
(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 9, No. 11, 2018

Risk Assessment Method for Insider Threats in Cyber Security: A Review

Nurul Akmal Hashim1, Zaheera Zainal Abidin2, Nurul Azma Zakaria4, Rabiah Ahmad5
Information Security, Forensic and Networking Research Group (INSFORNET),
Faculty of Information and Communication Technology, Universiti Teknikal Malaysia Melaka, Melaka, Malaysia

A.P. Puvanasvaran3
Faculty of Manufacturing Engineering
Universiti Teknikal Malaysia Melaka, Melaka, Malaysia

Abstract—Today's major challenge in manufacturing is to manage a large-scale cybersecurity system that is potentially exposed to a multitude of threats. The riskiest of these are insider threats. An insider threat arises when a person authorized to perform certain actions in an organization decides to abuse that trust and harm the organization. To overcome these risks, this study evaluates various risk assessment methods for assessing the impact of insider threats and analyses the current gaps in risk assessment methods. Based on a manual literature search, we compare four methods: NIST, FRAP, OCTAVE, and CRAMM. The result of the study shows that the method most used by organizations is the NIST method, because NIST combines the involvement of both humans and systems in data collection. The significance of this study is its contribution to developing a new method for analyzing threats that can be used in any organization.

Keywords—Insider threats; manufacturing; risk assessment; cyber security; threats; risk

I. INTRODUCTION

The industrial revolution (IR) 4.0 for the manufacturing area is mostly based on advances in the areas of autonomous robots, big data, augmented reality, cloud computing, the internet of things and cybersecurity [1]. Malaysia, as a dependent nation, needs to move up the value chain to become a high-quality manufacturing base that uses technology to make the country more competitive at regional and global levels. Besides that, IR 4.0 encourages companies to use computerization and data exchange in manufacturing technologies that create smart robots, where machines are linked to the internet and to a system that can depict the whole production chain [2].

However, reported cybercrime cases have increased by more than 40%. Organizational security professionals are worried that workers with low security awareness may accidentally provide the required information to hackers through trickery [3]. The insider threat is considered a part of social engineering, which we also call the unintentional insider threat (UIT). It is worth noting that insider threats involving intentional leakage have recently begun to attract the attention of researchers [3], [4].

The term insider threat refers to threats originating from people who have been given access rights to an information system (IS) and misuse their privileges, thus violating the IS security policy of the organization. Criminology research has extensively studied this kind of behavior, even though it does not always lead to committing a crime. In the same way, attacks can be non-malicious, arising while performing the tasks of an organization, such as carelessness, lack of knowledge, or intentional circumvention of security. An internal intrusion detection system (IDS) protects organizations against insider attacks.

Therefore, insider threats are analyzed and reduced by using risk assessment. Risk assessment is the procedure that evaluates the information system and the security characteristics of information, such as confidentiality, integrity, and availability [5]. The evaluation is based on related information security technology and management criteria. Through risk assessment, we can understand the security situation and take targeted security measures that keep the risk within an acceptable range. The basic risk assessment model is shown in Fig. 1.

Fig. 1. Risk Assessment Basic Model [6] (steps: 1. Describe Hazards; 2. Identify Community Assets; 3. Analyze Risks; 4. Summarize Vulnerability)

126 | Page
www.ijacsa.thesai.org

Risk assessment considers four factors: hazards, assets, threats, and vulnerabilities. This research focuses on assets, analyzing assets, the relationship between threats and vulnerabilities, and the value of the risk of computing systems [7]. Many security techniques and mechanisms have been developed to counter insider threats, such as National Institute of Standards & Technology Special Publication 800-30 (NIST SP 800-30), the Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) process, the Facilitated Risk Assessment Process (FRAP), and the Central Risk Analysis and Management Method (CRAMM).

Currently, risk assessment has been applied to almost every aspect of industry. A risk is defined as the impact on an uncertain target; the impact can be positive or negative [8]. According to Hubbard, risk management includes risk identification, assessment and prioritization, and the subsequent reduction, monitoring, and control of negative events [8]. With the joint efforts of scholars and experts, there are several popular risk assessment models that can meet different needs.

The rest of the paper consists of the following sections: Section 2 presents the related work that reviews the risk assessment methods. Results and Discussion are covered in Section 3. Finally, Section 4 concludes the paper and discusses future work.

II. RELATED WORKS: REVIEW OF THE RISK ASSESSMENT METHODS

This section discusses the risk assessment methods in cybersecurity that have been used to identify insider threats. Furthermore, an analysis of the related work on risk assessment methods that ease the task of assessing the security condition is offered.

A. National Institute of Standards & Technology (NIST)

The method described in NIST SP 800-30 is a combination of quantitative and qualitative approaches. NIST SP 800-30 is primarily a model rather than a specialized method [9], [10]. It still contains a complete guide to defining all aspects of an effective risk management plan. It also contains the criteria and processes needed to assess and mitigate risk. It is better suited to large organizations such as government agencies and large corporations. NIST SP 800 supports organizations, chief information officers (CIOs), security officers, IT consultants, and anyone who is generally involved with risk management in the organization [11].

The first step in NIST is to identify assets. System characteristics describe the boundaries of the system and the resources and information that make up the system. System characterization defines the scope of the risk assessment effort, describes the operational authorization (or certification) boundaries, and provides the information necessary to define the risk (e.g., hardware, software, system connectivity, and the responsible department or support staff). There are two ways to identify an asset [12]. First, system-related information can be used to describe the IT system and its operating environment. The second method is to use information gathering techniques to solicit information related to the IT system's process environment. Common information gathering techniques include questionnaires, live interviews, document review and the use of automated scanning tools. The target asset can be a single system or multiple interrelated systems. In the latter case, the domain of interest and all interfaces and dependencies must be well defined before applying the method. Fig. 2 shows the basic NIST steps.

Fig. 2. NIST Basic Model [12] (steps: System Characterization; Threat Identification; Vulnerability Identification; Control Analysis; Likelihood Determination; Impact Analysis; Risk Determination; Control Recommendations; Results Documentation)

B. The Operationally Critical Threat, Asset and Vulnerability Evaluation Process (OCTAVE)

The OCTAVE method was developed by the Software Engineering Institute (SEI) at Carnegie Mellon University. This approach was established to help organizations identify and assess the risks of information systems, improve their capabilities and protect themselves from these risks [13]. The OCTAVE method consists of a set of rules and a skilled analysis team. The team is made up of people within the organization and is designed to conduct risk assessment procedures. Opinions are collected from the analysis team and participants through questionnaires and surveys [15], [16]. Based on the inputs provided, the analysis is done in a structured and organized manner. There are several pre- and post-assessment activities. The risk assessment process consists of three main phases and eight steps within those phases.

The OCTAVE method can be extended to the OCTAVE standard, which is designed to meet the requirements of various situations. For example, the standard set can be applied to organizations ranging from large to small. But the method is still the same and can be described as four main phases. The OCTAVE basic model is shown in Fig. 3 below.


Fig. 3. OCTAVE Basic Model [13]

C. The Facilitated Risk Assessment Process (FRAP)

Fig. 4. FRAP Basic Model [18] (cycle: 1. Categorize Information System; 2. Select Security Controls; 3. Implement Security Controls; 4. Assess Security Controls; 5. Authorize Information System; 6. Monitor Security Controls)

The Facilitated Risk Assessment Process (FRAP) was established by Thomas Peltier [17]. Peltier aims to implement risk management techniques in a cost-effective manner in order to adapt to the rapid development of the business sector. Peltier also emphasizes the involvement of employees in the organization, rather than the advice of external experts. Since the model is designed to prioritize time and cost efficiency, the program includes only the pre-FRAP meeting, the FRAP meeting and the post-FRAP meeting. In the pre-FRAP meeting phase, the goal is to introduce participants to FRAP and announce the procedures and goals of the meeting. Once the participants reach an agreement, they can hold a FRAP meeting. There are two steps involved during the FRAP meeting. The first step is to go through the logistics, introduce the entire team and briefly repeat what was discussed in the pre-FRAP meeting. The scope statement is then presented. In the second step, the FRAP team reviews the elements to be assessed, such as integrity, confidentiality and availability. The team also identifies threats, issues, and anything else that may pose a vulnerability to the system. Next, the team recommends controls for these vulnerabilities. After the FRAP meeting, the business manager, project leader and moderator hold a post-FRAP meeting and complete the action plan. The deliverables for this meeting include a summary of threats and existing controls, as well as a final report. The basic FRAP cycle model is shown in Fig. 4.

D. The Central Risk Analysis and Management Method (CRAMM)

The Central Computer and Telecommunications Authority (CCTA) Risk Analysis and Management Method (CRAMM) was developed by the British government in 1985. This tool has since been developed further and commercialized by Insight Consulting [19]. CRAMM is a qualitative tool that provides methods, calculations, and reports for security risk assessment. The method and tool were developed mainly for application in large-scale organizations, but can also be applied to SMEs [20]. CRAMM can also be used to (a) justify investment decisions in the security of information systems and networks, based on measurable results, and (b) demonstrate the compatibility of the organization's information systems with the British standard during an audit. CRAMM consists of five phases, which are shown in Fig. 5.

Fig. 5. CRAMM Basic Model [20] (phases: Initiate Evaluation; Selected Data Input; Selected Threats; Values; Security Risk Analysis; Risk Management)

III. DISCUSSION

In general, the OCTAVE and CRAMM methods are qualitative while FRAP is quantitative. The NIST method is a combination of qualitative and quantitative types, which is more dynamic and suitable for an organization. This makes the NIST model suitable for both quantitative and qualitative research.


The NIST risk assessment method is the most well-formed method. Each step has a specific target and enumerates several approaches to facilitate the procedure. Unlike the OCTAVE, CRAMM and FRAP methods, the NIST method's data collection is not limited to participants' knowledge; it also includes conclusions and discoveries recorded in other related documentation.

Furthermore, OCTAVE, CRAMM and FRAP merely offer descriptions of each step, while for the NIST method each step enumerates all the possible approaches to processing the data. On the other hand, the OCTAVE and FRAP methods are usually applied in the business area, while CRAMM is applied specifically in the aviation area. In the case of the FRAP method, its author explicitly stated that FRAP is not designed to assess compliance with security requirements.

TABLE I. COMPARISON AMONG SEVERAL RISK ASSESSMENT METHODS
(columns: Risk Assessment Method | References | Types | Approach / Phases | Resource Required)

NIST | [1], [4], [12], [11], [21], [10], [22], [23] | Qualitative and Quantitative | System characterization; Threat identification; Vulnerability identification; Control analysis; Likelihood determination; Impact analysis; Risk determination; Control recommendations; Result documentation | Non-government organization
OCTAVE | [13], [14], [15], [20], [24] | Qualitative | Profile threats; Identify infrastructure vulnerability; Develop a security strategy and plan | Internal and non-expert
FRAP | [16], [17], [25], [26] | Quantitative | Pre-FRAP meeting; FRAP session; Post-FRAP process | Internal manager
CRAMM | [18], [19] | Qualitative | Asset identification; Threat and vulnerability assessment; Countermeasure selection and recommendation | Qualified and experienced participant

Fig. 6. Graph of the four methods (bar chart "Comparison of Four Methods": y-axis No. of Organizations, 0 to 10; x-axis Risk Assessment Method: NIST, FRAP, CRAMM, OCTAVE)

Both the FRAP and OCTAVE methods are implemented to meet business needs and require less time and fewer resources. As mentioned earlier, the OCTAVE method has eight steps and needs knowledge from three levels: senior management, operational area management and staff. The FRAP method only has a pre-FRAP meeting, a FRAP session and a post-FRAP discussion, which can be accomplished by the FRAP team in one day. Obviously, the OCTAVE method is more complicated than the FRAP method and requires more people's cooperation.

In a word, the OCTAVE method is a workshop-oriented method and requires participation from different departments. The FRAP method is designed for business analysis instead of a security assessment. OCTAVE, CRAMM and FRAP are largely dependent on the participants' knowledge. As for the NIST method, the risk assessment process is refined into nine steps. Each step has a clear goal and all the possible approaches to accomplish that goal, which alleviates the bias brought about by depending merely on the participants' or evaluator's knowledge.

The differences between all four methods are summarized in Table I.

Figure 6 shows the comparison of the methods used in industry. The graph shows that NIST has been used by 8 organizations, compared with 4 organizations for FRAP, 2 for CRAMM and 5 for OCTAVE. The findings of this study indicate that the NIST method is the most well known and most widely used in organizations for risk assessment.

The NIST method allows organizations to individually assess the threats most relevant to their operations "and to develop a risk-based approach to resource allocation". It enables organizations to express their insider threat management efforts in terms of critical assets (identify); implemented controls and safeguards (protect); manifested threats (detect); formulated incident response strategies (respond); and business continuity plans (recover).
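As an added illustration that is not code from the paper, the following Python script carries the NIST steps of Fig. 2 discussed above (likelihood determination, impact analysis, risk determination, control recommendations and results documentation) through a constructed insider-threat register for a manufacturing plant: each threat/vulnerability pair is rated for likelihood and impact, scored as likelihood x impact on the NIST SP 800-30 risk-level matrix, and mapped onto the High/Medium/Low scale with its corrective-action guidance. The asset names, threats and ratings are hypothetical; the matrix values and thresholds are those of NIST SP 800-30 (2002 edition).

```python
from dataclasses import dataclass
from typing import Dict, List

# Likelihood and impact ratings of the NIST SP 800-30 (2002) risk-level matrix.
LIKELIHOOD: Dict[str, float] = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT: Dict[str, int] = {"high": 100, "medium": 50, "low": 10}

# Step 8, control recommendations: NIST SP 800-30 risk-scale guidance, paraphrased.
ACTIONS = {
    "High": "corrective action plan must be put in place as soon as possible",
    "Medium": "corrective actions needed and planned within a reasonable period",
    "Low": "authorizing official decides whether to correct or accept the risk",
}

@dataclass(frozen=True)
class ThreatVulnPair:
    """One threat/vulnerability pair collected in NIST steps 1 to 6."""
    asset: str             # step 1: system characterization
    threat: str            # step 2: threat identification
    vulnerability: str     # step 3: vulnerability identification
    existing_control: str  # step 4: control analysis
    likelihood: str        # step 5: likelihood determination (high/medium/low)
    impact: str            # step 6: impact analysis (high/medium/low)

def risk_score(likelihood: str, impact: str) -> float:
    """Step 7, risk determination: likelihood x impact on the SP 800-30 matrix."""
    try:
        return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]
    except KeyError as exc:  # reject ratings outside the three-level scale
        raise ValueError(f"rating must be high/medium/low, got {exc.args[0]!r}") from None

def risk_level(score: float) -> str:
    """SP 800-30 risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def assess(pairs: List[ThreatVulnPair]) -> List[dict]:
    """Steps 7 to 9: score each pair, attach a recommendation, document highest risk first."""
    report = []
    for p in pairs:
        score = risk_score(p.likelihood, p.impact)
        level = risk_level(score)
        report.append({"asset": p.asset, "threat": p.threat,
                       "vulnerability": p.vulnerability, "existing_control": p.existing_control,
                       "score": score, "level": level, "recommendation": ACTIONS[level]})
    return sorted(report, key=lambda r: r["score"], reverse=True)

# Constructed sample register for a hypothetical manufacturing plant (not from the paper).
SAMPLE_PAIRS = [
    ThreatVulnPair("engineering file share", "careless employee e-mails drawings externally",
                   "no outbound content filtering", "acceptable-use training", "medium", "medium"),
    ThreatVulnPair("MES recipe database", "privileged operator misuses access to recipes",
                   "shared admin account without session logging", "none", "high", "high"),
    ThreatVulnPair("visitor badge system", "contractor enters plant area unescorted",
                   "badge reader not enforced on side door", "guard patrols", "low", "low"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_PAIRS):
        print(f"{row['level']:6} {row['score']:6.1f}  {row['asset']}: {row['recommendation']}")
```

Running the script prints the register ordered High (100.0), Medium (25.0), Low (1.0), which is the documented result of step 9 for the sample input.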


For these reasons, the NIST method provides the most complete and scientific approach among all the methods.

IV. CONCLUSION AND FUTURE WORKS

Several case studies have been made to provide a risk-based detection method for insider threats. It not only helps to understand possible threats, but also helps reduce overhead in the unified monitoring process. The results showed that the NIST method is well accepted in many organizations due to its systematic and convincing risk assessment planning. Besides, this method is easy to operate and practical. The framework can be improved further by assigning users to different classes according to their privileges and assigning different threshold values to each class.

ACKNOWLEDGMENT

The authors would like to acknowledge Universiti Teknikal Malaysia Melaka. We also would like to thank the TRGS research grant TRGS/1/2016/FKP-AMC/01/D00005 for funding this research.

REFERENCES

[1] Y. Cherdantseva et al., “A review of cyber security risk assessment methods for SCADA systems,” Comput. Secur., vol. 56, pp. 1–27, 2016.
[2] Z. Yunos, R. Ahmad, and N. A. Mohd Sabri, “A Qualitative Analysis for Evaluating a Cyber Terrorism Framework in Malaysia,” Inf. Secur. J., 2015.
[3] L. Xiangyu, L. Qiuyang, and S. Chandel, “Social Engineering and Insider Threats,” in 2017 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), 2017.
[4] V. Morgagni, N. Nostro, A. Ceccarelli, and F. Brancati, “Insider Threat Assessment: a Model-Based Methodology,” pp. 3–12, 2014.
[5] Z. Lai, Y. Shen, and G. Zhang, “A security risk assessment method of website based on threat analysis combined with AHP and entropy weight,” in Proceedings of the IEEE International Conference on Software Engineering and Service Sciences, ICSESS, 2017.
[6] Y. Y. Haimes, Risk Modeling, Assessment, and Management, Third Edition. 2008.
[7] E. Zio, “The future of risk assessment,” Reliab. Eng. Syst. Saf., vol. 177, pp. 176–190, 2018.
[8] D. W. Hubbard, The Failure of Risk Management: Why It’s Broken and How to Fix It. 2009.
[9] R. K. Abercrombie, F. T. Sheldon, K. R. Hauser, M. W. Lantz, and A. Mili, “Risk assessment methodology based on the NISTIR 7628 guidelines,” in Proceedings of the Annual Hawaii International Conference on System Sciences, 2013.
[10] National Institute of Standards and Technology, “NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations,” NIST Spec. Publ., 2014.
[11] J. Kouns and D. Minoli, Information Technology Risk Management in Enterprise Environments: A Review of Industry Practices and a Practical Guide to Risk Management Teams. 2010.
[12] National Institute of Standards and Technology, “Best Practices in Cyber Supply Chain Risk Management,” NIST, 2016.
[13] R. A. Caralli, J. F. Stevens, L. R. Young, and W. R. Wilson, Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. 2007.
[14] M. T. Jufri, M. Hendayun, and T. Suharto, “Risk-assessment based academic information system security policy using OCTAVE Allegro and ISO 27002,” in Proceedings of the 2nd International Conference on Informatics and Computing, ICIC 2017, 2018.
[15] D. C. Felegeanu et al., “A combined method for the analysis and assessment of risks and industrial safety,” Environ. Eng. Manag. J., 2016.
[16] M. Masky, S. S. Young, and T. Y. Choe, “A novel risk identification framework for cloud computing security,” in 2015 IEEE 2nd International Conference on Information Science and Security, ICISS 2015, 2016.
[17] T. Peltier, “Information security risk analysis,” Philos. Trans. A. Math. Phys. Eng. Sci., 2005.
[18] T. R. Peltier, “Implementing an information security awareness program,” Inf. Syst. Secur., 2005.
[19] Z. Yazar, “A Qualitative Risk Analysis and Management Tool - CRAMM,” 2002.
[20] T. Yang, E. D. Berger, S. F. Kaplan, and J. E. B. Moss, “CRAMM: Virtual Memory Support for Garbage-Collected Applications,” in Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - OSDI’06, 2006.
[21] A. Syalim, Y. Hori, and K. Sakurai, “Comparison of risk analysis methods: Mehari, Magerit, NIST800-30 and Microsoft’s security management guide,” Proc. - Int. Conf. Availability, Reliab. Secur. ARES 2009, pp. 726–731, 2009.
[22] V. Jovanovic and J. K. Harris, “Systems and software assurance - A model Cyber Security course,” in 2016 39th International Convention on Information and Communication Technology, Electronics and Microelectronics, MIPRO 2016 - Proceedings, 2016.
[23] National Institute of Standards and Technology, “NIST SP 800-37 Revision 1 Guide for Applying the Risk Management Framework to Federal Information Systems. A Security Life Cycle Approach,” p. 102, 2010.
[24] A. Sarkheyli and N. Binti Ithnin, “Improving the current Risk analysis techniques by study of their process and using the human body’s Immune System,” 2010 5th Int. Symp. Telecommun. IST 2010, pp. 651–656, 2010.
[25] M. Tseng, C. Byrne, K. A. Evers, and M. B. Daly, “Dietary intake and breast density in high-risk women: a cross-sectional study,” Breast Cancer Res., vol. 9, no. 5, pp. 12–15, 2007.
[26] A. Shameli-Sendi, R. Aghababaei-Barzegar, and M. Cheriet, “Taxonomy of information security risk assessment (ISRA),” Comput. Secur., vol. 57, pp. 14–30, 2016.
