Quantifying Software Security Risk
What are the frameworks out there that organizations can use to quantify risk?
Risk management is a hot topic across many boardrooms, so much so that the insurance and financial sectors have established frameworks that organizations can use to quantify risks. Across other sectors, however, organizations remain challenged with establishing how to calculate the risks that stem from developing or using software.
When it comes to software, security cannot trump getting the product to market. Rather, frameworks should be used to determine the potential risks, which not only pose a threat to enterprise security but can also negatively impact software operations on both the customer and vendor side. Avoiding risk altogether is the best solution, but highly unlikely. Sometimes the best you can hope for is to minimize risk by quantifying the potential impact and degree of risk to software projects and products.
Several people have put forth frameworks for evaluating risk through the software lifecycle, though there are no established industry standards. Key to any risk assessment strategy, though, is first identifying the likelihood of a vulnerability being discovered and then understanding the impact of that discovery.
In order to reduce and respond to risk effectively, enterprises must rely on some framework to quantify it. Here are a few suggested frameworks your company can use to better measure its risks.
- For those responsible for assessing and managing risk in development and operational settings, the Carnegie Mellon University Software Engineering Institute (SEI) risk management framework, authored by Christopher J. Alberts and Audrey J. Dorofee, August 2010.
- Build Security In: Risk Management Framework, a condensed version of the Cigital RMF designed to manage software-induced business risks, authored by Gary McGraw in 2005 and revised in July 2013.
- Risk Management in Software Development, authored by Aihua Yan in November 2008, proposes a model for applying a risk management approach to software development projects.
- For risk analysis from the point of view of the software vulnerability lifecycle, A Framework for Software Security Risk Evaluation using the Vulnerability Lifecycle and CVSS Metrics by HyunChul Joh and Yashwant K. Malaiya proposes an approach to software risk evaluation.
- The FAIR Institute, which promotes the Value at Risk (VAR) model, is a community that shares best practices and “provides information risk, cybersecurity and business executives with the standards and best practices to help organizations measure, manage and report on information risk from the business perspective.”