Article code: 454565
Journal code: 695234
Publication year: 2009
English article: 15 pages, PDF
Full-text version: Free download
English title of the ISI article
Risk profiles and distributed risk assessment
Related topics
Engineering and Basic Sciences, Computer Engineering, Computer Networks and Communications
English abstract

Risk assessment is concerned with discovering threat paths between potential attackers and critical assets, and is generally carried out during a system's design and then at fixed intervals during its operational life. However, the currency of such analysis is rapidly eroded by system changes; in dynamic systems these include the need to support ad-hoc collaboration, and dynamic connectivity between the system's components. This paper resolves these problems by showing how risks can be assessed incrementally as a system changes, using risk profiles, which characterize the risk to a system from subverted components. We formally define risk profiles, and show that their calculation can be fully distributed; each component is able to compute its own profile from neighbouring information. We further show that profiles converge to the same risks as systematic threat path enumeration, that changes in risk are efficiently propagated throughout a distributed system, and that the distributed computation provides a criterion for when the security consequences of a policy change are local to a component, or will propagate into the wider system. Risk profiles have the potential to supplement conventional risk assessments with useful new metrics, maintain accurate continuous assessment of risks in dynamic distributed systems, link a risk assessment to the wider environment of the system, and evaluate defence-in-depth strategies.

Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 28, Issue 7, October 2009, Pages 521–535