The present invention relates to the field of risk assessment and, more particularly, to an automated solution for performing information systems risk assessments using a contextual data model that correlates physical and logical assets. Risk assessment is a step in the risk management process. However, this step is prone to a variety of errors and approaches. In an attempt to provide a common understanding and approach to risk assessment, standards have been developed, such as IS 15408 Common Criteria. FIG. 1 illustrates the basic data models of IS 15408 regarding security concepts and relationships 105 and evaluation concepts and relationships 150.
These data models 105 and 150 illustrate the generic terms and simple relationships conveyed by IS 15408. Such simplistic models 105 and 150, while providing a basic foundation, have a diminished value because they are not readily applied to complex systems, such as information systems. In information systems, asset owners 110 can also be a cause of threats 115 and vulnerabilities 120 through actions taken upon assets 130. These security interrelationships that are of concern in an information system are not accounted for in the security data model 105 of IS 15408.
Additionally, the broadness of terminology used in the data models 105 and 150 lacks distinctions that are critical for information systems. For example, the term “assets” 130 and 155 is used in such a broad manner that there is no distinction between physical and logical assets. This lack of discrimination does not address differences in threats 115 and vulnerabilities 120 between physical and logical assets. Further, the relationships between physical and logical assets are not shown in these data models 105 and 150.
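The two gaps described above (an owner 110 who is also a source of threats 115, and the missing physical/logical distinction and relationship among assets 130) can be made concrete in a small data model. The following Python is an added illustration written for this text; it is not the claimed invention's model nor code from IS 15408, and the asset names, severity scale, and the rule that a logical asset inherits the threats of the physical asset hosting it are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class AssetKind(Enum):
    PHYSICAL = "physical"   # hardware, facilities
    LOGICAL = "logical"     # software, data, services


@dataclass(frozen=True)
class Owner:
    name: str


@dataclass(frozen=True)
class Threat:
    name: str
    # Assumed extension: an owner may itself be the source of a threat
    # (e.g. through actions taken on the asset), which the generic model omits.
    source: Optional[Owner] = None


@dataclass(frozen=True)
class Vulnerability:
    name: str
    severity: int  # constructed 1..5 scale for the example


@dataclass
class Asset:
    name: str
    kind: AssetKind
    owner: Owner
    vulnerabilities: List[Vulnerability] = field(default_factory=list)
    threats: List[Threat] = field(default_factory=list)
    # Assumed relationship: a logical asset is hosted on physical assets.
    hosted_on: List["Asset"] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Enforce the physical/logical distinction the text calls for.
        if self.kind is AssetKind.PHYSICAL and self.hosted_on:
            raise ValueError(f"physical asset {self.name} cannot be hosted on another asset")
        for host in self.hosted_on:
            if host.kind is not AssetKind.PHYSICAL:
                raise ValueError(f"{self.name} must be hosted on a physical asset, not {host.name}")


def effective_threats(asset: Asset) -> Set[str]:
    """Threats applying to the asset directly plus those inherited from its physical hosts."""
    names = {t.name for t in asset.threats}
    for host in asset.hosted_on:
        names |= effective_threats(host)
    return names


def exposure(asset: Asset) -> int:
    """Sum of vulnerability severities on the asset and on the physical assets it depends on."""
    own = sum(v.severity for v in asset.vulnerabilities)
    return own + sum(exposure(h) for h in asset.hosted_on)


def owner_originated_threats(assets: List[Asset]) -> List[Tuple[str, str]]:
    """(asset, threat) pairs where the threat's source is the asset's own owner."""
    return [(a.name, t.name) for a in assets for t in a.threats if t.source == a.owner]


def build_sample_model() -> List[Asset]:
    """Constructed sample: a database (logical) hosted on a server (physical)."""
    ops = Owner("operations")
    dba = Owner("dba-team")
    server = Asset(
        "rack-server", AssetKind.PHYSICAL, ops,
        vulnerabilities=[Vulnerability("unlocked rack", 3)],
        threats=[Threat("hardware theft")],
    )
    database = Asset(
        "customer-db", AssetKind.LOGICAL, dba,
        vulnerabilities=[Vulnerability("default credentials", 5)],
        threats=[Threat("unauthorized query", source=dba)],  # owner as threat source
        hosted_on=[server],
    )
    return [server, database]


if __name__ == "__main__":
    for a in build_sample_model():
        print(a.name, a.kind.value, sorted(effective_threats(a)), exposure(a))
    print(owner_originated_threats(build_sample_model()))
```

The point of the example is that a logical asset's risk picture is incomplete unless the physical asset it depends on is linked to it: the database inherits the hardware-theft threat and the rack vulnerability from its host, and the owner-sourced threat is visible only because the model records who originates a threat.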