Enhancement of VECTOR Method by Adapting OCTAVE for Risk Analysis in Legacy System Migration

  • Received: 2014.04.07
  • Reviewed: 2014.06.03
  • Published: 2014.06.27

Abstract

Risks are involved in all phases of the software life cycle, and due to these risks, software can face various problems that can cause different negative outcomes and sometimes, in extreme cases, the failure of the software. Most of these risks lie in the legacy software migration process. These risks can create many problems, and in the worst case they can lead to the failure of the migration project. This paper explores different types of risk analysis methods such as CRAMM, CORAS, OCTAVE and VECTOR. After comparing these methods, the two suitable methods were chosen, namely, OCTAVE and VECTOR. Based on the use of these two methods, the project suggests an enhanced EOV method for risk analysis in the migration of legacy software.

Keywords

1. Introduction

Developments in computer and software technology have made this technology a part of daily life. Despite the advances in software technology and the demands for various applications, there are many existing legacy applications that pose different kinds of problems for organisations that no longer have a justification for using them. Therefore, these systems should be migrated to a new system which can work more effectively in the new environment. There are risks in the migration process that could create problems; therefore, prior to commencing the migration process, the possible risks should be analysed.

A simple definition of risk is that it is “a problem that has not yet happened but which could cause some loss or threaten the success of the project if it did” [1]. In a legacy migration project, risk analysis is an important step before implementing a new application technology. In order to identify the possible risks in a new technology deployment project, the relevant personnel should know how to perform a suitable risk analysis. A number of methods have been proposed for risk analysis such as Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE), VECTOR matrix, and Central Computer and Telecommunications Agency Risk Analysis and Management Method (CRAMM) [2].

One of the most important and difficult activities in software engineering is security maintenance in the migration of a legacy system to a new system. Security maintenance is a serious consideration because two-thirds of a software system’s lifetime cost involves maintenance.

Risk may appear in every kind of investment. If a company wants to change its legacy software to a new one, it has to calculate the risk of failure and other possible hazards. To decrease the risks, a suitable risk analysis is necessary [3]. The aim of any risk analysis is to provide decision-makers with the best possible information about the probability of loss. As a result, it is important that decision-makers accept the risk analysis method that has been used, and that the information resulting from the analysis is in a useful form.

Despite the importance of risk analysis in legacy migration, little research has been undertaken on this topic. The current project aimed to review the relevant risk analysis methods and identify the most suitable methods for the analysis of possible risks in the migration of legacy software [4]. These methods could be used in combination in order to achieve the best results in the risk assessment.

In this study, we compared existing information security risk analysis methods in order to choose the most suitable methods for risk analysis in the migration of software. We proposed an enhanced risk analysis method for the migration process, including the implementation and evaluation of the enhanced method [5].

 

2. Related Work

2.1 Methods of risk analysis

Risk analysis includes processes such as the identification of activities, vulnerability analysis, threat analysis, and guarantees. Fig. 1 shows a comparison of some existing methodologies. The first ranked method was OCTAVE, followed by CRAMM [6]. The next highest ranked was CORAS, followed by FRAP, ISRAM, COBRA, CORAS, Risk Watch and finally id IS.

Fig. 1. Rankings of different risk analysis methods.

As shown in Fig. 2, OCTAVE was mentioned significantly more times than other risk analysis methods. This indicates that OCTAVE is a suitable risk analysis method that could be applied to any type of case study.

Fig. 2. OCTAVE mentions compared to other methodologies.

2.2 OCTAVE

OCTAVE was developed at the CERT Coordination Center (CERT/CC). The focus of the OCTAVE approach is on activities, threats, and vulnerabilities. One of the important concepts of OCTAVE is self-direction, whereby the employees in the organization should practice information security risk assessments. An analysis team composed of staff from the organisation's business units is responsible for running the assessment and recording the results.

The OCTAVE method has three phases, with each phase divided into processes [7]. The three phases are: build asset-based threat profiles, identify infrastructure vulnerabilities, and develop a security strategy and plans. The phases of the OCTAVE method are described in detail below (Fig. 3).

Fig. 3. Phases of OCTAVE method

Phase 1: Build Asset-Based Threat Profiles

Phase 1 of the OCTAVE approach involves the evaluation of the company’s security strategy. During this phase, the employees have to be informed about the resources possessed by the company, each of which requires special protection. Security requirements for this type of resource have to be considered [8]. The staff describe the security measures carried out by the company and try to find the weaknesses in this strategy. Through interviews with the employees, primary information is gathered. This phase makes the staff aware of the importance of data protection, and gathers information about the potential losses that could emerge in case of vital data loss.

Phase 2: Identify Infrastructure Vulnerabilities

Phase 2 involves the assessment of the information management system. It is related to the data gathered during Phase 1. Data protection vulnerabilities are surveyed with a focus on technological issues, and the key issues for the future strategy are determined. This phase is based on the data gathered from the employees of the IT department, executives and other staff. A common solution has to be developed without obstructing the present business model of the company [8].

Phase 3: Develop Security Strategy and Plans

Phase 3 is the risk analysis phase. The information gathered in Phase 1 and Phase 2 is used to assess the risk of data compromise in the company and other risks that may exist in the company’s business activities. The security strategy and ways of minimising the risk of data loss are developed. By using the clear information about the business model of the company, the types of attacks which might take place in the future can be determined. In the third phase, the exact procedures are created. A value matrix is used to determine the value of the expected risks. The main formula for OCTAVE is:

Loss = Impact/Consequence x Probability

OCTAVE implements no mathematical computations and thus it obtains a value of 3 for simplicity and a value of 1 for precision [8]. If an organisation is concerned with simplicity more than accuracy, OCTAVE is a good fit.

2.3 CRAMM

CRAMM is a qualitative risk analysis and management method that was developed by the UK Government Central Computer and Telecommunications Agency in 1985 to provide government departments with a method for revising the security of information systems [9]. The instrument, which has undergone major revisions (currently in version 4), was then sold and delivered by a British firm, Insight Consulting, as the “CRAMM Manager”. CRAMM is used for all types of organisations.

Security assessments relate to the need to justify investments in information systems and networks demonstrating a need for action by management, based on quantifiable results and organisation-specific countermeasures for risk analysis. The three stages of a CRAMM review (Fig. 4) cover the crucial elements of data collection, analysis and output results to be presented in a programmed risk analysis tool:

(i) Recognising and valuing assets

(ii) Recognising threats and vulnerabilities and computing risks

(iii) Recognising and prioritising countermeasures.

CRAMM is used to analyse risk for different groups of assets versus the threats to which the asset is vulnerable on a scale of 1 to 7. The risk matrix has default values which compare the activity level of threat and vulnerability. A score of 1 shows a fundamental requirement of safety and 7 means a high safety requirement [10].

Fig. 4. CRAMM method

2.4 VECTOR matrix method

VECTOR matrix is a self-assessment risk method that is open source and free. It was developed to help business systems identify priorities of critical risks, including information security risks.

With this method, users are able to quantify and visually represent all possible aspects of risk to the business system.

The VECTOR method is based on the universal principles of business risk and it is scalable for both small businesses and large enterprise systems in domestic and international private sectors [11].

The formula for the VECTOR risk assessment method is:

RISK = V + E + C + T + O + R

VECTOR is an acronym of the following words:

V = vulnerability, E = ease of execution, C = consequence, T = threat, O = operational importance, R = resiliency.

Vulnerability:

Vulnerability is a characteristic of a property or business process to indicate its weakness to some kind of attack. Vulnerability is linked to a threat that exploits it.

Ease of execution:

Ease of execution is a parameter that describes the level of expertise, knowledge, advanced training, special tools and equipment needed by an attacker.

It relates to the time required to successfully carry out an attack on an information system.

A low level of execution ease means that an attacker must invest much more effort and knowledge to successfully break the existing security mechanisms.

A high level of execution ease means that an attacker needs minimal effort for the successful penetration and unauthorised entry into the information system of an organisation.

Consequence:

Consequence refers to a loss of the economic, symbolic or psychological value of an organisation (for example, reputational risk for a bank in the case of loss or theft of data, unavailability of certain parts of information systems, reduced levels of service quality).

Threat:

A threat represents the probability of an event in which an attacker could damage a particular business system. Analysis of threats is the first step that needs to be done in the process of risk assessment.

Operational importance:

Operational importance measures the importance of the operational activity in the organisation.

This could include activities such as developing, risk mitigation, security measures, and so on.

Resiliency:

Resilience includes the speed with which the organisation can successfully recover, reorganise itself and prepare to resume operations after a significant violation or failure of prescribed security policies. Risk scoring for this criterion is based on the inverse relationship.

A high level of resilience (e.g., rapid recovery with minimal or no outage time) results in a low level of risk.

A real case scenario of a bank can provide more explanation about the VECTOR matrix.

Fig. 5 shows the risk assessment of information security in a bank that was developed using the VECTOR method. The risk values were as follows: 1-4 low, 5-7 moderate, and 8-10 high levels of risk for each VECTOR [11].

Fig. 5. Risk assessment of information security in a bank developed using VECTOR method

The first column in Fig. 5 shows the important assets, business processes or business functions that support the overall operations of the bank. For each of these assets, the VECTOR method analyses the criteria to determine the risk of the observed property or business functions in relation to other assets within the business system in this case [12].

As highlighted in Fig. 5, the largest sums in the matrix relate to workstations (with a score of 51), network equipment (47) and firewalls at the operating system level (55); that means risks are the largest in these three types of assets.

2.5 Advantages and disadvantages of risk analysis methods

The OCTAVE, CRAMM, CORAS and VECTOR matrix methods are good choices for risk analysis, but in different steps of implementation.

A comparison of these four methods (Table 1) shows that OCTAVE has a higher percentage than the others [13].

Table 1. Summary of the strengths and weaknesses of the four methods (CRAMM, CORAS, OCTAVE and VECTOR methods).

The OCTAVE method provides much more detailed and higher quality analysis and assessment of security risks in relation to specific information assets. Moreover, by using the OCTAVE method it is possible to measure more accurately and achieve a better assessment of the information security risk regarding a particular asset. However, the OCTAVE method is more complex and requires much more time and effort when applied to the information security risk assessment of certain assets [14].

The qualitative risk analysis methods perform risk analysis with the help of adjectives, not mathematics. Methods of risk analysis using quantitative measures are not suitable for intensive analysis of today’s information security risks.

Unlike in the past, contemporary information systems have a complicated structure and are heavily used. Thus, the intensive mathematical steps implemented to model risk for complicated environments make this process more difficult. The calculations performed during the risk analysis process are very complex.

Quantitative methods may not be able to model complex risk scenarios today. Methods of risk analysis based on qualitative measures are more suitable for the complicated risk environment of today's information systems. The OCTAVE method also includes qualitative risk analysis methods [15].

The features and advantages of the OCTAVE approach are as follows:

Some weaknesses can be identified as follows:

In order to analyse the characteristics of the CRAMM, CORAS, OCTAVE and VECTOR methods, Table 1 presents a summary of these methods with their strengths and weaknesses.

 

3. Design of the Proposed Method

In this section we present the analysis of the problem that the project addresses, an overview of the design of the method (both the conceptual and physical design), and a justification of how it meets the identified requirements [17]. The steps of the migration process, the analysis of risk in the steps of the migration process, and the proposed risk analysis method are each discussed.

3.1 Process analysis

Legacy software applications are important in organisations. They usually form the backbone of the organisation. It means that if one of these software applications stops working, the business might be noticeably influenced. A failure in one of these systems might have serious business impacts.

3.1.1 Which software should be migrated

Fig. 6. Application categories

Today, many organisations want to migrate their legacy software to new environments so that their information systems can be more easily maintained. They can also adapt the system to new business requirements. It is important for organisations to identify which software should be migrated. Fig. 6 shows four categories of existing applications in organisations [18].

Fig. 7. Five major phases in legacy system migration

As shown in Fig. 6, applications can be categorised into the following four groups:

Thus, applications in category 3 should be migrated. They have low quality, but they are necessary for the organisation.

3.1.2 Major phases in migration process

The process of migrating a legacy system consists of five main phases, as illustrated in Fig. 7. These five phases are:

3.2 Selected risk analysis methods

Currently, there are many methods for risk analysis in relation to information security, but in different steps of implementation. In the previous sections, we explained some different methods of risk analysis. This section recaps two of these methods which are used in this project, namely, the VECTOR matrix method and the OCTAVE method. The project enhances the VECTOR method by adapting the OCTAVE method [19].

3.2.1 VECTOR matrix method

The VECTOR matrix is a free, open source, simple, self-assessment, and qualitative method. This method was developed to help prioritise critical risks. As explained previously, the VECTOR matrix illustrates all possible aspects of each risk, with a focus on vulnerability, ease of execution, consequence, threat probability, operational importance and resilience [11]. Fig. 8 presents the VECTOR matrix.

Fig. 8. VECTOR matrix

3.2.2 OCTAVE

As discussed above, one of the important concepts of OCTAVE is self-direction whereby employees in the organisation should practise information security risk assessment [3]. An analysis team composed of staff of the organisation’s business units is responsible for running the assessment and recording the results [8].

When applying OCTAVE, personnel from the operational or business units and the IT department work together to form the analysis team and address the security needs of the organisation. The analysis team carries out the following tasks:

  • Considers the relationships among the critical assets, the threats to these assets and the vulnerabilities (both organisational and technological) that can expose the assets to threats
  • Evaluates risks in the operational context, that is, how the critical assets are used to conduct the organisation’s business and how they are at risk due to security threats and vulnerabilities
  • Creates a practice-based protection strategy for organisational improvement as well as risk mitigation plans to reduce the risk to the organisation’s critical assets.

As explained previously, the OCTAVE methodology has three phases, namely, build asset-based threat profiles, identify infrastructure vulnerabilities, and develop a security strategy and plans [3][11].

3.3 Enhancement of VECTOR method by adapting OCTAVE method

The VECTOR matrix method and OCTAVE method are both good choices for the risk assessment of information security. Like all methods, these two methods have limitations. As the migration of a legacy system should be done as soon as possible in order to avoid problems such as obsolete software, the risk analysis method should require less time for the analysis of possible risks [20]. The OCTAVE method is complex and needs a lot of time for risk analysis; however, the combined VECTOR method and adapted OCTAVE method does not require much time. In addition, combining the VECTOR and OCTAVE methods can increase the accuracy of the risk analysis.

This project aimed to enhance the VECTOR method by adapting the OCTAVE method in order to mitigate the limitations, and make a suitable method, referred to as EVAO (enhancement of VECTOR method by adapting OCTAVE method) for risk analysis in the migration process [4].

As previously mentioned, the migration process has five major phases, and each phase has some risks. In what follows, these phases are shown together with their risks and risk values.

As explained previously, VECTOR is an acronym of vulnerability, ease of execution, consequence, threat probability, operational importance, and resiliency; and OCTAVE is an acronym of operationally critical threat, asset and vulnerability evaluation. Each of these letters represents a risk that has a certain value in relation to certain assets.

3.3.1 VECTOR matrix

Table 2 presents an example of the results obtained using the VECTOR matrix risk analysis method. This matrix was distributed among five programmers and experts to complete the blank fields regarding the valuation of each risk. The value of each risk in the VECTOR matrix was ranked from 1 to 10.

Table 2. Result of VECTOR matrix risk analysis

 

4. Evaluation of Results

In this section, we present the results from the design phases which were used as the input for the implementation and testing process. The end result was the enhanced risk analysis method that underwent certain implementation steps as explained below.

4.1 Design implementation

The migration of legacy software normally takes a long time, but programmers, experts and stakeholders tend to carry out the process as soon as possible, because there is a risk of the software becoming obsolete if the process takes a lot of time. Therefore, the method of risk analysis in the migration process should also be completed as quickly as possible. In addition, the migration of legacy software is an expensive process; therefore, it is essential that the method delivers results with high precision in order to avoid the possibility of failure [21].

4.1.1 VECTOR matrix

In the design phase of this study, the VECTOR matrix was designed for the migration of legacy software. In the next step, the value of the assets should be determined.

For this purpose, we distributed five questionnaires to five programmers. Based on their experience, the participants wrote the risk values of each asset in the VECTOR matrix.

To obtain the final result of the VECTOR matrix method regarding the value of the risks for each asset, we calculated the average of each parameter of risk in each asset from all the questionnaire responses. The final values are listed in Table 2; the numbers were added together to get the sum value.

After calculating the sum of the risk values for each asset in the VECTOR matrix, the average of each sum should be calculated.

4.1.1.1 Calculation of the risk values using the VECTOR method

In this step, the average of each sum should be calculated. The number obtained from calculating the average of the sum shows the value of the risk [22]. If it is between 8 and 10 (8 <= x <= 10), the asset has a high risk value. A result between 5 and 7 (5 <= x <= 7) means the asset has a medium risk value, and a result between 1 and 4 (1 <= x <= 4) means the asset has a low risk value. Table 3 presents the value of each risk in the VECTOR matrix. This can be represented as follows:

If (8 <= x <= 10 >>> High, 5 <= x <= 7 >>> Medium, 1 <= x <= 4 >>> Low)

Table 3. Risk values in the VECTOR matrix

4.1.2 Adapting the OCTAVE method

In adapting the OCTAVE method to be more like the VECTOR matrix, and to obtain the value of each risk, five programmers were asked to complete the adapted OCTAVE table in a questionnaire. They wrote the risk values of each asset based on their experience [16].

To obtain the final result of the risk value for each asset from the adapted OCTAVE method, we calculated the average of each parameter of risk in each asset from the five questionnaire responses, and we wrote the final values in Table 4.

Table 4. Results from the adapted OCTAVE Method

The resulting numbers were added together to get the sum value. Table 4 shows the results from using the adapted OCTAVE.

4.1.2.1 Calculation of the risk values using the adapted OCTAVE method

Like the VECTOR method, the average of each sum should also be calculated for the adapted OCTAVE method. The number obtained from calculating the average of the sum shows the value of the risk [18].

If the result obtained from calculating the average is between 8 and 10 (8 <= x <= 10), it means the asset has a high risk value.

If the result is between 5 and 7 (5 <= x <= 7), the asset has a medium risk value, and if the result is between 1 and 4 (1 <= x <= 4), the asset has a low risk value. This can be represented as follows:

If (8 <= x <= 10 >>> High, 5 <= x <= 7 >>> Medium, 1 <= x <= 4 >>> Low).

Table 5. Risk values from adapted OCTAVE method

4.2 Comparing the risk values using the EVAO method

After calculating the final results for the value of each risk by the VECTOR and adapted OCTAVE methods, we compared the results obtained for each asset. If they were the same, for example in the justification phase, and the risk had the same value (e.g., low) in both the OCTAVE and VECTOR methods, it means the EVAO method worked well for the calculation of the risk regarding this asset. Table 6 shows the EVAO results based on a comparison of the risk values from the adapted OCTAVE and VECTOR methods [23].

Table 6. Risk values using the EVAO method

With reference to the results presented in Table 6, it can be seen that different risk values are shown for some assets. For example, the risk value of “cost” in phase one obtained from the VECTOR method (high) was different to the value obtained from the adapted OCTAVE method (medium). Therefore, to identify the risk value of the cost asset, we needed to identify the average of the VECTOR and OCTAVE values. Table 7 shows the result for the risk value of the cost asset.

Table 7. Final result for different answers using the VECTOR and adapted OCTAVE methods
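The scoring procedure of Sections 4.1 and 4.2, written out as an added example (it is not code from the paper): questionnaire ratings are averaged per parameter, summed, averaged again, banded, and the VECTOR and adapted OCTAVE results are compared. The ratings and the "staff training" asset are constructed; reading "average of the sum" as the sum divided by the number of parameters, and rounding half up before banding (the stated bands leave values such as 4.5 undefined), are assumptions, as are all function names.

```python
from fractions import Fraction

# Bands as stated in the paper: 1-4 low, 5-7 medium, 8-10 high.
BANDS = ((1, 4, "Low"), (5, 7, "Medium"), (8, 10, "High"))


def classify(score):
    """Map a 1-10 risk score to Low/Medium/High.

    The paper gives the bands for whole numbers only, so an average such as
    4.5 or 7.6 falls between two bands. Assumption made here: round half up
    to the nearest whole number before looking up the band.
    """
    if not 1 <= score <= 10:
        raise ValueError(f"score {score} is outside the 1-10 scale")
    nearest = int(score + Fraction(1, 2))  # floor(x + 0.5) for positive x
    for low, high, label in BANDS:
        if low <= nearest <= high:
            return label


def method_score(rows):
    """Score one asset under one method (VECTOR or adapted OCTAVE).

    rows holds one tuple of integer parameter ratings per questionnaire.
    For VECTOR the resiliency rating is already a risk rating, i.e. high
    resilience was entered as a low number.
    """
    if not rows or not rows[0]:
        raise ValueError("no questionnaire ratings supplied")
    width = len(rows[0])
    for row in rows:
        if len(row) != width:
            raise ValueError("questionnaires rate different numbers of parameters")
        if any(not 1 <= rating <= 10 for rating in row):
            raise ValueError("every rating must be between 1 and 10")
    # Step 1: average each parameter over all questionnaires (exact arithmetic).
    per_parameter = [Fraction(sum(col), len(rows)) for col in zip(*rows)]
    # Step 2: add the parameter averages to get the asset's sum value.
    total = sum(per_parameter)
    # Step 3: "average of the sum", read here as sum / number of parameters,
    # which brings the result back onto the 1-10 scale (assumption).
    return total / width


def evao(vector_rows, octave_rows):
    """Compare both methods; average the two scores only when the bands differ."""
    v, o = method_score(vector_rows), method_score(octave_rows)
    v_level, o_level = classify(v), classify(o)
    agree = v_level == o_level
    final = v_level if agree else classify((v + o) / 2)
    return {"vector": (float(v), v_level), "octave": (float(o), o_level),
            "agree": agree, "final": final}


# Constructed ratings from five questionnaires, six parameters each.
# These are NOT the values of Tables 2-7.
COST_VECTOR = [(8, 7, 9, 8, 8, 7), (9, 8, 9, 7, 8, 8), (8, 8, 10, 8, 7, 7),
               (7, 7, 9, 8, 8, 8), (8, 8, 8, 9, 9, 7)]
COST_OCTAVE = [(6, 7, 6, 7, 6, 7), (7, 6, 7, 6, 7, 6), (6, 7, 7, 6, 6, 7),
               (7, 6, 6, 7, 7, 6), (6, 7, 6, 7, 6, 7)]
# "staff training" is a hypothetical asset used to show the agreeing case.
TRAINING_VECTOR = [(3, 2, 4, 3, 2, 4), (2, 3, 3, 4, 3, 3), (3, 3, 4, 2, 2, 4),
                   (4, 2, 3, 3, 3, 3), (3, 3, 3, 3, 3, 3)]
TRAINING_OCTAVE = [(2, 3, 3, 2, 3, 2), (3, 2, 2, 3, 2, 3), (2, 2, 3, 3, 3, 2),
                   (3, 3, 2, 2, 2, 3), (2, 3, 3, 2, 3, 2)]

if __name__ == "__main__":
    for asset, vec, octv in (("cost", COST_VECTOR, COST_OCTAVE),
                             ("staff training", TRAINING_VECTOR, TRAINING_OCTAVE)):
        print(asset, evao(vec, octv))
```

Exact fractions keep scores that land on a band edge from being pushed into the wrong band by floating-point error.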

 

5. Conclusions

After conducting a review of the literature and carrying out research through questionnaires, the basic concept and theory on the enhanced methods for legacy software migration have been identified. The main steps in the research were as follows:

Most small and medium enterprises do not apply a risk analysis method for the migration of their legacy software. The proposed method can provide them with a new way to carry out the analysis of risk in the migration of software, even though these risks can be variable among different organizations.

References

  1. Wiegers, Karl, "Know your enemy: software risk management," Software Development-San Francisco- 6, pp. 38-44, 1998.
  2. Erdil, Kagan, Emily Finn, Kevin Keating, Jay Meattle, Sunyoung Park, and Deborah Yoon, "Software maintenance as part of the software life cycle," Comp180: Software Engineering Project, 2003.
  3. Behnia, Armaghan, Rafhana Abd Rashid, and Junaid Ahsenali Chaudhry, "A survey of information security risk analysis methods," Smart Computing Review 2, no. 1, pp. 279-94, 2012.
  4. C. Alberts, Audree Dorofee, James Stevens, Carol Woody, Introduction to the OCTAVE Approach, Pittsburgh, PA: 15213-3890, Carnegie Mellon, Software Engineering Institute, August, 2003.
  5. Wu, Bing, Deirdre Lawless, Jesus Bisbal, Jane Grimson, Vincent Wade, Donie O'Sullivan, and Ray Richardson, "Legacy systems migration-a method and its tool-kit framework," In Proc. of Software Engineering Conference, Asia Pacific and International Computer Science Conference 1997. APSEC'97 and ICSC'97. Proceedings, pp. 312-320. IEEE, 1997.
  6. Breier, J., & Hudec, L., "Risk analysis supported by information security metrics," In Proc. of Paper presented at the Proceedings of the 12th International Conference on Computer Systems and Technologies, Vienna, Austria, 2011.
  7. Marek, P., and J. Paulina. "The OCTAVE methodology as a risk analysis tool for business resources," In Proc. of International Multiconference Computer Science and IT, Hong Kong. 2006.
  8. Christopher Alberts, Audrey Dorofee, James Stevens, and Carol Woody. "Introduction to the OCTAVE Approach," Pittsburgh, PA, Carnegie Mellon University, 2003.
  9. Choudhari, J., & Suman, U., "Story Points Based Effort Estimation Model for Software Maintenance," Procedia Technology 4, pp761-765, 2012. https://doi.org/10.1016/j.protcy.2012.05.124
  10. Yazar, Zeki. "A qualitative risk analysis and management tool-CRAMM," SANS InfoSec Reading Room White Paper, 2002.
  11. Davor Macek, I. M., Nikola Ivkovic, Information Security Risk Assessment in Financial Institutions Using VECTOR Matrix and OCTAVE Methods. 2011.
  12. Moorthy, Jayaletchumi T. Sambantha, Suhaimi Ibrahim, and Mohd Naz'ri Mahrin, "The Need For Usability Risk Assessment Model," In Proc. of The Second International Conference on Informatics Engineering & Information Science (ICIEIS2013), The Society of Digital Information and Wireless Communication, pp. 215-220, 2013.
  13. Moorthy, Jayaletchumi Sambantha, Suhaimi bin Ibrahim, and Mohd Naz'ri Mahrin, "Developing Usable Software Product Using Usability Risk Assessment Model," International Journal of Digital Information and Wireless Communications (IJDIWC) 4, no. 1, pp. 95-102, 2014.
  14. Er, M. C., Problems and solutions in software maintenance. Data Processing, 26(6), 25-27. 1984.
  15. Bisbal, Jesus, Deirdre Lawless, B. Wu, J. Grimson, V. Wade, R. Richardson, and D. O'Sullivan. "A survey of research into legacy system migration," Technique report, 1997.
  16. Jalote, Pankaj, "Software Requirements Analysis and Specification," In An Integrated Approach to Software Engineering, Springer New York, pp. 73-158, 1997.
  17. Ketil Stolen, F. d. B., Theo Dimitrakos, Rune Fredriksen, Model-based risk assessment - the CORAS approach.
  18. Mahmoodian, N., Abdullah, R., & Murad, M. A. A., "Text-based classification incoming maintenance requests to maintenance type," In Proc. of 2010 International Symposium in Paper presented at the Information Technology (ITSim), 15-17 June, 2010.
  19. Martin Butler, B. W., Reducing Costs and Improving Agility Through Legacy Migration, 2010.
  20. Muhammad Inayat Ullah, M. S., Nazir Muhammad, Reduction of enhanced maintenance effort using ARM model and RMMM plan, 2010.
  21. Patterson, F. D., & Neailey, K., "A Risk Register Database System to aid the management of project risk," International Journal of Project Management, 20(5), pp. 365-374, 2002. https://doi.org/10.1016/S0263-7863(01)00040-0
  22. Talabis, M., & Martin, J., "Chapter 2 - Information Security Risk Assessment: A Practical Approach, In Information Security Risk Assessment Toolkit," Boston: Syngress, pp. 27-62, 2013.
  23. Tsiakis, T., "Information Security Expenditures: a Techno-Economic Analysis," International Journal of Computer Science and Network Security (IJCSNS), 10(4), pp. 7-11, 2010.
  24. Vorster, A., & Labuschagne, L., "A framework for comparing different information security risk analysis methodologies," In Proc. of Paper presented at the Proceedings of the 2005 annual research conference of the South African institute of computer scientists and information technologists on IT research in developing countries, White River, South Africa, 2005.
  25. McGill, William L., Bilal M. Ayyub, and Mark Kaminskiy, "Risk analysis for critical asset protection," Risk Analysis, 27 no. 5, pp. 1265-1281, 2007.