A Method of Simplifying the Asset Dependency Cycle in Security Risk Analysis

In recent years, one obstacle to information security risk analysis has been the complexity of asset dependency. Ongoing research tends to produce models of great complexity, and some that do not involve dependency cycles, making the models difficult to implement. This research developed the idea of compound nodes to produce a modular risk analysis that simplifies the asset dependency cycle. The study rests on the following assumptions: it is aimed at quantitative assessment, its values are based on likelihood, and it builds on basic graph models. The stages of the method are: identification of cycles in the initial model, reconstruction of the cyclic graph into an acyclic graph, and reconstruction of each cyclic subgraph into an acyclic subgraph. Through an illustrative example, this research produces a method that facilitates understanding of the complexity of asset dependencies in risk analysis.


Introduction
Large amounts of data on systems connected to the internet certainly need a protection mechanism. The method commonly used to obtain adequate protection is to carry out an information security risk analysis (ISRA), a process to identify and evaluate factors that can interfere with the success of a project or the achievement of objectives [1]. ISRA plays an important role in an organization's ability to survive [1]-[3].
One of the main limitations of ISRA is the complexity of asset dependencies [2]. The failure of one information asset in an organization can affect other assets and result in a larger system failure. For example, a web application may itself be well secured but installed on a server with poor security; the calculation of the web application's risk must then also consider the condition of the server, because it is relevant. This makes risk models that assume asset dependency stronger than those that do not [4]. Unfortunately, traditional risk analysis has only partially studied this issue [5].
Studies [5]-[15] offer solutions to asset dependency constraints, but unfortunately none of them takes the asset dependency cycle into account. Cyclic dependence in risk analysis can originate from the data collection process [16] or from requirements analysis [17]. Cycles in collected data may be due to weaknesses of the learning algorithm in the presence of hidden variables. An example of a requirements-analysis cycle is a client-server application consisting of three components: a database, an application interface, and a backup. Unauthorized access to the application interface allows unauthorized access to the backup; unauthorized backup access allows the attacker to obtain a password from the database, which again provides unauthorized access to the interface. The relationships between the database, application interface, and backup thus form a cycle. Muller [19] attempted to overcome the limitations of cyclic dependency by introducing the Dependency-Aware Root Cause (DARC) model in the Critical Infrastructure (CI) domain. Unfortunately, CI focuses on a small set of important assets, while in other domains the number of assets can be very large. In his own outlook, Muller identified complexity as one of the remaining challenges. ISRA requires models that can take cyclic dependencies into account, but with lower complexity.

Related Works
Attention to asset dependencies in ISRA is relatively recent. Sendi et al. [2], in their taxonomy of ISRA, identified asset dependency as one of the fundamental problems that current risk tools and methods cannot address.
Suh and Han [6] initiated asset dependency analysis in ISRA. Their model determines the value of assets based on the relationship between the asset and business functions; assets are valued based on their relationships with other assets using maximum functions. Rahmad [8] added confidentiality and integrity in the form of threat scenarios, correcting the weakness of [6], which focused only on availability.
Tatar and Karabacak [10] also observed the availability-only weakness of [6] and chose a hierarchical valuation of assets considering their CIA (confidentiality, integrity, and availability) properties; this connectivity was then presented in the form of associated tables. Breier [11] considered the asset dependency analysis proposed in [6] too simplistic to describe dependencies in detail, because it was based only on the maximum value of the related assets. Breier instead presented the relationships between assets as graphs and assigned asset values based on connection considerations, a risk matrix, and physical and logical connection patterns. The resulting value was combined with the asset's independent initial value.
Alpcan and Bambos [5] examined the problem of interdependence in organizational risk based on three main factors of risk management: business units, threats/vulnerabilities, and humans. The proposed framework examined dependencies within and between business units, threats/vulnerabilities, and people using graph theory. The model then registered dynamic changes in risk due to these interactions. Finally, the risks in the organization were classified using risk algorithms.
Khanmohammadi and Houmb [13] introduced a new concept in risk assessment that focuses on business objectives while ignoring the assets and processes that support them. The process identifies and assesses risks at the business-process level; risks are also grouped by criticality, role, and importance to the organization as a whole. Schmidt and Albayrak [14] developed a quantitative framework for risk assessment both vertically and horizontally. Horizontal connectivity is between assets, while vertical connectivity spans three levels: process, service, and application. At the application level, the hardware provides virtual asset values. Hierarchical virtual asset values are combined with discrete-time algorithms to obtain risk values. This approach evaluates business processes and, thanks to infrastructure dependencies, breaks these values down into each component of the computer system.
Loloei et al. [15] divided asset values into independent and dependent values. Independent values are obtained from two parameters: cost (initial, maintenance, and replacement costs) and the importance of the asset in the business process. The dependent value from asset dependency is presented in the form of CIA parameters, with a focus on availability. The level of dependency is classified as partial or total, as indicated by a dependency percentage.
Muller [19] created the DARC model, a quantitative approach that offers convenience because the organization only needs to determine the value of assets ranked as roots and assign dependency probabilities. Muller later improved this approach by positioning the assets in layers [18].
Based on the description of these previous studies, the theoretically elaborated models can overcome the limits of asset dependence. In practice, however, Rahmad [7]-[9] must use a very large list of threat scenarios [19]. Breier's research [11] showed the connectivity of 10 assets in a building; it would be very difficult to apply this to the real world with all assets. Similarly, in the development by Muller [19], the connectivity of each asset is determined in a dedicated graph, which makes the mapping very complex and difficult for organizations to implement. Muller himself stated that the potentially large size of dependency graphs is a problem that must be solved [19]. This is clearly shown in [19] in the application of the proposed DARC model to the real world (Figure 6), which illustrates the loss of readability of the graph. Even for the supply chain sector, the development of an initial risk model yields a very large graph; see [20].
The second obstacle is the coverage of risk types. The investigations by Loloei and Shahriari [15] and by Suh and Han [6] are examples that admitted only the availability risk of assets. The dimensions of the information security objectives are only transmitted as separate values, sometimes used as an average for each asset, as in [6]-[9].
Qualitative approaches are indeed more widely used in the field of information security [3]. However, this approach introduces the subjectivity of the evaluator [2], which in turn contributes to dependence on experts.
Ouyang noted that, in the CI domain, one of the recommended and advanced methods for overcoming dependencies is high-level architecture (HLA). HLA uses the concept of modularization to overcome the poor legibility of risk analysis models that take asset dependencies into account [21]. Given the similarity of the parameters involved, IS can take advantage of these developments, just as Muller [19] adapted several CI studies for IS.
Differences in modelling and simulation approaches sometimes lead to conflict, so an integrated approach is needed to assign each responsibility within a uniform framework [22]. Eusgeld's risk analysis modularizes, at the highest level, the system of systems (SoS), which in turn consists of several subsystems at the critical infrastructure level, with the lowest being the system level. Unfortunately, this remains at the conceptual level, with several challenges in its application [22]; it later became the basis of this article. To apply the Eusgeld conceptual model [21] in risk analysis, approaches based on fault tree analysis (FTA), event tree analysis (ETA), and attack trees cannot be used because they do not support cyclic dependencies. The only feasible approach is the attack graph. A dependency model involving dependency cycles is the connectivity model of Omer and Schill [23]; in their study, the cycle was correlated with dependencies for the case of web services. Based on the literature study (Figure 1), this paper proposes a model of risk analysis based on dependence. The idea stems from the development of dependency-aware IS risk analysis [5]-[9], [13]-[15] resulting from Sendi's taxonomy [2]. Building on the faster development in CI, it adapts the conceptual models developed in [21], [22], [24], [25]. In the final stage, the conceptual model is applied in an operational model using a combination of Muller's risk analysis proposals [17]-[19] and the compound node proposed by Omer and Schill [23].

Assumptions
3.1.1. Quantitative. The emphasis on the conceptual model makes HLA a challenge in terms of application. Moreover, the idea of combining several models at the same time would be very difficult to apply in a qualitative setting, which emphasizes the subjectivity and experience of the evaluation team and makes it difficult to give an overview of the risks involved. Only a quantitative approach makes it possible to observe all the risk scenarios and compare them with each other [17].

3.1.2. Likelihood.
The risk is calculated from a combination of the threat probability estimate for each asset and the impact on the assets that are successfully affected [26]. The decision not to consider vulnerabilities follows Fenz's statement in [9]: the node for the probability of exploiting a vulnerability due to an actual threat is only an intermediate node that facilitates the mapping of the threat. After all, the targeted step is risk analysis, whose purpose is to demonstrate why risk management needs to be implemented [1], and this requires simplicity in the components used. Because risk is defined as the product of probability and consequence, preventive security measures aim to reduce the likelihood, while mitigation measures are applied to reduce the consequences [27]. The first priority is of course to reduce the likelihood.
The likelihood connection is expressed in the formula [26]:

Risk(Threat, Asset) = Likelihood(Threat) ⊗ Impact(Threat, Asset)

3.1.3. Graph based model. This research adapted the model from [17], because it already considers cycles in information security. In [17], for V defined as the set of security incidents, the statement V ⊆ A × S can be used, where A is the set of all assets and S is the set of security properties. These security properties are known as the security triad: Confidentiality, Integrity, and Availability (CIA) [17], so S consists of {C, I, A}. An incident is written as a.s instead of (a, s) ∈ A × S, so that hard disk (HDD) availability can be written HDD.A. If incident a has an impact on incident b, this is written a→b instead of (a, b), so that if hard disk availability affects data availability, it is written HDD.A→DATA.A.
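The incident notation above can be sketched in a few lines of Python. This is only an illustrative encoding of the model from [17]; the helper name `incident` and the example edge are our assumptions, not part of the paper's case study.

```python
# Minimal sketch of the incident notation from [17]: a security incident is a
# pair (asset, property) with the property drawn from the CIA triad, and a
# dependency edge a -> b means incident a has an impact on incident b.
# The helper name and example assets are illustrative assumptions.

CIA = {"C", "I", "A"}  # Confidentiality, Integrity, Availability

def incident(asset: str, prop: str) -> str:
    """Write an incident as ASSET.PROP, e.g. hard-disk availability -> 'HDD.A'."""
    assert prop in CIA, "security property must be one of C, I, A"
    return f"{asset}.{prop}"

# The dependency edge HDD.A -> DATA.A reads "hard-disk availability affects
# data availability", stored here as an ordered pair.
edges = {(incident("HDD", "A"), incident("DATA", "A"))}
```

Storing edges as pairs of incident strings keeps the graph representation flat, which is convenient for the cycle-detection steps described in the Construction section.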

Construction
Based on the previous assumptions, the simplification process consists of the following steps:
1. Identification and extraction of cyclic subgraphs. The cyclic identification and extraction process uses Tarjan's algorithm [28], as done by [23] to measure cyclic dependence in web services. Tarjan's algorithm identifies elementary circuits: an elementary path (a path that contains no node twice) except that its first and last nodes are identical. The algorithm takes the initial graph (G1) as input, identifies the cyclic subgraphs in G1, and extracts them into an array of cyclic subgraphs (G2).
2. Reconstruction of the initial cyclic graph into an acyclic graph. The next step is to transform each G2 element in G1 into a compound node. In this transformation, the incoming and outgoing edges change: edges connected to the compound node replace all edges connected to the G2 element. The incoming edges of the compound node come from the incoming edges of the G2 elements, and the same applies to the outgoing edges. Thus every node that depended on a G2 element now depends on the compound node that replaces it, and vice versa: the compound node generated during the reconstruction remains dependent on whatever the G2 elements depended on.
3. Reconstruction of each cyclic subgraph into an acyclic one.
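Steps 1 and 2 can be sketched as follows. This is a minimal reconstruction under stated assumptions, not the paper's implementation: graphs are dicts mapping a node to the set of its successors, strongly connected components stand in for cyclic subgraphs, and compound nodes are named `CN.<members>` by convention.

```python
# Step 1: Tarjan's algorithm finds the strongly connected components (SCCs);
# every SCC with more than one node (or with a self-loop) is a cyclic
# subgraph, i.e. an element of G2.
def tarjan_scc(graph):
    """Return the strongly connected components of `graph` (Tarjan, 1972)."""
    index, low, on_stack, stack, sccs = {}, {}, set(), [], []
    counter = [0]

    def strongconnect(v):
        index[v] = low[v] = counter[0]; counter[0] += 1
        stack.append(v); on_stack.add(v)
        for w in graph.get(v, ()):
            if w not in index:
                strongconnect(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of an SCC
            scc = set()
            while True:
                w = stack.pop(); on_stack.discard(w); scc.add(w)
                if w == v:
                    break
            sccs.append(scc)

    for v in list(graph):
        if v not in index:
            strongconnect(v)
    return sccs

# Step 2: replace each cyclic subgraph with a compound node that inherits
# all incoming and outgoing edges of its members.
def contract_cycles(graph):
    """Replace each cyclic SCC with a compound node 'CN.<members>'."""
    cyclic = [s for s in tarjan_scc(graph)
              if len(s) > 1 or any(v in graph.get(v, ()) for v in s)]
    node_of = {v: "CN." + ".".join(sorted(s)) for s in cyclic for v in s}
    dag = {}
    for v, succs in graph.items():
        for w in succs:
            a, b = node_of.get(v, v), node_of.get(w, w)
            if a != b:                  # drop edges internal to a cycle
                dag.setdefault(a, set()).add(b)
    return dag, cyclic
```

For example, `contract_cycles({"A": {"B"}, "B": {"C"}, "C": {"B", "D"}, "D": set()})` detects the cycle between B and C and replaces it with the compound node `CN.B.C`, so A now depends on `CN.B.C`, which in turn depends on D.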
Based on the model definition in [17], a node is not executed several times, only once per experiment. Therefore, the structure of every G2 element must be made acyclic.
The restructuring process uses Wang's algorithm [29] for cyclic restructuring. This algorithm was designed for Bayesian Networks (BN), which require acyclic structures. Following Wang's algorithm, a node that is not an entry point of a cycle can have its cumulative score calculated more efficiently without considering the cycle. For each node in the cycle that has only one incoming edge, the cumulative score can be calculated (after the calculation for the entry point is complete) as if the node were not in the cycle.
The results of reconstructing the cyclic G2 elements are stored as acyclic G4 elements (also in an array).
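The entry-point idea behind step 3 can be sketched generically. Note this is a simplified stand-in for Wang's algorithm, not its full score-propagation logic: given a cyclic subgraph and a chosen entry point, the edges pointing back into the entry point are dropped, so the entry node is executed once as the initial node of the subgraph.

```python
# A minimal sketch (not Wang's original algorithm) of restructuring a cyclic
# subgraph: drop every edge that points back into the chosen entry point,
# leaving the entry node as the unique initial node of an acyclic structure.
def acyclic_from_entry(subgraph, entry):
    """Remove all edges w -> entry so `entry` becomes the initial node."""
    return {v: {w for w in succs if w != entry}
            for v, succs in subgraph.items()}

# For a three-node cycle X -> Y -> Z -> X with entry point X, only the back
# edge Z -> X is removed; the chain X -> Y -> Z survives intact.
dag = acyclic_from_entry({"X": {"Y"}, "Y": {"Z"}, "Z": {"X"}}, "X")
```

A single removed edge suffices here because each node has one incoming edge; cycles with several entry points would need the full algorithm from [29].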

Illustration
A data security case study of a client-server application will demonstrate the implementation capabilities of the proposed method.
In the client-server application, a data center requires the availability of routers and servers. Server availability requires the availability of the database. Database availability requires the availability of the internal data and the transaction data. For security, database availability also requires the availability of the database backup. Database backup availability requires the confidentiality of the application, obtained from the confidentiality of the internal data. Based on the model requirements, the case is presented in the form of the initial graph G1 (Figure 2). The final step is to reconstruct G2, which is still cyclic, into acyclic form. This stage differs from the G3 reconstruction process: taking DB.A as the entry point, the subgraph is simplified through one execution with DB.A placed as the initial node. The graph becomes acyclic by removing the edge ID.C→DB.A, and is then extracted into G4 (see Figure 5). The use of compound nodes simplifies the attack graph: complexity that initially tends to be complicated can be modularized quantitatively, and the compound nodes can be discussed separately within an acyclic structure.
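The cycle handling in this illustration can be traced end to end in code. The snippet below is a hedged reconstruction: it assumes edges follow the "requires" direction described above, and the abbreviations DBB (database backup) and APP (application) are ours, not the paper's.

```python
# A plausible reconstruction of the cyclic subgraph G2 from the illustration,
# assuming "a requires b" is drawn as an edge a -> b. Node abbreviations
# DBB.A and APP.C are illustrative assumptions.
g2 = {
    "DB.A":  {"DBB.A"},   # database availability requires backup availability
    "DBB.A": {"APP.C"},   # backup availability requires app confidentiality
    "APP.C": {"ID.C"},    # obtained from internal data confidentiality
    "ID.C":  {"DB.A"},    # closes the cycle back to database availability
}

def has_cycle(graph):
    """Detect a cycle with a colored depth-first search."""
    WHITE, GRAY, BLACK = 0, 1, 2
    color = {v: WHITE for v in graph}
    def visit(v):
        color[v] = GRAY
        for w in graph.get(v, ()):
            cw = color.get(w, WHITE)
            if cw == GRAY or (cw == WHITE and visit(w)):
                return True
        color[v] = BLACK
        return False
    return any(visit(v) for v in graph if color[v] == WHITE)

# Choose DB.A as the entry point and drop its incoming edge ID.C -> DB.A,
# producing an acyclic G4 as in Figure 5.
g4 = {v: {w for w in succs if w != "DB.A"} for v, succs in g2.items()}

print(has_cycle(g2))  # True
print(has_cycle(g4))  # False
```

After the single edge removal, the remaining chain DB.A → DBB.A → APP.C → ID.C is acyclic, which matches the qualitative description of the G4 extraction.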

Discussion
Several studies [5]-[15] have offered asset dependency solutions in information security risk that take into account a small number of important assets. In practice, the actual number of assets in an organization is very large; although the proposed solutions may model the system in general, the complexity still remains as future work [1], [19]. The complexity of the solutions offered hinders organizational understanding of the importance of the problems organizations face, while limited funds and staff [3] force them to focus on problems they consider more important.
An organization's failure to understand the important problem of information security risks is a failure to understand its complexity, which minimizes the opportunity to implement the solutions offered.
The proposed method has several advantages over previous approaches. Where [17]-[19] added complexity by grouping assets of the same type, the proposed method separates the parts of the cycle in a modular way, so the complexity can be seen more clearly than in [17]; the compound node CN.DB.A represents the cycle.
Not only are cycles handled, but dependencies are also simplified. Using the threat scenario concept of Rahmad [7]-[9], assets can share the same set of security incidents. Where [17]-[19] focused only on handling the dependency cycle, the proposed model goes further by simplifying it. For example, the risk analysis carried out by Muller [17] evaluated about 50 different assets with three or four threats each, producing hundreds of node relationships (Figure 6). The proposed method adds the ability to separate the existing connections into multiple layers of node dependency; thus the number of nodes in the proposed method's first layer is smaller than the number of Muller's nodes, which clearly simplifies the structure.

Conclusion and Future Work
The biggest challenge in analysing information security risks is to involve asset dependencies. It is always difficult to find results that can serve as an organizational basis for identifying risks. The popularity of qualitative solutions depends largely on the availability of experts to the organization, which generally increases cost and subjectivity. Developing a quantitative model that is cost-benefit oriented and easily understood by managers would be a major step towards meeting these needs.
The attack graph, as a probabilistic formalism, is very promising for information security risk analysis because of its flexibility and its support for dependency cycles. However, the complexity of some previous studies makes them difficult to implement in the real world. The proposed method makes it possible to manage the complexity of the risk analysis.
Future work will focus on an evaluation of the proposed method, which could not be presented here due to incomplete data. That study will compare several risk analysis models in terms of process speed and readability (where possible).