The main purpose of COB.RA is to simplify and structure the preparation of IT security risk assessments. The objective of this section is to give you a high-level overview of the steps involved. COB.RA is a quantitative methodology: the output of each step feeds the calculation in the next, so most of the steps are mathematically linked with each other.

Setting up COB.RA

Before you start preparing risk assessments, you can configure COB.RA in a variety of ways to fit your needs. Most importantly, you should review the settings for risk tolerance and the questionnaire for the business impact analysis.

Step 1: System overview

Typically, you start the process by scoping the system and collecting relevant information about the envisaged architecture, use cases, dependencies on other systems etc.

Step 2: Criticality assessment (business impact analysis)

The criticality assessment in COB.RA consists of a set of configurable questions. Together with your impact grading scale, your answers define criticality ratings that represent the business impact of a worst-case breach of confidentiality, integrity and availability.

Step 3: Selecting relevant controls and threats

In COB.RA, controls and threats for a specific scope are bundled in “components”. By selecting existing components or creating new ones, you define which (intentional and accidental) threats you find relevant and which controls should be implemented to mitigate them. Each component also includes a matrix that states how well each control protects you against each threat (the ‘control strength’).

Step 4: Assessing the effectiveness of the chosen controls

If you identify control weaknesses, you document them as findings. A finding reduces the effectiveness rating of the affected control. The reduced effectiveness rating in turn increases the likelihood of the threats linked to that control (via the component matrix). Combined with the impact ratings of the relevant threats, the likelihood of these unmitigated threats is what contributes to the overall risk.

Step 5: Risk reporting

Based on your input, COB.RA calculates the overall confidentiality, integrity and availability risk. Additional statistics and diagrams let you understand the main drivers of the risk and prioritize the remediation of control weaknesses. Because the calculation is automated, any change to the business impact analysis, the closure or creation of findings, or an update of the threat landscape is immediately reflected in an updated risk picture.
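To make the chain from steps 2 to 5 concrete, here is an added illustrative model written for this overview. It is not COB.RA's own code and does not reproduce COB.RA's formulas: the aggregation rules (worst-case maximum over questionnaire answers, a finding subtracting a share of a control's effectiveness, each control independently blocking a share of a threat's likelihood, risk as the sum of residual likelihood times impact) and all threat, control and finding names and numbers are assumptions made up for the illustration.

```python
"""Hypothetical quantitative risk model illustrating the COB.RA overview.
Assumed rules, not COB.RA's actual formulas."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DIMENSIONS = ("C", "I", "A")

# Assumed impact grading scale: criticality rating -> numeric impact value
IMPACT_SCALE = {1: 1.0, 2: 2.0, 3: 4.0, 4: 8.0}


@dataclass
class Threat:
    name: str
    inherent_likelihood: float     # 0..1, before any control is applied
    affects: Tuple[str, ...]       # which of C/I/A a successful breach hits


@dataclass
class Finding:
    control: str
    severity: float                # share (0..1) of the control's effectiveness lost


@dataclass
class Component:
    threats: List[Threat]
    # strength[control][threat] in 0..1: how well the control counters the threat
    strength: Dict[str, Dict[str, float]]


def criticality(answers: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Worst-case rating per dimension: the highest rating any answer assigns
    to it (assumed aggregation; unanswered dimensions count as 1)."""
    return {d: max(a.get(d, 1) for a in answers.values()) for d in DIMENSIONS}


def control_effectiveness(controls, findings: List[Finding]) -> Dict[str, float]:
    """Each finding removes its severity from the affected control's
    effectiveness; effectiveness never drops below 0 (assumed rule)."""
    eff = {c: 1.0 for c in controls}
    for f in findings:
        if f.control in eff:
            eff[f.control] = max(0.0, eff[f.control] - f.severity)
    return eff


def residual_likelihood(comp: Component, eff: Dict[str, float]) -> Dict[str, float]:
    """Each control blocks strength * effectiveness of a threat independently;
    what remains is the product of what gets past every control."""
    out = {}
    for t in comp.threats:
        remaining = t.inherent_likelihood
        for c, row in comp.strength.items():
            remaining *= 1.0 - row.get(t.name, 0.0) * eff[c]
        out[t.name] = remaining
    return out


def risk(comp: Component, crit: Dict[str, int], lik: Dict[str, float]) -> Dict[str, float]:
    """Risk per dimension = sum over threats hitting it of residual likelihood
    times the dimension's impact value (assumed aggregation)."""
    r = {d: 0.0 for d in DIMENSIONS}
    for t in comp.threats:
        for d in t.affects:
            r[d] += lik[t.name] * IMPACT_SCALE[crit[d]]
    return r


def top_drivers(comp: Component, lik: Dict[str, float], crit: Dict[str, int], n: int = 3):
    """Threats ranked by their total risk contribution, for prioritisation."""
    contrib = [(t.name, sum(lik[t.name] * IMPACT_SCALE[crit[d]] for d in t.affects))
               for t in comp.threats]
    return sorted(contrib, key=lambda x: -x[1])[:n]


# Constructed sample input for a hypothetical system (not real assessment data)
BIA_ANSWERS = {
    "personal data processed": {"C": 4, "I": 3},
    "financial transactions": {"I": 4, "A": 3},
    "max tolerable outage 4h": {"A": 2},
}
COMPONENT = Component(
    threats=[Threat("credential theft", 0.6, ("C", "I")),
             Threat("ransomware", 0.4, ("I", "A")),
             Threat("operator error", 0.5, ("I", "A"))],
    strength={"MFA": {"credential theft": 0.9},
              "offline backups": {"ransomware": 0.8, "operator error": 0.5},
              "change control": {"operator error": 0.6, "ransomware": 0.2}},
)
FINDINGS = [Finding("MFA", 0.5)]   # hypothetical: MFA not enforced for admins


def assess(answers=BIA_ANSWERS, comp=COMPONENT, findings=FINDINGS):
    """Run steps 2-5 in sequence; returns (criticality, effectiveness, likelihood, risk)."""
    crit = criticality(answers)
    eff = control_effectiveness(comp.strength.keys(), findings)
    lik = residual_likelihood(comp, eff)
    return crit, eff, lik, risk(comp, crit, lik)


if __name__ == "__main__":
    crit, eff, lik, r = assess()
    print("criticality:", crit)
    print("effectiveness:", eff)
    print("risk:", {k: round(v, 3) for k, v in r.items()})
    print("drivers:", top_drivers(COMPONENT, lik, crit))
    print("risk with finding closed:", {k: round(v, 3) for k, v in assess(findings=[])[3].items()})
```

Running `assess()` with the finding open gives a confidentiality risk of 2.64 driven almost entirely by credential theft; calling `assess(findings=[])` (the finding closed) drops it to 0.48, which is the "immediately reflected" recalculation the step above describes.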


What next?