Presentation of the EBIOS Risk Manager method

The digital has become a vital and universal component of our society and transforms in a irreversible way the political, economical, social and cultural dimensions of organizations and individuals.

First, it upsets the regalian domains so much as certain authors do not hesitate to compare the strategic consequences of the advent of the cyberspace with the distruptions triggered in their times the canon powder, the aviation or even the nuclear weapon.

Second, it transforms the economy : as part of their permanent quest of efficiency and the care for the sustainable development, companies – big or small – are digitizing progressively their processes with many information and communication technologies, so as to change internally their mode of work, their mode of relationship with partners, providers and customers.

Last, the citizen, also an internet user, massively consumes digital services and tools on which he depends more and more.

The most important consequence of this revolution is that trust in the cyberspace is from now on required by everyone, everywhere and at all times, so as the society can benefit of the progress the cyberspace brings, whereas being in control of its danger and its threats.

Cybersecurity is the cornerstone of this trust.

Whatever the environment, the ultimate goal of security is still to control the outcome of potential confrontations.

Being applied in a complexe and ever changing space, cybersecurity takes the form of the resilience based on the robustness of technology associated with the agility of the processes. It needs to define, to design and to deploy with a rational, understood and shared approach, the indispensable evolutions of cultures as well as of organizations, together with economic reasoning and technical choices.

As a matter of fact, implementing cybersecurity requires a strategy that must adjust to the diversity of the risk sources, to the variety of their mode of action, and to various forms of vulnerabilities potentially exploited. In turn, the means that can be mobilized for security are, by essence, limited; it is therefore of utmost importance to define in a rigorous way the security activities and to assess their effectiveness. It is in such way that the concept of risk shows all its sense as to enable the evaluation and the ranking of confrontation situations.

EBIOS 2010 and EBIOS Risk Manager shares in common the alignment with the information security risk management framework, internationally standardized by the ISO/IEC 27005.

They differenciate themselves with the goal of their use. EBIOS 2010 is designed to deliver a systematic identification of the threats on any type of activities, results in a detailed and abundant inventory rather suited to an audience of experts. Besides, its capability to describe attack scenarios is limited.

EBIOS Risk Manager offers at the same time a rigorous analytical process to undertake and optimize the thinking process, and communication approach to share results with decision-making people thanks to several innovations :

1. The introduction to the security baseline allows to consider under control the usual risks as long as good practice and controls are in place, in compliance with international standards and regulatory requirements;
2. The characterization of the ecosystem, using a simple and efficient graphical representation of the scope, allows to identify stakeholders (customers, partners, service providers) and the most likely risk sources;
3. The introduction in the thinking process of the attacker’s perspective allows to reformulate the initial motivations of the risk source (a lucrative goal, sabotage, destruction, etc…) with specific objectives (trade sensitive data, cause an IT disruption, etc.), and then to put them in the context of the information and business functions (breach of customer data confidentiality, disruption of the ordering and delivery IT system, etc.);
4. The introduction of non-technical attack paths, the strategic scenarios, naturally represented in the ecosystem, shows the possibilities to circumvent or to bypass the level of protection provided by the security guidelines whereas keeping very close to the business context. This innovation brings to the analysis an identification step for attack paths that exploit compromised stakeholders;
5. The modelling of operational scenarios helps clarify how the strategic scenarios can realize, relies on elements of technical architectures, learnings from audits or pentests, so as to identify the most likely attacks;
6. All these elements converge towards an efficient selection of controls that are add-ons to the security guidelines, so as to bring to the decision maker the assurance that the security setup matches the best cost / opportunity ratio.

Since several years in France, the success of the risk management using the EBIOS approach is demonstrated amongst business experts and experts in risk management.

The challenge is now solved : it is possible to deliver in a limited time an optimized study on the essential part of an activity, including in the analysis the ecosystem of stakeholders and risk sources, with the goal to end up with a clear and relevant view for the decision maker.

The EBIOS Club, with the support of the French Security Agency ANSSI, gathers a community of experts, institutions, public or private corporations of various size and industry sectors, who are eager to promote, wherever necessary, the information security risk management and its application on scopes of study proceeding from the cyberspace.

To make its action real, the EBIOS Club chose to position itself as the cooking pot of the method for risk management EBIOS Risk Manager, published by ANSSI. Its users community freely share inside the Club their return of experience and proposes to ANSSI suggestions of improvements about its content, its tools and knowledge bases. Furthermore, it maintains the list of individuals acknowledged as trainers and delivers a label to skill certification bodies.

Rich from its various business cultures and organization profiles, the EBIOS Club has participated to the transformation of risk management, first initiated with IT security risks, followed with information security risks, and today performed in the cyberspace where advent new forms of threats and defense strategies.

Thanks to the support of ANSSI, the EBIOS Club wants to be an open hub for best practice sharing in the area of risk management using the EBIOS Risk Manager method, and also a vector of influence in France, in Europe and at the international, following a strategy of cross collaboration with CLUSIF and AFNOR to affirm a contribution to the international standardization as part of the Joint Technical Committee 13 of the CEN/CENELEC and to the SubCommittee 27 of the Joint Technical Committee of the ISO and IEC.

(by the EBIOS Club)