EBIOS Risk Manager
After 8 years of use of the EBIOS 2010 risk analysis method, a new concept emerged at the end of 2018, based on agility, knowledge and commitment: EBIOS "RM", for Risk Manager.
It is worth recalling that the first version of the EBIOS method dates back to 1995; a first update was carried out in 2004, followed by a significant evolution in 2010. This latter version, by far the most widely used, introduced the concepts of essential assets and feared events to assess information security risks at the level of the organization's activities and not just at the technical level.
According to ANSSI: "The EBIOS RM method adopts a risk management approach that starts from the highest level (major missions of the object studied) to progressively focus on business and technical elements, studying possible attack paths. It aims to achieve a synthesis between 'compliance' and 'scenarios' by repositioning these two complementary approaches where they bring the most added value. Risk assessment by scenario therefore focuses on intentional and targeted threats."
Figure 1 – Digital Risk Management Pyramid. Source: https://www.ssi.gouv.fr/uploads/2018/10/guide-methode-ebios-risk-manager.pdf
Like the 2010 version, RM is based on 5 major workshops aiming to meet several objectives:
- Identify the security framework appropriate to the purpose of the study;
- Comply with digital security standards;
- Assess the level of threat to the ecosystem in relation to the object of the study;
- Identify and analyze high-level scenarios;
- Conduct a preliminary risk assessment to identify priority areas for improving security;
- Conduct a complete and finished risk study.
A possible comparison?
Below is a summary of the two methods.
Figure 2 – EBIOS Method 2010. Source: https://www.ssi.gouv.fr/guide/ebios-2010-expression-des-besoins-et-identification-des-objectifs-de-securite/
Figure 3 – EBIOS Risk Manager Method. Source: https://www.ssi.gouv.fr/uploads/2018/10/guide-methode-ebios-risk-manager.pdf
As can be seen, the course of the analysis is different in both form and substance.
The RM strategy allows for a more in-depth study. But while EBIOS 2010 is based on a concrete, security-criterion-driven approach with a logical and pragmatic guiding principle, EBIOS RM is situated within an analysis of, and reflection on, scenarios of intentional threats, which may seem speculative at first glance.
This in-depth analysis involves determining the risks faced by a business activity based on three major elements: the attacker's capabilities and objectives, the path taken to achieve their goal, and their modus operandi. These elements make it possible to determine, through the various workshops, the measures to be implemented to reduce or even eliminate these risks. Each workshop therefore establishes certain measures, which are further developed as the risk analysis progresses.
The 2010 method, on the other hand, is based on security objectives and a vulnerability/severity ratio on threat sources and feared events.
For a better understanding of the RM method, it is therefore not recommended to compare the two versions in a strict sense, but rather to see RM as a new method to follow:
A source from the EBIOS Club states: "RM's biggest difficulty is having done 2010 beforehand. The paradigm is so different from a standard AR. It's important to remember that hygiene isn't part of AR, which is supposed to save a lot of time."
EBIOS RM and ISO27005
Besides the ongoing debate on the question "Is ISO 27005 a method?", we noted some fairly obvious similarities between ISO 27005:2013 and EBIOS 2010.
However, with this new version, announced at the Security Conference 2018 in Monaco, there is a tendency to ask new questions about the validity of the method with regard to ISO, especially since the latter's last update in July 2018.
These questions may seem pointless since we certainly don't ask them about the Mehari, Octave, and other methods. What is troubling, however, is ANSSI's publication of the EBIOS RM method to the detriment of others and its rejection of the 2010 version.
ANSSI titles its presentation of the EBIOS method as follows:
"The EBIOS method (Expression of Needs and Identification of Security Objectives) is a comprehensive information systems security risk management tool compliant with the RGS and the latest ISO 27001, 27005 and 31000 standards."
Have you heard of the draft ISO/DIS 34001 standard, "Security Management System", focused on fraudulent acts?
Discussions on some social media platforms debate the theory that EBIOS RM does not specifically aim to comply with the ISO 27005 standard/method, but rather to focus on new interpretations of risk analysis very close to this draft standard.
In any case, even though the V2010 tools and methodology are no longer available on the ANSSI website (but are still accessible via a web search), having been replaced by the 2018 RM kit, many organizations still recommend the older version of EBIOS as a reference methodology to be familiar with in preparation for the "Risk Manager" certification.
Finally, it is worth adding that EBIOS RM allows security measures to be extracted throughout the various workshops, which is a significant advantage, coupled with the complementary nature of these workshops. Each element can add value to previous workshops and provide new security measures to be implemented within the organization, which is absolutely not the case in EBIOS 2010, where the study of security measures is the subject of an entire final module. EBIOS RM may therefore seem flawed, but the agility of its use can reveal elements that a traditional risk analysis might overlook.
Conclusion
EBIOS RM is therefore intended to be simpler and quicker to implement than the 2010 version.
We have not mentioned the completion times for the various workshops, but the guide on the ANSSI website does offer some indications. However, estimating the time needed to complete each workshop is very difficult, given the scope of the study and the number of services to be audited.
It is also worth noting that while EBIOS RM is recommended by ANSSI, this method is not a mandatory and exclusive approach applicable to all risk analyses. Indeed, each organization must choose a method based on the ISO 27005 standard to conduct these studies.
However, it is quite interesting to examine this EBIOS version for its new approach to risk, more focused on the attacker and (external) scenarios rather than on the organization's (internal) defenses.
The limited scope of the various deliverables from the 5 workshops allows a focus on the most critical risks to the company and the definition of major security measures covering a wider range of supporting assets and business values than the old method.
On the other hand, the Continuous Security Improvement Action Plan (CSI) may lead companies to set up more elaborate security committees and become more involved in information security.
However, this method is especially applicable to companies that are already at a high level of maturity, whose process and job mapping is already clearly defined. Very small businesses (TPEs) and small and medium-sized enterprises (SMEs) will therefore be less targeted by these scenario-based risk analyses and more suited to traditional risk analyses.
EBIOS 2010 is by no means a method to be rejected, nor is it obsolete. EBIOS RM is just another way of reasoning and carrying out risk analyses; some would say "a contemporary approach to assessing risks".
It remains to be seen what the application of this method can bring in the long term to a company; there is not yet enough perspective to determine this.
