is an important resource for many organizations; however, some researchers have also pointed out its limitations, including psychological biases in the development and interpretation of risk profiles (Crawford & Jabbour, 2023).
Conclusion
Risk modeling has an immense range of applications, methods, and resources across different industries and focus areas; however, the core principle is the same. Organizations can use risk modeling to reach a better understanding of the risks their enterprises face and use that understanding to develop risk mitigation strategies. The literature is rich with guidance on applying risk modeling to different problems using a range of techniques. Professionals charged specifically with securing information systems can leverage tools such as threat modeling, which apply the concepts of risk modeling directly to that domain.
References
Aerts, J. C. J. H., Lin, N., Botzen, W., Emanuel, K., & de Moel, H. (2013). Low-Probability Flood Risk Modeling for New York City. Risk Analysis, 33(5), 772–788. https://doi.org/10.1111/risa.12008
Balamurugan, K., Sudalaimuthu, T., & Sherlin Solomi, V. (2023). An analysis of various cyber threat modeling. 2023 Third International Conference on Artificial Intelligence and Smart Energy (ICAIS). https://doi.org/10.1109/icais56108.2023.10073771
Bhat, G., Ryan, S. G., & Vyas, D. (2019). The Implications of Credit Risk Modeling for Banks’ Loan Loss Provisions and Loan-Origination Procyclicality. Management Science, 65(5), 2116–2141. https://doi.org/10.1287/mnsc.2018.3041
Butcher-Powell, L. M. (2006). Better Securing an Infrastructure for Telework. Journal of Cases on Information Technology, 8(4), 71–86. https://doi.org/10.4018/jcit.2006100106
Chen, J., & Zhu, Q. (2019). Interdependent Strategic Security Risk Management with Bounded Rationality in the Internet of Things. arXiv.Org. https://doi.org/10.48550/arxiv.1905.09341
Chen, N., Liu, X., & Yao, D. D. (2016). An Optimization View of Financial Systemic Risk Modeling: Network Effect and Market Liquidity Effect. Operations Research, 64(5), 1089–1108. https://doi.org/10.1287/opre.2016.1497
Crawford, J., & Jabbour, M. (2023). The relationship between enterprise risk management and managerial judgement in decision‐making: A systematic literature review. International Journal of Management Reviews, 26(1), 110–136. https://doi.org/10.1111/ijmr.12337
Department of Health and Human Services. (2020). Threat modeling for mobile health systems (No. 202004301030). Retrieved July 20, 2024, from https://www.hhs.gov/sites/default/files/threat-modeling-mobile-health-systems.pdf
Haimes, Y. Y. (2004). Risk modeling, assessment, and management. https://doi.org/10.1002/0471723908
Mackita, M., Shin, S.-Y., & Choe, T.-Y. (2019). ERMOCTAVE: A Risk Management Framework for IT Systems Which Adopt Cloud Computing. Future Internet, 11(9), 195. https://doi.org/10.3390/fi11090195
Pape, N., & Mansour, C. (2024). PASTA threat modeling for vehicular networks security. https://doi.org/10.1109/icict62343.2024.00083
© Trevor French