Summary:

This report presents the work carried out during an internship at the consultancy division of Thales Security Systems from September 2005 to June 2006. Thales Security Systems is part of Thales, an international group active in defence, aeronautics and other sectors. The work consisted of creating a new risk assessment methodology for a commercial offer called HELP, standing for Human, Environmental, Logical and Physical security.

As a basis for the work, five existing risk assessment methodologies were studied, summarised and analysed:
- Integrated security risk assessment: a methodology created by Thales Security Systems but not used because of its complexity
- Ebios: a complete risk assessment methodology created by the French government
- Marion: essentially an audit questionnaire
- Audit questionnaire ISO 17799: an audit questionnaire created by Thales Security Systems
- A confidential methodology: a methodology of another company with interesting concepts

To complete this first piece of work, many interviews were conducted with specialists in risk assessment and strategy:
- Counter-Admiral Girard, who insisted on the preliminary task of defining the mission and its limits, on lessons learned from experience, and on the security frame of mind
- Guy Dubois, on maintaining the security level year after year
- Thomas Lebouc, on the tools used to apply the methodology
- Gérard Pesch, regarding the commercial offer
- Yves le Dauphin, on the human issues

The advantages and drawbacks of the studied methodologies were then compared in order to determine the essential characteristics the new methodology had to have. The new methodology was created taking into account all of these advantages, drawbacks and pieces of advice.

The new methodology has five steps:
- Definition of the mission and its limits: determination of the objectives of the mission and its perimeter
- General analysis of the system: study of the system in its environment
- Risk analysis: determination of the threats, assets and vulnerabilities
- Protection standards: determination of the protection measures to implement
- Budget, action plans and implementation

To apply the methodology, several tools were created. They are necessary for the methodology to run well, as they help present results in a clear way. Examples of these tools are a risk analysis board, a vulnerability audit questionnaire, diagrams and protection standard sheets.

Source: www.ima.kth.se