III - Techniques: Methodology For Information Systems Risk Analysis and Management


MINISTERIO DE ADMINISTRACIONES PÚBLICAS

MAGERIT – version 2
Methodology for Information Systems Risk
Analysis and Management

III – Techniques

© MINISTERIO DE ADMINISTRACIONES PÚBLICAS


Madrid, 20 June 2006 (v 1.1)
NIPO: 326-06-044-8
Catálogo general de publicaciones oficiales
http://publicaciones.administracion.es
PROJECT TEAM

Director:
Francisco López Crespo
Ministerio de Administraciones Públicas

Miguel Angel Amutio Gómez


Ministerio de Administraciones Públicas

Javier Candau
Centro Criptológico Nacional

External consultant:
José Antonio Mañas
Professor
Universidad Politécnica de Madrid
Magerit version 2 Introduction

Index
1. Introduction
2. Specific techniques
2.1. Analysis using tables
2.1.1. References
2.2. Algorithmic analysis
2.2.1. A qualitative model
2.2.2. A quantitative model
2.2.3. A model using steps
2.2.4. On the efficiency of safeguards
2.3. Attack trees
References
3. Generic techniques
3.1. Cost-benefit analysis
References
3.2. Data flow diagrams (DFD)
References
3.3. Process diagrams
References
3.4. Graph techniques
3.5. Project planning
References
3.6. Working sessions
3.6.1. Interviews
3.6.2. Meetings
3.6.3. Presentations
References
3.7. The Delphi method
References

© Ministerio de Administraciones Públicas page 3 (of 30)



1. Introduction
This book of techniques completes the guide to the Magerit methodology. It assumes that the concepts of risk analysis and management, as explained in the methodology guide, are already known and understood.
The aim is to describe techniques to be used in risk analysis and management projects ¹. Techniques are considered to be a set of heuristics and procedures supported by standards. It is implied that they use one, or several, specific notations for syntax and semantics and apply criteria of excellence when applied. Practices are procedures to achieve specific objectives rapidly, securely and precisely, with minimal room for the unexpected.
For each of the techniques and practices referred to below:
• there is a brief explanation of the intended objective,
• the basic associated elements are described,
• the basic principles, on which the technique is based, are described,
• a text and/or graphic notation is presented, and
• bibliographic sources deemed of interest to readers who wish to study each subject further are provided, although the list can never be complete.
All the techniques in this book can be used without automated aids; however, for repeated or complex use, it is recommended to use tools as widely and frequently as possible.
It is important to point out that the notation proposed for applying the technique is in no case compulsory. Each organization may adapt to the available tools or sector-specific notations.

¹ Several of the techniques referred to have been incorporated from Métrica version 3.


2. Specific techniques
This chapter focuses on very specific techniques for risk analysis and management projects.
These are techniques that are not used in other work contexts.
The following are thought to be of special interest:
1. the use of tables to derive simple results
2. algorithmic techniques to derive complex results
3. attack trees to complement the reasoning behind which threats could attack an information
system
and are dealt with in the sections below.


2.1. Analysis using tables


An analysis is defined as differentiating and separating the parts of a whole until disclosing its principles or elements. Risk analysis involves working with several elements, which have to be combined into a system and put in order of importance, without the many details obscuring the vision of the whole.
Experience has proved the usefulness of simple methods of analysis using tables, which, although not very precise, certainly succeed in identifying the relative importance of the various assets subject to threat.
The following scale is a tool for grading the value of the assets, the size of the impact and the size of the risk:
VL: very low
L: low
M: medium
H: high
VH: very high

Impact estimation
Impact can be calculated from simple, double-entry tables:

impact              degradation
value           1%      10%     100%
VH              M       H       VH
H               L       M       H
M               VL      L       M
L               VL      VL      L
VL              VL      VL      VL

Any assets that are graded as very high impact (VH) should receive immediate attention.


Risk estimation
The frequency is also modelled from a simple scale:
VF: very frequent (daily)
F: frequent (monthly)
NF: normal frequency (yearly)
I: infrequent (every few years)

The impact and the frequency can be combined into a table to calculate the risk:

risk                frequency
impact          I       NF      F       VF
VH              H       VH      VH      VH
H               M       H       VH      VH
M               L       M       H       VH
L               VL      L       M       H
VL              VL      VL      L       M

Any assets that are graded as very high risk (VH) should receive immediate attention. Those
graded as high risk should be subject to immediate safeguard planning.

2.1.1. References
• ISO/IEC 13335-1:2004 – Information technology – Guidelines for the management of IT security – Part 1: Concepts and models for Information and communications technology security management.


2.2. Algorithmic analysis


An analysis is defined as differentiating and separating the parts of a whole until disclosing its principles or elements.
In chemical science, a qualitative analysis is used to find and isolate elements or ingredients of a compound body, unlike the quantitative analysis, which is used to decide the quantity of each element or ingredient.
Two algorithmic approaches are presented in the following sections. First, there is a qualitative model that seeks a relative valuation of the risk on the assets (what is the greatest, as opposed to what is the least?). Second, there is a quantitative model which aims to answer the questions of how much more and how much less. A step-by-step model is then shown, which represents a typical assessment of impact on the availability of information systems. Finally, there is a model to calculate the impact of a package of safeguards.

2.2.1. A qualitative model


A qualitative risk analysis aims to find out what there is, without quantifying it more precisely than is necessary to rank the components of the model relative to one another.
This section shows a calculation model that works on a discrete scale of values.

Values
A risk analysis needs to be able to assess, relatively at least, the elements involved: specifically, the assets, the impact of the threats and the risk run.
A scale of symbolic levels is used throughout:
V = { ..., v_0, v_1, ..., v_i, ... }
This series of levels satisfies the following properties:
• total order: ∀ i, v_i < v_{i+1}
• there exists a special element, “v0”, which is ranked as “negligible” ².
Informally, an asset is said to have “i points” to indicate that it has been assessed as “vi” ³.

The value of assets


Each asset in each dimension receives a value on the scale V.
The various dimensions of an analysis are not inter-related, and each asset has to have a value in
each of the dimensions.

The dependency between assets


The only concern is whether asset A depends, significantly, on another asset B. In other words,
dependency between assets is a Boolean value: yes or no.
A→B
The dependency can be transitive:
(A → B) ∧ (B → C)
A depends on B; B depends on C.

² This negligible level establishes a subjective boundary between what can be appreciated and should give cause for concern, and what is insignificant and can be disregarded. Values below v0 are disregarded.
³ If the reader wishes, the points on this assessment system can be interpreted as orders of magnitude, for example vx can be read as 10^x.

It can even be represented as a diamond shape:
(A → B1) ∧ (A → B2) ∧ (B1 → C) ∧ (B2 → C)
A depends on B1 and B2; B1 and B2 depend on C.
[Figure: diamond-shaped dependency graph with A at the top, B1 and B2 in the middle and C at the bottom.]
The transitive closure of direct dependencies between assets is of interest.

A ⇒ C ⇔ ∃ B, ( A ⇒ B ) ∧ ( B → C )
A depends (indirectly) on C if and only if
there is an asset B, so that A depends directly or indirectly on B and
B depends directly on C.
The following does not differentiate between direct and indirect dependencies.

The accumulated value


Let SUP(B) be the set of assets above B, i.e. the set of assets that depend directly or indirectly on B:
SUP(B) = { A_i , A_i ⇒ B }
The accumulated value over B is defined as the highest value among B and any assets above it:
accumulated_value(B) = max (value(B), max_i {value(A_i)})
The above formula states that the accumulated value on an asset is the highest of the values included, either of itself, or any one above it.

The degradation [of the value] of an asset


When an asset falls prey to a threat, it loses part of its value. A subjective “percentage of degradation of the asset” is given, which may be between 0% and 100%. “d” is set as a real value between 0.0 (0% degradation) and 1.0 (100% degradation).

The accumulated impact of a threat on an asset


This is the measurement of what a threat involves; in other words, it is the accumulated loss of value. If an asset has an accumulated value of “vx” and it is degraded by a percentage “d”, the value of the impact will be
impact = v_{round(x × d)}
Example
If an asset is valued at “v8” and it degrades by 90%, the impact will be “v7”:
round(8×0.9) = round(7.2) = 7

When the impact is reduced to “v0”, it is said to be negligible.


The deflected impact of a threat on an asset

If asset A depends on asset B, threats to B will affect A. If B undergoes a degradation “d”, this will also occur on A, with the impact on A being the loss of the basic value. If the value of A is “vx”, the impact is:
impact = v_{round(x × d)}
[Figure: asset A depends on asset B, which is subject to threat Z.]
Example
If A has a value of “v5” and depends on B (whose value is not of interest here) which degrades by 20%, the deflected impact on A will be “v1”:
round(5×0.2) = round(1.0) = 1

When the impact is reduced to “v0”, it is said to be negligible.

The frequency of threats


The frequency of threats is described on a scale of symbolic values:
F = { ..., f_0, f_1, ..., f_i, … }
In other words, a series of frequency levels which are the elements or particles of analysis.
This series of levels complies with the following properties:
• total order: ∀ j, f_j < f_{j+1}
• there is a separate element, “f0”, referred to as “negligible frequency”
• there is a separate element “fn”, referred to as “normal frequency” ⁴

Informally, it is said that a threat has “j frequency points” to show the frequency as “fj”.

The risk
Risk is measured by the scale of values, being a function of the impact and the frequency:

risk = ℜ(impact, frequency)

a function that has to be defined in line with the following requirements:

• it grows with the value: ∀ f_j, ℜ(v_i, f_j) < ℜ(v_{i+1}, f_j)
• it grows with the frequency: ∀ v_i, ℜ(v_i, f_j) < ℜ(v_i, f_{j+1})
• ℜ(v_0, f_n) = v_0
A simple function that satisfies these properties is

ℜ(v_i, f_j) = v_{i+j−n}

When the value of risk is “v0” (or less) it is regarded as negligible.

⁴ If a yearly study is to be made, fn refers to “once a year”.

Example
If an asset has a value of “v8” and it degrades by 90%, the impact will be “v7”:
round(8×0.9) = round(7.2) = 7
If the estimated frequency for the threat is “f2”, and “f3” is considered the normal frequency, then the risk will be “v6”.
[Figure: vertical scale from 0 to 10 showing value, impact and risk, with d = 90% and f = fn − 1.]

The accumulated risk
When calculating accumulated risk, the accumulated impact on the asset is used.

The deflected risk
When calculating the deflected risk, the deflected impact on the asset is used.

Safeguard packages
When a threat is in force, a series of safeguards is implemented, a safeguard package, whose efficiency, “e”, is calculated as shown below. For now, it is sufficient to say that efficiency is a real value between 0.0 (no protection) and 1.0 (fully efficient safeguard), a value that can be broken down into efficiency against impact, “ei”, and efficiency against frequency “ef”.

The residual degradation


If the asset was subject to a degradation “d”, safeguards will reduce this degradation to a residual value “dr”:
dr = d × (1 − ei)
where “ei” measures the effectiveness of safeguards to reduce the degradation of this asset (that is, limiting the impact). The value ranges between:
• ei = 0 and dr = d, when safeguards have no effect
• ei = 1 and dr = 0, when safeguards are perfect
Example
If an asset has been degraded by 66% (that is, by 2/3 of its value), but the safeguards are 90% efficient, residual degradation is 7%:
dr = 0.66 × (1 − 0.9) = 0.07

The residual impact


Residual impact is calculated in the same way as the impact, but using residual degradation:
residual_impact = v_{round(x × dr)}
A package of safeguards that is fully efficient reduces the impact to a residual value “v0”, that is, to negligible levels. If the safeguards are not strong enough, the impact will continue to be perceived.
The accumulated residual impact is calculated on the accumulated value.
The deflected residual impact is calculated on the basic value.

The residual frequency


As with the impact, the frequency of the threat on the asset is reduced to a residual value. If the
frequency was “fj”, it is now:
residual_frequency = fk where k = round(j × (1 − ef))
With “ef” being the efficiency of the safeguards mitigating the frequency of occurrence of the threat.
“ef” is a value between 0.0 (0% efficiency, i.e. unusable) and 1.0 (100% efficiency, i.e. perfect).

The residual risk
This is the risk calculated from the residual frequency and impact:

residual_risk = ℜ(residual_impact, residual_frequency)


The residual accumulated risk is evaluated using the residual accumulated impact.
The residual deflected risk is evaluated using the residual deflected impact.
Example
Suppose an asset A with a value of “v5”, which depends on another asset B with a value of “v8”.
Suppose a threat to asset B that degrades it by 90%, with an estimated frequency of “f2”, with “f3” being the normal frequency.
A package of safeguards is deployed in the system which reduces the impact by 50% and the frequency of occurrence by 50%.
The calculations provide the following indicators:

for A                           for B
accumulated value: v5           accumulated value: v5 + v8 = v8
deflected impact: v4            accumulated impact: v7
deflected risk: v3              accumulated risk: v6
residual degradation: 45%       residual degradation: 45%
residual impact: v2             residual impact: v3
residual frequency: f1          residual frequency: f1
residual risk: v0               residual risk: v1

Summary
This is the qualitative model, where the assets have been placed on a scale of relative value by defining an arbitrary value “v0” as drawing the line between values of concern and those that are negligible.
On this scale of value, measurements are taken both of the basic or accumulated value of the asset and the impact of a threat when it occurs and the risk to which it is exposed.
While the impact measures the value of the potential problem, the risk weights this impact with the estimated frequency at which the threat may occur. The impact is the measure of the cost if the problem should occur, while the risk measures the exposure during a specific period of time.
Estimations of the impact and residual risk include the efficiency of the safeguards to deal with the threat, either by limiting the impact, “ei”, or by reducing the frequency, “ef”.
Therefore, the model combines the following analysis parameters:
• rating the value of the asset through a discrete scale
• rating the degradation posed by a threat as a percentage
• rating the frequency at which a threat occurs through a discrete scale
• the integration of a package of safeguards
• rating the efficiency of the safeguards through a percentage
All these parameters allow for upward or downward movement on the scale of values.
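
The qualitative model above, carried through in Python as an added example (not code from Magerit or its authors). The asset names, point values and the diamond-shaped graph are constructed, and rounding halves upwards is an assumption, since the text only writes round().

```python
import math


def transitive_closure(direct):
    """Map each asset to every asset it depends on, directly or indirectly (A ⇒ C)."""
    closed = {}

    def below(asset, path):
        if asset in path:
            raise ValueError(f"dependency cycle through {asset!r}")
        if asset not in closed:
            reach = set()
            for dep in direct.get(asset, ()):
                reach |= {dep} | below(dep, path | {asset})
            closed[asset] = reach
        return closed[asset]

    for asset in direct:
        below(asset, frozenset())
    return closed


def sup(closed, asset):
    """SUP(B): the assets that depend directly or indirectly on B."""
    return {a for a, deps in closed.items() if asset in deps}


def accumulated_value(value, closed, asset):
    """Highest value among the asset itself and every asset above it."""
    return max([value[asset], *(value[a] for a in sup(closed, asset))])


def level(x):
    """round() of the text. Assumption: halves round up (Python's round() would not)."""
    return math.floor(x + 0.5)


def impact(points, degradation):
    """impact = v_round(x × d), returned as a number of points."""
    return level(points * degradation)


def risk(impact_points, freq_points, normal):
    """ℜ(v_i, f_j) = v_(i+j−n); a result of 0 or less is negligible."""
    return impact_points + freq_points - normal


def analyse(value, direct, target, d, freq, normal, ei=0.0, ef=0.0):
    """Accumulated figures for the threatened asset, deflected ones for those above it."""
    closed = transitive_closure(direct)
    dr = d * (1 - ei)              # residual degradation
    fr = level(freq * (1 - ef))    # residual frequency, in frequency points
    report = {}
    for asset in sorted({target} | sup(closed, target)):
        accumulated = asset == target
        base = accumulated_value(value, closed, asset) if accumulated else value[asset]
        report[asset] = {
            "kind": "accumulated" if accumulated else "deflected",
            "impact": impact(base, d),
            "risk": risk(impact(base, d), freq, normal),
            "residual_impact": impact(base, dr),
            "residual_risk": risk(impact(base, dr), fr, normal),
        }
    return report


# Constructed sample (not from the page): diamond A -> B1, B2 -> C, threat on C.
VALUE = {"A": 7, "B1": 3, "B2": 5, "C": 2}
DIRECT = {"A": {"B1", "B2"}, "B1": {"C"}, "B2": {"C"}}
REPORT = analyse(VALUE, DIRECT, target="C", d=0.8, freq=4, normal=3, ei=0.5, ef=0.5)

if __name__ == "__main__":
    for name, row in REPORT.items():
        print(name, row)
```

The lowest asset of the diamond carries the accumulated value of the most valuable asset above it, so its accumulated risk equals the deflected risk of that asset.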

2.2.2. A quantitative model


A quantitative risk analysis seeks to find out what there is and to what extent, by quantifying all possible aspects.
The following model does not function on a scale of discrete values, but with real positive numbers
(in a mathematical sense).

The value of assets


The value of an asset in a specific dimension is a real value higher than zero.
A specific value, “v0”, is set as the boundary between the negligible values and those that are relevant.

The dependency between assets


It must be established whether asset A depends on asset B, and to what extent. The concepts of direct or indirect dependency stated in the qualitative model are applied, but now the dependency is rated by a coefficient between 0.0 (independent assets) and 1.0 (assets with absolute dependency). This coefficient is called the degree of dependency.
As the dependency can be direct or indirect, it is calculated on the basis of the transitive closure of the direct dependencies between assets.

A ⇒ C ⇔ ∃ B, ( A ⇒ B ) ∧ ( B → C )
A depends (indirectly) on C if, and only if, there exists an asset B so that A depends directly or indirectly on B, and B depends directly on C.
The degree of dependency is calculated as:

degree(A ⇒ C) = Σ_i { degree(A ⇒ B_i) × degree(B_i → C) }

where the sums are carried out following this formula:
a + b = 1 − (1 − a) × (1 − b) ⁵
Examples
[Figure: three example dependency graphs with edges labelled by degree of dependency (50%, 100%, 30%), giving 15%, 65% and 55%.]

The following does not differentiate between direct or indirect dependencies.

The accumulated value


Let SUP(B) be the set of assets above B, i.e. the set of assets that depend directly or indirectly on B:
SUP(B) = { A_i , A_i ⇒ B }

⁵ This addition satisfies the commutative, associative properties and the existence of a neutral element, in addition to containing the result within the range [0..1] if the addends are within this range.
The choice of this peculiar formula, taken from the Bayes calculation of probability, arises from the need to reflect the fact that, if an asset depends on another through various routes (diamond structures), the total dependency cannot exceed 100%.

The value accumulated on B is defined as the (traditional) sum of the values of the higher assets, weighted by the degree of dependency:

accumulated_value(B) = value(B) + Σ_i { value(A_i) × degree(A_i ⇒ B) }

The degradation [of the value] of an asset


When an asset falls prey to a threat, it loses part of its value. A subjective “percentage of degradation of the asset” is given, which may be between 0% and 100%. “d” is set as a real value between 0.0 (0% degradation) and 1.0 (100% degradation).

The accumulated impact of a threat on an asset


This is the loss of accumulated value. If an asset has an accumulated value ”v” and undergoes a
degradation ”d”, the impact is
impact = i = v × d
Example
If an asset is valued at 1,000,000 and undergoes a degradation of 90%, the accumulated impact
amounts to 900,000.

When the impact is reduced to “v0”, or less, the impact is said to be negligible.

The deflected impact of a threat on an asset


If asset A depends on asset B, the threats on B affect A. If B undergoes a degradation ”d”, A loses
by the proportion of its dependence on B. If asset A has a basic value “v”, the impact is
impact = v × d × degree(A ⇒ B)
Example
Suppose there is asset A valued at 1,000,000, which has a 30% dependency on another asset B (whose value is not important here). If B falls prey to a threat that degrades it by 90%, A undergoes a deflected impact of the amount
1,000,000 x 90% x 30% = 270,000

When the impact is reduced to “v0”, or less, the impact is said to be negligible.

The frequency of threats


The frequency of a threat is a real value higher than zero.
A value of “f0“ is set as a “negligible” frequency, below which the threat is not considered to be of
consequence.

The risk
The risk is calculated as
risk = impact × frequency
This is a real value, higher than zero.
A threshold “r0“ is set below which the risk is “negligible”, that is:
r0 = v0

Example
Suppose there is an asset valued at 1,000,000, which has fallen prey to a threat that has degraded it by 90%. The impact is of the amount
1,000,000 x 90% = 900,000
If the asset is exposed to the threat at an estimated frequency of 0.1, the estimated risk is of the
amount
900,000 x 0.1 = 90,000
If the values are in euros and the frequency measures yearly occurrences (i.e., if 0.1 signifies
once every 10 years), then the possible loss in value is 900,000 euros, while the annual loss is
forecast at 90,000 euros.

The accumulated risk


When calculating the accumulated risk, the accumulated impact on the asset is used, i.e. the loss
in accumulated value due to threats to the asset.

The deflected risk


In order to estimate the deflected risk, the deflected impact shall be used; that is, the loss of its own value due to threats on assets below.

Safeguard packages
When faced with a threat, a series of safeguards, the safeguard package, is deployed, whose efficiency, “e”, is calculated as shown below. For now, it is sufficient to say that the efficiency is a real value between 0.0 (no protection) and 1.0 (safeguard fully effective), a value that can be broken down into efficiency against impact, “ei”, and efficiency against frequency “ef”, so that
(1 – ei) × (1 – ef) = 1 – e ⁶

The residual degradation


This is the part of the degradation that the efficiency of the safeguard package in use does not
succeed in counteracting.

The residual impact


A completely inefficient system of safeguards (ei = 0) leaves the impact where it was, while a fully
efficient system of safeguards (ei = 1) reduces the impact to 0. In calculation form:
residual_impact = impact x (1 – ei)

Example
Suppose there is an asset valued at 1,000,000, which has fallen prey to a threat that has degraded it by 90%. The impact is of the amount
1,000,000 x 90% = 900,000
If the safeguards are 90% efficient on the impact, the residual impact is
900,000 x (1 – 0.9) = 90,000

The accumulated impact is calculated from the data of the accumulated impact on an asset and the proper safeguards against threats on the asset.
The deflected impact is calculated from the data of the deflected impact on the higher value asset and the proper safeguards against threats to the lower value asset.

⁶ The chosen formula has the following properties. If ei = 0% and ef = 0%, e = 0%. If ei = 0%, e = ef. If ef = 0%, e = ei. If ei or ef = 100%, e = 100%. Therefore, the results increase with the components ei and ef, while at the same time remaining within the range [0%..100%].

The residual frequency


A system of completely inefficient safeguards (ef = 0) leaves the frequency in the same position,
while a fully efficient system of safeguards (ef = 1) reduces the frequency to 0. In calculation form:
residual_frequency = frequency x (1 – ef)

The residual risk


This may derive indirectly as
residual_risk = residual_impact x residual_frequency
Example
Suppose there is an asset valued at 1,000,000, which has fallen prey to a threat that has degraded it by 90%. The impact is of the amount
1,000,000 x 90% = 900,000
If the estimated frequency is 0.1, the risk amounts to
900,000 x 0.1 = 90,000
If the safeguards are 90% efficient on the impact, the residual impact is
900,000 x (1 – 0.9) = 90,000
If the safeguards are 50% efficient on the frequency, the residual frequency is
0.1 x (1 – 0.5) = 0.05
The residual risk is
90,000 x 0.05 = 4,500
The combined efficiency of the safeguards is
1 – (1 – 90%) x (1 – 50%) = 95%
If the amounts are in euros and the frequencies are yearly, the possible loss is 90,000 euros and
the annual loss is estimated at 4,500 euros.

Summary
This is the quantitative model and functions with real values that are always higher than zero.
The degree of dependency between assets is modelled as a continuum between 0.0 (independent assets) and 1.0 (fully dependent assets; any incident on the lower one has a severe effect on the higher one).
The value of the asset, basic or accumulated, is measured, as well as the impact of the threat whenever it occurs and the risk involved.
While the impact measures the value of the potential problem, the risk weights the impact with the estimated frequency at which the threats will occur. The impact measures the cost, should the threat occur, while the risk is the measure of exposure over a period of time.
If the asset is valued in economic terms (the monetary cost entailed by its complete loss), the calculated impact is the cost deriving from the threat, and the calculated risk is the amount which has to be planned for as annual losses. Therefore, the quantitative model allows a comparison between the cost of safeguards and the reduction of losses.
The estimations of impact and residual risk incorporate the efficiency of the safeguards when dealing with a threat.
If the valuation of the asset is economic, the quantitative model allows a comparison between the cost of the safeguards and the reduction in losses.
Therefore, the model combines the following analysis parameters:
• rating of the value of the asset through a numerical quantity
• rating of the dependency between assets through a percentage
• rating of the degradation posed by a threat through a percentage
• rating of the frequency at which a threat occurs through a frequency
• the integration of a package of safeguards
• rating of the efficiency of the safeguards through a percentage
All these parameters can be moved up and down the scale of values.
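
The quantitative model as an added Python example, not part of the original guide: it computes the degree of dependency over the transitive closure with the bounded sum of the text, then the accumulated value and the residual figures of the worked examples. The asset names, values and graph are constructed; treating degree(A ⇒ A) as 1, so that a direct edge counts as itself, is an assumption of this sketch.

```python
def psum(a, b):
    """The bounded sum of the text: a + b = 1 − (1 − a) × (1 − b)."""
    return 1 - (1 - a) * (1 - b)


def degree(direct, a, c, _path=frozenset()):
    """degree(A ⇒ C) = Σ_i degree(A ⇒ B_i) × degree(B_i → C), summed with psum."""
    if a == c:
        return 1.0  # assumption of this sketch: lets a direct edge A → C count as itself
    if c in _path:
        raise ValueError(f"dependency cycle through {c!r}")
    total = 0.0
    for b, edges in direct.items():
        weight = edges.get(c, 0.0)      # degree of the direct dependency B → C
        if weight:
            total = psum(total, degree(direct, a, b, _path | {c}) * weight)
    return total


def accumulated_value(value, direct, b):
    """value(B) plus the value of each asset above it, weighted by its degree of dependency."""
    return value[b] + sum(value[a] * degree(direct, a, b) for a in value if a != b)


def assess(value, d, frequency, ei=0.0, ef=0.0, dependency=1.0):
    """Impact, risk and their residuals; dependency < 1 gives the deflected figures."""
    impact = value * d * dependency
    residual_impact = impact * (1 - ei)
    residual_frequency = frequency * (1 - ef)
    return {
        "impact": impact,
        "risk": impact * frequency,
        "residual_impact": residual_impact,
        "residual_frequency": residual_frequency,
        "residual_risk": residual_impact * residual_frequency,
        "efficiency": 1 - (1 - ei) * (1 - ef),
    }


# Constructed sample (not from the page): a chain and a diamond.
CHAIN = {"A": {"B": 0.5}, "B": {"C": 0.3}}
DIAMOND = {
    "portal": {"web": 1.0, "db": 1.0},
    "web": {"host": 0.5},
    "db": {"host": 0.3},
}
VALUE = {"portal": 400_000, "web": 100_000, "db": 200_000, "host": 50_000}

if __name__ == "__main__":
    print("chain   A => C:", round(degree(CHAIN, "A", "C"), 4))
    print("diamond portal => host:", round(degree(DIAMOND, "portal", "host"), 4))
    print("accumulated value of host:", round(accumulated_value(VALUE, DIAMOND, "host")))
    # Figures of the text's residual-risk example.
    print(assess(1_000_000, d=0.9, frequency=0.1, ei=0.9, ef=0.5))
```

Because the two routes of the diamond are combined with the bounded sum, the degree of dependency of the top asset on the bottom one stays below 100% however many routes exist.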

2.2.3. A model using steps


Sometimes, value degradation is best described as a series of [increasing] degradation steps. A
typical case would be the interruption of services, as depicted below:

[Figure: “cost of [the loss of] availability”, a step chart of cost (0 to 10) against interruption period, from 15 minutes up to total loss.]

where the cost of interruption grows up to a maximum limit corresponding to the total destruction of the asset (no remaining value).
The following sections show how to analyse these steps, either qualitatively (discrete scale of values) or quantitatively (continuous values).

The steps
An ordered series of value steps is determined:
E = { e1, e2, ..., en }
Each step represents an interruption period (see the above diagram).

The value of the assets


Assets are assigned a value for each of the steps
v[ei]
a value that can be qualitative or quantitative, depending on the type of analysis being made; however, the series must be monotonically growing:
v[e1] ≤ v[e2] ≤ … ≤ v[en]

Dependencies between assets
These will be treated either qualitatively (there is, or there is no, dependence), or quantitatively
(there is a certain degree of dependence), as required.

Accumulated value
This is calculated independently (in parallel) for each step.
This means that an actual value and an accumulated value are calculated for each step.
Example
An administration unit provides a claims service that has traditionally been carried out via mail:
the claimant sends in the claim by letter and is answered within the maximum period of 1 week.
Currently, an alternative, online service has been set up with a reply given in less than 1 hour
(during attendance hours), which is considered excellent. After one hour, the image offered to
the public starts to suffer. If the service takes more than one day, it is considered useless, even
though the seriousness is relative, as there is always the option of claiming by post.
Both services depend on computer equipment holding the data of both services:

asset     1hr    1day   1wk
letter    [0]    [0]    [8]
web       [3]    [5]    [5]
server    [3]    [5]    [8]    (accumulated)

The degradation [of the value] of an asset


When a threat occurs, it stops the service for a given period, modelled as a step value “ei“.

The impact of a threat on an asset


It is the value corresponding to the degradation step, “v[ei]”.
To estimate the accumulated impact, the accumulated value (for the referenced step) will be used.
To estimate the deflected impact, the own value of the upper asset (for the referenced step) will be
used. For a quantitative analysis, use that value times the dependency factor.
Example
In the previous example, a computer virus causes a 48-hour stoppage. The impact on the server
is [5], the same as for the web service. The deflected impact on the postal service is [0].

The frequency of a threat


The qualitative or quantitative model is used, as required.

The risk posed by a threat to an asset


The qualitative or quantitative model is used, as required.

The efficiency of a safeguard on the impact


A safeguard against the interruption of a service is based on a reaction time, which measures how long it takes to resume service.
The efficiency of a safeguard is measured by taking the step corresponding to the time of “guaranteed reply” 7.

7 The reasoning is as follows. If a stop of longer than x1 hours involves damage of v1, and a stop of longer than x2 hours, damage of v2; then a stop of x hours, being x1 ≤ x < x2, means damage of v1, given that it has not reached the level of x2.

Example
In the above case, an anti-virus system can be used that will enable the service to be resumed
in 6 hours. The efficiency is said to be on the 6-hour step.

The efficiency step may be e0, if the safeguard is so effective that it does not allow even the first
step e1.
This efficiency step is the same as the degradation when the safeguard is unable to reduce the
impact 8.
This efficiency step can never be higher than the degradation step, as a safeguard cannot worsen
the situation of an asset under threat.
In addition to the efficiency step, the safeguards applied to the case constitute a package characterised by their efficiency in reducing the impact, ei, and their efficiency in reducing the frequency, ef. How to calculate these coefficients is described below.
What must be shown, however, is how to calculate the effectiveness step for a package of safeguards:

$$
\mathrm{step}(ps) =
\begin{cases}
\mathrm{step}(s) & \text{if } s \text{ is separate} \\
\max_k \{\, \mathrm{step}(ps_k) \,\} & \text{if } ps = \mathrm{all}(ps_k) \\
\min_k \{\, \mathrm{step}(ps_k) \,\} & \text{if } ps = \mathrm{some}(ps_k) \\
\min_k \{\, \mathrm{step}(ps_k) \,\} & \text{if } ps = \mathrm{one}(ps_k)
\end{cases}
$$

Where the special value “na” 9 behaves as a neutral element in the operations.
Therefore, a set of alternative safeguards must contain at least one that will be effective. In a set of
concurrent safeguards, efficiency is rated by the worst of these.

Residual degradation
If the unprotected asset is positioned on degradation step “ed“, the safeguards will place it on the
step proposed as efficiency step, “es“; but modulated by efficiency “ei” against the impact, resulting
in a residual step “er“:
r = ⎣d − ((d − s) × ei)⎦ 10

Where the special value “na” is assessed at 0.

Residual impact
This is the value corresponding to the residual step:
residual_impact = value[er]

Example
In the case above, if an antivirus system is deployed that enables service to be resumed in 6 hours, the residual impact on the server and Internet service is [3].
If an antivirus system is deployed that guarantees service to be resumed in 30 minutes, the residual impact will be [0].
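The step model can be checked end to end in code. The following Python sketch is an added example, not part of MAGERIT: it reproduces the claims-service figures (accumulated value, impact, deflected impact, residual impact), assuming the server has no own value, that qualitative accumulation takes the maximum per step, and that an efficiency of “na” counts as 0; all function names are hypothetical.

```python
import math

# Constructed from the claims-service example; the server's own value of 0
# at every step is an assumption (the page gives only its accumulated row).
STEP_HOURS = [1, 24, 168]                      # e1 = 1hr, e2 = 1day, e3 = 1wk
OWN = {"letter": [0, 0, 8], "web": [3, 5, 5], "server": [0, 0, 0]}
DEPENDS_ON = {"letter": ["server"], "web": ["server"]}   # upper -> lower

def accumulated(asset):
    """Qualitative accumulated value per step: maximum over the asset itself
    and every upper asset that depends on it (direct dependencies only)."""
    uppers = [a for a, lower in DEPENDS_ON.items() if asset in lower]
    rows = [OWN[asset]] + [OWN[a] for a in uppers]
    return [max(column) for column in zip(*rows)]

def step_index(hours):
    """Step reached by a stoppage: x1 <= x < x2 lands on step 1; 0 means e0."""
    return sum(1 for limit in STEP_HOURS if hours >= limit)

def value_at(values, idx):
    """v[e_idx], with v[e0] = 0; rejects a series that is not monotonic."""
    if values != sorted(values):
        raise ValueError("v[e1] <= v[e2] <= ... <= v[en] must hold")
    return 0 if idx == 0 else values[idx - 1]

def impact(asset, outage_hours, cumulative=True):
    """Accumulated impact, or deflected impact when cumulative is False."""
    values = accumulated(asset) if cumulative else OWN[asset]
    return value_at(values, step_index(outage_hours))

def residual_step(d, s, ei):
    """r = floor(d - (d - s) * ei), with the efficiency step capped at d."""
    ei = 0.0 if ei is None else ei   # assumption: "na" efficiency counts as 0
    s = min(s, d)                    # a safeguard cannot worsen the situation
    return math.floor(d - (d - s) * ei)

def residual_impact(asset, outage_hours, recovery_hours, ei=1.0):
    d, s = step_index(outage_hours), step_index(recovery_hours)
    return value_at(accumulated(asset), residual_step(d, s, ei))
```

With a 48-hour stoppage and a 6-hour guaranteed recovery the server lands on the 1hr step, and a 48-hour back-up centre leaves a 6-hour stoppage unchanged, as footnote 8 states.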

Residual frequency
The qualitative or quantitative model is used, as necessary.

8 A back-up centre that starts up after 48 hours is useless against threats that stop the service for 6 hours.
9 na: not applicable.
10 Notation ⎣ν⎦ stands for the integer floor of the value.

Residual risk
The qualitative or quantitative model is used, as necessary, based on the residual impact and residual frequency.

2.2.4. On the efficiency of safeguards


All the models require an assessment of the efficiency of the safeguards deployed to protect an asset from a threat. A common model for assessing the efficiency of a set of safeguards applied to an asset is described below.

Package of safeguards
When a threat appears, a package of safeguards is deployed which is simply a set of separate safeguards accumulated over an asset. The various safeguards can be accumulated concurrently (all are needed to produce the desired effect), or exclusively (only one of the set produces an effect) or additively (the more, the better).
ps::= safeguard
| all(ps0, ps1, ...)
| some (ps0, ps1, ...)
| one (ps0, ps1, ...)

The efficiency of a safeguard


Each safeguard is valued according to its efficiency in reducing the risk to the asset it is protecting.
The efficiency of a package of safeguards is a real number between 0.0 and 1.0:
• if a safeguard is perfect (100% efficient), then e = 1
• if a safeguard is insufficient, then e < 1
• if a safeguard is useless, then e = 0
• if a safeguard is not suitable for the context, then e = na
The efficiency of the safeguard depends on its natural capacity to protect the asset and on how it is
deployed. The value of the efficiency unites both aspects into a single parameter.

The efficiency of a package of safeguards


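$$
e(ps) =
\begin{cases}
e(s) & \text{if it is separate} \\
\operatorname{avg}_k \{\, e(ps_k) \,\} & \text{if } ps = \mathrm{all}(ps_k) \text{ (note 11)} \\
\min \{\, 1.0,\ \sum_k e(ps_k) \,\} & \text{if } ps = \mathrm{some}(ps_k) \\
\max_k \{\, e(ps_k) \,\} & \text{if } ps = \mathrm{one}(ps_k)
\end{cases}
$$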

Where the special value “na” behaves as a neutral element in the operations for calculating the
maximum, product or sum.
As a result, the efficiency of a package of concurrent safeguards is the average of these; the efficiency of a package of additive safeguards is accumulated to a limit of 100%; and in a package of alternative safeguards, the efficiency is set by the best one.

Weighted efficiency of a package of safeguards


The average value of the efficiency of the components is taken as the efficiency of a package of
safeguards. This calculation can be modulated if it is remembered that not all safeguards are of the
same type, by introducing a weighting “p”:

11 The average value is calculated as usual: efficiencies other than NA are added and divided by the
number of addends.


$$
e(ps) = \frac{\sum_k e(ps_k) \times p_k}{\sum_k p_k}
$$

If all the safeguards should have the same importance, then “p = 1”.

Efficiency against impact and the frequency of a threat


Risk combines impact and frequency. A safeguard can reduce the impact, or the frequency, or
both. It depends on the type of safeguard acting on the impact or the frequency.
Consequently, in the above sections, a difference can be made between efficiency that reduces the impact, “ei”, and the efficiency that reduces the frequency “ef”. Both of these are calculated using the same criterion: fulfilment of the task. Finally, the efficiency can be calculated by reducing the risk, “e”, as
(1 − ei) × (1 − ef) = 1 − e
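The package rules of this section, together with the step(ps) rule given earlier for the step model, can be evaluated recursively over the ps grammar. The following Python sketch is an added example, not part of MAGERIT: the Safeguard tuple, the function names and the choice to apply the weights “p” only to the members of the top-level “all” package are assumptions.

```python
from collections import namedtuple

NA = None  # "na": not applicable; neutral element in every operation below
Safeguard = namedtuple("Safeguard", "name e step")  # leaf of a package

def efficiency(ps, weights=None):
    """e(ps) for a Safeguard or a package written as (kind, [members])."""
    if isinstance(ps, Safeguard):
        return ps.e
    kind, members = ps
    ws = weights or [1.0] * len(members)       # p = 1: same importance
    pairs = [(efficiency(m), w) for m, w in zip(members, ws)]
    pairs = [(e, w) for e, w in pairs if e is not NA]   # drop "na" members
    if not pairs:
        return NA
    if kind == "all":      # concurrent: (weighted) average of the members
        return sum(e * w for e, w in pairs) / sum(w for _, w in pairs)
    if kind == "some":     # additive: accumulated up to a limit of 100%
        return min(1.0, sum(e for e, _ in pairs))
    if kind == "one":      # alternative: set by the best member
        return max(e for e, _ in pairs)
    raise ValueError(f"unknown package kind: {kind}")

def step(ps):
    """Efficiency step of a package: worst step for all(), best otherwise."""
    if isinstance(ps, Safeguard):
        return ps.step
    kind, members = ps
    steps = [s for s in map(step, members) if s is not NA]
    if not steps:
        return NA
    return max(steps) if kind == "all" else min(steps)

def risk_efficiency(ei, ef):
    """Solve (1 - ei) * (1 - ef) = 1 - e for the overall efficiency e."""
    return 1 - (1 - ei) * (1 - ef)

# Constructed sample package: two applicable safeguards and one "na".
SAMPLE = ("all", [Safeguard("antivirus", 0.5, 1),
                  Safeguard("backup", 0.75, 2),
                  Safeguard("ups", NA, NA)])
```

For SAMPLE the efficiency is 0.625 and the step is 2: the “na” member drops out of the average, and the concurrent package is rated by its slowest member.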


2.3. Attack trees


This section is only available in Spanish.


3. Generic techniques
This chapter deals with general techniques that are widely used, but that also apply to some stages of a risk analysis and management project. It shows where they apply, and how. This section builds on the methodology explanations.
The following techniques are referenced:
1. cost-benefit analysis
2. data flow diagrams (DFD)
3. process diagrams (SADT)
4. graph techniques
5. project planning (PERT)
6. working sessions
7. the Delphi method


3.1. Cost-benefit analysis


This section is only available in Spanish.


3.2. Data flow diagrams (DFD)


This section is only available in Spanish.


3.3. Process diagrams


This section is only available in Spanish.


3.4. Graph techniques


This section is only available in Spanish.


3.5. Project planning


This section is only available in Spanish.


3.6. Working sessions


This section is only available in Spanish.

3.6.1. Interviews
This section is only available in Spanish.

3.6.2. Meetings
This section is only available in Spanish.

3.6.3. Presentations
This section is only available in Spanish.


3.7. The Delphi method


This section is only available in Spanish.
