├── 00-a-title.md
├── 00-b-toc.md
├── 00-c-intro.md
├── 00-d-supporting.md
├── 01-a-sources.md
├── 02-a-frequency-factors.md
├── 03-a-events.md
├── 04-a-consequence-factors.md
├── 05-a-consequences.md
├── CNAME
├── LICENSE
├── README.md
├── _config.yml
├── basic-bowtie.jpg
├── buildpdf.sh
├── complicated-bowtie.jpg
├── control-bowtie.jpg
├── cover.jpg
├── examples
│   └── ISO Based Controls Playbook.pdf
├── oisru.pdf
├── osiru-coverage.png
├── oss2020
│   ├── OSS2020_-_OISRU_Activity_Slides.pdf
│   └── OSS2020_-_Open_Information_Security_Risk_Universe_(OISRU).pdf
├── pagebreak.tex
├── riskmanagement.png
├── toc-template.markdown
├── universe-scope.jpg
└── universe-scope.png

--------------------------------------------------------------------------------
/00-a-title.md:
--------------------------------------------------------------------------------

---
title: Open Information Security Risk Universe
...

![](cover.jpg "A light in the storm.")

--------------------------------------------------------------------------------
/00-b-toc.md:
--------------------------------------------------------------------------------
# Table of Contents

- [Introduction](#introduction)
  - [Overview of the Risk Universe](#overview-of-the-risk-universe)
  - [Definitions](#definitions)
  - [Other Relevant Standards](#other-relevant-standards)
  - [Contributors](#contributors)
  - [License](#license)
- [How to use](#how-to-use)
  - [Risks](#risks)
  - [Risk Scenarios](#risk-scenarios)
  - [Risk Statements](#risk-statements)
  - [Bow-Tie Diagrams](#bow-tie-diagrams)
  - [Risk Coverage](#risk-coverage)
- [Sources of Risk](#sources-of-risk)
  - [Internal vs External Sources](#internal-vs-external-sources)
  - [Malicious vs Non-Malicious](#malicious-vs-non-malicious)
  - [Characteristics](#characteristics)
- [Frequency Risk Factors](#frequency-risk-factors)
  - [External Frequency Risk Factors](#external-frequency-risk-factors)
  - [Internal Frequency Risk Factors](#internal-frequency-risk-factors)
- [Risk Events](#risk-events)
  - [External Risk Events](#external-risk-events)
  - [Internal Risk Events](#internal-risk-events)
- [Severity Risk Factors](#severity-risk-factors)
  - [External Severity Risk Factors](#external-severity-risk-factors)
  - [Internal Severity Risk Factors](#internal-severity-risk-factors)
- [Consequences](#consequences)

--------------------------------------------------------------------------------
/00-c-intro.md:
--------------------------------------------------------------------------------
# Introduction

A Risk Universe provides a comprehensive view of the possible risks we face. It is designed to aid categorisation, but also to act as a check on the scope of our risk identification exercises, so that we do not miss risks that then take us by surprise when they occur.

![Risk Management](./riskmanagement.png)

The goal of the Open Information Security Risk Universe (OISRU) is to provide a model- and method-independent framework and taxonomy for expressing and categorising security risk.

This framework should be complementary to the Basel II operational risk event types, recognising that information security risk permeates operational risk.

## Overview of the Risk Universe

The Open Information Security Risk Universe comprises, at its core, Sources of Risk Events, Risk Events and Consequences of Risk Events. These are supplemented by Risk Factors that drive the Frequency or Severity of the Risks.

![OISRU Scope](./universe-scope.png)

The Open Information Security Risk Universe does not directly address likelihood or controls, as these are covered by other analysis and evaluation methods.

## Definitions

**Risk**: *The effect of uncertainty on objectives. Usually expressed in terms of risk sources, possible events and their consequences and likelihood.* (Source: ISO 31000)

**Sources of Risk**: *Element which alone or in combination has the potential to give rise to risk.* (Source: ISO 31000)

**Risk Event**: *Occurrence or a change of a particular set of circumstances.* (Source: ISO 31000)

**Consequences**: *Outcome of an event affecting objectives.* (Source: ISO 31000)

**Likelihood**: *Chance of something occurring.* (Source: ISO 31000)

**Control**: *Measure that maintains or modifies risk.* (Source: ISO 31000)

## Other Relevant Standards

* *NIST Special Publication 800-30 R1, Guide for Conducting Risk Assessments*, has a comprehensive set of threat sources (Risk Sources) in Appendix D, a *very* comprehensive set of threat events (Risk Events) in Appendix E and a list of effects of threat events (Consequences) in Appendix H.

* OCTAVE Allegro has an indicative set of threat trees in Step 5 (Risk Sources); Appendix B includes the Impact Areas (Consequences) and Appendix C includes Threat Scenarios (Risk Events).

Both of these standards are very useful and highly recommended sources, but they tie their taxonomy into specific qualitative methods for risk analysis. The goal of the OISRU is to be independent of any particular analysis model, whether quantitative or qualitative.

* ISO 27005 includes a list of consequences in Appendix B.2.3, and Appendix C includes a mixed list of events and sources. Appendix C seems to use the term consequences in a somewhat muddled way.

## Contributors

The following people have contributed to this document:

* Phil Huggins
* Paul De Luca
* Robin Oldham
* Jordan M. Schroeder
* Tony Richards
* Alex Lucas

## License

The Open Information Security Risk Universe is licensed under the Creative Commons Zero v1.0 Universal license. Please see the project GitHub repository [https://github.com/oracuk/oisru](https://github.com/oracuk/oisru) for details.

--------------------------------------------------------------------------------
/00-d-supporting.md:
--------------------------------------------------------------------------------
# How to use

## Risks

A risk event alone is not a risk. At its simplest, a risk is a single risk event together with the single consequence of that event.

As risk scenarios are developed, however, they are likely to combine one or more sources, one or more risk events and one or more consequences.

Risk events may lead to other risk events within the scenario. For example, a *software exploit* may lead to *unauthorised access to a system* that then causes consequences.

## Risk Scenarios

Risk scenarios are the descriptive, business-context narrative form of the risks facing your business. They are useful in communicating with stakeholders about the risk, as they read like real-world stories that stakeholders recognise from their own experience. Risk scenarios tend to be specific to business functions and their environment.

For example:

**Title:** *"Accidental Market Sensitive Information Leak."*
**Description:** *"During the reporting period a member of the accounting team, under time pressure, accidentally sends a draft of the annual report to an employee at our technology outsourcer who has the same name as our Chief Financial Officer, as a result of address auto-complete in their email software. If the draft leaks it could lead to market sensitive information being published ahead of the report, which could lead to a regulatory sanction and trigger insider trading."*

When writing relevant risk scenarios the analyst should consider:

* **Context** - *'Who'* - Groups, Individuals, Organisations
* **Triggers** - *'Why'* - Motivations, Goals
* **Event** - *'What, How'* - Activities, Objectives, Targets
* **Timelines** - *'When, How long'* - Triggering Events, Opportunity
* **Location** - *'Where'* - Geography, Networks
* **Responses** - *'So what'* - Harms, Likely following events

While the description of a risk scenario can be tailored to language appropriate to the organisation in scope and to the stakeholders or experts who must consider it, the underlying statement of the risk that the scenario represents can, and should, be standardised using the Open Information Security Risk Universe.

## Risk Statements

At its simplest, a risk scenario can be translated into a risk statement using the following structure:

There is a risk that \<**source**> causes \<**event**>, leading to \<**outcome**>, which causes \<**consequence**>.

An example of a minimal risk statement structured as above is:

“_There is a risk that an employee accidentally emails data to an external recipient leading to an accidental market sensitive information leak which causes regulatory fines._”

“_There is a risk that an **employee accidentally** (\<source>) **emails data to an external recipient** (\<event>) leading to an **accidental market sensitive information leak** (\<outcome>) which causes **regulatory fines** (\<consequence>)._”

Ensuring that every risk scenario is also formally stated as a risk statement allows comparison between scenarios, and shows what coverage of the OISRU the organisation is currently considering and whether that coverage is appropriate.

## Bow-Tie Diagrams

Bow-tie diagrams can be a very useful way to visualise the components of a risk. A bow-tie diagram places the risk at the 'knot' of the tie with a tree on either side: the left-hand tree is a fault tree showing the causal relationships that lead to the risk, and the right-hand tree is an event tree showing the consequences of the risk.

A simple risk such as the example given above can be represented as follows:

\<source> -> \<event> -> \<outcome> -> \<consequence>

![A Very Basic Bow-Tie](basic-bowtie.jpg)

Most bow-tie diagrams are more complicated than this; the following example shows many events and consequences:

![A more complicated Bow-Tie](complicated-bowtie.jpg)

The real value of a bow-tie diagram is in evaluating the available controls and mitigations. In this context a control is a limiting factor that influences the fault tree on the left-hand side, whereas a mitigation is a limiting factor that influences the event tree on the right-hand side.
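The risk statement template and the bow-tie decomposition above are simple enough to make mechanical. The following Python is an added example, not code from the OISRU project: it holds each register entry as a source, an ordered chain of events, a scenario-specific outcome and a set of consequences; renders the standardised statement; checks that every slot is filled from the right table (so a consequence written into the event slot is reported, the kind of mixing the introduction criticises in ISO 27005 Appendix C); and lists the taxonomy terms that no risk references, which is the gap analysis described in the Risk Coverage section below. The taxonomy subsets and the three-entry register are constructed for this example; the full tables are in the Sources of Risk, Risk Events and Consequences sections.

```python
# Added example: structured OISRU risk statements, slot validation and
# register coverage. Taxonomy subsets and the register are constructed here.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed subsets of the Level 2 terms, keyed by the statement slot each
# term may fill. Outcomes are scenario-specific free text and have no table.
TAXONOMY: Dict[str, Set[str]] = {
    "source": {
        "Accidental", "Disgruntled", "Criminals", "Hacktivists",
        "State-Sponsored", "Compromised suppliers",
    },
    "event": {
        "Phishing", "Ransomware", "Software Exploit",
        "Use of stolen credentials",
        "Unauthorised access to system / component",
        "Unauthorised sharing of information",
        "Distributed / Denial of Service",
    },
    "consequence": {
        "Regulatory fines", "Business Disruption", "Theft of money",
        "Damaged reputation", "Unplanned costs",
    },
}


@dataclass(frozen=True)
class Risk:
    """One risk register entry decomposed into the statement slots."""
    source: str
    events: Tuple[str, ...]        # ordered chain: one event may lead to the next
    outcome: str                   # scenario-specific, not a taxonomy term
    consequences: Tuple[str, ...]

    def statement(self) -> str:
        """Render the standardised risk statement from the components."""
        chain = " leading to ".join(self.events)
        harm = " and ".join(self.consequences)
        return (f"There is a risk that {self.source} causes {chain}, "
                f"leading to {self.outcome}, which causes {harm}.")


def validate(risk: Risk) -> List[str]:
    """List slots filled with a term that is not in that slot's table; a term
    that belongs to another table (e.g. a consequence used as an event) is named."""
    problems = []
    slots = (("source", (risk.source,)),
             ("event", risk.events),
             ("consequence", risk.consequences))
    for slot, terms in slots:
        for term in terms:
            if term in TAXONOMY[slot]:
                continue
            elsewhere = [s for s, table in TAXONOMY.items() if term in table]
            if elsewhere:
                problems.append(f"{term!r} used as {slot} but is a {elsewhere[0]}")
            else:
                problems.append(f"{term!r} is not a known {slot}")
    return problems


def coverage(register) -> Dict[str, Dict[str, Set[str]]]:
    """Split each table into terms some risk references and terms none does."""
    used: Dict[str, Set[str]] = {slot: set() for slot in TAXONOMY}
    for risk in register:
        used["source"].add(risk.source)
        used["event"].update(risk.events)
        used["consequence"].update(risk.consequences)
    return {slot: {"covered": table & used[slot], "gaps": table - used[slot]}
            for slot, table in TAXONOMY.items()}


# Constructed 'top risks' register. It deliberately references neither
# hacktivists nor ransomware, so the coverage check surfaces the same gaps
# as the CISO walk-through in the Risk Coverage section.
REGISTER = (
    Risk("Accidental", ("Unauthorised sharing of information",),
         "an accidental market sensitive information leak",
         ("Regulatory fines",)),
    Risk("Criminals", ("Phishing", "Use of stolen credentials"),
         "fraudulent payment instructions being actioned",
         ("Theft of money", "Damaged reputation")),
    Risk("State-Sponsored",
         ("Software Exploit", "Unauthorised access to system / component"),
         "exfiltration of customer records",
         ("Regulatory fines", "Unplanned costs")),
)

# A badly formed entry: a consequence has been written in the event slot.
BAD_RISK = Risk("Disgruntled", ("Theft of money",),
                "misuse of the finance system", ("Unplanned costs",))

if __name__ == "__main__":
    for risk in REGISTER:
        print(risk.statement())
    for slot, result in coverage(REGISTER).items():
        print(f"{slot} gaps: {sorted(result['gaps'])}")
    print(validate(BAD_RISK))
```

Run stand-alone, the script prints the three standardised statements, then the uncovered sources (Disgruntled, Hacktivists, Compromised suppliers), events (Ransomware, Distributed / Denial of Service) and consequences (Business Disruption), and finally the validation failure for the badly formed entry. Extending `TAXONOMY` to the full tables is a copy-and-paste job; the logic does not change.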
The diagram below shows some example controls, but the OISRU is independent of control frameworks; to draw a bow-tie diagram such as this you would need to use both the OISRU and your choice of control framework.

![Bow-Tie Including Controls](control-bowtie.jpg)

A bow-tie can be extended with concepts of frequency/likelihood, control/mitigation effectiveness and quantified consequences, but these are beyond the scope of the OISRU.

## Risk Coverage

A key use of the OISRU is to check the coverage of existing identified risks and so identify any gaps. It does not take long to translate an existing risk register into the OISRU taxonomy of \<source> -> \<event> -> \<consequence>. The contents of a risk register can then be compared easily with the OISRU to see the gaps.

Below is an example of translating the top ten security risks for a firm into the universe. Red components were referenced in an existing risk; grey components were not referenced in any existing risk.

![Coverage Example](osiru-coverage.png)

This allowed the CISO to confirm whether they were comfortable with their choice of top ten risks. In this example the CISO walked through the gaps and identified the lack of hacktivists as a source of risk, and the lack of malware, especially ransomware, as a risk event, as both worthy of generating new risk scenarios and new risk statements and of analysing their expected outcomes.

This sort of comparison is also useful for IT Auditors when they provide oversight of security risk processes and security risk registers, as it provides a basis for challenge and communication with the security management team.

--------------------------------------------------------------------------------
/01-a-sources.md:
--------------------------------------------------------------------------------

# Sources of Risk

These are the various sources that cause a risk event to occur.

## Internal vs External Sources

Internal sources are within the trust and control boundary of the organisation, whereas External sources exist outside that boundary.

## Malicious vs Non-Malicious

Malicious sources intend to cause harm, whereas Non-Malicious sources do not.

|Source|Internal/External|Malicious/Non-Malicious|
|------|-----------------|-----------------------|
|Disgruntled|Internal|Malicious|
|Accidental|Internal|Non-Malicious|
|Ineffective|Internal|Non-Malicious|
|Criminal|Internal|Malicious|
|Coerced|Internal|Malicious|
|Criminals|External|Malicious|
|Hacktivists|External|Malicious|
|Compromised suppliers|External|Non-Malicious|
|State-Sponsored|External|Malicious|
|Competitor|External|Malicious|
|Press|External|Non-Malicious|
|Researcher|External|Non-Malicious|
|Regulator|External|Non-Malicious|

## Characteristics

When analysing risks it can be useful to consider the characteristics of each source; the following are worth bearing in mind:

* **Goals** (Curiosity, Personal Fame, Personal Gain, National Interests, Revenge, etc.)
* **Skills** (No technical skills, End user, Power user, Developer, Researcher)
* **Knowledge** (External to organisation, Ex-organisation insider, Organisation partner, Customer, Employee, Other insider)
* **Opportunity** (Connected to Internet, Physically nearby, Access to connected partner, Access to organisation, Access to specific network / system)
* **Deterrability** (Unconcerned criminal, Careful criminal, Careless law-abiding, Careful law-abiding)

--------------------------------------------------------------------------------
/02-a-frequency-factors.md:
--------------------------------------------------------------------------------

# Frequency Risk Factors

Risk Factors are estimable values that are correlated with a risk but may not directly cause it. An increase in a risk factor may not directly drive an increase in the risk, but it is indicative of an increase in the risk and is useful for better informing expert estimation of the overall risk. A positively correlated risk factor increases as the risk increases.

Frequency risk factors are relevant to the estimation of the frequency, or likelihood, with which a risk is expected to occur.

## External Frequency Risk Factors

External Frequency Risk Factors are risk factors outside your scope of control that may affect the frequency of the risks you manage.

These are stated as questions to ask yourself or your organisation. The ability to estimate or measure these risk factors will vary between organisations.

* Will an attacker attack us?
* Will an attacker attack our supplier(s)?
* Does an attacker have the ability to attack us?
* Are there any hacking campaigns targeting our sector?
* Are there any hacking campaigns targeting our geography?
* Are the tools / knowledge required to attack us readily available?
* Has there been any change in staff stressors (financial, emotional, medical, etc.)?
* Have any of the suppliers we trust been compromised?
* How easy is it to impersonate our suppliers' staff or company?
* How aware of security are our suppliers' staff?
* How quickly do our suppliers patch their systems?
* Do our suppliers have effective governance of security?

## Internal Frequency Risk Factors

Internal Frequency Risk Factors are risk factors within your scope of control that may affect the frequency of the risks you manage. These are factors that can be subject to an internal control.

* Will an attacker be successful at exploiting a vulnerability?
* How many software or architecture flaws do we have in our code or systems?
* How many unpatched and unmitigated vulnerabilities are there in third-party software we rely upon?
* How quickly can we patch software flaws in our systems?
* How many unsupported systems do we operate?
* How many suppliers do we trust?
* How exposed are our systems to exploitation?
* How quickly do our Identity & Access Management movers and leavers processes operate?
* How aware of security are our staff?
* How easy is it to impersonate our staff or our company?
* How often do we assure the effectiveness of our security controls and processes?
* Can we detect changes in staff stressors (financial, emotional, medical, etc.) and intervene effectively?
* Do our security staff have appropriate training and skills?
* Do we have enough security staff to meet our needs?

--------------------------------------------------------------------------------
/03-a-events.md:
--------------------------------------------------------------------------------

# Risk Events

Risk events are events that can occur and may cause consequences.

Risk events may lead to other risk events. For example, a *software exploit* may lead to *unauthorised access to a system*.

We use a simple hierarchy to provide convenient groupings of events. We recommend using the framework at the level of granularity appropriate to the risk scenarios being considered.

Indicative impacts on the information security goals of Confidentiality, Integrity and Availability have been added where appropriate.

## External Risk Events

External Risk Events are events that may occur outside your scope of control but may still cause consequences for your organisation or its stakeholders.

|Level 1|Level 2|CIA|
|-------|-------|---|
|Supplier|Service Unavailability|Availability|
||Service Compromise|Confidentiality, Integrity|
||Information Breach|Confidentiality|
||Access to Our System Breach|Confidentiality, Integrity|
||Compliance Failure||
|Regulatory|Rules Change||
|Research|Critical Vulnerability Published||

## Internal Risk Events

Internal Risk Events are events that may occur within your scope of control and cause consequences for your organisation or its stakeholders.

The Internal Risk Events are largely derived from this [ENISA](https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy/at_download/fullReport) [PDF] review of CSIRT incident taxonomies across Europe.

|Level 1|Level 2|CIA|
|-------|-------|---|
|Abusive Content|Harmful Speech||
||Child / Sexual / Violent Content||
||Harassment||
|Malware|Ransomware|Availability|
||Worm|Confidentiality, Integrity, Availability|
||Spyware|Confidentiality|
||Rootkit|Confidentiality, Integrity, Availability|
||Dialler||
|Availability Interruption|Distributed / Denial of Service|Availability|
||Sabotage|Integrity, Availability|
|Information Gathering|Open Source Intelligence Analysis|Confidentiality|
||Network Scanning||
||Network Sniffing|Confidentiality|
|Social Engineering|Lies|Confidentiality, Integrity|
||Threats|Confidentiality, Integrity|
||Phishing|Confidentiality, Integrity|
||Bribes|Confidentiality, Integrity|
|Information Breach|Unauthorised access to system / component|Confidentiality, Integrity|
||Unauthorised access to information|Confidentiality|
||Unauthorised sharing of information|Confidentiality|
||Unauthorised modification of information|Integrity|
||Unauthorised deletion of information|Integrity, Availability|
|Fraud|Misappropriation / misuse of resources||
||False representation||
||Theft of money||
|System Intrusion|Software Exploit|Confidentiality, Integrity|
||SQL injection|Confidentiality, Integrity|
||Cross-site scripting (XSS)|Confidentiality, Integrity|
||File Inclusion|Confidentiality, Integrity|
||Control System Bypass|Confidentiality, Integrity|
||Use of stolen credentials|Confidentiality, Integrity|
||Password brute force|Confidentiality, Integrity|
|Governance Failure|Process failure|Confidentiality, Integrity|
||Audit Failure|Confidentiality, Integrity|

--------------------------------------------------------------------------------
/04-a-consequence-factors.md:
--------------------------------------------------------------------------------

# Severity Risk Factors

Severity risk factors are relevant to the estimation of the range and severity of consequences that a risk event may cause.

## External Severity Risk Factors

External Severity Risk Factors are risk factors outside your scope of control that may affect the consequences of the risks you manage.

These are stated as questions to ask yourself or your organisation. The ability to estimate or measure these risk factors will vary between organisations.

* How much is the business worth?
* How many customers does the business have?
* What could be the level of fines we must pay?
* How much money will an attacker steal?
* What will be the cost of adverse legal action for negligence or liability?
* What would be the cost of reduced growth?
* What would be the cost of increased regulatory scrutiny?
* How much would customer notification cost?
* How much would customer rectification cost?
* Does our supplier have a documented & practised security incident response procedure?
* Does our supplier have a robust BC/DR capability?
* Does our supplier encrypt our data?

## Internal Severity Risk Factors

Internal Severity Risk Factors are risk factors within your scope of control that may affect the consequences of the risks you manage. These are factors that can be subject to an internal control.

* How long does it take us to detect financial crime?
* How long does it take us to detect security incidents from the initial attack stage?
* How long does it take us to resolve security incidents once detected?
* How much does it cost us to resolve security incidents?
* How often do we practise resolving breach scenarios?
* How many data records do we store?
* How long do we store data records for?
* How much money do we hold in our accounts?
* How much money can we access in our customers' accounts?
* How many privileged user accounts do we operate?
* How much cyber insurance cover do we have?
* How long does our BC/DR process take to resume and restore normal operations following a crisis?
* Do we encrypt our data?
* How long does it take us to onboard or switch suppliers?

--------------------------------------------------------------------------------
/05-a-consequences.md:
--------------------------------------------------------------------------------

# Consequences

Consequences are the possible harm resulting from a risk event occurring, including loss, injury, or other adverse or unwelcome circumstance.

The use of Level 1 consequences is just a convenient grouping.
7 | 8 | |Level 1 Consequences|Level 2 Consequences| 9 | |--------------------|--------------------| 10 | |Operations|Reduced growth| 11 | ||Business Disruption| 12 | ||Ineffective Change| 13 | ||Slow recovery| 14 | ||Reduced access to staff / skills| 15 | ||Loss of suppliers| 16 | ||Environmental harm| 17 | ||Safety failure| 18 | ||Social harm| 19 | ||Medical harm| 20 | |Compliance|Non-compliance| 21 | ||Poor conduct / integrity| 22 | ||Damaged regulator relations| 23 | ||Regulatory fines| 24 | ||Legal challenge| 25 | |Financial|Theft of money| 26 | ||Unplanned costs| 27 | ||increased costs / inefficiency| 28 | |Strategic|Damaged reputation| 29 | ||Embarrassing reporting| 30 | ||Damaged investor relations| 31 | 32 | -------------------------------------------------------------------------------- /CNAME: -------------------------------------------------------------------------------- 1 | oisru.org -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Creative Commons Legal Code 2 | 3 | CC0 1.0 Universal 4 | 5 | CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE 6 | LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN 7 | ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS 8 | INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES 9 | REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS 10 | PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM 11 | THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED 12 | HEREUNDER. 13 | 14 | Statement of Purpose 15 | 16 | The laws of most jurisdictions throughout the world automatically confer 17 | exclusive Copyright and Related Rights (defined below) upon the creator 18 | and subsequent owner(s) (each and all, an "owner") of an original work of 19 | authorship and/or a database (each, a "Work"). 
20 | 21 | Certain owners wish to permanently relinquish those rights to a Work for 22 | the purpose of contributing to a commons of creative, cultural and 23 | scientific works ("Commons") that the public can reliably and without fear 24 | of later claims of infringement build upon, modify, incorporate in other 25 | works, reuse and redistribute as freely as possible in any form whatsoever 26 | and for any purposes, including without limitation commercial purposes. 27 | These owners may contribute to the Commons to promote the ideal of a free 28 | culture and the further production of creative, cultural and scientific 29 | works, or to gain reputation or greater distribution for their Work in 30 | part through the use and efforts of others. 31 | 32 | For these and/or other purposes and motivations, and without any 33 | expectation of additional consideration or compensation, the person 34 | associating CC0 with a Work (the "Affirmer"), to the extent that he or she 35 | is an owner of Copyright and Related Rights in the Work, voluntarily 36 | elects to apply CC0 to the Work and publicly distribute the Work under its 37 | terms, with knowledge of his or her Copyright and Related Rights in the 38 | Work and the meaning and intended legal effect of CC0 on those rights. 39 | 40 | 1. Copyright and Related Rights. A Work made available under CC0 may be 41 | protected by copyright and related or neighboring rights ("Copyright and 42 | Related Rights"). Copyright and Related Rights include, but are not 43 | limited to, the following: 44 | 45 | i. the right to reproduce, adapt, distribute, perform, display, 46 | communicate, and translate a Work; 47 | ii. moral rights retained by the original author(s) and/or performer(s); 48 | iii. publicity and privacy rights pertaining to a person's image or 49 | likeness depicted in a Work; 50 | iv. rights protecting against unfair competition in regards to a Work, 51 | subject to the limitations in paragraph 4(a), below; 52 | v. 
rights protecting the extraction, dissemination, use and reuse of data 53 | in a Work; 54 | vi. database rights (such as those arising under Directive 96/9/EC of the 55 | European Parliament and of the Council of 11 March 1996 on the legal 56 | protection of databases, and under any national implementation 57 | thereof, including any amended or successor version of such 58 | directive); and 59 | vii. other similar, equivalent or corresponding rights throughout the 60 | world based on applicable law or treaty, and any national 61 | implementations thereof. 62 | 63 | 2. Waiver. To the greatest extent permitted by, but not in contravention 64 | of, applicable law, Affirmer hereby overtly, fully, permanently, 65 | irrevocably and unconditionally waives, abandons, and surrenders all of 66 | Affirmer's Copyright and Related Rights and associated claims and causes 67 | of action, whether now known or unknown (including existing as well as 68 | future claims and causes of action), in the Work (i) in all territories 69 | worldwide, (ii) for the maximum duration provided by applicable law or 70 | treaty (including future time extensions), (iii) in any current or future 71 | medium and for any number of copies, and (iv) for any purpose whatsoever, 72 | including without limitation commercial, advertising or promotional 73 | purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each 74 | member of the public at large and to the detriment of Affirmer's heirs and 75 | successors, fully intending that such Waiver shall not be subject to 76 | revocation, rescission, cancellation, termination, or any other legal or 77 | equitable action to disrupt the quiet enjoyment of the Work by the public 78 | as contemplated by Affirmer's express Statement of Purpose. 79 | 80 | 3. Public License Fallback. 
   Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.

4. Limitations and Disclaimers.

 a. No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.
 b. Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
 c. Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.
 d. Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Open Information Security Risk Universe

The Open Information Security Risk Universe (oisru) is a framework and taxonomy for describing information security risks independently of models or methods of analysing risks.

Information Security Risks are decomposed into Sources, Events and Consequences. Risk Factors for frequency and severity are included.

## How to get the OISRU

A PDF of the current version of the oisru is available in the repository [here](https://github.com/oracuk/oisru/blob/master/oisru.pdf).

## Individual Sections of the OISRU

- [Introduction](00-c-intro.md)
- [How to use](00-d-supporting.md)
- [Sources of Risk](01-a-sources.md)
- [Frequency Risk Factors](02-a-frequency-factors.md)
- [Risk Events](03-a-events.md)
- [Severity Risk Factors](04-a-consequence-factors.md)
- [Risk Consequences](05-a-consequences.md)

## Examples

We are very happy to see the OISRU in use, and where we can we will link to or upload examples we are made aware of.

- [ISO Based Controls Playbook by Rob Dodson](https://github.com/oracuk/oisru/blob/master/examples/ISO%20Based%20Controls%20Playbook.pdf)

## Presentations

We have presented on the OISRU and its uses and will link to these here, as well as to other sessions we are made aware of.

- [Open Security Summit 2020 - OISRU by Robin Oldham, Phil Huggins & Petra Vukmirovic](https://github.com/oracuk/oisru/blob/master/oss2020/OSS2020_-_Open_Information_Security_Risk_Universe_(OISRU).pdf)
- [Open Security Summit 2020 - Break Out Sessions by Robin Oldham, Phil Huggins & Petra Vukmirovic](https://github.com/oracuk/oisru/blob/master/oss2020/OSS2020_-_OISRU_Activity_Slides.pdf)

## Contributing to the OISRU

The OISRU is an open source effort and we welcome contributions and feedback.
To report an error or suggest an improvement, please create an [issue](https://github.com/oracuk/oisru/issues "Github issues") or create a Pull Request.

Contributors will be added to an acknowledgements table based on their contributions logged by GitHub. The list of names is sorted by the number of lines added.
--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
theme: jekyll-theme-slate
--------------------------------------------------------------------------------
/basic-bowtie.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracuk/oisru/e07f100ebd62c443947a3b897854fd61d64c8dfc/basic-bowtie.jpg
--------------------------------------------------------------------------------
/buildpdf.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Remove any stale TOC first so the *.md glob below does not feed the old
# TOC back into pandoc (-f tolerates a missing file on a fresh checkout).
rm -f 00-b-toc.md
pandoc -s -t gfm --toc -V toc-title:"Table of Contents" --template=toc-template.markdown -o 00-b-toc.md *.md

# Build the PDF from every markdown section, including the freshly generated
# TOC, with numbered sections and the LaTeX header that starts each section on a new page.
pandoc -o oisru.pdf --number-sections -H pagebreak.tex -f markdown -t pdf *.md
--------------------------------------------------------------------------------
/complicated-bowtie.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracuk/oisru/e07f100ebd62c443947a3b897854fd61d64c8dfc/complicated-bowtie.jpg
--------------------------------------------------------------------------------
/control-bowtie.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracuk/oisru/e07f100ebd62c443947a3b897854fd61d64c8dfc/control-bowtie.jpg
--------------------------------------------------------------------------------
/cover.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracuk/oisru/e07f100ebd62c443947a3b897854fd61d64c8dfc/cover.jpg
--------------------------------------------------------------------------------
/examples/ISO Based Controls Playbook.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracuk/oisru/e07f100ebd62c443947a3b897854fd61d64c8dfc/examples/ISO Based Controls Playbook.pdf
--------------------------------------------------------------------------------
/oisru.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracuk/oisru/e07f100ebd62c443947a3b897854fd61d64c8dfc/oisru.pdf
--------------------------------------------------------------------------------
/osiru-coverage.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracuk/oisru/e07f100ebd62c443947a3b897854fd61d64c8dfc/osiru-coverage.png
--------------------------------------------------------------------------------
/oss2020/OSS2020_-_OISRU_Activity_Slides.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracuk/oisru/e07f100ebd62c443947a3b897854fd61d64c8dfc/oss2020/OSS2020_-_OISRU_Activity_Slides.pdf
--------------------------------------------------------------------------------
/oss2020/OSS2020_-_Open_Information_Security_Risk_Universe_(OISRU).pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracuk/oisru/e07f100ebd62c443947a3b897854fd61d64c8dfc/oss2020/OSS2020_-_Open_Information_Security_Risk_Universe_(OISRU).pdf
--------------------------------------------------------------------------------
/pagebreak.tex:
--------------------------------------------------------------------------------
% Start every top-level section on a fresh page.
\usepackage{sectsty}
\sectionfont{\clearpage}
% Running header: page number on the right, document title centred, empty footer.
\usepackage{fancyhdr}
\pagestyle{fancy}
\fancyhead{}
\fancyhead[RO,RE]{\thepage}
\fancyhead[CO,CE]{Open Information Security Risk Universe}
\fancyfoot{}
--------------------------------------------------------------------------------
/riskmanagement.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracuk/oisru/e07f100ebd62c443947a3b897854fd61d64c8dfc/riskmanagement.png
--------------------------------------------------------------------------------
/toc-template.markdown:
--------------------------------------------------------------------------------
$if(toc)$
$if(toc-title)$
# $toc-title$
$endif$

$toc$

$endif$
--------------------------------------------------------------------------------
/universe-scope.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracuk/oisru/e07f100ebd62c443947a3b897854fd61d64c8dfc/universe-scope.jpg
--------------------------------------------------------------------------------
/universe-scope.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/oracuk/oisru/e07f100ebd62c443947a3b897854fd61d64c8dfc/universe-scope.png
--------------------------------------------------------------------------------