Question - OCTAVE Allegro Math (no due date)

eramba 2017-03-25 11:30:13 UTC #1

Hello, reviewing allegro i think we got how it works (hopefully) , those of you that use can confirm please that:

(IA) Impact Area is a classification applied to each asset (in eramba we define this at Asset Mgt / Settings / Classifications)
(A) Impact is a classification applied to Asset Risks (in eramba we define this at Risk Mgt / Asset Risk Management / Settings / Classifications)

Then the math to calculate the risk score is multiplication of I x IA and then the sum of all those results. The documentation mentions the probability is an optional field - but if included , how is factored on the math?

I used as a reference "Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process" from 2007

Thanks - we'll put this and other risk related fixes on a single release once we complete workflows.

wwilliams 2017-03-28 14:04:39 UTC #2

While I've not used this in years, this matches my recollection from the OCTAVE training and my usage of OCTAVE Allegro.

eramba 2017-03-28 22:27:07 UTC #3

Cheers Walt !

We'll also factor probability as an additional column on the left, that will be optional.

jonas.von.scholten 2017-03-29 22:16:13 UTC #4

We use the Octave Allegro - using the margerit calculation:

we attach the Asset Classifications(Impact areas) with 1 value per impact area ranked per allegro method... the risk assesment then adds the Impact score to each impact area. (please see image)

the margerit calculation has likelihood as mandatory - hence we use it... it would simplify things if we didn't have to take into consideration what the likelihood is of a risk being impacted. the likelihood evaluation is always a somewhat subjective that are hard to describe and provide documentation for.

Regards

Jonas

eramba 2017-03-30 19:58:32 UTC #5

Jonas,
So magerit and allegro are the same with the exception of the "likelihood" bit ? Would this mean that if we make the likelihood "optional" in magerit we would not need to add an additional risk method?
Sorry to bother, we just want to get it right.
Thanks!

jonas.von.scholten 2017-04-03 19:00:14 UTC #6

well "the same" would be incorrect - but it is possible to use Octave Allegro using the magerit calculation yes.

making the likelihood field optional would make it more usable on a general level, reducing the need for documenting the method used for making subjective estimations.

so to answer the question - YES, making likelihood optional would make magerit compatible with Octave allegro (calculation wise)

eramba 2017-04-04 11:52:31 UTC #7

We plan to add a new calculation tab, so we are not trying to use "Magerit" to meet "Allegro", just looking at the similarities.

Going back to our suggestion, is that correct or not? what is missing?

The user classifies assets in "Impact Areas" (that is available already).
When an asset risk is created, based on the assets that were input eramba chooses the highest values for each Impact Area
For each Impact Area , the user selects Impact (or whatever the user wants to call that single classification under Risk Classifications)
For each Impact area, the user (OPTIONALLY) select Likelihood (or whatever the user wants to call that single classification under Risk Classifications)

So in the "Allegro" calculation settings, the user will tell eramba:

Which classification do you want to use for Impact? (mandatory)
Which classification do you want to use for likelihood? (optional)

makes sense ? missing something ?

jonas.von.scholten 2017-04-07 08:08:29 UTC #8

To me it makes sense

eramba 2017-04-20 12:07:12 UTC #9

https://github.com/kisero/eramba_v2/issues/475

its there!

rene.beauregard 2018-03-19 18:32:33 UTC #10

Is this still on the roadmap ?

eramba 2018-03-20 09:25:05 UTC #11

Hello There,

I think we hold this as it was the same as “magerit” (i might be wrong here). The only piece that is sligthly different is the following in my understanding (and again, i might be wrong).

In magerit the “likelihood” will be one for all impacts , and Octave seems to let you do it that way OR set a likelihood per impact.

Do you see the same?

Happy to do this one