
Information Security Risk Assessment Model Based on OCTAVE for E-Government

CHEN Xin-ming
Information Department, Hunan University of Commerce, Changsha, Hunan, 410205, People's Republic of China
[email protected], [email protected]

WEN Ning
E&M Department, Hunan Women's University, Changsha, Hunan, 410007, People's Republic of China
[email protected]

Abstract—Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) is introduced, together with its feasibility and deficiencies when used for information security risk assessment in E-Government. AHP is brought in to build a risk assessment model of information security for E-Government based on OCTAVE: the value of information assets is defined by significance, confidentiality, integrity and usability; the risk assessment procedure is divided into four phases, namely assets evaluation, threats evaluation, vulnerability evaluation and risk measuring; and the general risk value of each information asset can be calculated together with its risk level. Finally, a case study is given to show the feasibility of the information security risk assessment model.

Keywords-E-Government; risk assessment; OCTAVE; AHP

Research on e-government information security risk assessment model based on OCTAVE

Chen Xinming (1), Wen Ning (2)

1. School of Information, Hunan University of Business, Changsha, Hunan, China, 410205
2. Department of Economics and Management, Hunan Women's University, Changsha, Hunan, China, 410007

[Abstract] This paper introduces the principles and characteristics of the information security risk analysis method OCTAVE, and analyzes the feasibility and shortcomings of this method for assessing e-government information security risks. The analytic hierarchy process is introduced to construct an e-government information security risk assessment model based on OCTAVE. The security value of information assets is defined from their importance, confidentiality, integrity and availability, and the risk assessment process is divided into four stages, asset assessment, threat assessment, vulnerability assessment and risk quantification, which are used to assess the comprehensive risk score and risk level of key information assets. Finally, the feasibility of the model is demonstrated with an example.

[Key words] e-government; risk assessment; OCTAVE; analytic hierarchy process

1 Introduction

E-government information security management is an important link in building an e-government security system. Its purpose is to reduce security risks to an acceptable level and to analyze and assess threats to information systems effectively, objectively and scientifically. How to establish an assessment system is therefore the first step in information security management. In order to overcome the subjectivity of existing qualitative risk assessment methods and the complexity of quantitative risk assessment methods, this paper builds on the OCTAVE method and incorporates the AHP method to propose a new e-government information security risk assessment model and assessment index system.

2 OCTAVE Introduction

The full name of OCTAVE is Operationally Critical Threat, Asset and Vulnerability Evaluation, a systematic and highly operational set of security risk assessment methods developed by the Software Engineering Institute of Carnegie Mellon University. Autonomy, or "self-direction", is the core of this approach: it emphasizes that information security risk assessment is led by people within the organization, who form a multidisciplinary, multi-field analysis team composed of key business and technical personnel. The team leads the entire assessment process and combines risk management at both the organizational and the technical level. In addition, OCTAVE-based assessments are "asset-driven": they start from the organization's key information assets and the specific environment in which those assets are located to construct an information security risk framework.

2.1 Characteristics and specific methods of OCTAVE

The OCTAVE method adopts a three-stage approach (comprising 10 sub-processes) to study and analyze organizational and technical issues.

978-1-4244-5143-2/10/$26.00 ©2010 IEEE

2.1.1 The first stage

Establishing an asset-based threat profile includes four processes: identifying key assets and their security requirements, identifying threats to key assets, analyzing existing security measures, and analyzing organizational weaknesses. It is mainly an assessment from an organizational perspective.

2.1.2 The second stage

Identifying information infrastructure weaknesses includes two processes: identifying critical systems and analyzing technical weaknesses. It is mainly an assessment from a technical perspective.

2.1.3 The third stage

Developing security strategies and plans includes four processes: identifying the security risks of key assets, measuring security risks, developing security protection strategies, and formulating risk mitigation plans. It is mainly risk and countermeasure analysis.

2.2 Feasibility of applying OCTAVE to information security risk analysis

Since e-government systems hold a large amount of confidential information, OCTAVE's "self-directed" feature lets the organization's own personnel assess system security risks, eliminating the possibility of information leakage. In addition, considering that most users and managers of e-government systems are not computer professionals, OCTAVE security risk assessment, which focuses on both the technical and the management level, has strong adaptability and operability and can truly meet the security requirements of e-government systems.

2.3 Disadvantages of OCTAVE

Although the OCTAVE method, developed from a systems and organizational perspective, is a new type of information security assessment method, it still has deficiencies in the following aspects. The assessment process is cumbersome: OCTAVE requires the involvement of multiple departments and multiple personnel, so it is not easy to establish a complete operational view. Lack of quantitative analysis: OCTAVE focuses on qualitative analysis of issues such as the value, weaknesses and threats of information systems. Difficulty in defining the scope of the assessment: OCTAVE emphasizes that the work must focus on the key operational areas of the organization. Simple assessment criteria: the criteria against which the assessment is performed are relatively simple and may even contain subjective assumptions.

3 E-government information security risk assessment method based on OCTAVE

3.1 Improved risk assessment ideas based on OCTAVE

The shortcomings of OCTAVE mean that it is not suitable for use on its own in e-government information security risk analysis. Therefore, the analytic hierarchy process (AHP) is introduced and combined with OCTAVE to construct a new method that unites qualitative and quantitative analysis and can meet the information security analysis needs of different types of e-government systems; the framework uses computer tools to greatly shorten the execution time of risk analysis. The improved OCTAVE-based information security risk assessment retains OCTAVE's advantages of "self-direction" and of combining management with technology. It can also use the AHP judgment matrix to convert qualitative judgments into quantitative values, so that the degree of risk can be analyzed accurately and objectively, thus effectively making up for OCTAVE's shortcoming in quantification.

3.2 E-government information security assessment process based on OCTAVE

E-government information security risk assessment based on OCTAVE mainly involves four processes: asset analysis, threat analysis, vulnerability analysis and risk analysis.

3.2.1 Asset analysis

Based on the characteristics of e-government, its key assets can be divided into five basic categories: information, systems, software, hardware and personnel. A valuation method that combines the importance of an asset to the business with the confidentiality, integrity and availability of the asset is adopted: e-government information assets are assigned to one of 5 levels for their importance and for each of the attributes of confidentiality, integrity and availability, using the levels in Table 1 as the assignment standard.

Table 1. Common assignment table for assets/threats/weaknesses
  Value   5          4      3       2     1
  Level   Very high  High   Medium  Low   Very low

Considering the characteristics of e-government, formula (1) is used to calculate the asset value Va, where S represents the importance of the asset to the business, C the confidentiality of the asset, I the integrity of the asset and U the availability of the asset.

  Va = log2[(2^S + 2^C + 2^I + 2^U) / 4]   (1)

3.2.2 Threat analysis

A threat is a possible factor or event that may cause damage to an information system and its assets. Common sources of threats to e-government information security mainly include: system problems, such as hardware and software failures, viruses and system crashes; unauthorized access to and operation of systems through the network; gaining unauthorized access through the physical environment; and natural disasters, third-party system unavailability and other issues.

Taking into account the possibility of a threat occurring and its impact on information assets, a relative value can be assigned by comparing the impact of each threat on each asset. AHP is used to calculate the threat factor of each threat for each asset, with the hierarchical structure shown in Figure 1: the top layer (target layer) is the threat factor, that is, the quantity to be calculated for the threats to each asset; the second layer (criteria layer) is the key assets; the third layer (program layer) is the threats existing on the assets.

3.2.3 Weakness analysis

Weaknesses are weak links in information assets that may be exploited by threats, including business processes, personnel, hardware, software and other aspects. The analysis of information asset weaknesses can start from two aspects. Analyze technical weaknesses: physical, network, system and application security.

Analyze management weaknesses: security policies, personnel security, access control, etc. Assigning a value to a weakness mainly considers how easy the weakness is to exploit: the higher the level, the easier it is to exploit and the greater the risk to the asset. When calculating asset vulnerability, a vulnerability hierarchy diagram can be established by reference to Figure 1, and the exposure of each vulnerability to each threat, known as the vulnerability factor, is calculated.

Figure 1. Threat hierarchy diagram (target layer: threat factor; criterion layer: Asset 1, Asset 2, ..., Asset n; solution layer: Threat 1, Threat 2, ..., Threat n)

3.2.4 Risk quantification

A risk is a threat exploiting a weakness to damage an asset or group of assets, causing direct or indirect harm to the organization. The risk is bounded by the security value of the asset, the size of the threat and the exploitability of the vulnerability, so the risk model can be constructed as follows:

  Rijk = Ai × Tj × Vjk   (2)
  Rij = max{Rijk, k = 1 to the total number of weaknesses exploited by threat j}   (3)
  Ri = Σ(j = 1 to m) Rij, where m is the total number of threats on asset i   (4)

Here Ai is the security value of asset i; Tj is the threat factor of threat j; Vjk is the vulnerability factor of vulnerability Vk relative to threat Tj; Rijk is the risk value caused by threat j using weakness k on asset i; Rij is the comprehensive risk value caused by threat j on asset i; and Ri is the total risk value caused by all threats on asset i.

Using formulas (2)-(4), the risk value caused on asset i by each threat j exploiting each weakness k is calculated; the maximum over the weaknesses is the comprehensive risk value Rij caused by threat j on asset i, and Ri is the sum of the risks of all threats to asset i. After determining the total risk value of each key asset, the risk priority among the different assets must also be determined. Drawing on other risk assessment methods, the risk is divided into five levels, as shown in Table 2.

Table 2. Risk level assignment table
  Risk value     Level  Name            Meaning
  30 and above   4      Extremely high  Very severe impact
  20.1-30        3      High            Severe impact
  10.1-20        2      Medium          Moderate impact
  5.1-10         1      Low             Low to moderate impact
  0-5            0      Very low        Minor or no impact

4 Examples of E-Government Information Security Risk Assessment

The e-government system of a certain government department connects to its competent department over the intranet and to 14 prefectures and states, completes daily business processing and provides services to users. The quantitative risk assessment model based on OCTAVE proposed in this article is now used to evaluate its security.

4.1 Key asset identification and security value assessment

Through questionnaires and interviews with users, the key assets shown in Table 3 were identified and assigned security values, and the relative security values of the four types of servers were then calculated according to formula (1).

Table 3. Asset valuation table
  Asset name          Importance S  Confidentiality C  Integrity I  Availability U  Security value
  Database server A1  5             5                  5            5               5.00
  Web server A2       4             3                  4            5               4.17
  Mail server A3      4             4                  4            4               4.00
  Office server A4    4             4                  4            5               4.32

4.2 Threat identification and quantitative assessment

The various threats to the unit's information assets and their sources were analyzed; each threat was assigned a value based on the likelihood of its occurrence and the impact it would have, and the square root method was used to calculate the overall ranking of each threat's impact on each individual asset and on the entire e-government system. The results are shown in Table 4. Multiplying the overall ranking by 10 gives the threat factor Tij of threat Tj to asset Ai and the size of each threat Tj. The results show that the threat of malicious code attacks is the greatest, which is consistent with the actual situation.

The main reason is that the unit did not install network anti-virus software.

Table 4. Threat assignment table
  Threat type           Value  Overall ranking
  Operation error       2      0.04
  Privilege escalation  5      0.17
  Network phishing      2      0.20
  Tampering             4      0.10
  Denial of service     2      0.10
  Malicious code        3      0.22
  Configuration threat  3      0.07
  Repudiation           2      0.06
  Natural disaster      1      0.02

4.3 Weakness identification and quantitative assessment

The weaknesses of the e-government system were assigned values and the overall ranking of each weakness against each threat was calculated with the root method; the results are shown in Table 5. Multiplying the calculated weight by 10 gives the vulnerability factor Vij for threat Ti exploiting weakness j. The results show that improper configuration of the operating system and applications, and too many enabled services, are the two weaknesses that are easiest to exploit.

Table 5. Weakness assignment table
  Weakness name                     Exploitability value  Level           Overall ranking
  Improper software configuration   3                     High            0.30
  Weak password                     4                     Extremely high  0.11
  No backup or incomplete backup    3                     High            0.11
  Too many services enabled         3                     High            0.28
  No logs or incomplete logs        2                     Medium          0.02
  Not upgraded or patched           4                     Extremely high  0.07
  Security management not in place  3                     High            0.10

4.4 Risk calculation and rating

Risk calculation models (2)-(4) are used to calculate, for each key asset, the comprehensive risk value and risk level caused by each threat exploiting the various weaknesses; the results are shown in Tables 6-9.

Table 6. Database server risk value and risk level
  Threat type           Comprehensive risk value  Risk level
  Network phishing      15.50                     Medium
  Tampering             37.51                     Extremely high
  Denial of service     13.02                     Medium
  Privilege escalation  18.14                     Medium
  Malicious code        51.32                     Extremely high
  Configuration threat  26.21                     High
  Operation error       21.84                     High
  Repudiation           11.50                     Medium
  Natural disaster      4.20                      Very low

Table 7. Web server risk value and risk level
  Threat type           Comprehensive risk value  Risk level
  Network phishing      11.28                     Medium
  Tampering             11.75                     Medium
  Denial of service     6.20                      Low
  Privilege escalation  25.65                     High
  Malicious code        16.45                     Medium
  Configuration threat  34.80                     Extremely high
  Operation error       8.00                      Low
  Repudiation           4.13                      Very low
  Natural disaster      2.50                      Very low

Table 8. Mail server risk value and risk level
  Threat type           Comprehensive risk value  Risk level
  Network phishing      12.30                     Medium
  Tampering             5.64                      Low
  Denial of service     3.72                      Very low
  Privilege escalation  9.72                      Low
  Malicious code        11.28                     Medium
  Configuration threat  17.28                     Medium
  Operation error       2.52                      Very low
  Repudiation           3.30                      Very low
  Natural disaster      2.25                      Very low

Table 9. Office server risk value and risk level
  Threat type           Comprehensive risk value  Risk level
  Network phishing      26.16                     High
  Tampering             10.34                     Medium
  Denial of service     13.64                     Medium
  Privilege escalation  4.75                      Very low
  Malicious code        17.58                     Medium
  Configuration threat  20.06                     High
  Operation error       3.52                      Very low
  Repudiation           6.05                      Low
  Natural disaster      2.20                      Very low

The above evaluation process and results show that, among the four servers, the database server has the largest total risk value. The main reason is that several systems on the database server were not upgraded in a timely manner; in addition, the server also runs multiple high-risk services, and these high-risk vulnerabilities and services pose great security risks. Since almost all business data is stored on the database server, paralysis of this server would have a great impact on the normal operation of the entire system. The web server is next, with a higher risk: a weak password is its biggest problem, and in addition the APACHE software is not upgraded in time; these large security risks create the conditions for hackers to invade. The mail server and office server are relatively low risk, but weak password problems are also very serious, such as accounts with no password, the username and password being the same, and insufficient password length. These weak passwords should be deleted or changed as soon as possible, and the system and applications upgraded to the latest versions.
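The procedure of sections 3.2.1 to 3.2.4 as one runnable calculation, added here as an example and not code from the original paper or its authors: formula (1) for the Table 3 asset values, an AHP priority vector by the root (geometric-mean) method, which is assumed to be what the paper calls the "square root method", formulas (2)-(4) for the database server, and the Table 2 banding. The threat factors are Table 4 rankings multiplied by 10; the per-threat vulnerability factors and the pairwise judgment matrix are constructed, since the paper prints only the overall weakness ranking of Table 5.

```python
import math

# Table 2 risk bands as (lower bound, level number, level name). The paper
# writes them as 0-5, 5.1-10, 10.1-20, 20.1-30 and 30 and above, and its own
# Table 9 rates 20.06 as "high", so each bound is applied as "above".
RISK_BANDS = [(30, 4, "extremely high"), (20, 3, "high"),
              (10, 2, "medium"), (5, 1, "low")]


def asset_value(s, c, i, u):
    """Formula (1): Va = log2[(2^S + 2^C + 2^I + 2^U) / 4]."""
    return math.log2((2 ** s + 2 ** c + 2 ** i + 2 ** u) / 4)


def root_method_weights(matrix):
    """AHP priority vector by the root (geometric-mean) method, assumed to be
    the paper's 'square root method': the n-th root of each row product of the
    pairwise judgment matrix, normalised to sum to 1."""
    n = len(matrix)
    geo = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(geo)
    return [g / total for g in geo]


def risk_band(r):
    """Map a comprehensive risk value to (level number, level name) per Table 2."""
    for lower, num, name in RISK_BANDS:
        if r > lower:
            return num, name
    return 0, "very low"


def asset_risk(a_i, threat_factors, vuln_factors):
    """Formulas (2)-(4) for one asset with security value a_i.
    threat_factors: {threat j: T_j}; vuln_factors: {threat j: {weakness k: V_jk}}
    for the weaknesses threat j can exploit. Returns ({threat j: R_ij}, R_i)."""
    r_ij = {}
    for j, t_j in threat_factors.items():
        # (2): R_ijk = A_i * T_j * V_jk for every weakness k that threat j exploits
        r_ijk = [a_i * t_j * v for v in vuln_factors.get(j, {}).values()]
        # (3): the threat's comprehensive risk is its worst-case weakness
        r_ij[j] = max(r_ijk, default=0.0)
    # (4): the asset's total risk is the sum over all threats
    return r_ij, sum(r_ij.values())


# Database server A1 from Table 3: S = C = I = U = 5, so A_1 = 5.00.
DB_SERVER_VALUE = asset_value(5, 5, 5, 5)

# Threat factors T_j: Table 4 overall rankings multiplied by 10, as the paper
# does (four of the nine threats are enough to show the calculation).
THREAT_FACTORS = {"malicious code": 2.2, "network phishing": 2.0,
                  "privilege escalation": 1.7, "natural disaster": 0.2}

# CONSTRUCTED per-threat vulnerability factors V_jk: the paper prints only the
# overall weakness ranking (Table 5), so these values are illustrative.
VULN_FACTORS = {
    "malicious code": {"improper configuration": 3.0, "not patched": 0.7},
    "network phishing": {"weak password": 1.1, "security management": 1.0},
    "privilege escalation": {"too many services": 2.8, "not patched": 0.7},
    "natural disaster": {"no backup": 1.1},
}


def db_server_report():
    """Per-threat (R_ij, Table 2 level name) for the database server, plus R_i."""
    r_ij, r_i = asset_risk(DB_SERVER_VALUE, THREAT_FACTORS, VULN_FACTORS)
    per_threat = {j: (round(r, 2), risk_band(r)[1]) for j, r in r_ij.items()}
    return per_threat, round(r_i, 2)


if __name__ == "__main__":
    per_threat, total = db_server_report()
    for threat, (value, level) in per_threat.items():
        print(f"{threat:22s} R_ij = {value:6.2f}  {level}")
    print(f"total R_i = {total:.2f}")
```

With the constructed vulnerability factors the malicious code threat lands in the "extremely high" band, matching the ordering the paper reports for the database server; swapping in the real per-threat factors only changes the inputs, not the procedure.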

5 Conclusion

Based on the evaluation and study of various domestic and foreign standards, combined with the relatively new OCTAVE evaluation theory, this article has studied a complete risk assessment model for e-government information security. It mainly uses AHP and OCTAVE to establish the e-government information security risk assessment model and explains each modeling step in detail. Against the background of a case, the assessment model for an e-government system was validated. The model is based on asset assessment, threat assessment, vulnerability assessment and risk calculation; its advantage is good operability, and the AHP method is used to move from qualitative to quantitative data, so that the evaluation results are more objective and practical.