Risks Methodology
This section allows you to establish different methodologies for carrying out the Risk Analysis of the company.
This option allows the user to perform the following actions:
Add: It allows you to add one of the methodologies you have created. To do this, select the methodology in the drop-down and click the ‘Add’ button.
New: You can insert a new entry in the table.
Remove: It offers the possibility of removing a methodology from the list. To do this, select the specific row and click the ‘Remove’ button.
When you click on one of the methodologies, the following parameterization options appear.
Configure Methodology dimensions of the Methodology
Name: It identifies the name of the methodology. This name is shown on the list of methodologies.
Acceptable Percentage of the threats: It allows the user to define the percentage of threats that will be shown in the section 'Analysis/Risk Evaluation'.
Configurable fields: It offers the possibility of defining the text columns that should appear in the option ‘Risk Analysis’. This information is shown in the table:
Name: It identifies the name of the item. You have to click twice on the cell to modify the name.
Main field: It allows you to define the field which will be shown in the different options of the Risk Analysis such as Risk Assessment, Risk Management, etc.
Equivalence Catalog: It allows you to define the equivalence of the selected field. There are the following options:
Threat Catalog: When you select this option, the field will show the information defined in the section ‘Threat’ of the option ‘Administration/Analysis Catalog’.
Vulnerability Catalog: When you select this option, the field will show the information defined in the section ‘Vulnerability’ of the option ‘Administration/Analysis Catalog’.
Empty field: If you leave the field empty, it reads as free text.
Dimensions: It allows the configuration of the dimensions to be valued in the risk analysis. You can create and remove dimensions, and you can also put them in ascending or descending order with the 'Move up Dimension' and 'Move down Dimension' buttons.
This is the information which the table shows:
Nickname: This name is generated automatically by GlobalSUITE.
Name: It shows the name of the dimension. If you click twice on the cell, you can change its name.
Order: It shows the order in which the dimension will appear in the Risk Analysis.
Show Color: It allows you to define whether the dimension should be highlighted with a color.
Minimum Value: It identifies the minimum number on which the dimension formula is calculated.
Type: It identifies whether the dimension is Text type or not.
Group: It displays the groups to which each dimension belongs.
Associate Groups: Clicking on the Associate Groups button, GlobalSUITE opens a pop-up window like the one in the upper image, which allows us to select which group or groups of dimensions that dimension belongs to.
Dimension Type: It offers the possibility of establishing the calculation methodology of the dimensions. You can select the calculation from among the following:
Quantitative: It defines the calculation of the selected dimension as quantitative, with a numerical value selected in the dimension.
Qualitative: It defines the calculation of the selected dimension as qualitative, and you can establish a specific range of values (e.g. High, Medium, Low).
Text: Textual dimensions are not enabled for the risk methodology. In this case, to include text fields you must add them in the Configurable Fields section (see above).
Value: It allows you to define how the calculation of the dimension selected in the previous table is carried out (manually or automatically).
Type of Calculation: In case you have selected the automatic option, GlobalSUITE offers the following options:
Cartesian product: It allows you to establish the calculation of the dimension based on a two-dimensional matrix which has been defined in the option ‘Dimensions’. To do this, select one dimension for the ‘X axis’ and another dimension for the ‘Y axis’, and assign values according to the established levels.
NOTE: The Cartesian product cannot be generated from a dimension whose calculation is quantitative.
Formula: This option allows you to define how the calculation of the dimension will be obtained from a mathematical formula. For this task, GlobalSUITE shows the following option:
In case you have associated a 'controls methodology', the formula allows you to add the dimensions of controls.
If you want to establish a formula that takes the implemented controls into account, it is necessary to establish a quantifier for these dimensions. GlobalSUITE allows the following ones:
Counter: It returns the number of associated controls as a value. E.g.: if there are 3 controls associated with a threat, the resulting value is 3.
Maximum: It returns the maximum value of the selected dimension across all controls applied to each threat. E.g.: if there are 3 controls with values 1, 2 and 3, the result is 3.
Minimum: It returns the minimum value of the selected dimension across all controls applied to each threat. E.g.: if there are 3 controls with values 1, 2 and 3, the result is 1.
Sum: It returns the sum of the selected dimension across all controls applied to each threat. E.g.: if there are 3 controls with values 1, 2 and 3, the result is 6.
Conditional Formula: This option allows you to determine a conditional calculation among different dimensions established in the methodology.
To set up this section, click the 'Configure' button and you will access the following screen:
The conditional formula is configured through operators. Operators 1 and 2 determine the condition, which must be set in the dropdown. These are the options that the table allows:
==: Equal to
!=: Different from
<: Less than
>: Greater than
<=: Less than or equal to
>=: Greater than or equal to
Once you have established the condition, you have to set the results that you want to obtain. If the condition is met, the result corresponds to operator 3; otherwise, it corresponds to operator 4.
The user can select among the different dimensions and calculation options to build the formula from which the result of the selected dimension will be obtained.
Note: It is necessary to validate the formula by clicking the ‘Validate Formula’ button before you save.
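The automatic calculation options described above (Cartesian product, control quantifiers and the conditional formula) can be modeled as follows. This is an added example, not GlobalSUITE code; the matrix values, the level names and the residual-risk formula are constructed assumptions.

```python
import operator

# Quantifiers applied to one control dimension across a threat's controls.
QUANTIFIERS = {"Counter": len, "Maximum": max, "Minimum": min, "Sum": sum}

# Comparison operators offered for the conditional formula.
COMPARATORS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
               ">": operator.gt, "<=": operator.le, ">=": operator.ge}

# Constructed Cartesian product: rows = Impact (Y axis), columns = Probability (X axis).
# Both axes are qualitative dimensions; each cell holds the value of the result.
RISK_MATRIX = {
    "Low":    {"Low": 1, "Medium": 2, "High": 3},
    "Medium": {"Low": 2, "Medium": 4, "High": 6},
    "High":   {"Low": 3, "Medium": 6, "High": 9},
}

def quantify(name, control_values):
    """Reduce a control dimension over all controls applied to one threat."""
    if not control_values and name in ("Maximum", "Minimum"):
        return 0  # assumption: a threat with no controls contributes 0
    return QUANTIFIERS[name](control_values)

def cartesian(matrix, x_level, y_level):
    """Look up the cell for the selected X-axis and Y-axis levels."""
    if y_level not in matrix or x_level not in matrix[y_level]:
        raise ValueError(f"no matrix cell for X={x_level!r}, Y={y_level!r}")
    return matrix[y_level][x_level]

def conditional(op1, comparator, op2, op3, op4):
    """Operators 1 and 2 form the condition; operator 3 is the result if it
    holds, operator 4 otherwise."""
    return op3 if COMPARATORS[comparator](op1, op2) else op4

def residual_risk(probability, impact, control_effectiveness):
    """Hypothetical formula: if at least one control is associated, subtract
    the best control's effectiveness from the inherent risk (floor of 1);
    otherwise keep the inherent risk."""
    inherent = cartesian(RISK_MATRIX, probability, impact)
    reduced = max(1, inherent - quantify("Maximum", control_effectiveness))
    counter = quantify("Counter", control_effectiveness)
    return conditional(counter, ">=", 1, reduced, inherent)

if __name__ == "__main__":
    print(residual_risk("Medium", "High", [1, 2, 3]))  # three controls applied
    print(residual_risk("High", "High", []))           # no controls associated
```
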
Result: It enables to define the values of the calculation option selected in the previous point (Cartesian product or Formula).
Dimension Levels: It allows you to define the valuation levels of the selected dimension. As with the other options, you can create or remove levels, and you can also put them in ascending or descending order with the 'Move up' and 'Move down' buttons. Finally, you can set the color for the levels you want to highlight: select the level and click the ‘Change color’ button.
NOTE: If the levels are defined for a qualitative dimension, GlobalSUITE allows you to define the calculation range of the selected level and the value with which the dimension will be calculated. If the levels are defined for a quantitative dimension, GlobalSUITE allows you to define the color used to highlight the numerical values of the assets inventory.
Select risk dimension: It allows you to define the dimension that we want to mark as the final dimension of the risk. This dimension will be the one shown by default in the different views and summaries of the risk analysis, and in the risk map.
Select cost dimension: It allows you to define the dimension on which we want to obtain the cost. Based on it and the configuration of the cost types, risk costs can be obtained.
RRGE Average Calculation: In this field, you can configure how the Global Repercussed Risk by Element (GRRE) in the Risk Summary section is calculated when Average has been defined as the criterion. It can be calculated from all the elements or only from those that are valued.
Level by asset: It offers the possibility of defining a global risk level, that is, establishing the same risk for all threats or assets, and of particularizing for each asset/threat what its acceptable risk level will be.
Configuration of Dimensions Visibilities
Group of Dimensions: It allows you to create groups of dimensions, which can be associated with the dimensions.
For each one of the configured groups, we will have the option in the Risk Analysis, to display the dimensions of that group solely.
Cost Configuration
The occurrence of a threat can involve a specific cost for the organization. For this reason, GlobalSUITE allows you to define a list of costs which you can associate with the threats of the Risk Analysis.
The table ‘Cost’ allows you to create or remove different costs using the buttons ‘New’ or ‘Remove’.
Once the costs are defined, you have to indicate the economic sum each one involves for the organization. In this way you can establish the economic level by clicking twice on the cell you want to modify.
Efficiency Controls
It allows you to establish the calculation of the efficiency controls in the section 'Analysis > Risk Management > Projection & Simulation'. For this task, you can define the following parameters:
Type of effectiveness measurement: It offers the possibility of establishing the percentage of improvement of the risk dimensions of the projection and simulation section, being able to choose between the following:
Quantitative: It allows defining that the percentage of improvement of the risk dimensions is quantitative, being able to establish the percentage of improvement of the risks in the Projection and Simulation section.
Qualitative: It allows defining that the percentage of improvement of the risk dimensions is qualitative, being able to establish a certain range of values (example: High, Medium, Low). This classification is established in the following section 'Levels of effectiveness'
Type of control effectiveness measurement: It offers the possibility of establishing the percentage of improvement of the dimensions of controls in the projection and simulation section, being able to choose between the following:
Quantitative: It allows defining that the calculation of the effectiveness of the controls is quantitative, being able to establish the percentage of reduction of the control in the Projection and Simulation section.
Qualitative: It allows defining that the calculation of the effectiveness of the controls is qualitative, being able to establish a certain range of values (example: High, Medium, Low). This classification is established in the following section 'Levels of effectiveness'.
Direct: With this mode, the calculation of the effectiveness of the controls (treatment plans) will be defined directly in the Projection and Simulation section. With this type, it is not necessary to have a prior efficacy assessment defined.
Efficiency levels: Allows you to define the effectiveness levels of the controls. Like the rest of the options, levels can be created and deleted by clicking on the 'Add' or 'Delete' button. Each level may have an associated improvement percentage.
Controls Methodology: It offers the possibility of defining the controls methodology which will be associated with the methodology of the risk analysis.