How to avoid the combinatorial explosion of a study?
Answer from a Club EBIOS member: “We can act on several elements so that the result corresponds to the expectations”
Studies are sometimes criticized because of the combinatorial explosion of the elements to be studied. Therefore, before or at the beginning of any study, it is necessary to wonder what the sponsor is able to accept in terms of readability.Some wish to have as much detail as necessary to treat the risks (and/or justify the measures) in a fine way.
In this case, it is possible to handle the entire combination of events and threat scenarios.
If this is not the case, here are some tips that will help you reduce the entropy of the analysis:
- act on the presentation: keep the detailed study as a “working document” and group the risks into families in a “summary document” to facilitate decision-making. This “summary document” may only highlight the most important risks (in terms of severity and/or likelyhood), as well as those of specific interest to the sponsor;
- act on the number of assets: to group the essential assets and/or the supporting assets in the context study. It is possible for example to adapt the level of detail of the modeling without necessarily seeking homogeneity in the model. For example, the description of supporting assets may contain both systems (for assets on which the threat analysis does not need to be detailed) and network, hardware, and software elements (for assets on which the threat analysis must be more refined);
- act on the hypotheses: to limit the complexity of the study by reducing the combinatorics of the analysis to the only questions or justifications that one wishes to expose. To do this, it is possible to set hypotheses in the context of the study. Thus, it can be considered as a postulate that a supporting asset (or an essential asset) is protected against a type of threat (for example, “a homologation proves that the servers and workstations are sufficiently protected from all the malicious scenarios coming from ‘external attacks’). One can also consider that a risk is sufficiently covered by a certification without requiring a decomposition of this risk (for example, “the private key stored in the certified electronic chips is sufficiently protected against all threats leading to a disclosure”). It is also possible to make assumptions about residual risks for which the study is not expected to provide justification or that the study acts on the related supporting asset (for example, “the GPS is considered as no reliable, it is likely to provide bad location data “);
- act on the decomposition into several studies: another method can consist of breaking down the studied system to transform a complex analysis into several less difficult studies to carry out. In this case, particular attention should be paid to the interfaces between these subsystems.