Posted on: 07. 03. 2017 [11:08]
Member since: 06.09.2016
I came across what I believe is an error in risk calculation.
An asset has Impact set at CIA: 1-1-1
A linked scenario to the asset has Threat and Vulnerability set at 1-1
A linked control to the asset modifies CIA with 2-1-2
I would expect the result to be:
Risk on asset after linking the scenario: 3-3-3
Risk on asset after applying control: 1-2-1
Instead the risk on asset after applying control in Verinice is: 2-2-2
It seems that Verinice FIRST reduces the risk by implementing the control and THEN increases the risk by linking the scenario. In this case:
Risk on asset after applying control: 0-0-0 (1-1-1 minus 2-1-2). The risk cannot be less than zero?
Risk on asset after linking the scenario: 2-2-2
It does not seem right but maybe I am missing the point here?
Posted on: 13. 04. 2017 [12:05]
Member since: 05.08.2015
In verinice you have two options to link controls. Depending on how you link them, you get a different result; this is intended:
1. Linking to the asset:
This reduces Business Impact.
In your example:
Asset Business Impact CIA: 1-1-1
- Control: 2-1-2
Control reduces the Business Impact of the asset: 0-0-0 (since no negative values are possible)
+ Scenario: 1-1 = 2
The values from the scenario remain unaffected: 1-1 = 2
Results after applying: 2-2-2
2. Link to the Scenario:
This reduces the probability of the scenario.
In your example:
Scenario: 1-1 = 2
- Control: 2 (Here you must decide on a value as this affects the probability - and not CIA)
Control reduces the probability of the scenario: 0-0 = 0
+ Asset Business Impact CIA: 1-1-1
The values from the asset remain unaffected: 1-1-1
Results after applying: 1-1-1
Note: On our YouTube channel (https://www.youtube.com/channel/UCtBIMOtfziqFgI0pyAPHNww) you will find many videos on working with verinice, including one on risk assessment (https://www.youtube.com/watch?v=xdR7lVd_K7o&list=PLYG8Ez-PzQxvTh860o4qy1h3yilzA3gVj&index=2).
Your verinice team
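
The three calculations discussed in this thread, side by side, as an added example that is not part of either post and is not verinice's own code. It assumes the model described in the reply (risk per C/I/A component = business impact + scenario probability, probability = threat + vulnerability, reduced values floored at zero); all function names are hypothetical.

```python
# Added illustration: model reconstructed from the reply above, not verinice source.
# Assumption: risk = business impact + probability, probability = threat + vulnerability,
# and any value reduced by a control cannot drop below 0.

def probability(threat, vulnerability):
    return threat + vulnerability

def _floor0(value):
    return max(0, value)

def risk_without_control(impact, threat, vulnerability):
    """Risk on the asset once the scenario is linked, no control applied."""
    p = probability(threat, vulnerability)
    return tuple(i + p for i in impact)

def risk_control_on_asset(impact, threat, vulnerability, control_cia):
    """Option 1: control linked to the asset lowers business impact per C/I/A."""
    p = probability(threat, vulnerability)
    reduced = (_floor0(i - c) for i, c in zip(impact, control_cia))
    return tuple(i + p for i in reduced)

def risk_control_on_scenario(impact, threat, vulnerability, control_value):
    """Option 2: control linked to the scenario lowers its probability (one value)."""
    p = _floor0(probability(threat, vulnerability) - control_value)
    return tuple(i + p for i in impact)

def risk_control_on_total(impact, threat, vulnerability, control_cia):
    """Arithmetic expected in the first post: control subtracted from combined risk."""
    total = risk_without_control(impact, threat, vulnerability)
    return tuple(_floor0(t - c) for t, c in zip(total, control_cia))

if __name__ == "__main__":
    impact, threat, vuln = (1, 1, 1), 1, 1      # values from the thread
    print("no control:        ", risk_without_control(impact, threat, vuln))
    print("control on asset:  ", risk_control_on_asset(impact, threat, vuln, (2, 1, 2)))
    print("control on scenario:", risk_control_on_scenario(impact, threat, vuln, 2))
    print("expected by poster: ", risk_control_on_total(impact, threat, vuln, (2, 1, 2)))
```

Because the floor is applied to the impact before the probability is added, a control stronger than the asset's impact gives no further reduction when linked to the asset; with an impact of 3-3-3 the same control would yield 3-4-3.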