Anssi Guide Ebios - Risk - Manager en v1.0

The document describes the EBIOS Risk Manager method, which takes an iterative 5 workshop approach to assessing and treating digital risks. Workshop 1 establishes the scope and security baseline. Workshop 2 identifies risk origins and targets. Workshop 3 develops strategic scenarios at the ecosystem level. Workshop 4 creates operational scenarios focusing on supporting assets. Workshop 5 defines a risk treatment strategy and continuous improvement plan. The method balances compliance and scenario-based approaches to analyze risks from various attack paths.
CONTENTS

WHAT IS THE EBIOS RISK MANAGER METHOD? page 2
AN ITERATIVE APPROACH IN 5 WORKSHOPS page 3
DIFFERENT USES OF EBIOS RISK MANAGER page 13
WORKSHOP 1 – SCOPE AND SECURITY BASELINE page 15
WORKSHOP 2 – RISK ORIGINS page 31
WORKSHOP 3 – STRATEGIC SCENARIOS page 39
WORKSHOP 4 – OPERATIONAL SCENARIOS page 55
WORKSHOP 5 – RISK TREATMENT page 67
BIBLIOGRAPHY page 79
TERMS AND DEFINITIONS page 81
Ebios risk manager — 1


WHAT IS THE EBIOS RISK MANAGER METHOD?

EBIOS Risk Manager [1] (EBIOS RM) is the method for assessing and treating
digital risks published by the National Cybersecurity Agency of France (ANSSI)
with the support of Club EBIOS [2]. It proposes a toolbox that can be adapted,
the use of which varies according to the objective of the project, and is
compatible with the reference standards in effect, in terms of risk management [3]
as well as in terms of cybersecurity [4].

EBIOS RM makes it possible to assess digital risks and to identify the security
measures to be taken in order to control them. It also makes it possible to
validate the acceptable level of risk and to carry on in the longer term in a
continuous improvement approach. Finally, this method makes it possible
to bring about resources and arguments that are useful for communication
and decision-making within the organisation and with regards to its partners.

The EBIOS RM method can be used for several purposes:


■■ set up or reinforce a process for managing digital risk within an
organisation;
■■ assess and treat the risks relating to a digital project, in particular with
the aim of a security accreditation;
■■ define the level of security to be achieved for a product or service
according to its use cases and the risks to be countered, for example in
the perspective of a certification or accreditation.

It applies to public as well as private organisations, regardless of their size,
their sector of activity and whether their information systems are being
developed or already exist.

[1] EBIOS is a registered trademark of the Secrétariat général de la défense et de la sécurité
nationale (General Secretariat for Defence and National Security).
[2] Club EBIOS is an association governed by the law of 1901 bringing together individual experts
and bodies, coming from public or private sectors. It has been supporting and enriching the French
reference standards for managing risks since 2003.
[3] In particular, standard ISO 31000:2018.
[4] In particular the standards in the ISO/IEC 27000 series.



An iterative approach in 5 workshops

The EBIOS Risk Manager method adopts an approach to the management of
the digital risk starting from the highest level (major missions of the
studied object) to progressively reach the business and technical functions,
by studying possible risk scenarios. It aims to obtain a synthesis between
"compliance" and "scenarios", by positioning these two complementary
approaches where they provide the highest value added. This approach is
symbolised by the digital risk management pyramid (cf. figure 1).

The approach through compliance is used to determine the security baseline
on which the approach through scenarios is based in order to develop
particularly targeted or sophisticated risk scenarios. This assumes that the
accidental and environmental risks are treated a priori via an approach
through compliance within the security baseline. The assessment of the risks
through scenarios, such as described by the EBIOS RM method, therefore
focuses on the intentional threats.



Figure 1 — Digital risk management pyramid. From the base to the top:
basic principles and hygiene; the regulatory and standards framework
(approach through "compliance": wide spectrum, simple); digital risk
assessment (approach through "scenarios": elaborated, targeted, advanced).
The level of the cyber attacks addressed becomes more elaborated towards
the top of the pyramid.



The EBIOS RM method adopts an iterative approach that revolves around
five workshops.

Figure 2 — An iterative approach in 5 workshops. Figure labels: workshop 1
(scope and security baseline); workshop 2 (risk origins); workshop 3
(strategic scenarios, ecosystem level); workshop 4 (operational scenarios,
system level); workshop 5 (risk treatment); risk assessment; strategic cycle;
operational cycle.



WORKSHOP 1
Scope and security baseline
The first workshop aims to identify the studied object, the participants in
the workshops and the timeframe. During this workshop, you list the
missions, business assets [5] and supporting assets related to the studied object.
You identify the feared events associated with the business assets and assess
the severity of their impacts. You also define the security baseline and the
gaps with respect to it.

Note: workshop 1 makes it possible to follow an approach by "compliance",
corresponding to the first two stages of the digital risk management
pyramid, and to address the study from the "defence" viewpoint.

WORKSHOP 2
Risk origins
In the second workshop, you identify and characterise the risk origins (RO)
and their high-level targets, called target objectives (TO). The RO/TO pairs
deemed the most relevant are selected at the end of this workshop. The
results are formalised in a mapping of the risk origins.

[5] The "business assets" correspond to the "essential assets" of the EBIOS 2010 method.



WORKSHOP 3
Strategic scenarios
In workshop 3, you will get a clear view of the ecosystem and establish a
mapping of the digital threat of the latter with respect to the studied object.
This will allow you to construct high-level scenarios, called strategic scenarios.
They represent the attack paths that a risk origin is likely to take to reach its
target. These scenarios are designed at the scale of the ecosystem and the
business assets of the studied object. They are assessed in terms of severity.
At the end of this workshop, you can already define the security measures
on the ecosystem.

WORKSHOP 4
Operational scenarios
The purpose of workshop 4 is to construct technical scenarios that include
the methods of attack that are likely to be used by the risk origins to carry
out the strategic scenarios. This workshop adopts an approach similar to the
one of the preceding workshop but focuses on critical supporting assets. You
then assess the level of likelihood of the operational scenarios obtained.

Notes
■■ Workshops 3 and 4 are naturally fed by successive iterations.
■■ Workshops 2, 3 and 4 make it possible to assess the risks, which
constitutes the last stage of the digital risk management pyramid.
They test the security baseline against different attack paths, chosen
because they are relevant to the threats considered and kept to a
limited number in order to facilitate the analysis.



WORKSHOP 5
Risk treatment
The last workshop consists in creating a summary of all of the risks studied
in order to define a risk treatment strategy. The latter is then broken down
into security measures written into a continuous improvement plan. During
this workshop, you establish the summary of the residual risks and define
the framework for monitoring risks.

Figure 3 — Link between the various workshops. Figure content:
■■ Workshop 2: risk origin / target objective pair (RO/TO).
■■ Workshop 3: strategic scenario, broken down into attack routes (1) to (n);
severity of the impacts (identical for the strategic scenario and all of its
attack routes).
■■ Workshop 4: operational scenarios (1) to (n); likelihood of the scenario
(proper to each operational scenario).
■■ Workshop 5: risk scenarios (1) to (n); risk level (proper to each risk
scenario, assessed on the basis of its severity and its likelihood).

NOTE: each attack path of a strategic scenario gives rise to an operational
scenario. A risk scenario corresponds to the association of an attack path
and its operational scenario.



THE CYCLES

The approach calls for two cycles, of which the durations are defined during
the first workshop:
■■ a strategic cycle that revisits the entire study and in particular the
strategic scenarios;
■■ an operational cycle that returns to the operational scenarios in light
of the security incidents that have occurred, the appearance of new
vulnerabilities and changes in the methods of attack.

AN EXAMPLE FOLLOWED STEP-BY-STEP

The method is illustrated using an example that depicts a fictional company,
namely a biotechnology company that manufactures vaccines. This example
aims to be realistic, with the objective of providing the reader with a concrete
and pedagogical illustration of the method.

BIOTECHNOLOGY COMPANY MANUFACTURING VACCINES
■■ Estimated low level of maturity in terms of digital security
■■ Basic awareness in cybersecurity when employees take up their jobs
■■ Existence of an IT charter



Different uses of EBIOS Risk Manager

EBIOS RM is a method that can be adapted. It constitutes a genuine
toolbox, of which the activities to be carried out, their level of detail
and their sequencing will be adapted to the desired use. Indeed, the way
in which the method is applied differs according to the subject studied, the
expected deliverables, the degree of knowledge of the perimeter of the study
or the sector to which it is applied. The chart hereinafter suggests use cases
according to the target objective.

MAIN WORKSHOPS TO BE CONDUCTED OR USED

TARGET OF THE STUDY                                                    1        2        3        4        5
Identify the security baseline adapted to the studied object           x
Be in compliance with the digital security reference standards         x                                   x
Assess the threat level of the ecosystem with respect to the                             x
  object studied                                                                      (note 1)
Identify and analyse the high-level scenarios, integrating the                  x        x
  ecosystem
Conduct a preliminary risk study in order to identify the priority     x        x        x                 x
  axes for security improvement                                     (note 2)                            (note 3)
Conduct a complete and fine risk study, for example on a security      x        x        x        x        x
  product or for the purpose of a system accreditation
Direct a security audit and in particular a penetration test                             x        x
Direct the detection and reaction systems, for example at the                            x        x
  level of a security operating centre (SOC)

Note 1: step a) of the workshop only; this does not require having
conducted workshops 1 and 2 beforehand.
Note 2: in the framework of a preliminary study, the degree of depth of
workshop 1 is to be adapted (example: listing only the business assets,
conducting a summary analysis of the security baseline).
Note 3: step b) of the workshop only.



Workshop

1
Scope and
security baseline
1/ Objectives of the workshop
The purpose of this first workshop is to define the framework of the study,
its business and technical scope, the associated feared events and the security
baseline. This workshop is a prerequisite for producing a risk assessment. The
period to be considered for this workshop is the same as the strategic cycle.

2/ Participants in the workshop [6]
■■ Top management;
■■ Business teams;
■■ CISO (Chief Information Security Officer);
■■ IT department / Information management team.

3/ Outputs
At the end of this workshop, you must have identified:
■■ the framework elements : objectives, roles and responsibilities, time frame;
■■ the business and technical scope : missions, business assets, supporting
assets;
■■ feared events and their level of severity;
■■ the security baseline: list of applicable requirements, implementation
status, gaps identification and justification.

[6] The team can be supplemented with any person deemed helpful.



4/ Steps of the workshop
This workshop can for example take place over one to three half-day sessions [7].
The objective will be to:
a. define the framework of the study;
b. define the business and technical perimeter of the studied object;
c. identify the feared events and assess their level of severity;
d. determine the security baseline.

5/ How to proceed?
a. Define the framework of the study

To initiate the workshop, start with disclosing the purpose and the expecta-
tions of the meeting to the participants. Agree on the objectives of the study.
The latter can be, for example, the setting up of a cyber risk management
process in the organisation, the accreditation of an information system or
the identification of a level of security to be achieved in order to obtain a
product certification. According to the objective defined, the level of detail of
the study is deduced therefrom, along with the workshops to be conducted.

Then, identify the participants in the various workshops, their roles and
their responsibilities in the framework of the study (workshop facilitator,
contributor, decision-maker, etc.). To do so, you can for example create a
responsibility assignment matrix (RAM).

[7] The duration of the workshop is suggested as an indication. It does not include the preparatory
and formalisation work to be carried out upstream and downstream.



At this step, it is essential to identify who is the person accountable for
accepting the residual risks at the end of the study.

Then define the timeframe of the study (durations of the operational and
strategic cycles). These durations must be adapted to the project constraints
and be consistent with the standards, legal and regulatory frameworks in effect.
Ordinarily, for an information system accreditation, the generic durations
are three years for the strategic cycle and one year for the operational cycle.

Aspects relating to project management, such as the planning of the workshops
to be conducted or resource constraints, can also be addressed.

b. Define the business and technical perimeter

In a second step, you will list the missions, business assets and supporting
assets regarding the studied object [8]. The questions that may be raised are:

■■ What is the object of the study? What are its main missions, its purposes?
■■ What are the major processes and information that enable the studied
object to carry out its missions?
■■ What are the digital services, applications, IT networks, organisational
structures, human resources, premises, etc. which enable to carry out these
processes or process this information?

Start by listing all of the missions of the studied object, i.e. its end purposes
and major goals (the way it participates in creating value, for example).
According to the level of detail of the study, the missions to be identified
can sometimes be intrinsic to the studied object but are generally those of
the organisation of which the object is part.

[8] In order to carry out this activity, you can use the model suggested in methodological sheet no. 1.



In the same way, then list all of the business assets associated with the
studied object, namely the information or processes deemed important, in the
framework of the study, and that should be protected. The business assets
represent the informational assets that a risk origin would have an interest
in attacking in order to achieve its objectives (example: on-line reservation
cancelling service, customer information, results of R&D work, deployment
phase of a project, know-how in designing aeronautical parts, etc.).

At this stage, the objective is not to be exhaustive but rather to limit the
number of business assets in order to retain only those identified as essential
or sensitive. Proceeding as such makes it possible to keep a certain agility in
the study and to reduce the work to a useful and acceptable level. In order
to reach this end, you can for example:
■■ consider sets of information rather than isolated pieces of information;
■■ rank the business assets according to their security needs (availability,
integrity, confidentiality, etc.) [9].
In terms of volume, 5 to 10 business assets generally form a base that is
sufficient for orienting the rest of the study. The business assets that are
not selected can however inherit the measures taken to protect the other
business assets.

[9] To rank the business assets, it is possible to judge whether their security needs are "very high",
"notable" or "negligible". It is also possible for the assessment of the security needs of a business
asset to use scales for scoring, for example those with 3 or 4 levels used in the examples of the EBIOS
2010 method. However, the objective is not to seek an absolute value but rather a relative position
of the business assets in relation to one another.



Then list the supporting assets regarding each business asset. These are
elements of the information system on which the business assets are based.
For this, use the mapping of the organisation's information system [10]. You
can structure your listing according to the main categories suggested in
methodological sheet no. 2.

Note : at this stage, you can limit the identification of the supporting
assets to the most important ones, for example one to three supporting
assets for each business asset. They will then be supplemented during
the drawing up of operational scenarios.

[10] To construct it, it is possible to refer to the guide from the French National Cybersecurity Agency,
ANSSI, Mapping the information system - How-to guide in 5 steps, 2018.



EXAMPLE: biotechnology company manufacturing vaccines.

Mission: IDENTIFY AND MANUFACTURE VACCINES

Business asset: Research & development (R&D)
  Nature of the business asset (process or information): Process
  Description: vaccine research and development activity requiring:
    ■■ the identification of antigens;
    ■■ the production of antigens (attenuated live virus, inactivated virus):
    fermentation (harvest), purification, inactivation, filtration, storage;
    ■■ preclinical assessment;
    ■■ clinical development.
  Entity or person responsible (internal/external): Pharmacist
  Associated supporting assets:
    ■■ Desktop application servers (internal): desktop application servers
    storing all of the R&D data. Responsible: IT department / Information
    management team.
    ■■ Antigen production systems: set of IT equipment and machines that make
    it possible to produce antigens. Responsible: Laboratories.
    ■■ Desktop application servers (external): desktop application servers
    storing a portion of the R&D data. Responsible: Laboratories.

Business asset: Manufacturing vaccines
  Nature of the business asset (process or information): Process
  Description: activity consisting in:
    ■■ filling syringes (sterilisation, filling, labelling);
    ■■ conditioning (labelling and packaging).
  Entity or person responsible (internal/external): Production manager
  Associated supporting asset:
    ■■ Production systems: set of IT equipment and machines that make it
    possible to produce vaccines on a large scale. Responsible: IT department /
    Information management team + Equipment suppliers.

Business asset: Traceability and control
  Nature of the business asset (process or information): Information
  Description: information enabling to ensure the quality control and the
  batch release (examples: antigen, aseptic distribution, conditioning,
  final release…).
  Entity or person responsible (internal/external): Quality Manager
  Associated supporting asset:
    ■■ Desktop application servers (internal): desktop application servers
    storing all of the data regarding traceability and control, for the
    various processes. Responsible: IT department / Information management
    team.



Note: during this step, you may need to identify the business assets or
supporting assets placed under the responsibility of entities that are
outside your organisation. These elements can be included in workshop
3, when creating the ecosystem digital threat mapping.

c. Identify the feared events

Identifying and characterising the feared events (FE) enables the
stakeholders to objectively compare the importance of the missions and the
business assets while becoming aware of the security issues. In EBIOS Risk
Manager, feared events are associated with business assets and reveal a
harmful breach for the organisation. The degree of harm or impact is assessed
according to a severity scale that makes it possible to rank feared events.

In order to reveal the FEs, you can, for each business asset listed in the
preceding step, look for the harmful effects that would follow, for example,
from a breach:
■■ affecting the availability of the business asset (example: inaccessible
information, total or partial interruption of service, impossibility to
conduct a phase of a process);
■■ its integrity (example: forgery or modification of information, function
creep of a service, alteration of a process);
■■ its confidentiality (example: disclosure of information, unauthorised
access to a service, compromising of a secret);
■■ its traceability (example: loss of traceability of an action or of a modifi-
cation of information, impossibility to track the chaining of a process);
■■ and more globally the quality of service and the performance that the
business asset must satisfy.



Estimating the severity of each FE depends on the criticality of the business
asset with regards to:
■■ the missions of the organisation;
■■ the regulations;
■■ the nature and the intensity of the direct impacts, and even indirect
impacts.

Methodological sheet no. 3 is proposed to help you carry out this activity.

Notes
■■ A feared event is described in the form of a short expression or
scenario that allows for an easy understanding of the harm linked
to reaching the business asset concerned. The prior assessment of
the security needs can help in estimating the severity.
■■ For feared events (FE) that affect availability, we recommend that
you specify beyond which loss of service the severity mentioned
is reached (example: unavailability of the service for a duration
exceeding 2 hours, impossibility to distribute data flows greater
than 1 Mbps). This approach will in particular enable you to anchor
in your risk assessment the notion of degraded operating mode.
■■ In order to estimate the severity, consider all of the possible types
of impacts – internal, external, direct, indirect – so as to push the
stakeholders into considering impacts of which they may never have
initially thought.
■■ At this stage, the FEs are identified from the organisation's view
point, outside any attack scenario. They will then be useful in
developing strategic scenarios (workshop 3), from the attacker's
view point, and can be updated in this framework.



EXAMPLE: biotechnology company manufacturing vaccines.

The scoring of the severity of the impacts is carried out based on the
following matrix:

SCALE: CONSEQUENCES

G4 CRITICAL: Incapacity for the company to ensure all or a portion of its
activity, with possible serious impacts on the safety of persons and assets.
The company will most likely not overcome the situation (its survival is
threatened).

G3 SERIOUS: High degradation in the performance of the activity, with
possible significant impacts on the safety of persons and assets. The company
will overcome the situation with serious difficulties (operation in a highly
degraded mode).

G2 SIGNIFICANT: Degradation in the performance of the activity with no
impact on the safety of persons and assets. The company will overcome the
situation despite a few difficulties (operation in degraded mode).

G1 MINOR: No impact on operations or the performance of the activity or on
the safety of persons and assets. The company will overcome the situation
without too many difficulties (margins will be consumed).



The company has listed a portion of the feared events in the following table
(business asset / feared event / impacts / severity):

BUSINESS ASSET: R&D

  Feared event: Loss or destruction of analyses and research information
  resulting in a high impact, in particular on the company's future marketing
  authorisation procedure
  Impacts:
    ■■ Impacts on the missions and services of the organisation
    ■■ Impacts on the costs of development
    ■■ Impacts on the organisation's governance
  Severity: 3

  Feared event: Alteration of analyses and research information resulting in
  an erroneous vaccine formula
  Impacts:
    ■■ Impacts on the safety or on the health of persons
    ■■ Impacts on the image and trust
    ■■ Legal impacts
  Severity: 3

  Feared event: Leaking of the company's analyses and research information
  Impacts:
    ■■ Impacts on the organisation's governance
    ■■ Financial impacts
  Severity: 3

  Feared event: Interruption of the vaccine test phases for more than one week
  Impacts:
    ■■ Impacts on the missions and services of the organisation
    ■■ Financial impacts
  Severity: 2

BUSINESS ASSET: Manufacturing vaccines

  Feared event: Leaking of the company's know-how regarding the process for
  manufacturing vaccines and their quality tests
  Impacts:
    ■■ Financial impacts
  Severity: 2

  Feared event: Interruption of the vaccine production or distribution for
  more than one week during the peak of the epidemic
  Impacts:
    ■■ Impacts on the safety or on the health of persons
    ■■ Impacts on the image and trust
    ■■ Financial impacts
  Severity: 4

BUSINESS ASSET: Traceability and control

  Feared event: Alteration of the quality control results leading to a
  sanitary non-compliance
  Impacts:
    ■■ Impacts on the safety or on the health of persons
    ■■ Impacts on the image and trust
    ■■ Legal impacts
  Severity: 4



d. Determine the security baseline

Determining the security baseline and the gaps assumes adopting a compliance
approach, corresponding to the first two stages of the risk management
pyramid. For this, you must identify all of the security reference standards
that apply to the studied object.
These reference standards can be:
■■ healthy information system rules and security best practices: ANSSI's
recommendation guides [11], the organisation's internal security rules, etc.;
■■ standards: ISO 27000 family, etc.;
■■ current regulations: you can refer to ANSSI's website [12] that lists a
spectrum of regulatory texts in terms of digital security.

If the studied object is a system or a product that already exists, then assess
the implementation status of the various reference standards listed, for
example thanks to a colour indicator (green for "applied without restriction",
orange for "applied with restrictions", red for "not applied", etc.) and clearly
identify the gaps, as well as the causes of the latter.

[11] www.ssi.gouv.fr/en/best-practices
[12] www.ssi.gouv.fr/en/regulation



The security baseline can be formalised in a table, such as the one suggested
hereinbelow for the purposes of illustration (type of reference standard /
name of the reference standard / implementation status / gaps / justification
for gaps):

TYPE OF REFERENCE STANDARD: healthy information system rules and security
best practices
NAME OF THE REFERENCE STANDARD: guideline for a healthy information system
IMPLEMENTATION STATUS: Applied with restrictions
GAPS AND JUSTIFICATION FOR GAPS:
  ■■ Rule 8: identify each individual accessing the system by name and
  distinguish the user/administrator roles. Justification: existence of a
  non-nominative admin account for the administration of the ERP (proprietary
  solution that does not allow for administration via another account).
  ■■ Rule 37: define and apply a backup policy for critical components.
  Justification: backup policy currently being written by a working group.

The gaps observed with respect to the security baseline will be included
in the risk assessment conducted in the following workshops in order
to identify the risks that they pose on the organisation. Security mea-
sures can then be defined during workshop 5 in order to limit them.

Note: the results of the risk studies conducted previously will be
integrated in this step. Indeed, these studies permitted you to identify and
to implement security measures. The latter are now part of the security
baseline of your organisation and can be tested in the following risk
assessment workshops.
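As an added example, not part of the ANSSI guide, the following Python register models the two workshop 1 outputs described above: the feared events of the vaccine-company example with their G1 to G4 severity, and the security baseline with its implementation status and gaps. It ranks the business assets by their most severe feared event, lists the availability-related feared events that state no loss-of-service threshold (the point made in the notes of step c), and extracts the baseline gaps that are to be carried into the following workshops. The class and function names, the security criterion attached to each feared event and the per-rule status are assumptions of this example; the data is re-entered by hand from the guide's tables.

```python
"""Workshop 1 register for EBIOS Risk Manager (added example, not ANSSI code).

The feared events and baseline entries are re-entered by hand from the
guide's vaccine-company example; class names, field names, the security
criterion attached to each feared event and the helper functions are
assumptions of this example.
"""
from dataclasses import dataclass

# Severity scale of the example matrix: G1 minor ... G4 critical.
SEVERITY = {1: "MINOR", 2: "SIGNIFICANT", 3: "SERIOUS", 4: "CRITICAL"}


@dataclass(frozen=True)
class FearedEvent:
    business_asset: str
    description: str
    criterion: str            # availability | integrity | confidentiality | traceability (assumed)
    impacts: tuple
    severity: int             # 1..4 on the G1..G4 scale
    loss_threshold: str = ""  # availability only: loss of service beyond which the severity applies

    def __post_init__(self):
        if self.severity not in SEVERITY:
            raise ValueError(f"severity must be in {sorted(SEVERITY)}, got {self.severity}")


@dataclass(frozen=True)
class BaselineRequirement:
    standard: str
    rule: str
    status: str               # "applied", "applied with restrictions" or "not applied"
    justification: str = ""


def rank_assets_by_severity(events):
    """Rank business assets by the most severe feared event that affects each of them."""
    worst = {}
    for fe in events:
        worst[fe.business_asset] = max(worst.get(fe.business_asset, 0), fe.severity)
    # Highest severity first; alphabetical order breaks ties.
    return sorted(worst.items(), key=lambda item: (-item[1], item[0]))


def availability_events_without_threshold(events):
    """Availability feared events that do not state beyond which loss of
    service their severity is reached (the guide recommends stating it)."""
    return [fe.description for fe in events
            if fe.criterion == "availability" and not fe.loss_threshold]


def baseline_gaps(requirements):
    """Every rule not applied without restriction is a gap to carry into the
    risk assessment; a gap without justification is reported as such."""
    return [(r.rule, r.status, r.justification or "<justification missing>")
            for r in requirements if r.status != "applied"]


# Feared events of the guide's example (constructed from its table).
FEARED_EVENTS = [
    FearedEvent("R&D", "Loss or destruction of analyses and research information",
                "availability", ("missions and services", "costs of development", "governance"), 3),
    FearedEvent("R&D", "Alteration of analyses and research information resulting in an erroneous vaccine formula",
                "integrity", ("safety or health of persons", "image and trust", "legal"), 3),
    FearedEvent("R&D", "Leaking of the company's analyses and research information",
                "confidentiality", ("governance", "financial"), 3),
    FearedEvent("R&D", "Interruption of the vaccine test phases",
                "availability", ("missions and services", "financial"), 2,
                loss_threshold="more than one week"),
    FearedEvent("Manufacturing vaccines", "Leaking of the know-how regarding the manufacturing process and quality tests",
                "confidentiality", ("financial",), 2),
    FearedEvent("Manufacturing vaccines", "Interruption of the vaccine production or distribution during the peak of the epidemic",
                "availability", ("safety or health of persons", "image and trust", "financial"), 4,
                loss_threshold="more than one week"),
    FearedEvent("Traceability and control", "Alteration of the quality control results leading to a sanitary non-compliance",
                "integrity", ("safety or health of persons", "image and trust", "legal"), 4),
]

# Security baseline of the guide's example; the per-rule status is an assumption.
BASELINE = [
    BaselineRequirement("guideline for a healthy information system",
                        "Rule 8: identify each individual accessing the system by name and distinguish the user/administrator roles",
                        "applied with restrictions",
                        "Non-nominative admin account for the administration of the ERP (proprietary solution)"),
    BaselineRequirement("guideline for a healthy information system",
                        "Rule 37: define and apply a backup policy for critical components",
                        "applied with restrictions",
                        "Backup policy currently being written by a working group"),
]

if __name__ == "__main__":
    for asset, sev in rank_assets_by_severity(FEARED_EVENTS):
        print(f"{asset}: G{sev} {SEVERITY[sev]}")
    print("availability events without threshold:", availability_events_without_threshold(FEARED_EVENTS))
    for rule, status, why in baseline_gaps(BASELINE):
        print(f"gap: {rule} [{status}] -> {why}")
```

Run as a script, the register ranks "Manufacturing vaccines" and "Traceability and control" (G4) ahead of "R&D" (G3), which is the relative position the method is after rather than an absolute value. The threshold check reports the "Loss or destruction" event, since the example table only states a duration for the two interruption events; whether a destruction event needs one is a judgement the workshop participants make.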



Workshop

2
Risk origins
1 / Objectives of the workshop
The purpose of workshop 2 is to identify the risk origins (RO) and their target
objectives (TO), linked with the particular context of the study. The workshop
aims to answer the following question: who or what can infringe upon the
missions and business assets identified in workshop 1, and for what purposes?

The risk origins and the target objectives are then characterised and assessed
in order to retain the most relevant ones. They will be useful for constructing
scenarios for workshops 3 and 4.

2 / Participants in the workshop [13]
■■ Top management (at least during the last step of the workshop);
■■ Business teams;
■■ CISO;
■■ A specialist in analysing the digital threat will possibly supplement
your working group, according to the team's level of knowledge and the
desired level of precision.

3 / Outputs
At the end of the workshop, you must have established the following elements:
■■ the list of priority RO/TO pairs selected for the rest of the study;

[13] The team can be supplemented with any person deemed useful.



■■ the list of the secondary RO/TO pairs that can be studied in a second
step and which will, if possible, be the subject of attentive surveillance;
■■ a mapping of the risk origins.

4 / Steps of the workshop
This workshop, of variable length, can require 2 hours to one working day [14]
in order to:
a. identify the risk origins and the target objectives;
b. assess the RO/TO pairs;
c. select the RO/TO pairs that are deemed as deserving priority in order
to continue the analysis.

5 / How to proceed?
To conduct this workshop, you need to know the missions and the business
assets of the studied object, coming from workshop 1.

The fine characterisation of the risk origins and of their target objectives
requires having precise information on the state of the threat and should
ideally focus on the sector involved: attackers or groups of attackers, assumed
resources and motivation, methods of attack, the most exposed activities, etc.
The daily cyber attack watch bulletins and the news regarding cybersecurity
are also precious sources of information that make it possible to supplement
and specify the knowledge of the threat and to contextualise it.
Methodological sheet no. 4 directs you in organising this information so as to
be able to take action based on it in order to assess the risks in the framework
of workshop 2.

[14] The duration of the workshop is suggested as an indication. It does not include the preparatory
and formalisation work to be carried out upstream and downstream.

a. IDENTIFY THE RISK ORIGINS AND THE TARGET OBJECTIVES

To conduct the workshop, you must ask yourself the following questions:
■■ what are the risk origins that can harm the organisation's missions or
high-level interests (sector-related, state-related, etc.)?
■■ what can the target objectives be for each risk origin in terms of the
effects sought?

One way of doing this is to review the categories of risk origins and target
objectives suggested in methodological sheet no. 4: for each category of
risk origin, determine what the attacker's profile is and what types of objec-
tives the attacker wants to reach. The same risk origin can generate, where
applicable, several RO/TO pairs, with target objectives of different natures.

Notes
■■ One of the keys to success consists in searching varied categories
of RO/TO pairs in order to have a differentiated panel of attacker
profiles and target objectives from which the strategic scenarios
of workshop 3 will be established. It is also important not to leave
any blind spots: ensure that you cover the organisation's business
assets as widely as possible.
■■ The target aimed at by a risk origin can be beyond the sole perimeter
of the studied object. In this case, the latter may be used as an
intermediary to reach the TO or be subjected to collateral impacts
due to its exposure to the risk.


EXAMPLE: biotechnology company manufacturing vaccines.

RISK ORIGIN | TARGET OBJECTIVE
Hacktivist | Sabotage the next national vaccination campaign by disturbing the production or the distribution of vaccines, in order to generate a psychological shock on the population and discredit the public authorities.
Competitor | Steal information by spying on the R&D work in order to obtain a competitive advantage.
Hacktivist | Disclose to the general public information on the way in which the vaccines are designed by collecting photos and videos of animal tests in order to rally the public opinion to its cause.
Cyber-terrorist | Alter the composition of the vaccines distributed during a national vaccination campaign for the purposes of bioterrorism.



b. ASSESS THE RO/TO PAIRS

When the team has stopped producing new RO/TO pairs, you can assess
the pertinence of each pair. The objective is to identify, in the pool of risk
origins and target objectives listed, those that you feel are the most relevant.
Although the feedback from participants can form a first basis for assessment,
we also recommend that you use criteria and metrics for characterisation
that will provide a certain degree of objectivity. The assessment criteria that
are generally used are:
■■ the motivation of the risk origin to reach its target;
■■ its resources (financial, skills, attack infrastructures);
■■ its activity (is it active within the perimeter of the studied object, in the
ecosystem, in the industry concerned, in a similar industry, etc.).

c. SELECT THE RO/TO PAIRS FOR THE REST OF THE ANALYSIS

Based on the preceding work, you can then finalise the workshop by
selecting the RO/TO pairs for the rest of the study. One of the choice criteria
is obviously the level of relevance assessed in the preceding step. Favour
RO/TO pairs that are sufficiently distinct from one another and that will
likely affect different business assets and supporting assets. In terms of
volume, 3 to 6 RO/TO pairs generally form a base that is sufficient to develop
strategic scenarios.


EXAMPLE: biotechnology company manufacturing vaccines.

RISK ORIGIN | TARGET OBJECTIVE | MOTIVATION | RESOURCES | ACTIVITY | PERTINENCE
Hacktivist | Sabotage the national vaccination campaign | ++ | + | ++ | Moderate
Competitor | Information theft | +++ | +++ | +++ | High
Hacktivist | Disclosing information on animal tests | ++ | + | + | Low
Cyber-terrorist | Altering the composition of vaccines for bioterrorist purposes | + | ++ | + | Low

The working group will retain as a priority the pairs with high and moderate
pertinence, and will initially set aside the cyber-terrorist threat and that
linked to hacktivists who want to disclose information on animal tests, which
are deemed to be less significant.


WORKSHOP 3 – STRATEGIC SCENARIOS
1 / Objectives of the workshop
The ecosystem includes all of the stakeholders that orbit the studied object
and participate in carrying out its missions (partners, subcontractors,
subsidiaries, etc.). More and more cyberattack modi operandi leverage the most
vulnerable links in this ecosystem in order to reach their target (example:
affecting the availability of a service by attacking the Cloud service supplier,
booby-trapping servers in the logistics supply chain in order to facilitate
sensitive data exfiltration).

The objective of workshop 3 is to obtain a clear view of the ecosystem, in
order to identify the most vulnerable stakeholders in it. This will then entail
building high-level scenarios, called strategic scenarios. These scenarios are
attack paths that a risk origin can use to reach its target (i.e. one of the RO/
TO pairs selected during workshop 2).

Workshop 3 is to be addressed as a preliminary risk study. This can
lead to identifying the security measures to be applied with regards to the
ecosystem. The strategic scenarios selected in workshop 3 form the base of
operational scenarios for workshop 4.

2 / Participants in the workshop¹⁵

■■ Business teams;
■■ Functional architects;
■■ CISO (Chief Information Security Officer);
■■ A specialist in cybersecurity will possibly supplement your working
group, according to the team's level of knowledge and the desired level
of precision.

15  The team can be supplemented with any person deemed helpful.

3 / Outputs
At the end of the workshop, you must have established and identified the
following elements:
■■ the ecosystem digital threat mapping and the critical stakeholders;
■■ the strategic scenarios;
■■ the security measures chosen for the ecosystem.

4 / Steps of the workshop

This workshop, of variable length, can require one to three half-days¹⁶ in
order to:
a. build the ecosystem digital threat mapping and select the critical
stakeholders;
b. develop strategic scenarios;
c. define the security measures on the ecosystem.

16  The duration of the workshop is suggested as an indication. It does not include the preparatory
and formalisation work to be carried out upstream and downstream.


5 / How to proceed?
To conduct this workshop, you need to know:
■■ the missions and business assets of the studied object (workshop 1);
■■ the feared events and their severity (workshop 1);
■■ the risk origins and target objectives selected (workshop 2);
■■ the mapping of the information system and in particular its ecosystem
view (see note).

Note: the ecosystem view presents the various stakeholders with which
the studied object interacts directly or indirectly in order to perform
its missions and services. For the sake of efficiency, it can be limited to
the interactions associated with the business assets. When possible,
it is in your interest to use an existing mapping and to supplement it
if needed. For more information, you can refer to the mapping guide
proposed by ANSSI.

a. BUILD THE ECOSYSTEM DIGITAL THREAT MAPPING AND SELECT THE
CRITICAL STAKEHOLDERS

A stakeholder is said to be critical when it is likely to form a relevant vector
for attack, due for example to its privileged digital access to the studied object,
its vulnerability or its exposure. A well-informed risk origin (i.e. that knows
the ecosystem of the target) will attempt, following a logic of least effort, to
attack the stakeholder that appears to be the "weakest link". The objective
is therefore to identify these critical stakeholders in order to include them
in the development of strategic scenarios.


You will first assess the threat level induced by each stakeholder of the
ecosystem on the studied object. It is preferable that the assessment of the
stakeholders is based on criteria rather than solely on the judgement of
experts or feedback.

You will then establish the ecosystem digital threat mapping¹⁷ on which all
of the stakeholders of interest have to appear in terms of their threat level
with regards to the studied object.

Finally, you will be able to select the critical stakeholders. Using risk
acceptance thresholds will facilitate this selection work. A simple approach for
creating the digital threat mapping and for selecting the critical
stakeholders is suggested in methodological sheet no. 5. Stakeholders are assessed
here based on the exposure criteria (dependency, penetration) and cyber
reliability (maturity, trust).

17  This tool will facilitate on the one hand selecting the critical stakeholders and on the other hand
identifying the security measures to be implemented and to be written into contracts. The digital
threat mapping is a variant, from a digital risk management standpoint, of the mapping of the
information system. It is useful in conducting many projects and reflects your governance in terms of the
digital risk management of the ecosystem.


EXAMPLE: biotechnology company manufacturing vaccines.

The team has decided to focus initially on the stakeholders external to the
company. It has identified the following stakeholders:

CATEGORY | STAKEHOLDER
Clients | C1 – Healthcare institutions
Clients | C2 – Pharmacies
Clients | C3 – Depositories and wholesale distributors
Partners | P1 – Universities
Partners | P2 – Regulators
Partners | P3 – Laboratories
Service providers | F1 – Industrial chemical suppliers
Service providers | F2 – Production equipment suppliers
Service providers | F3 – IT service provider


The assessment of each stakeholder has made it possible to draw up the
digital threat mapping hereinafter:

[Figure: ecosystem digital threat mapping. The stakeholders are positioned around the studied object by category (Clients: C1 healthcare institutions, C2 pharmacies, C3 depositories and wholesale distributors; Partners: P1 universities, P2 regulators, P3 laboratories; Service providers: F1 industrial chemical suppliers, F2 equipment suppliers, F3 IT service provider) on a threat level scale from 0 to 5, with three concentric zones: watch zone (threshold: 0.2), control zone (threshold: 0.9) and danger zone (threshold: 2.5). Legend: exposure <3, 3-6, 7-9, >9; cyber reliability <4, 4-5, 6-7, >7.]

The team has retained F3 – IT service provider as a critical stakeholder.
Stakeholders P3 and F2 are also selected as critical stakeholders.
The other stakeholders were not retained as critical. After discussion
with the CISO, although P1 and F1 are located in the control zone,
they were not selected by the project manager, in light of the context
and of the nature of the risk origins at stake¹⁸.

18  As indicated in the preamble, it shows that the analysis and the assessment carried out provide
assistance in making decisions, but the latter reverts to project governance which can decide to set
aside such and such threat element for contextual or policy reasons.


b. DEVELOP STRATEGIC SCENARIOS

In the previous step, you constructed the ecosystem digital threat mapping
and selected the critical stakeholders. The objective now is to imagine
realistic high-level scenarios, indicating in what way an attacker could proceed
to reach its target. It could for example go through the ecosystem or divert
some business processes.

These so-called strategic scenarios are identified by deduction. In this
approach, the analysis elements from the previous steps will provide precious
assistance. In order to run this workshop, use as a starting point the RO/TO
pairs selected in workshop 2. Then, for each RO/TO pair, engage the
discussions by asking (yourself) the following questions from the standpoint of
the attacker:
■■ what is the organisation's business asset(s) that I have to aim for in order
to reach my target?
■■ in order to make my attack possible or facilitate it, am I likely to attack
the critical stakeholders of the ecosystem that have privileged access to
the business assets?

Once the most exposed elements have been identified, you can draw up the
strategic scenario stemming from the RO/TO pair by describing the sequencing
of the events generated by the risk origin in order to reach its target.
Infringement on the business assets corresponds to feared events for the studied
object while the events regarding the ecosystem are intermediate events.

Examples of events (intermediate or feared) of a strategic scenario: creation
of an exfiltration channel from the service provider's infrastructure, modification
of a critical parameter of the industrial process (high temperature threshold),
denial of service attack of the cloud service supplier, deletion or alteration of
a database, identity theft of a support service.


Note: the feared events that intervene in the strategic scenarios are
to be found in the list of FEs established during workshop 1.
However, contrary to workshop 1, the FEs here are exploited from the
standpoint of the attacker. As the standpoint is different, the list of
FEs may need to be updated.

You can represent your scenarios in the form of attack graphs or directly on
the ecosystem view of the mapping of the information system by superposing
thereon the attack path(s).

You will then assess the level of severity of each scenario, with regards to the
potential impacts associated with the feared events on the business assets.

Notes
■■ Keep in mind that the end purpose is to identify the most
relevant entry points, dissemination relays and attack vectors, in a
logic of least effort, and to describe them in the form of events
that correspond to intermediate goals for the attacker in order to
reach their target. Avoid however developing strategic scenarios
that are excessively detailed.
■■ In general, one to three attack paths for each RO/TO pair are
enough to explore the relevant risk field. Take care to favour a
variety of scenarios in which different critical stakeholders
intervene and with various categories of business assets.


EXAMPLE: biotechnology company manufacturing vaccines.

The working group addressed first the RO/TO pair "A competitor wants to
steal information by spying on the R&D work in order to obtain a
competitive advantage" (see workshop 2). The three attack paths hereinafter were
deemed relevant.

The competitor steals the research work:
1. by creating a data exfiltration channel that directly affects R&D's
information system;
2. by creating a data exfiltration channel on the laboratory's information
system, that holds a portion of the work (stakeholder P3 identified as a
critical stakeholder in the previous step);
3. by creating a data exfiltration channel passing through the IT service
provider (critical stakeholder F3).

The associated strategic scenario is shown hereinafter. It is of severity 3
(serious) according to the scoring carried out during workshop 1 on the
feared events.

[Figure: strategic scenario of the competitor, drawn across the ECOSYSTEM and the BIOTECHNOLOGY COMPANY. The competitor reaches the R&D information (a portion of which is held by the laboratory) through a direct exfiltration channel, an exfiltration channel via the laboratory (P3) and an exfiltration channel via the IT service provider (F3).]


Then the working group focussed on the RO/TO pair: "A hacktivist
organisation wants to sabotage the next national vaccination campaign by
disturbing the production or the distribution of vaccines, in order to generate a
psychological shock on the population and discredit public authorities". Two
attack paths were identified as relevant.

The hacktivist disturbs the production or the distribution of the vaccines:
1. by causing an interruption of industrial production by compromising the
maintenance equipment of the equipment supplier F2 (consequence:
the manufacture of the vaccines is highly disturbed);
2. by modifying the labelling of the vaccines (consequence: the vaccines
are not delivered to the correct location).

The associated strategic scenario is shown hereinafter. It is of severity 4
(critical) according to the scoring carried out during workshop 1, as the most
unfavourable case is considered since the incident occurs during the peak of
an epidemic and lasts more than one week.

[Figure: strategic scenario of the hacktivist, drawn across the ECOSYSTEM and the BIOTECHNOLOGY COMPANY. The hacktivist reaches the production of vaccines by compromising the maintenance tool of the equipment supplier (F2), leading to failure and stoppage of the production line, and by alteration of the labelling.]


In summary, two strategic scenarios were selected:

Risk origin: Competitor
  Target objective: Steal information by spying on the R&D work in order to
  obtain a competitive advantage.
  Strategic attack paths: Three attack paths to be investigated. A competitor
  steals research work by creating a data exfiltration channel:
  1. directly affecting R&D's information system;
  2. on the information system of the laboratory (P3), that holds a portion
  of the work;
  3. passing through IT service provider (F3).
  Severity: 3 (Serious)

Risk origin: Hacktivist
  Target objective: Sabotage the next national vaccination campaign in order
  to generate a psychological shock on the population and discredit the
  public authorities.
  Strategic attack paths: Two attack paths to be investigated. A hacktivist
  disturbs the production or the distribution of vaccines:
  1. by causing an interruption of industrial production by compromising
  the maintenance equipment of the equipment supplier (F2);
  2. by modifying the labels of the vaccines.
  Severity: 4 (Critical)


c. DEFINE SECURITY MEASURES ON THE ECOSYSTEM

The work carried out previously may have brought to light structural
vulnerabilities linked to the internal and external stakeholders, that attackers will
try to exploit in order to achieve their purposes. You may have also identified
a scenario in which your organisation would be affected collaterally by
a cyberattack targeting one of your partners. The aim of the last step of
workshop 3 is to look for ways to reduce these risks and to translate them
into security measures.

The purpose of the security measures is to reduce the intrinsic threat level
induced by the critical stakeholders (example: reduce the dependency on a
subcontractor)¹⁹. They can also act on the unfolding of strategic scenarios.

Note: the security measures will likely have an impact on the governance
of your organisation, and even on that of your external stakeholders.
Consequently, a decision from management is to be anticipated.

19  Simple rules are suggested in methodological sheet no. 6.


EXAMPLE: biotechnology company manufacturing vaccines.

Security measures have been defined in priority for the service providers
F2, F3 and P3. The latter are indeed involved in strategic scenarios that are
particularly problematic.

Stakeholder: F2 – Equipment suppliers
  Strategic attack path: interruption of production by compromising the
  maintenance equipment.
  Security measures: reduce the risk of booby-trapping the maintenance
  equipment used on the industrial system. Allocation of maintenance
  equipment administered by the IT department / Information management
  team and that will be made available to the service provider on the site
  (makes it possible to reduce the penetration of suppliers from 3 to 2).
  Initial threat: 2. Residual threat: 1.3.

Stakeholder: F3 – IT service provider
  Strategic attack path: information theft by passing through the IT service
  provider.
  Security measures: increase the cyber maturity of the service provider
  (2 --> 3):
  ■■ security audit (to be included in the contract);
  ■■ following of the internal action plan.
  Reinforce the protection of R&D data. Solutions to be investigated:
  encryption, partitioning of the R&D network.
  Initial threat: 3. Residual threat: 2.

Stakeholder: P3 – Laboratories
  Strategic attack path: information theft on the information system of the
  laboratory.
  Security measures: decrease the penetration of the laboratories (3 --> 2):
  limiting the data transmitted to the laboratories to the bare minimum
  needed (current bad habit of distributing "everything").
  Initial threat: 2.25. Residual threat: 1.5.

Applying the objectives hereinabove should make it possible within 9 to 12
months to reduce the risk, with a residual digital threat mapping as follows:


[Figure: INITIAL and RESIDUAL digital threat mappings. Both views show Clients, Partners (P3) and Service providers (F3, F2) around the studied object on the 0 to 5 threat level scale; in the RESIDUAL view, F2, F3 and P3 appear at their reduced residual threat levels. Legend: exposure <3, 3-6, 7-9, >9; cyber reliability <4, 4-5, 6-7, >7.]
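The arithmetic behind the stakeholder assessment of step a and the initial/residual threat figures of the example above, as an added example (not code from the ANSSI guide): it applies the threat level formula of the method's methodological sheet no. 5, which this page refers to but does not reproduce, threat level = (dependency × penetration) / (maturity × trust) with each criterion rated 1 to 4, together with the page's zone thresholds (0.2, 0.9, 2.5). The dependency and trust ratings are constructed so that the results reproduce the page's F2, F3 and P3 figures; only the penetration and maturity changes come from the page.

```python
"""EBIOS RM ecosystem threat level (workshop 3, methodological sheet no. 5).

    exposure          = dependency x penetration
    cyber reliability = maturity   x trust
    threat level      = exposure / cyber reliability
"""
from dataclasses import dataclass, replace

# Zone thresholds of the page's digital threat mapping, as lower bounds.
ZONES = (("danger", 2.5), ("control", 0.9), ("watch", 0.2))

CRITERIA = ("dependency", "penetration", "maturity", "trust")


@dataclass(frozen=True)
class Stakeholder:
    """One ecosystem stakeholder with its four ratings on a 1-4 scale."""
    name: str
    dependency: int   # exposure criterion
    penetration: int  # exposure criterion
    maturity: int     # cyber reliability criterion
    trust: int        # cyber reliability criterion

    def __post_init__(self) -> None:
        for crit in CRITERIA:
            value = getattr(self, crit)
            if not 1 <= value <= 4:
                raise ValueError(f"{self.name}: {crit} must be 1..4, got {value}")

    @property
    def exposure(self) -> int:
        return self.dependency * self.penetration

    @property
    def cyber_reliability(self) -> int:
        return self.maturity * self.trust

    @property
    def threat_level(self) -> float:
        return self.exposure / self.cyber_reliability


def zone(threat_level: float) -> str:
    """Name the zone a threat level falls in; below the watch threshold is 'none'."""
    for name, lower_bound in ZONES:
        if threat_level >= lower_bound:
            return name
    return "none"


def apply_measure(stakeholder: Stakeholder, **new_ratings: int) -> Stakeholder:
    """Return the stakeholder after a measure changes one or more ratings,
    e.g. penetration=2 for 'reduce the penetration from 3 to 2'."""
    unknown = set(new_ratings) - set(CRITERIA)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    return replace(stakeholder, **new_ratings)


def residual_report(initial: Stakeholder, residual: Stakeholder) -> dict:
    """Initial and residual threat levels (rounded to 2 decimals) with their zones."""
    return {
        "name": initial.name,
        "initial": round(initial.threat_level, 2),
        "initial_zone": zone(initial.threat_level),
        "residual": round(residual.threat_level, 2),
        "residual_zone": zone(residual.threat_level),
    }


# CONSTRUCTED ratings: dependency and trust are chosen so that the threat
# levels match the page (F2: 2 -> 1.3, F3: 3 -> 2, P3: 2.25 -> 1.5).
F2 = Stakeholder("F2 - Equipment suppliers", dependency=2, penetration=3, maturity=1, trust=3)
F3 = Stakeholder("F3 - IT service provider", dependency=3, penetration=4, maturity=2, trust=2)
P3 = Stakeholder("P3 - Laboratories", dependency=3, penetration=3, maturity=2, trust=2)

# Measures as stated on the page: F2 and P3 reduce penetration 3 -> 2,
# F3 raises the provider's cyber maturity 2 -> 3.
MEASURES = {
    F2.name: {"penetration": 2},
    F3.name: {"maturity": 3},
    P3.name: {"penetration": 2},
}


def residual_mapping(stakeholders=(F2, F3, P3), measures=MEASURES) -> list:
    """Initial vs residual threat level for every stakeholder, measures applied."""
    reports = []
    for s in stakeholders:
        residual = apply_measure(s, **measures.get(s.name, {}))
        reports.append(residual_report(s, residual))
    return reports


if __name__ == "__main__":
    for r in residual_mapping():
        print(f"{r['name']:<26} {r['initial']:>5} ({r['initial_zone']}) -> "
              f"{r['residual']:>5} ({r['residual_zone']})")
```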


WORKSHOP 4 – OPERATIONAL SCENARIOS
1 / Objectives of the workshop
The objective of workshop 4 is to build operational scenarios. They diagram
the methods of attack that the risk origins could use to carry out the
strategic scenarios. This workshop adopts an approach similar to the one of the
preceding workshop but focuses on the supporting assets. The operational
scenarios obtained are assessed in terms of likelihood. At the end of this
workshop, you will create a summary of all of the risks of the study.

The period to be considered for this workshop is the one of the operational
cycle.

2 / Participants in the workshop²⁰

■■ CISO;
■■ IT department/Information management team;
■■ A specialist in cybersecurity will possibly supplement the working
group, according to the team's level of knowledge and the desired level
of precision.

3 / Outputs
At the end of the workshop, you must have established:
■■ the list of operational scenarios and their likelihood.

20  The team can be supplemented with any person deemed useful.


4 / Steps of the workshop
This workshop, of variable length, can require one to three half-days²¹ in
order to:
a. develop the operational scenarios;
b. assess their likelihood.

5 / How to proceed?
To conduct this workshop, you need to know:
■■ the missions, business assets and supporting assets related to the studied
object (workshop 1);
■■ the security baseline (workshop 1);
■■ the risk origins and target objectives selected (workshop 2);
■■ the strategic scenarios selected (workshop 3);
■■ the application and logical infrastructure views of the mapping of the
IT system.

a. DEVELOP THE OPERATIONAL SCENARIOS

A successful attack is often the fruit of exploiting several flaws. Intentional
attacks generally follow a sequenced approach, which exploits in a
coordinated manner several vulnerabilities of an IT, organisational or physical
nature. Such an approach based on the simultaneous exploitation of separate
flaws can have heavy consequences even though the exploited vulnerabilities
may seem insignificant when they are considered individually.

21  The duration of the workshop is suggested as an indication. It does not include the preparatory
and formalisation work to be carried out upstream and downstream.


The operational scenarios defined in this workshop can be structured
according to a typical attack sequence. Several models²² exist and can be used
(example: the cyber kill chain model from Lockheed Martin). The approach
must allow you to identify the critical supporting assets that can be used as
vectors for entry or exploitation or as a propagation relay for the modelled
attack. During workshop 5, the security measures will naturally concern these
more particularly targeted supporting assets. However, the other supporting
assets can inherit these measures.

Construct the operational scenarios by using as a base the strategic scenarios
selected in workshop 3 and by using the mapping of the IT system. A good
approach consists in representing your scenarios in the form of graphs or
attack diagrams, useful for representing the attacker's methods of attack.
You can use methodological sheet no. 7 in order to carry out this step.

Note: each strategic attack path selected in workshop 3 corresponds to
an operational scenario that allows the risk origin to reach its target.

The diagram hereinafter shows the typical method of attack for a so-called
"waterhole" attack of which the objective is to allow a risk origin to establish
a data exfiltration channel.

22  A typical model is suggested in methodological sheet no. 7.


[Figure 4 — Illustration of a so-called "waterhole" attack diagram. Stages shown: (1) the attacker takes control of a victim or third-party Internet site and deposits booby-trapped iframes; (2) a visit to the site redirects, via the iframe, to malware; infection and opening of a backdoor on the work stations of the victim; (4) taking control and depositing attack tools; (5) propagation of the infection; (6) key elements of the internal network (domain controller, message system, directory, file server...); data exfiltration from the victim to an exfiltration server.]


Note: in your operational scenarios, adjust the granularity of the
method of attack in terms of the maturity of the organisation and the
depth of analysis sought. This variable geometry approach makes it
possible to include macroscopic elementary actions (example: attack
of the "WannaCry" type) or more refined actions according to the
level of detail desired for the sequence of the studied scenario or the
sensitivity of the group of supporting assets considered.

In order to avoid an excessive quantity of combinations of attack
methods, give priority to those of least effort for the risk origin and
which solicit a representative panel of the supporting assets present
in the organisation.

EXAMPLE: biotechnology company manufacturing vaccines.

The project team has decided to represent the operational scenarios in the
form of attack graphs. It decided to focus on carrying out a first operational
scenario corresponding to a strategic attack path identified in workshop 3.

Operational scenario relative to the attack path "A competitor steals research
work by creating a data exfiltration channel that directly concerns the
information system of R&D (of the biotechnology company)":


[Attack graph in four phases: KNOWING, ENTERING, FINDING, EXPLOITING.
Knowing: open source external reconnaissance; advanced external reconnaissance.
Entering: intrusion via a pre-existing access channel (1); intrusion via a phishing email on the HR department; intrusion via the Work Council site (waterhole); corruption of the personnel of the R&D team (2); corruption of a premises maintenance service provider and booby-trapped USB key in an R&D station (3).
Finding: internal reconnaissance of office environment and IT networks, Paris site; lateralisation to the R&D LAN network.
Exploiting: exploiting malware for collection and exfiltration; creation and maintaining of an exfiltration channel via an Internet station; theft and exploitation of R&D data.]


The project team has studied several access techniques, among which collusion
actions, that allow the attacker to enter the IT system. The exploiting of any
pre-existing channel was considered after the feedback from the CISO, but
remains to be further investigated. If such a hidden channel exists, then it
could also be used as an exfiltration channel (dotted arrow). Three methods of
attack were deemed relevant.

1. The attacker gets into the information system via a targeted attack on the
message system of the human resources department, by booby-trapping
the website of the works council or by exploiting a pre-existing hidden
channel. The attacker then accesses the strategic R&D data, due in
particular to the absence of partitioning between the internal networks,
then exfiltrates it by using the hidden channel or even a legitimate channel.

2. The attacker corrupts an employee of the R&D team who then easily
recovers the information from his work station, since no supervision
measure or action is carried out.

3. The attacker corrupts a member of the premises maintenance personnel
and asks that person to plug a USB key, booby-trapped beforehand, into an
R&D workstation. This operation is facilitated by the fact that the
maintenance of the premises takes place outside working hours, the
maintenance personnel has free access to the research department, and
the USB ports are not subjected to any restrictions.

During the workshop, it was noted many times that the current lack of
rigour in applying security patches substantially facilitated the exploitation
of vulnerabilities.


b. ASSESS THE LIKELIHOOD OF OPERATIONAL SCENARIOS

For each operational scenario, you will assess its overall likelihood, which
reflects its probability of success or its feasibility.

Note: you may recall that the severity of the operational scenario
corresponds to the severity of the associated strategic scenario, assessed
during workshop 3.

Begin by assessing the elementary likelihood of each elementary action
of your scenario. The latter can be estimated according to the judgement of
an expert or using metrics. The assessment confronts on the one hand the
assumed resources and motivation of the risk origin and, on the other hand,
the security baseline of the studied object and the level of vulnerability of
the ecosystem (exposed attack surface, structural and organisational
vulnerabilities, capacities for detecting and reacting, etc.).

Then assess the overall likelihood of the scenario using elementary
likelihoods. The assessment can, for example, focus on the method of attack of
least effort for the risk origin. You can refer to methodological sheet no. 8
in order to carry out this assessment.

Note: you can also conduct a direct assessment of the overall likelihood
of the scenario, without going through a detailed scoring of the
elementary actions. Consider for example the likelihood of the various
methods of attack as a whole. This express method however loses
precision compared to assessing elementary likelihoods.


EXAMPLE  : biotechnology company manufacturing vaccines.

The five operational scenarios were developed during the preceding step by
the project team (they will not be shown again here). They were assessed
according to their level of likelihood, based on the following scoring grid:

OVERALL LIKELIHOOD SCALE OF AN OPERATIONAL SCENARIO

SCALE                  DESCRIPTION
V4 – Nearly certain    The risk origin will certainly reach its target objective by one of the considered methods of attack. The likelihood of the scenario is very high.
V3 – Very likely       The risk origin will probably reach its target objective by one of the considered methods of attack. The likelihood of the scenario is high.
V2 – Likely            The risk origin could reach its target objective by one of the considered methods of attack. The likelihood of the scenario is significant.
V1 – Rather unlikely   The risk origin has little chance of reaching its objective by one of the considered methods of attack. The likelihood of the scenario is low.

STRATEGIC ATTACK PATHS (ASSOCIATED WITH OPERATIONAL SCENARIOS)   OVERALL LIKELIHOOD

A competitor steals research work by creating a data exfiltration channel that directly concerns R&D's information system   V3 – Very likely
A competitor steals research work by creating a data exfiltration channel on the laboratory's IT system, which holds a part of the work   V2 – Likely
A competitor steals research work by creating a data exfiltration channel passing through the IT service provider   V4 – Nearly certain
A hacktivist disturbs the production of vaccines by provoking a stoppage of industrial production by compromising the maintenance equipment of the equipment supplier   V2 – Likely
A hacktivist disturbs the distribution of vaccines by modifying their labelling   V1 – Rather unlikely

The theft of R&D research data through the IT service provider is considered
nearly certain: on the one hand, the service provider in question has high
access rights to the biotechnology company's IT system and, on the other hand,
the security of its own IT system is weak. The combination of these aggravating
factors makes an intrusion and exfiltration operation very easy for an attacker
with a minimal commitment of resources.

The theft of data via direct exfiltration is considered very likely in light of
the many technical and organisational vulnerabilities observed in the
organisation: users who are hardly informed of digital risks (example: phishing),
a works council website that is easily accessed from the Internet, security
maintenance that is almost non-existent, networks that are not partitioned and
that are administered from stations connected to the Internet, unsupervised
outgoing flows, and R&D data that is not protected and is centralised on a server
that can easily be identified.

Note: during the elaboration of operational scenarios in this workshop, you may
be led to update or supplement the strategic scenarios of workshop 3, for
example if you identify a vulnerability that affects a stakeholder that was not
considered, or an alternative method of attack that you did not think of. The
participants in workshop 3 can then choose whether or not to retain the
propositions put forth. Workshops 3 and 4 thus feed each other over successive
iterations. Ensure, however, that you do not exceed two iterations, in order to
avoid complicating the analysis.

WORKSHOP 5 – RISK TREATMENT

1 / Objectives of the workshop
The purpose of this workshop is to create a summary of the risk scenarios
identified and to define a risk treatment strategy. This strategy results in the
definition of security measures, listed in a security continuous improvement
plan (SCIP). The residual risks are then identified, as well as the framework
for monitoring these risks.

2 / Participants in the workshop [23]
The participants are the same as those for workshop 1:
■ Top management;
■ Business teams;
■ CISO;
■ IT department/Information management team.

3 / Outputs
At the end of the workshop, you must have defined the following elements:
■ the risk treatment strategy;
■ the summary of residual risks;
■ the security continuous improvement plan;
■ the framework for monitoring risks.

[23] The team can be supplemented with any person deemed useful.

4 / Steps of the workshop
This workshop, of variable length, can require two to four half-days of work [24]
in order to:
a. create the summary of the risk scenarios;
b. define the risk treatment strategy and the security measures;
c. assess and document the residual risks;
d. set up the framework for monitoring risks.

5 / How to proceed?
To conduct this workshop, you need to know:
■ the security baseline (workshop 1);
■ the strategic scenarios (workshop 3);
■ the security measures regarding the ecosystem (coming from workshop 3);
■ the operational scenarios (workshop 4).

a. CREATE A SUMMARY OF RISK SCENARIOS

First create a summary of the risk scenarios identified. A simple representation
of these scenarios will facilitate their use in what follows.

These scenarios are most often positioned on a grid, a radar [25] or a Farmer
diagram according to their levels of severity and likelihood. All of the
representations adopted will form your initial risk mapping, i.e. before
treatment.

[24] The duration of the workshop is suggested as an indication. It does not include the preparatory
and formalisation work to be carried out upstream and downstream.
[25] Kiviat diagram.

EXAMPLE: biotechnology company manufacturing vaccines.

Initial risk mapping (severity vs. likelihood):

SEVERITY
   4 |  R5  |  R4  |      |
   3 |      |  R2  |  R1  |  R3
     +------+------+------+------
        1      2      3      4    LIKELIHOOD

Risk scenarios:
R1: A competitor steals R&D information through a direct exfiltration channel
R2: A competitor steals R&D information by exfiltrating information held by the laboratory
R3: A competitor steals R&D information through an exfiltration channel via the IT service provider
R4: A hacktivist provokes the stoppage of the production of vaccines by compromising the maintenance equipment of the equipment supplier
R5: A hacktivist disturbs the distribution of vaccines by modifying their labelling

We suggest that you refine this summary work by representing your risk
scenarios by risk origin and target objective (or according to any other
criterion that seems relevant to you). The objective is to find differentiated
analysis angles that help you understand and identify the most critical risk
zones.

Note: covering the feared events identified in workshop 1 is an aspect to be
considered in the summary work that you are conducting. This entails checking
that no feared event (FE) of substantial severity, and the underlying business
assets, was left aside, which would create a blind spot in the risk assessment.
Review all of the FEs from workshop 1 and identify those that were not
addressed in a risk scenario: according to their severity and the business
assets concerned, you can then decide to conduct an iteration of workshops 2,
3 and 4 in order to supplement the list of risk scenarios. Draw up as needed a
coverage matrix between the feared events from workshop 1 and the risk
scenarios treated in the risk assessment.

b. DECIDE THE RISK TREATMENT STRATEGY AND DEFINE THE SECURITY MEASURES

For each risk scenario, agree on acceptance thresholds of the risk and level of
security to be achieved in case of non-acceptance. This decision is formalised
in the risk treatment strategy. We recommend the following acceptance
classes, commonly used in risk management.

RISK LEVEL   ACCEPTABILITY OF THE RISK   DESCRIPTION OF THE DECISIONS AND ACTIONS
Low          Acceptable as is            No action is to be undertaken.
Moderate     Tolerable under control     A follow-up in terms of risk management is to be conducted and actions are to be set up in the framework of continuous improvement over the medium and long term.
High         Unacceptable                Measures for reducing the risk must absolutely be taken in the short term. Otherwise, all or a portion of the activity will be refused.

It is possible, for example, to represent the risk treatment strategy according
to the diagram hereinafter:

EXAMPLE: biotechnology company manufacturing vaccines.

Risk treatment strategy diagram (severity vs. likelihood):

SEVERITY
   4 |  R5  |  R4  |      |
   3 |      |  R2  |  R1  |  R3
     +------+------+------+------
        1      2      3      4    LIKELIHOOD

Risk scenarios:
R1: A competitor steals R&D information through a direct exfiltration channel
R2: A competitor steals R&D information by exfiltrating information held by the laboratory
R3: A competitor steals R&D information through an exfiltration channel via the IT service provider
R4: A hacktivist provokes a stoppage of the production of vaccines by compromising the maintenance equipment of the equipment supplier
R5: A hacktivist disturbs the distribution of vaccines by modifying their labelling

Once the treatment strategy is validated for each scenario, define the
associated security measures to treat it. These can be ad hoc measures linked
to the context of use and threat, or reinforced versions of measures included
in the security baseline. They supplement the measures on the ecosystem
identified in workshop 3.

The identification of the risk treatment measures must result from the
strategic and operational scenarios. Run through each scenario and ask
yourself the following question: for which elementary phases or actions would
it be relevant to reinforce security, in order to make the task more difficult
for an attacker and reduce their probability of success? In an asset-centred
analysis, give priority to securing the elementary actions whose likelihood is
the highest, as well as the strategic or operational nodes through which the
risk origin could pass. This entails giving priority to securing the critical
supporting assets involved.

Document all of these treatment measures in a security continuous improvement
plan (SCIP), scheduled over time and structured [26]. Each measure is associated
with the person responsible, the main obstacles and difficulties for
implementation, the cost and the timeframe. The SCIP favours raising the
security maturity level of the organisation's IT system and allows for a
progressive management of the residual risks.

[26] Methodological sheet no. 9 proposes a typical structure for security measures.

EXAMPLE: biotechnology company manufacturing vaccines.

SECURITY MEASURE | ASSOCIATED RISK SCENARIOS | PERSON RESPONSIBLE | OBSTACLES AND DIFFICULTIES FOR IMPLEMENTATION | COST / COMPLEXITY | TIMEFRAME | STATUS

GOVERNANCE
Reinforced awareness of phishing by a specialised service provider | R1 | CISO | Validation from the Industrial Health and Safety Committee is indispensable | + | 6 months | In progress
Technical and organisational security audit of the entire office environment IS by an audit service provider for information system security | R1, R5 | CISO | – | ++ | 3 months | To be launched
Integration of a warranty clause of a satisfying security level into contracts between providers and laboratories | R2, R3, R4 | Legal team | Carried out as the contracts are renegotiated | ++ | 18 months | In progress
Setting up of a procedure for reporting any security incident that takes place at the service provider's or at a laboratory | R2, R3, R4 | CISO / Legal team | – | ++ | 6 months | To be launched
Organisational security audit of the key service providers and laboratories. Setting up and following up of consecutive action plans | R2, R3, R4 | CISO | Acceptance of the approach by the service providers and laboratories | ++ | 6 months | To be launched
Limiting the data transmitted to the laboratories to the strict minimum needed | R2 | R&D team | – | + | 3 months | Completed

PROTECTION
Reinforced protection of the R&D data on the IS (solutions: encryption, partitioning) | R1, R3 | IT department | – | +++ | 9 months | In progress
Reinforcing of the physical access control to the R&D office | R1 | Security team | – | ++ | 3 months | Completed
Allocation of maintenance equipment administered by the IT department and that will be made available to the service provider on the site | R4 | IT department | – | ++ | 9 months | To be launched
Reinforcing of the security of the industrial system according to ANSSI recommendations | R4, R5 | CISO / IT department / Security | Strategy and action plan to be defined and validated | +++ | 12 months | To be launched
Encryption of the data exchanges with the laboratories | R2 | IT department | Identifying the encryption product and getting it accepted by the laboratories | ++ | 9 months | To be launched

DEFENCE
Reinforced management of the incoming and outgoing flows (IDS probe). Analysis of event logs using a tool. | R1 | IT department | Purchase of a tool, budget to be allocated | ++ | 9 months | To be launched

RESILIENCE
Reinforcement of the business continuity plan | R4, R5 | Business continuity team | – | ++ | 6 months | In progress

c. ASSESS AND DOCUMENT THE RESIDUAL RISKS

The assessment of the residual risks (RR) takes place after applying the
treatment measures defined in the preceding step. You can for example
document the residual risks according to the following model:

RR01 — DESCRIPTION OF THE RESIDUAL RISK: […]

Description and analysis of the residual risk:
■ Summary description (including the feared impacts)
■ Residual vulnerabilities that can be exploited by the risk origin
■ Other aggravating causes or factors (negligence, error, combination of circumstances, etc.)

Feared events concerned:
■ Feared event 1
■ Feared event 2
■ […]

Existing and additional risk treatment measures:
■ Measure 1
■ Measure 2
■ […]

Assessment of the residual risk:
Initial severity:      Initial likelihood:      Initial risk level:
Residual severity:     Residual likelihood:     Residual risk level:

Management of the residual risk:
■ Particular measures for monitoring and controlling the residual risk.

We recommend that you represent the residual risks in the same way as the
initial risk mapping. The residual risk mapping thus obtained can then be used
as a reference when the formal review of the risks has to be conducted (during
an accreditation commission meeting, for example). It forms a decision-support
tool for accepting residual risks.

Note: do not hesitate to associate a residual risk mapping with each major
milestone of the security improvement plan (T0+3 months, T0+6 months, etc.).
You can thus present your senior management or an accreditation commission
with the evolution of the residual risks over time, in view of the actions
implemented.

EXAMPLE: biotechnology company manufacturing vaccines.

Initial risk mapping (before treatment):

SEVERITY
   4 |  R5  |  R4  |      |
   3 |      |  R2  |  R1  |  R3
     +------+------+------+------
        1      2      3      4    LIKELIHOOD

Residual risk mapping (after treatment):

[Figure: residual risk mapping on the same severity/likelihood grid, showing R4 and R5 at severity 4 and R2, R1 and R3 at severity 3.]

The management has decided to maintain the risk R3 at a high residual level,
despite the application of the planned remedial measures. This risk is indeed
considered particularly problematic, as the IT service provider is rather
opposed to setting up security measures, which would entail a profound change
in its working methods. The solution considered for controlling this risk would
therefore consist in taking a stake in the capital of this service provider in
order to change its governance in terms of digital security, or in changing
service providers.

On the other hand, the top management wants to place under surveillance the
bioterrorist threat, which is currently deemed not very relevant (see
workshop 2) but which it sees as a major concern.
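The acceptance classes of step b and the initial and residual risk mappings of step c, as an added example that is not part of the guide: the risk level as the product of severity and likelihood and the acceptability thresholds are assumptions (the guide leaves them to the organisation), the severity and initial likelihood values are read off the case study's initial risk mapping, and the residual likelihoods are constructed.

```python
"""Initial and residual risk mapping with the acceptance classes of workshop 5.

Added example, not from the EBIOS Risk Manager guide. Assumptions: the risk
level is the product of severity and likelihood on the 1..4 scales, and the
acceptance thresholds are low <= 4, moderate <= 8, high > 8. The case study's
severities and initial likelihoods are read off the guide's initial risk
mapping; the residual likelihoods are constructed.
"""
from dataclasses import dataclass, replace

SCALE = (1, 2, 3, 4)


@dataclass(frozen=True)
class RiskScenario:
    ident: str
    description: str
    severity: int    # 1..4, from the strategic scenario (workshop 3)
    likelihood: int  # 1..4, from the operational scenario (workshop 4)

    def __post_init__(self):
        if self.severity not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"{self.ident}: severity and likelihood must be in 1..4")


def risk_level(severity: int, likelihood: int) -> int:
    """Risk level combining severity and likelihood (assumed: their product, 1..16)."""
    return severity * likelihood


def acceptability(level: int) -> str:
    """The guide's three acceptance classes; the thresholds are an assumption."""
    if level <= 4:
        return "acceptable as is"
    if level <= 8:
        return "tolerable under control"
    return "unacceptable"


def treatment_strategy(scenarios: list[RiskScenario]) -> dict[str, str]:
    """Risk treatment strategy: the acceptability decided for each scenario."""
    return {s.ident: acceptability(risk_level(s.severity, s.likelihood)) for s in scenarios}


def farmer_grid(scenarios: list[RiskScenario]) -> str:
    """Text rendering of the severity x likelihood grid used for the risk mapping."""
    lines = ["SEVERITY"]
    for sev in reversed(SCALE):
        cells = []
        for lik in SCALE:
            ids = [s.ident for s in scenarios if s.severity == sev and s.likelihood == lik]
            cells.append(" ".join(ids).ljust(6))
        lines.append(f"   {sev} | " + " | ".join(cells))
    lines.append("       " + "   ".join(f"{lik:<6}" for lik in SCALE) + "LIKELIHOOD")
    return "\n".join(lines)


def apply_measures(scenarios: list[RiskScenario],
                   residual_likelihood: dict[str, int]) -> list[RiskScenario]:
    """Residual risks after the SCIP: likelihood lowered where a measure applies
    (severity, tied to the business impact, is left unchanged here)."""
    return [replace(s, likelihood=residual_likelihood.get(s.ident, s.likelihood))
            for s in scenarios]


def risks_needing_explicit_acceptance(residual: list[RiskScenario]) -> list[str]:
    """Scenarios still unacceptable after treatment: they need an explicit
    decision by management or the accreditation commission, as R3 does in the
    case study, and particular monitoring in the residual risk sheet."""
    return [s.ident for s in residual
            if acceptability(risk_level(s.severity, s.likelihood)) == "unacceptable"]


# Case study values read off the guide's initial risk mapping.
INITIAL = [
    RiskScenario("R1", "competitor steals R&D information through a direct exfiltration channel", 3, 3),
    RiskScenario("R2", "competitor steals R&D information held by the laboratory", 3, 2),
    RiskScenario("R3", "competitor steals R&D information via the IT service provider", 3, 4),
    RiskScenario("R4", "hacktivist stops vaccine production via the supplier's maintenance equipment", 4, 2),
    RiskScenario("R5", "hacktivist disturbs vaccine distribution by modifying labelling", 4, 1),
]
# Constructed residual likelihoods once the SCIP measures are applied; R3 is
# left unchanged because the service provider resists the planned measures.
RESIDUAL_LIKELIHOOD = {"R1": 2, "R2": 1, "R4": 1}

if __name__ == "__main__":
    print(farmer_grid(INITIAL))
    print(treatment_strategy(INITIAL))
    residual = apply_measures(INITIAL, RESIDUAL_LIKELIHOOD)
    print(farmer_grid(residual))
    print("to be accepted explicitly:", risks_needing_explicit_acceptance(residual))
```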

d. SET UP THE FRAMEWORK FOR MONITORING RISKS

The management of the risks, and in particular their monitoring, must be based
on steering indicators, in order for example to ensure that security is
maintained over time. These indicators make it possible to verify the
effectiveness of the measures taken and their suitability with regard to the
state of the threat.

Once these indicators are listed, define or refine the continuous improvement
process for security and the related governance (organisation, roles and
responsibilities, associated committees). It is recommended to form a steering
committee that meets every six months during the ramp-up phase, or every twelve
months at cruising speed, in order to ensure follow-up of the indicators,
progress with the SCIP and the evolution of the risks.

Updating the risk study is done in compliance with the scheduled strategic and
operational cycles. In case of major events questioning the relevance of the
scenarios (emergence of a new threat, significant change in the ecosystem or in
the studied object, etc.), the latter will be updated at the appropriate level.

Bibliography

International Organization for Standardization, ISO 31000:2018 – Risk management – Principles and guidelines. ISO, February 2018.

International Organization for Standardization, ISO 27001:2013 corr. 2 (2015) – Information security management systems – Requirements. ISO, 2015.

International Organization for Standardization, ISO 27002:2013 corr. 2 (2015) – Code of good practices for information security management. ISO, 2015.

International Organization for Standardization, ISO 27005:2011 – Information security risk management. ISO, June 2011.

ANSSI, IT hygiene guide – 42 measures to reinforce your IT system's security. Guide, September 2017.

ANSSI, Map of the information system – Guide to drawing up in 5 steps. Guide, 2018.

ANSSI, Guides on cybersecurity for Industrial Systems. Guides, January 2014 and October 2016 for the case study.

Terms and definitions

ATTACK PATH
Sequence of events going from a risk origin to its target objective, passing
through the ecosystem and the business assets of the studied object. Attack
paths are worked out in the strategic scenarios (workshop 3).

ATTACK SURFACE
All of the supporting assets on which the studied object is based or
which interact with the latter, that could be used to carry out an attack.
The higher the number of supporting assets or the more the latter
have vulnerabilities that can be exploited by an attacker, the larger
the attack surface.

BUSINESS ASSET
In the framework of the study, an important component for the organisation
accomplishing its mission. This can be a service, a support function, a step in
a project and any related information or know-how.
EXAMPLES: on-line back-up or reservation cancellation service, client
information, supervision service, results of R&D work, personal data,
deployment phase of a project, know-how in designing aeronautical parts.
Notes:
■ business assets represent the information assets that a risk origin would be
interested in attacking in order to harm the studied object;
■ in EBIOS 2010, this corresponds to the essential assets.

CRITICAL STAKEHOLDER
Stakeholder of the ecosystem that is likely to form a privileged vector for
attack, due for example to its privileged digital access to the studied object,
its vulnerability or its exposure to the risk. The critical stakeholders are
identified in the ecosystem digital threat mapping.

CRITICAL SUPPORTING ASSET
Supporting asset that is deemed to be very likely to be targeted by a
risk origin attempting to reach its target. Critical supporting assets are
those that appear in the operational scenarios.

DENIAL OF SERVICE
A denial of service attack aims to render one or several services unavailable
via the exploitation, for example, of a software or hardware vulnerability. The
term distributed denial of service (or DDoS) is used when the attack makes use
of a network of machines – most of the time compromised – in order to interrupt
the targeted service or services.

ECOSYSTEM
All of the stakeholders with interactions with the studied object. Interaction
means any relationship that takes place in the normal operation of the studied
object. The risk origins are not considered a priori as stakeholders, unless
they can affect the operation of the studied object.

ECOSYSTEM DIGITAL THREAT MAPPING
Visual representation (example: radar) of the digital threat level of the
stakeholders of the ecosystem with regard to the studied object.

ELEMENTARY ACTION
Unitary action executed by a risk origin on a supporting asset in the framework
of an operational scenario.
EXAMPLES: exploiting a vulnerability, sending a booby-trapped email, erasing
traces, escalating privileges.

ELEMENTARY LIKELIHOOD
Likelihood of an elementary action identified in an operational scenario. It
can be determined by the judgement of an expert or using scales. The assessment
confronts, on the one hand, the assumed resources and motivation of the risk
origin and, on the other hand, the security baseline of the studied object and
the level of vulnerability of the ecosystem (exposed attack surface, structural
and organisational vulnerabilities, capacities for detecting and reacting, etc.).

FEARED EVENT
A feared event is associated with a business asset and harms a security need or
criterion of the business asset (examples: unavailability of a service,
illegitimate modification of a high temperature threshold of an industrial
process, disclosure of classified data, modification of a database). The feared
events used are those of the strategic scenarios; they relate to the impact of
an attack on a business asset. Each feared event is assessed according to the
level of severity of its consequences, using metrics.

INITIAL RISK
Risk scenario assessed before application of the risk treatment strategy.
This assessment is based on the severity and the likelihood of the risk.

INTERMEDIATE EVENT
In the sequence of a strategic scenario, an intermediate event can be generated
by the risk origin with regard to a stakeholder of the ecosystem for the purpose
of facilitating reaching its objective.
EXAMPLES: creating an exfiltration channel from the service provider's
infrastructure, denial of service attack on the target's cloud IT supplier.

LIKELIHOOD
Estimation of the feasibility or of the probability that a risk occurs,
according to an adopted scale (very low, rather unlikely, nearly certain, etc.).

MISSION
Function, end purpose, reason of existence of the studied object.

OPERATIONAL SCENARIO
Chain of elementary actions regarding the supporting assets of the studied
object or of its ecosystem. Planned by the risk origin for the purpose of
achieving a determined objective, operational scenarios are assessed in terms
of likelihood.

OPERATING MODE
Series of elementary events that the risk origin will probably have
to carry out in order to reach its target. This terminology relates to
operational scenarios.

PENETRATION TEST, PENTEST
Method generally consisting in simulating an attack by an ill-intentioned user,
by trying several exploit codes in order to determine those that give positive
results. This is both a defensive intention (provide better protection) and an
offensive action (attack one's own information system). The potential risks due
to a poor configuration (infrastructure audit) or to a programming fault
(product audit) are thus analysed.

RESIDUAL RISK
Risk scenario remaining after application of the risk treatment strategy.
This assessment is based on the severity and the likelihood of the risk.

RISK
Possibility of a feared event occurring and that its effects affect the
missions of the studied object. In the cyber context in which EBIOS
Risk Manager fits, a risk is described in the form of a risk scenario.

RISK ASSESSMENT
Set of processes for identifying, analysing and assessing risks (ISO
31000:2018). In the EBIOS RM approach, this corresponds to workshops
2 (risk origins), 3 (strategic scenarios) and 4 (operational scenarios).

RISK LEVEL
Measurement of the extent of the risk, expressed by combining the
severity and the likelihood.

RISK MAPPING
Visual representation (example: radar, Farmer diagram) of the risks
stemming from the risk assessment activities.

RISK ORIGIN (RO)
Element, person, group of persons or organisation that can generate a risk. A
risk origin can be characterised by its motivation, its resources, its skills
and its preferred methods of attack.
EXAMPLES: state services, hacktivists, competitors, vengeful employees.

RISK SCENARIO
Complete scenario, ranging from the risk origin to the target objective of the
latter, describing an attack path and the associated operational scenario.
Note: in the framework of this guide, only digital risk scenarios of an
intentional nature are considered.

RISK TREATMENT STRATEGY
The risk treatment strategy formalises the acceptance thresholds of the risk
and the level of security to be achieved in case of non-acceptance. It is
carried out using the initial risk mapping: for each risk stemming from the
risk assessment activities, the treatment strategy must define the
acceptability of the risk (example: unacceptable, tolerable, acceptable).
Usually, acceptability is directly deduced from the level of risk and the
strategy is simply the formalisation of it. The role of the risk treatment
strategy is to decide the acceptance of each risk in light of the assessment
activities.

SECURITY ACCREDITATION
Validation by an accreditation authority that the level of security
achieved by the organisation is compliant with the expectations and
that the residual risks are acceptable in the framework of the study.

SECURITY CONTINUOUS IMPROVEMENT PLAN (SCIP)
The security continuous improvement plan formalises all of the measures for
treating the risk to be implemented. It favours elevating the organisation's IT
system security maturity and allows for a progressive management of the
residual risks. The measures defined in the security continuous improvement
plan relate both to the studied object and its ecosystem.

SECURITY MEASURE
Means of treating a risk, taking the form of solutions or requirements that
can be written into a contract.
Notes:
■ a measure can be of a functional, technical or organisational nature;
■ it can also act on a business asset, a supporting asset or a stakeholder of
the ecosystem;
■ certain measures can reinforce each other by acting along complementary
lines (governance, protection, defence, resilience).

SECURITY NEED
Security property to be guaranteed for a business asset. It reveals a security
stake for the business asset.
EXAMPLES: availability, integrity, confidentiality, traceability.

SECURITY PATCH
Section of code added to a piece of software in order to correct an
identified vulnerability.

SEVERITY
Estimation of the extent and of the intensity of the effects of a risk. The
severity provides a measurement of the detrimental impacts perceived, whether
direct or indirect.
EXAMPLES: negligible, minor, major, critical, maximum.

SOCIAL ENGINEERING
Unfair acquisition of information used to obtain property, a service or key
information from another person. This practice exploits human and social flaws
of the target structure to which the target information system is linked.
Using their knowledge, charisma or audacity, the attacker abuses the trust,
ignorance or gullibility of the targeted persons.

SUPPORTING ASSET
Component of the information system on which one or several business assets
are based. A supporting asset can be of a digital, physical or organisational
nature.
EXAMPLES: server, telephone network, interconnection gateway, technical room,
video protection system, team in charge of the project, administrators, R&D
department.

STAKEHOLDER
Element (person, information system, organisation, or risk origin) with direct
or indirect interaction with the studied object. Interaction means any
relationship that takes place in the normal operation of the studied object. A
stakeholder can be internal or external to the organisation to which the
studied object belongs.
EXAMPLES: partner, service provider, client, supplier, subsidiary, related
support service.

STRATEGIC SCENARIO
Attack paths going from a risk origin to a target objective and including
the ecosystem and the business assets of the studied object. Strategic
scenarios are assessed in terms of severity.

STUDIED OBJECT
Organisation, information system or product that is the object of the
risk assessment.

TARGET OBJECTIVE (TO)
End purpose targeted by a risk origin, according to its motivations.
EXAMPLES: theft of information for lucrative or industrial spying purposes,
diffusing an ideological message, taking revenge on an organisation,
generating a health crisis.

THREAT
Generic term used to designate any hostile intent to do harm in cyberspace. A
threat may or may not be targeted at the studied object.

THREAT LEVEL OF A STAKEHOLDER (WITH RESPECT TO THE STUDIED OBJECT)
Provides a measurement of the risk potential that a stakeholder places on the
ecosystem of the studied object, in light of its interaction with it, its
vulnerability, its exposure to the risk, its reliability, etc.

VULNERABILITY
Fault, via malicious intent or thoughtlessness, in the specifications, design,
implementation, installation or configuration of a system, or in the way of
using it. A vulnerability can be used by an exploit code and lead to an
intrusion into the system.

WATERHOLE
Booby-trap set up on the server of an Internet site that is visited on a
regular basis by the targeted users. The attacker waits for the victims to
connect to the server in order to compromise them. The booby-trapped Internet
site can be a legitimate or a fake site.

Version 1.0 — November 2019
ANSSI-PA-048-EN

Open Licence (Etalab — V1)

agence nationale de la sécurité des systèmes d’information


ANSSI — 51, boulevard de la Tour-Maubourg — 75 700 PARIS 07 SP
www.ssi.gouv.fr — communication@ssi.gouv.fr — ebios@ssi.gouv.fr
