
Risk assessment criteria

Risks & risk criteria in Versio.io

In Versio.io, all violations are referred to as risks. Violations arise from the breach of a policy. A violation is assessed in terms of risk by:

  • Severity
  • Protection requirement
  • Risk score (aggregation of severity and protection requirement)

Severity

A severity level can be set in Versio.io for violations and events. This is represented on a scale of 1-10:

| Severity value | Name        |
|----------------|-------------|
| 1              | Info        |
| 2              | Minimal     |
| 3              | Low         |
| 4              | Moderate    |
| 5              | Medium      |
| 6              | Significant |
| 7              | High        |
| 8              | Very High   |
| 9              | Critical    |
| 10             | Outage      |

Table: Versio.io internal severity scale

Violation

A violation occurs when a policy is breached. A fixed severity level can be defined in the policy for potential violations; a violation with that severity is created each time the policy is breached.

If the policy is a vulnerability check (CVE), the severity of the violation is replaced by the CVE score (1-10) whenever the CVE score is greater than the severity defined in the policy. The CVE score is rounded mathematically to the nearest whole number (halves round up).

Event

When a violation is created or closed, a corresponding start and end event can be generated. The event adopts the severity of the violation 1:1.

If an event is created via OneAPI, the severity can be freely defined (see Severity Table). When importing syslog events with a severity scale of 0-7, the mappings to the Versio.io scale can be defined for each Versio.io environment under Environment settings -> Event processing -> Tab: Syslog.

Protection requirement index

The BSI protection requirements assessment is a central and early step in the IT baseline protection (IT-Grundschutz) concept of the Federal Office for Information Security (BSI). It systematically assesses the level of protection required for the information, applications and IT systems of an organisation or public authority by determining the damage that would occur if the confidentiality, integrity or availability of data were compromised. Based on this potential damage, the respective objects are classified into the protection requirement categories 'normal', 'high' or 'very high'. This classification determines which of the security measures defined in the IT-Grundschutz Compendium must be implemented.

Versio.io enables protection requirements assessments (PRA) to be recorded and linked directly to a piece of information, an application or an IT system. Based on the Versio.io topology, each underlying component can inherit this protection requirement, so the protection requirement (PR) of a component is calculated from all protection requirements assessments located above it in the topology. For integration into Versio.io risk management, a protection requirement is calculated for each violation in the form of the protection requirement index (PRI). The protection requirement index takes a value between 3 (minimum) and 11 (maximum).

When determining a protection requirement assessment, a distinction can be made between the following values:

| PRA category value | Description                                                        |
|--------------------|--------------------------------------------------------------------|
| low                | Damage effects are limited and manageable.                         |
| medium             | Damage impact can be significant.                                  |
| high               | Damage can reach existentially threatening, catastrophic proportions. |

Table: Meaning of PRA category values

The protection requirement index (PRI) is calculated as the sum of the weightings assigned to the PRA category values. Each PRA category value (low, medium, high) maps to the following weighting for the PRI calculation:

| PRA category    | low | medium | high | PRA description                                                                        |
|-----------------|-----|--------|------|----------------------------------------------------------------------------------------|
| Confidentiality | 1   | 2      | 3    | Confidential information is taken note of or passed on without authorisation.          |
| Availability    | 1   | 3      | 5    | Authorised users are prevented from accessing information and systems.                 |
| Integrity       | 1   | 2      | 3    | The correctness of the information and the functioning of systems are no longer given. |

Table: PRA category values and weighting for PRI calculation

The PRI is therefore the sum of the three weighted PRA categories: $ProtectionRequirementIndex = Confidentiality + Availability + Integrity$

Risk score

The Risk Score provides a basis for assessment per violation and takes a value between 1 and 100. It is calculated from the severity (1-10) and the normalised Protection Requirement Index (1-10):

$RiskScore = Severity * NormalisedProtectionRequirementIndex$

Group risk score

The Group Risk Score makes it easier to analyse and evaluate the need for action by aggregating all risk scores of a policy. It shows, for example, where many open violations (risks) can be eliminated with a single measure. The calculation is performed as follows:

$GroupRiskScore[Policy] = \sum RiskScore[Policy]$
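The scoring chain described above (violation severity including the CVE override, PRI from inherited PRA values, normalised PRI, Risk Score and Group Risk Score), as an added worked example that is not Versio.io's own code. The weightings and ranges are taken from this page; how several inherited assessments are merged and how the PRI is normalised onto 1-10 are not specified on the page and are marked as assumptions in the code.

```python
import math

# Weightings from the PRA table on this page.
WEIGHTS = {
    "confidentiality": {"low": 1, "medium": 2, "high": 3},
    "availability":    {"low": 1, "medium": 3, "high": 5},
    "integrity":       {"low": 1, "medium": 2, "high": 3},
}
LEVELS = ["low", "medium", "high"]

def violation_severity(policy_severity, cve_score=None):
    """Severity 1-10 from the policy; for a CVE check the mathematically
    rounded CVE score replaces it when the score is greater."""
    if cve_score is None:
        return policy_severity
    rounded = math.floor(cve_score + 0.5)  # round half up, unlike Python's round()
    return max(policy_severity, rounded)

def inherited_pra(pras):
    """Merge every PRA located above a component in the topology.
    ASSUMPTION: the highest value per category wins; the page does not state
    how Versio.io merges several inherited assessments."""
    merged = {cat: "low" for cat in WEIGHTS}
    for pra in pras:
        for cat, level in pra.items():
            merged[cat] = max(merged[cat], level, key=LEVELS.index)
    return merged

def protection_requirement_index(pra):
    """PRI = sum of the three category weightings (3..11)."""
    return sum(WEIGHTS[cat][pra.get(cat, "low")] for cat in WEIGHTS)

def normalised_pri(pri):
    """ASSUMPTION: linear mapping of PRI 3..11 onto 1..10, rounded; the page
    gives the target range but not the normalisation formula."""
    return round(1 + (pri - 3) * 9 / 8)

def risk_score(severity, pri):
    """Risk Score = Severity * normalised PRI (1..100)."""
    return severity * normalised_pri(pri)

def group_risk_score(violations):
    """Sum of the risk scores of all violations, per policy."""
    totals = {}
    for v in violations:
        totals[v["policy"]] = totals.get(v["policy"], 0) + risk_score(v["severity"], v["pri"])
    return totals
```

A component that sits below an application assessed as confidentiality high / availability medium and an IT system assessed as availability high / integrity medium (constructed values) ends up with PRI 10; at severity 7 this gives a Risk Score of 63 under the assumed normalisation.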

Risk matrix

A risk matrix is a matrix used in risk assessment to analyse the current risk level in a simple and timely manner.

Versio.io uses a 5 x 5 risk matrix. The X-axis (horizontal) shows the severity and the Y-axis (vertical) shows the protection requirement (index, PRI) of the risk. With this arrangement, the risks positioned at the top right are rated as the highest risk (greatest urgency of remediation), and the risk decreases towards the bottom left.

The following graphic illustrates the assignment of PRI and severity values:

Figure: Assignment of PRI and severity values in the risk matrix