EBIOS RM Explained: its history, methodology, strengths and limits

What is the EBIOS RM cyber risk analysis, and why should organizations care? Created in 1995 by France's Central Service for the Security of Information Systems (SCSSI), EBIOS has evolved over more than 20 years into a comprehensive framework for analyzing information system risks. Now maintained by ANSSI as EBIOS Risk Manager, the method has become increasingly important as cyber threats grow, particularly for public sector organizations providing critical services. But who exactly should use it, and what are its core benefits and limitations?


An article from Sarah Atiah, Cyber Security and Risk Management Consultant
Published September 9, 2025, updated September 9, 2025

What is EBIOS RM?

EBIOS is the French acronym for “Expression of Needs and Identification of Security Objectives” (Expression des Besoins et Identification des Objectifs de Sécurité). It is a risk management method for information systems security (InfoSec). It was created in 1995 by the Central Service for the Security of Information Systems (SCSSI), the former name of ANSSI (the French National Agency for the Security of Information Systems), which maintains it today.

Historic development of EBIOS

According to ANSSI, EBIOS has established itself as a reliable risk management method over the past 20 years. The Agency updates the methodology regularly and now aligns it with three ISO standards: ISO 27000, ISO 27005 and ISO 31000. EBIOS Risk Manager is intended to support:

  • analyzing cyber risks within a cybersecurity strategy
  • treating information security (InfoSec) risks
  • communicating about cyber risks to internal and external stakeholders

In 2010, the EBIOS method was revised in collaboration with the EBIOS Club, an independent non-profit association that brings together approximately 60 member companies, including consulting and training firms and four software publishers, with more than 200 individual members. This revision took into account regulatory changes and feedback from users over the years. It offered:

  • a simplified approach
  • a framework for InfoSec action plans
  • use cases that help build credible scenarios
  • software to facilitate implementation

In 2018, EBIOS Risk Manager (EBIOS RM 1.0) was released. It focuses on the entry points attackers use to penetrate a system, that is, on cyber threats of intentional origin. Incidents of accidental origin (human error, natural disaster, structural failure) are deliberately out of scope, even though, according to the annual Verizon DBIR report, they constitute a constantly growing category of incidents. The method assumes that this type of risk is dealt with through compliance and security baseline good practices rather than through scenario analysis.

In March 2024, EBIOS Risk Manager version 1.5 was released. It incorporates practitioner feedback gathered since 2018, aims to strengthen risk anticipation and decision-making in changing environments, and aligns the method with the updated ISO/IEC 27005:2022 standard.

What is the purpose of EBIOS, and who is it designed for?

EBIOS is designed as a toolbox that provides a framework for cyber risk management at several levels:

  • setting up an information security management system
  • implementing an InfoSec strategy
  • integrating information security into projects
  • serving as a repository of requirements applicable to InfoSec audit service providers

The method is mainly used by French public bodies and ministries. In the private sector, because of its complexity and limited adoption outside France, only a few large companies use it, often as a complement to more established international frameworks and standards such as the NIST CSF or ISO 27005, and increasingly the FAIR standard. For the same reasons, the NIST CSF, ISO 31000 and ISO 27005 remain the preferred references worldwide.


How to use the EBIOS methodology

The methodology is applied in five successive stages, known as “workshops”. The titles of these workshops have changed as the method has been updated, but the logic remains essentially the same: starting from the organization's own business context, you work down to the weaknesses of the IT infrastructure that supports it. You can find more details in the ANSSI EBIOS Risk Manager guide.

Workshop 1: the concept of “feared events”

Workshop 1, “Scope and security baseline”, first defines the scope of the study: participants, schedule, objectives, business values and the supporting assets (systems, networks, people, premises) on which they rely. Business values were referred to as “essential assets” in earlier versions of EBIOS; they are the key components an organization needs to accomplish its mission, such as business processes or data.

At this point, you identify the "feared events" associated with each business value and rate their "severity" according to the harm they would cause. Next comes the security baseline: the reference frameworks applicable within the scope (regulations, internal policies, hygiene guides) are listed, and any gaps between them and the current state are recorded and justified. From the very first workshop, the EBIOS RM method therefore takes known security gaps into account.

Regarding the assessment of the severity of feared events, ANSSI specifies in its guide that the impact level must be expressed on a severity scale. Severity is assessed in proportion to the harmful effects on the business value: loss of availability, integrity, confidentiality or traceability.

A feared event is summed up as a short phrase or “scenario” so that the damage is easy to understand, and its severity can be expressed in business terms, e.g. two hours of website downtime or a data transfer rate limited to 1 MBps for one hour.

Risk mapping workshops

Workshop 2, “Risk origins”, cross-references the risk origins (RO, who might attack) with their targeted objectives (TO, why). Each RO/TO pair is rated, typically on the attacker's motivation, resources and activity, and the most relevant pairs are retained to create an initial mapping.

