Activity 1: Establish unified information bases for Risk Management
Information bases covering at least the following should be provided:
- Common definitions of threats
- Common definitions of vulnerabilities
- Common definitions of asset groups (e.g. good default definitions and values)
- Common representation schemes for risks or classes of risks
Driver: This is a precondition for comparability / interoperability / compatibility of methods; without shared definitions, results from different assessments cannot be compared.
Activity 2: Compatibility/interoperability of methods
This activity covers several issues concerning comparability and interoperability of methods (and tools):
- Two different independent systems have been assessed with the same method. What happens if the systems are then connected? (Proposed solution: consider common sets of assets, threats and vulnerabilities, plus the risks generated by their interconnection.)
- Two different independent systems have been assessed with two different methods. What happens if the systems are then connected? (Proposed solution: consider common sets of threats and vulnerabilities, and propose a method for evaluating asset values and the risks generated by their interconnection.)
- Two different methods cover different aspects of Risk Management (e.g. corporate governance and IT security). How can these methods be connected?
Driver: Assessing information systems and then combining them is becoming increasingly common practice. A similar need has already been identified (but not yet addressed) by experts in the relevant field (e.g. the EBIOS club).
Activity 3: Measurements of risks
What (types of) qualitative methods exist?
What (types of) quantitative methods exist?
Do any bridges exist between qualitative and quantitative methods? (This issue should also be addressed in area 1 (interoperability).)
Is it possible to improve existing methods based on knowledge from other fields (e.g. banking, insurance, critical infrastructures, aerospace)?
Driver: Comparability / compatibility / interoperability of methods requires comparability / compatibility / interoperability of the risk measurements they produce.
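As an added illustration of the bridge asked for in Activities 1 to 3 (not part of the original text and not an ENISA method), the following Python example reduces two risk registers, one assessed with qualitative bands and one with quantitative point estimates, to a single common representation built on shared asset group / threat / vulnerability fields. The band boundaries, the two registers and the "shared pairs" check for interconnection candidates are constructed assumptions for the example; the point is that once both registers use the same representation they can be ranked together and mapped back to either scale.

```python
"""Bridge between a qualitative and a quantitative risk register (illustrative example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed band boundaries for this example only (not an ENISA or ISO scale):
# qualitative label -> (lower, upper) bound of the quantity the label stands for.
LIKELIHOOD_BANDS: Dict[str, Tuple[float, float]] = {  # events per year
    "low": (0.01, 0.1),
    "medium": (0.1, 0.5),
    "high": (0.5, 2.0),
}
IMPACT_BANDS: Dict[str, Tuple[float, float]] = {  # loss per event, currency units
    "low": (1_000, 10_000),
    "medium": (10_000, 100_000),
    "high": (100_000, 1_000_000),
}


@dataclass(frozen=True)
class Risk:
    """Common representation: every register is reduced to interval estimates
    over a shared vocabulary of asset groups, threats and vulnerabilities."""
    system: str
    asset_group: str
    threat: str
    vulnerability: str
    likelihood: Tuple[float, float]  # events per year, (min, max)
    impact: Tuple[float, float]      # loss per event, (min, max)

    def ale(self) -> Tuple[float, float]:
        """Annualised loss expectancy as an interval (min, max)."""
        return (self.likelihood[0] * self.impact[0],
                self.likelihood[1] * self.impact[1])


def from_qualitative(system: str, asset_group: str, threat: str, vulnerability: str,
                     likelihood_band: str, impact_band: str) -> Risk:
    """Qualitative -> common: a band becomes the interval it was defined to stand for."""
    return Risk(system, asset_group, threat, vulnerability,
                LIKELIHOOD_BANDS[likelihood_band], IMPACT_BANDS[impact_band])


def from_quantitative(system: str, asset_group: str, threat: str, vulnerability: str,
                      frequency: float, loss: float) -> Risk:
    """Quantitative -> common: a point estimate is a degenerate interval."""
    return Risk(system, asset_group, threat, vulnerability,
                (frequency, frequency), (loss, loss))


def to_band(value: float, bands: Dict[str, Tuple[float, float]]) -> str:
    """Common -> qualitative: the first band whose bounds contain the value."""
    for name, (lo, hi) in bands.items():
        if lo <= value <= hi:
            return name
    return "outside scale"  # a value the chosen scale cannot express; do not silently clamp


def ranked(register: List[Risk]) -> List[Risk]:
    """One ordering over risks from both methods, by worst-case ALE."""
    return sorted(register, key=lambda r: r.ale()[1], reverse=True)


def shared_pairs(a: List[Risk], b: List[Risk]) -> List[Tuple[str, str]]:
    """Threat/vulnerability pairs present in both systems. Once the systems are
    connected these are the first candidates for risks generated by interconnection."""
    keys_a = {(r.threat, r.vulnerability) for r in a}
    keys_b = {(r.threat, r.vulnerability) for r in b}
    return sorted(keys_a & keys_b)


# Constructed sample registers: system A assessed qualitatively, system B quantitatively.
SYSTEM_A: List[Risk] = [
    from_qualitative("A", "customer database", "external intrusion", "unpatched web server",
                     "medium", "high"),
    from_qualitative("A", "workstations", "malware", "missing endpoint hardening",
                     "high", "low"),
]
SYSTEM_B: List[Risk] = [
    from_quantitative("B", "payment gateway", "external intrusion", "unpatched web server",
                      0.3, 250_000),
    from_quantitative("B", "backup server", "media theft", "unencrypted backups",
                      0.05, 40_000),
]

if __name__ == "__main__":
    for r in ranked(SYSTEM_A + SYSTEM_B):
        lo, hi = r.ale()
        print(f"{r.system} {r.asset_group:18} ALE {lo:>10.0f} .. {hi:>10.0f} "
              f"likelihood={to_band(r.likelihood[1], LIKELIHOOD_BANDS)} "
              f"impact={to_band(r.impact[1], IMPACT_BANDS)}")
    print("interconnection candidates:", shared_pairs(SYSTEM_A, SYSTEM_B))
```

Two caveats a practitioner should keep in mind: the interval bounds are only as good as the band definitions agreed under Activity 1, and mapping a quantitative value back to a band can fall outside the scale, which the code reports rather than clamps so that the mismatch between methods stays visible.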
Activity 4: Method and tool inventory maintenance
What functions are needed to maintain an inventory? (Enter, remove or update methods and tools.)
What is the minimum amount of information needed to describe a method, how can this information be assessed, and who defines it?
What kind of quality assurance is needed for the inputs to the above points?
Driver: New methods / tools are constantly being developed and existing ones are constantly maintained. As ENISA inventories are open lists, this information has to be added to the inventory (e.g. at least one method has already been submitted to ENISA by the Italian member of the PSG).