Managing Information Security Risks: The OCTAVE Approach

Authors: Christopher Alberts and Audrey Dorofee
Pages: 512
Publisher: Addison-Wesley
ISBN: 0321118863

Available for download is chapter 9 entitled “Conducting the Risk Analysis”.


Authors of this book are very experienced in this field: Mr. Alberts worked on the initial “OCTAVE Framework, Version 1.0” and together with Dorofree cooperated on the “OCTAVE Method Implementation Guide v.2.0” and “Operationally Critical Threat, Asset and Vulnerability Evaluation Criteria” publications. Because of its specific content, I’ll focus on the key phases of OCTAVE approach, that are covered within this book.

About the authors

Christopher Alberts is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). He and Audrey Dorofee are the principal developers of OCTAVE. Before joining the SEI, Christopher was a scientist at Carnegie Mellon Research Institute, where he developed mobile robots for hazardous environments. He also worked at AT&T Bell Laboratories, where he designed information systems to support AT&T’s advanced manufacturing processes.

An interview with Christopher Alberts is available here.

Audrey Dorofee is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). She and Christopher Alberts are the principal developers of OCTAVE. Audrey previously was project lead for risk management in the Risk Program at the SEI. Prior to joining the SEI, she worked for the MITRE Corporation, supporting various projects for NASA, including Space Station software environments, user interfaces, and expert systems.

Inside the book

From the title of this book, “Managing Information Security Risks: The OCTAVE Approach”, you can see that the book will cover specific issues regarding usage of the well known OCTAVE method. OCTAVE, which stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation, enables an organization to sort through the complex web of organizational and technological issues to understand and address its informational security risks. This comprehensive and self-directed approach to information security risk evaluations is meant to put organizations in charge; balance critical information assets, business needs, threats, and vulnerabilities; measure the organization against known or accepted good security practices and establish an organization-wide protection strategy and information security risk mitigation plans. As the authors note, this book is intended for a varied audience:

  • People who need to perform information security risk evaluation
  • Managers, staff members and Information Technology personnel concerned about and responsible for protecting critical information assets
  • Consultants who provide security services to other organizations and are interested how the OCTAVE approach might be incorporated into their products and services
Before starting the organization evaluation, preparations for OCTAVE Method must be completed. These include obtaining senior management sponsorship of OCTAVE, selecting analysis team members, selecting operational areas that will participate in OCTAVE, selecting the participants and coordinating logistics. Detailed discussion on these activities is presented in the fourth chapter of the book.

After these requirements are met, OCTAVE can be started. The whole evaluation is divided into three phases, each covering a separate aspect of the organization. The first phase deals with the organizational view and covers identification of management and staff knowledge and creating the threat profile by detailing the assets that are most critical to the organization and the possible threats to these assets. The second phase focuses on the technological view of the organization, where key components are being identified and evaluated. This process comprises of running vulnerability evaluation tools on selected components and summarizing the outcome. In the third phase risk analysis is being conducted and the goal is to identify and analyze the risks to the organization’s critical assets. The final process in the risk analysis phase is to develop a protection strategy. The three phases mentioned in the paragraph above, receive the biggest exposure in the book, as the whole Part II covers all these processes in details. The last part of the book talks about variations on the OCTAVE approach – it examines the contextual nature of information security risk evaluations by addressing the possibility of tailoring OCTAVE and looks how to improve your organization’s security posture by using the results of the evaluation. The book spreads over 450 pages of text, divided into the mentioned three parts. Actually these three sections spread over 300 pages, while the rest is divided into several useful appendixes. Appendix A describes a case scenario, produced by the analysis team and based on the OCTAVE approach. As it follows up with the content of this book, this appendix provides a wealth of practical information based on the approach this book focuses on. Appendix B contains a set of worksheets that are used during the OCTAVE Method.

The authors classified the worksheets into the following groups:

  • Knowledge elicitation – worksheets used during identifying knowledge in the first phase
  • Asset profile – set of worksheets that includes all of the information gathered or created for a critical asset
  • Strategies and action – worksheets used when developing the organization-wide protection strategy
The final appendix contains the catalog of practices used in the OCTAVE approach, divided into strategic and operational practices. The authors note that this is a general catalog, and as it is not specific to any domain or organization, it can be modified or extended to suit any other business environment.

What I think of it

This book provides a powerful documentation on CERT/CC’s Operationally Critical Threat, Asset, and Vulnerability Evaluation. It offers all the information you need to know while thinking about or starting the implementation of the OCTAVE into your organization.

Don't miss