A model is the representation of a system that gives a simplified image of reality (a system of objects, phenomena, concepts) and defines at least one of its characteristic elements [6]. The proposed sustainable model for risk management is in concordance with the principles for managing risk, the framework in which it occurs and the risk management process presented in the international standard ISO 31000:2009. The model is based on recent research (see [7] for details) regarding information security risk management and consists of the following steps (see Figure 2):
Regarding steps 2 and 3, an equivalence between quantitative and qualitative levels can be made: the values 1 and 2 are equivalent to the "very low" level; the value 3 is equivalent to the "low" level; the value 4 is equivalent to the "medium" level; the value 5 is equivalent to the "high" level; the value 6 is equivalent to the "very high" level; the value 7 is equivalent to the "critical" level.
Regarding the risk calculation, in this model the following formulas are proposed (based on [2]):
The level of risk is based on the value assigned to the resource involved and on the impact of the damage to that resource.
For the quantitative evaluation of risks, this model proposes the use of the Monte Carlo method (with some modifications), which is described below.
2.1. The Monte Carlo Method Adapted for Risk Management Process
The Monte Carlo method is well known in the literature, but it is not used for the risk management process. This section proposes a use of this method adapted for controlling the risks in an organization.
This method (see more in [7,8]) implies the repeated calculation on a sample of random values, followed by the calculation of the average value. The method uses Formula (1), with the following meaning: the probability that the difference between the average value calculated through this method and the average value µ lies within the error limit ε is 99.8%.
where:
N = the number of values,
µ = the average value,
ξ = the random variable.
The Monte Carlo method provides an estimate of the expected value of the random variable and, at the same time, the estimation error is determined by the number of iterations. The total error is (see Formula (2)):
where σ is the standard deviation of the random variable, and N is the number of iterations. An upper bound for σ can be estimated by computing the standard deviation between the minimum and maximum values and the random variable xi, using Formula (3) (based on [8]):
The number of iterations for an error below 2% can be calculated as follows (see Formula (4)): the average between the minimum and the maximum of the risk (Rmin and Rmax) is taken as a rough value for the random variable, and for an error below 2% this average is divided by 50.
So, the number of iterations needed to obtain a result with an error below 2% is (see Formula (5)):
The level of a risk is determined by applying the Monte Carlo method described above, with the number of iterations given by Formula (5). This calculation is applied for each triple of values (resource, threat, vulnerability). Optionally, after this calculation for each triple, an estimate of the standard deviation and of the total error can be made. The sample of values is calculated as follows:
- The impact is a random value between the minimum and the maximum impacts (Imin and Imax) which were defined in the first step (the assessment of resources);
- The threat is a random value between the minimum and the maximum levels of the threat (Amin and Amax) which were defined in the second step (the assessment of threats);
- The vulnerability is a random value between the minimum and the maximum levels of the probability of occurrence of an incident (Vmin and Vmax) which were defined in the third step (the assessment of vulnerabilities).
So, Formula (6) for the risk calculation is (Rand = the random generation of a value):
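The sampling procedure above and the iteration-count reasoning of Formulas (2)-(5), as an added worked example; this is not the paper's own software or formulas. It assumes continuous uniform draws on each declared range, a per-draw combination risk = impact × threat × vulnerability, the standard 3σ/√N Monte Carlo error bound, and the tolerance ε taken as the midpoint of [Rmin, Rmax] divided by 50, as the text describes.

```python
"""Monte Carlo estimate of the risk for one (resource, threat, vulnerability) triple.

Added example, not the paper's code. Assumptions (the page does not show the
formulas themselves): uniform draws on each range, risk = I * A * V per draw,
total error = 3 * sigma / sqrt(N), and eps = ((Rmin + Rmax) / 2) / 50.
"""
import math
import random
from statistics import mean, pstdev


def sample_risk(rng, imin, imax, amin, amax, vmin, vmax):
    """One Monte Carlo draw: Rand() on each range, then the assumed product rule."""
    impact = rng.uniform(imin, imax)        # Rand(Imin, Imax), step 1 ranges
    threat = rng.uniform(amin, amax)        # Rand(Amin, Amax), step 2 ranges
    vulnerability = rng.uniform(vmin, vmax) # Rand(Vmin, Vmax), step 3 ranges
    return impact * threat * vulnerability  # assumed combination of the three factors


def estimate_risk(imin, imax, amin, amax, vmin, vmax, n=10_000, seed=0):
    """Average of n draws, the sample standard deviation and the 3-sigma total error."""
    rng = random.Random(seed)               # fixed seed keeps the run reproducible
    draws = [sample_risk(rng, imin, imax, amin, amax, vmin, vmax) for _ in range(n)]
    mu = mean(draws)                        # the Monte Carlo estimate of the risk
    sigma = pstdev(draws)                   # estimate of the random variable's sigma
    total_error = 3 * sigma / math.sqrt(n)  # assumed form of the paper's Formula (2)
    return mu, sigma, total_error


def iterations_for_error(rmin, rmax, sigma, divisor=50):
    """Smallest N keeping 3 * sigma / sqrt(N) below eps, with eps derived as in the
    text: the midpoint of [Rmin, Rmax] divided by 50 (an error below 2%)."""
    eps = ((rmin + rmax) / 2) / divisor
    return math.ceil((3 * sigma / eps) ** 2)


if __name__ == "__main__":
    # Constructed sample ranges: impact 2..4, threat 1..3, vulnerability 2..6.
    mu, sigma, err = estimate_risk(2, 4, 1, 3, 2, 6)
    rmin, rmax = 2 * 1 * 2, 4 * 3 * 6       # extreme products of the three ranges
    print(f"risk ~ {mu:.2f}  sigma ~ {sigma:.2f}  total error ~ {err:.3f}")
    print("iterations for error < 2%:", iterations_for_error(rmin, rmax, sigma))
```

For independent uniform factors the true expected product is the product of the midpoints (3 × 2 × 4 = 24 for the constructed ranges), so the printed estimate can be checked against it directly.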
Regarding the risk evaluation, in order to find the best risk treatment methods for the calculated risks, the impact of risks is estimated with Formula (7):
and the probability of occurrence with Formula (8):
For the type of the risks, the following table is proposed (Table 3):
After the risk calculation, the risks can be viewed in a probability-impact (P-I) diagram.
5) Risk management decisions—risk treatment and countermeasures
- The treatment of identified risks and the identification of the countermeasures in order to reduce the vulnerabilities;
- The identification of the efficiency of each measure proposed;
- The estimation of the costs of each measure proposed;
- The preparation of a recommendation for the top management regarding the risks.
It is necessary to analyze the treatment method and the measures in accordance with the category of the resource which is exposed to a risk. The following table is proposed for risk treatment (see Table 4):
There are lists of countermeasures that can be reviewed together with other countermeasures identified by the evaluation team. At the end of the evaluation period (usually after 1 year), the next analysis is prepared, and this action implies:
- The transfer of untreated risks;
- The transfer of not fully evaluated resources (e.g., the vulnerabilities and threats regarding a resource were not identified in time);
- The identification of new resources, threats and vulnerabilities in the organization.
2.4. The Application of the RiMM Model to a Practical Example
This section presents an example of how the model/software was used (and can be used) to manage risks in an organization. By following the steps proposed in the previous section, all the risks in an organization can be managed. For confidentiality reasons, only one example of a risk, together with the measures taken by the company, is presented below: