AURUM

AURUM (AUtomated Risk and Utility Management) supports decision makers in selecting security measures according to technical and economic requirements. It is designed to minimize the interaction necessary between user and system and to provide decision makers with an intuitive solution that can be used without extensive knowledge of the information security domain. However, the solution is also capable of providing expert users with detailed information at different levels of granularity.

AURUM architecture

According to the requirements, the security ontology provides each AURUM module with knowledge regarding the general information security domain and the specific security status of the considered organization. The security ontology is coded in the Web Ontology Language (OWL), and the Protege ontology editor has been used to create and edit the ontology. The security ontology web service acts as an interface between the AURUM modules and the security ontology. Java has been used to code the security ontology web service, and the Protege OWL API is used to read and modify the actual knowledge base. The AURUM – Inventory module incorporates interfaces to several third-party inventory and network scanning solutions to support the system characterization phase. C# and the Microsoft .NET Framework 3.5 have been used to code the AURUM – Bayes module. It uses the Norsys Netica API for generating and modifying the Bayesian network used for threat probability determination. The AURUM – Risk module is the central module: it uses the Bayes module and connects to the security ontology web service to calculate the risk levels for assets. This is done by gathering probability values from the Bayesian network and multiplying them with the defined impact values stored in the ontology. Furthermore, all changes to the ontological data repository are handled from this point. The Windows Presentation Foundation framework has been used to code the graphical user interface.
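To make the Risk module's calculation concrete, the following is an added illustration, not AURUM's own code: a small threat node whose probability is conditioned on the implementation state of mitigating controls, evaluated by exact enumeration, multiplied by an impact value per asset. The network structure, the control and threat names, the probability and impact figures, and the "risk reduction if implemented" measure of control effectiveness are all constructed assumptions; the page does not describe how AURUM's network is structured or how effectiveness figures are derived.

```python
from itertools import product

# Constructed example data (not AURUM's ontology): P(control implemented),
# so that an uncertain implementation state can be expressed as well.
CONTROLS = {"firewall": 1.0, "patching": 0.0}

# Constructed threat node: its parents are the mitigating controls and the CPT
# gives P(threat occurs | parent states) for every combination of parent states.
# The network structure is an assumption; the page does not describe AURUM's.
THREATS = {
    "network_intrusion": {
        "parents": ("firewall", "patching"),
        "cpt": {(True, True): 0.05, (True, False): 0.20,
                (False, True): 0.30, (False, False): 0.60},
    },
}

# Constructed impact values per asset and threat (in AURUM these live in the ontology).
IMPACT = {"web_server": {"network_intrusion": 8.0}}


def threat_probability(threat, controls=CONTROLS):
    """Marginal P(threat) by summing over all parent states (exact for a small network)."""
    spec = THREATS[threat]
    total = 0.0
    for states in product((True, False), repeat=len(spec["parents"])):
        p_states = 1.0  # joint probability of this combination of control states
        for name, implemented in zip(spec["parents"], states):
            p = controls[name]
            p_states *= p if implemented else 1.0 - p
        total += p_states * spec["cpt"][states]
    return total


def asset_risk(asset, controls=CONTROLS):
    """Risk per threat = P(threat) * impact, the product the Risk module computes."""
    return {t: threat_probability(t, controls) * impact
            for t, impact in IMPACT[asset].items()}


def control_effectiveness(asset, control, controls=CONTROLS):
    """Assumed effectiveness measure: total risk removed if the control were implemented."""
    with_control = dict(controls, **{control: 1.0})
    return (sum(asset_risk(asset, controls).values())
            - sum(asset_risk(asset, with_control).values()))


if __name__ == "__main__":
    print(asset_risk("web_server"))
    print(control_effectiveness("web_server", "patching"))
```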

AURUM user interface - schematic overview

The figure above shows the schematic layout of the working area. Section 1 summarizes information on (a) the business processes and their dependence on assets, and (b) the assets' physical locations in the organization. Section 2 – the main area – provides the decision maker with (a) detailed information about the selected asset, (b) a graphical representation of the selected business process together with the assets needed for its execution, and (c) a graphical representation of the physical location model together with the assets. The information provided in Section 2 depends on the selection the decision maker made in Section 1 (the same holds analogously for the dependence between Sections 2 and 3). Section 3 displays (a) the risk level for the selected asset, (b) a list of threats and their calculated probabilities, and (c) implemented and not-implemented controls with their calculated effectiveness figures.

AURUM Prototype

AURUM - main window
AURUM - control evaluation and selection