BIA-Brukerstyrt innovasjonsarena

AGRA: Aggregated risk assessment and management

Alternative title: AGRA: Modular risk management and analysis (original: AGRA: Modulær risikoledelse og analyse)

Awarded: NOK 9.6 mill.

For most organizations, risk management based on ISO 31000 is an indispensable part of the overall management process. Its objective is to systematically and proactively identify the current risk picture and to ensure that the necessary controls are in place to keep risks at an acceptable level. For this purpose, adequate and efficient methods and techniques for risk assessment are required. However, information systems and services are becoming increasingly complex, heterogeneous, dynamic and interoperable. This is in particular the case for information and services that are provided over the Internet, with cloud services as a prominent example. Managing risks in such a setting is extremely challenging, and established methods and techniques are often inadequate. A main problem is that the overall risk picture becomes too complex to understand, and that the risks change and evolve quickly and continuously. In the AGRA project we addressed this challenge by developing a divide-and-conquer strategy for risk management, in which separate parts or aspects of a system or organization can be analyzed separately. An important feature of our approach is that the risk model composition can be carried out without having to reconsider or reinvestigate the internal details of the individual risk models. This is supported by our principle of risk model encapsulation, which hides the internal details: only the information that is required for a sound composition is visible, via a well-defined risk model interface.

The project has contributed to increased focus on and understanding of risk aggregation within its target group. As a result, the participating companies have new or improved processes, methods and tools for risk aggregation. SINTEF researchers have built new competence, and the results from the project form the foundation for SINTEF's participation in the EU project CYBERWISER.EU, which started in autumn 2018. The project has also contributed to making SINTEF an attractive partner in the EU project CyberSec4Europe, which is initiated in 2019. The project has disseminated knowledge beyond the project's participants both nationally (through public seminars and lectures) and internationally (through publications, including a book published by Springer).

The main objective of the project is to develop a framework for overall unified risk management throughout an organization, in order to provide a sound basis for decision making at all levels of management. The framework should facilitate analysis and presentation of risks at different levels of abstraction depending on the role of the target group, while ensuring consistency and preservation of essential information in a common underlying risk model. The framework should be practically applicable in organizations without requiring significantly more resources in terms of effort, competence or cost than existing approaches. A component-oriented approach to risk management that allows composition/decomposition and abstraction will be taken. Critical research challenges include the following:

- What is a suitable approach for risk model encapsulation to allow risk models to be treated as black boxes? In other words, which elements of risk models are essential for composition and reasoning?
- What is a suitable conceptual and mathematical foundation (i.e. semantics) for the approach?
- What composition/decomposition rules can be derived from this foundation?
- How can we provide guidelines for composition/decomposition, based on those rules, that are useful in practice for end users?
- How should we define abstraction formally in such a way that it captures the intuitive meaning?
- How can we provide guidelines for abstraction/refinement, based on the formal definition, that are useful in practice for end users?
- What tool support will be most useful for practitioners who want to apply the approach?

Publications from Cristin

No publications found

Funding scheme:

BIA-Brukerstyrt innovasjonsarena