From EBIOS 2010 to EBIOS RM
Migrate your risk analyses
The EBIOS Risk Manager method continues its deployment and its adoption is accelerating. Nevertheless, a large body of EBIOS 2010 analyses is still in place and valid. Can they be migrated to EBIOS RM, and what is gained by doing so?
A bit of history
The EBIOS method is a risk analysis and evaluation method that is now almost 25 years old. It was initially defined by the DCSSI, which became the ANSSI in 2009. Initially designed to meet the need to draw up FEROS sheets for the defence industry, it has been updated many times as it has been integrated into the industrial world and used by players in the field. It is intrinsically compatible (vocabulary, approach) with the most widely used standards, in particular ISO 27005.
The history of this method is marked by four major stages: the first official version (1995), an update (2004), then two significant developments, in 2010 (EBIOS 2010) and 2018 (EBIOS RM). Carried by a rapidly expanding cyber context, the EBIOS 2010 method has become firmly established, both among public and institutional players and in the private sector. Its shortcoming, however, lay in its fairly low-level approach, driven by a unit-by-unit treatment of vulnerabilities and their remediation. The EBIOS RM update aims to accelerate this deployment and the use of the method by providing a new, more agile framework centred on the user and the ecosystem. Since the two versions of the method are not intended to coexist, how does one migrate from one to the other?
- 1995: Release of the first official version.
- 2004: Update of the method based on user feedback.
- 2010: New version, including many major changes: an iterative approach, the definition of feared events and business assets.
- 2018: New major version, focusing on agility when conducting the analysis, taking into account the ecosystem and complex scenarios.
Should I switch to EBIOS Risk Manager?
Agility in EBIOS RM
EBIOS 2010 talks about Modules, EBIOS RM talks about Workshops. This change of vocabulary is not insignificant: it genuinely reflects the intent to communicate and exchange that drives this new iteration of the method. The idea of a Workshop implies working with several people, directly, and bringing in as far as possible the actors who previously remained on the fringe of the analysis. Each workshop requires elements to be identified and prioritised, which in turn requires an accurate view from the business lines and the ability of those responsible to take decisions.
In addition, and unlike what EBIOS 2010 proposed, each workshop can produce elements that are directly usable to improve the overall cyber posture: for example, at the end of Workshop 1, the part of the security base that is not applied can be identified; at the end of Workshop 3, the measures associated with the ecosystem; and so on.
The transition from EBIOS 2010 to EBIOS RM therefore requires above all a change of posture: agility and continuous improvement become central to this new approach.
Diagram taken from the official guide of the method
A different construction and approach
EBIOS 2010 required a very broad approach to identifying vulnerabilities and supporting assets, with the corollary risk of bringing many peripheral elements into the perimeter and a need for genuine exhaustiveness. This meticulous and often substantial work lent itself readily to industrialisation. EBIOS RM partially abandons this inventory. The context is now built starting from the missions (rather than working towards the mission), and the identification of vulnerabilities pursues a different goal: to allow the possible elementary actions to be defined and to ensure the relevance of the operational scenarios of Workshop 4.
A large part of the data from existing EBIOS 2010 analyses can be reused directly in EBIOS RM: supporting assets (be careful with the scope, however) and business assets (in the form of business values). The security repository can feed the security base quite simply. The scales (severity, likelihood, etc.) are also broadly reusable, as is the impact knowledge base.
Then there are the elements for which correlation is possible but less direct:
- The EBIOS 2010 threat sources (Module 1) are partially covered by the EBIOS RM risk sources. The unintentional part is no longer explicit, as it is normally absorbed by the security base (Workshop 1). At the margin, some threat sources can also be reused to define the ecosystem stakeholders.
- The feared events defined in EBIOS 2010 are built quite mechanically from criteria and security needs. These notions have not disappeared in EBIOS RM, but they are less explicit. The objective is to make the feared events less generic and more specific to the business line/perimeter covered by the analysis. Their reformulation will therefore need attention.
- Threats in the EBIOS 2010 sense are global, very high-level actions that can be associated with a source in order to build high-level threat scenarios. This type of approach no longer has a direct equivalent in EBIOS RM. Nevertheless, depending on the level of detail of the existing analyses, part of the data can be used to feed the base of intermediate events (Workshop 3) used in the strategic scenarios of an EBIOS RM analysis.
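The correspondence rules above (direct reuse of supporting assets, business assets, security repository and scales; partial reuse of threat sources, feared events and threats) can be turned into a first-pass migration script. The following is an added illustration, not code from the article, from ANSSI or from the Agile Risk Manager / Cyber Architect tools; the record layouts, field names and the sample hospital analysis are all constructed assumptions. It applies the rules mechanically and records a note for every element it drops or flags, so that the reviewer of the migrated analysis can see where human reformulation is still needed.

```python
from dataclasses import dataclass, field

# Constructed record layouts for this example; they are assumptions, not the
# official EBIOS file format nor the format of any vendor tool.

@dataclass
class Ebios2010Analysis:
    supporting_assets: list      # {"name", "in_scope"}
    business_assets: list        # {"name", "mission"}
    security_repository: list    # {"measure", "applied"}
    scales: dict                 # e.g. {"severity": [...], "likelihood": [...]}
    threat_sources: list         # {"name", "intentional", "is_stakeholder"}
    feared_events: list          # {"business_asset", "criterion"}
    threats: list                # {"name", "source", "detailed"}

@dataclass
class EbiosRmAnalysis:
    supporting_assets: list = field(default_factory=list)
    business_values: list = field(default_factory=list)
    security_base: list = field(default_factory=list)
    security_base_gaps: list = field(default_factory=list)   # Workshop 1 output
    scales: dict = field(default_factory=dict)
    risk_sources: list = field(default_factory=list)
    stakeholders: list = field(default_factory=list)
    feared_events: list = field(default_factory=list)
    intermediate_events: list = field(default_factory=list)  # Workshop 3 input
    notes: list = field(default_factory=list)                # what a human must review

def migrate(old: Ebios2010Analysis) -> EbiosRmAnalysis:
    """First-pass EBIOS 2010 -> EBIOS RM migration following the article's mapping."""
    new = EbiosRmAnalysis()
    # 1. Directly reusable data (scope check on supporting assets).
    for asset in old.supporting_assets:
        if asset["in_scope"]:
            new.supporting_assets.append(asset["name"])
        else:
            new.notes.append(f"supporting asset '{asset['name']}' left out: outside the RM perimeter")
    new.business_values = [{"name": a["name"], "mission": a["mission"]} for a in old.business_assets]
    for m in old.security_repository:
        new.security_base.append(m["measure"])
        if not m["applied"]:
            new.security_base_gaps.append(m["measure"])   # unapplied part of the base
    new.scales = dict(old.scales)
    # 2. Partially correlated data.
    for src in old.threat_sources:
        if src["intentional"]:
            new.risk_sources.append(src["name"])
        else:
            new.notes.append(f"threat source '{src['name']}' dropped: unintentional, absorbed by the security base")
        if src.get("is_stakeholder"):
            new.stakeholders.append(src["name"])
    for fe in old.feared_events:
        # Mechanical 2010-style wording, kept only as a draft to be reformulated.
        new.feared_events.append({
            "draft": f"Loss of {fe['criterion']} of {fe['business_asset']}",
            "needs_reformulation": True,
        })
    for t in old.threats:
        if t["detailed"]:
            new.intermediate_events.append({"event": t["name"], "candidate_source": t["source"]})
        else:
            new.notes.append(f"threat '{t['name']}' has no RM equivalent: too high-level for an intermediate event")
    return new

def sample_2010_analysis() -> Ebios2010Analysis:
    # Constructed sample, not taken from any real analysis.
    return Ebios2010Analysis(
        supporting_assets=[{"name": "patient records server", "in_scope": True},
                           {"name": "canteen badge reader", "in_scope": False}],
        business_assets=[{"name": "patient files", "mission": "care delivery"}],
        security_repository=[{"measure": "MFA for remote access", "applied": True},
                             {"measure": "offline backups", "applied": False}],
        scales={"severity": ["minor", "major", "critical"],
                "likelihood": ["unlikely", "likely", "certain"]},
        threat_sources=[{"name": "organised crime", "intentional": True, "is_stakeholder": False},
                        {"name": "hardware failure", "intentional": False, "is_stakeholder": False},
                        {"name": "maintenance contractor", "intentional": True, "is_stakeholder": True}],
        feared_events=[{"business_asset": "patient files", "criterion": "availability"}],
        threats=[{"name": "ransomware on patient records server", "source": "organised crime", "detailed": True},
                 {"name": "malicious act", "source": "organised crime", "detailed": False}],
    )

if __name__ == "__main__":
    result = migrate(sample_2010_analysis())
    for note in result.notes:
        print("NOTE:", note)
    print("security base gaps:", result.security_base_gaps)
```

The `notes` list is the useful output: it is the list of decisions the script could not take on its own (scope exclusions, unintentional sources folded into the security base, threats too coarse to become intermediate events), which is exactly the material the Workshops then have to re-examine rather than copy.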
EBIOS 2010: Exhaustiveness approach / EBIOS RM: Representativeness approach
EBIOS 2010: Scenario construction / EBIOS RM: Attack path construction
The differences between the two approaches are significant enough to call for caution when taking up the other elements. The risks identified will be very different in nature: EBIOS 2010 identifies simple, precise risks, whereas EBIOS RM focuses on much richer and more complex scenarios and risks. It is therefore important not to seek to identify the same thing, or the same volume of risks, but to change one’s approach by aiming to build an iterative risk reduction strategy.
A mandatory challenge for tangible gains
The differences and common points discussed in this article allow a first structured approach to a migration to be built: recovery and pruning of the data, re-partitioning of certain databases, then a new cycle of risk definition and evaluation. This approach must be adapted to the context (an EBIOS 2010 analysis of an IS in a hospital environment does not offer the same context as that of a military defence system), and the results of previous analyses must not be overlooked: the benefits and relevance of the migration will be significant.
Agile Risk Manager!
To quickly discover our Agile Risk Manager tool, labeled by ANSSI for EBIOS Risk Manager, do not hesitate to book directly a one-hour slot online with our expert!
Are you already carrying out EBIOS 2010 analyses? Do you have a body of existing analyses? Your analysis methods are evolving, and EBIOS Risk Manager can meet new needs. Do not hesitate to rely on our tool suite to update your EBIOS 2010 analyses or to take them over using EBIOS Risk Manager.
Cyber Architect can assist you in carrying out and resuming EBIOS 2010 analyses. As a complementary tool to Agile Risk Manager, the two can be used alone or together as a complete software suite.