Workshop 3 develops the “strategic scenarios”: high-level attack paths by which a risk origin reaches its targeted objective, including indirect paths through the organization's ecosystem (suppliers, partners, service providers). Each strategic scenario inherits the severity level of the feared event it leads to (on the severity scale from Workshop 1).

Workshop 4 turns each strategic scenario into one or more “operational scenarios” that detail how the attacker would proceed technically across the supporting assets (for example phishing, then lateral movement, then data exfiltration). The likelihood of each operational scenario is then assessed.

Likelihood is defined as the “chance” that an attacker who has decided to attack the study object will successfully carry out the described mode of operation from start to finish. It does not measure the probability that the organization will be targeted in the first place; that question, the actual threat level against the organization, is outside the scope of Workshop 4.

Workshops 3 and 4 therefore complement each other: a single strategic scenario may give rise to several operational scenarios.

Workshop 5, “Risk treatment”, is the final workshop and summarizes the overall exercise. The initial risks, i.e. the scenarios rated for severity and likelihood, are placed on a risk map, and a treatment strategy is defined for each: accept, avoid, mitigate or transfer. Mitigation is achieved through security measures, which are recorded in the risk treatment plan. Applying the plan to the initial risks yields the residual risks, which are mapped in turn. The methods for monitoring risks and measures over time are also defined at this stage.


Strengths and limitations of the EBIOS RM method for cyber risk assessments

EBIOS RM is commonly used as a complement to ISO 27005, specifically because it is comparatively simple to implement compared with other information security risk analysis methods. However, it relies on notions that remain qualitative and loosely defined, such as the assessment of severity and impact.

Strengths of the EBIOS RM methodology

The EBIOS RM risk analysis method has the advantage of helping organizations clearly identify the elements that constitute a risk (risk origin, objective, attack path, supporting asset), not just the resulting scenarios. It highlights the actors and interactions that contribute to cyber risk. Flexible in nature, the approach adapts easily to different organizational contexts.

This risk analysis process also has the benefit of being relatively quick to implement, because it concentrates on the elements related to the feared events identified in Workshop 1. It can also be repeated to provide continuous monitoring of information system risks.

EBIOS RM Limitations

Apart from its limited use beyond French Operators of Vital Importance (OIV), who apply it for their annual report to ANSSI, the EBIOS RM method has several drawbacks. It is not subject to any external evaluation and, like the NIST Cybersecurity Framework, is essentially a self-assessment technique.

EBIOS RM is also based on the assumption that cyber threats stem from malicious internal or external attacks. It therefore does not address accidental risks.

In addition, the likelihood of a risk scenario does not take into account the current threat landscape facing the organization. It only considers the attacker's “chances” of success if they choose to attack using the mode of operation described; the probability that an attacker would actually target the organization is not factored into the analysis.

Another drawback of EBIOS is that severity is expressed either as a narrative statement (for example, “the attack made the site unavailable for two hours”) or on a rating scale. As presented in the ANSSI guide, this rating scale is offered as an example rather than a recommendation.

The scale has four severity levels: critical, serious, significant and minor. For example, the “critical” level covers risks implying an “incapacity for the company to ensure all or a portion of its activity, with possible serious impacts on the safety of persons and assets” and on the survival of the organization. A color, from red to green, is assigned to each level.

This risk analysis methodology is therefore based on a subjective, qualitative assessment of the danger. Whether an organization would actually be unable to ensure business continuity or survive rests on judgments made on nominal or ordinal scales. As a result, the resulting ranking of cyber risks may well be approximate: two scenarios that land in the same cell of the risk map cannot be told apart, even if their realistic financial exposure differs substantially.

The FAIR (Factor Analysis of Information Risk) approach was created to address this type of imprecision. It aims to quantify cyber risk in a reasoned, statistical and mathematical way. The objective is to determine the financial impact of a risk scenario, compare scenarios, and establish a clear, realistic hierarchy of risks that is useful for building an effective cybersecurity action plan.

Complement EBIOS RM with CRQ using FAIR

The EBIOS RM methodology provides a robust framework for identifying and assessing cyber risks, but integrating it with a Cyber Risk Quantification (CRQ) approach, such as the FAIR™ (Factor Analysis of Information Risk) method, adds the precision of statistical and financial measurement to the analysis. As an international standard quantitative model for information security and operational risk, FAIR enables organizations to quantify potential financial impacts of specific risk scenarios. This empowers risk teams to create a prioritized, data-driven action plan tailored to their most pressing threats.

Using both EBIOS RM and FAIR™, companies gain a comprehensive view of cyber risk: EBIOS RM delivers a structured risk profile, while FAIR's quantitative analysis provides a financial measure of potential losses and their expected frequency, allowing cybersecurity leaders to communicate risks effectively to executives and prioritize the allocation of resources accordingly. C-Risk supports CISOs ready to begin their first CRQ analysis or to integrate a new cyber risk management platform, with expert guidance and tailored solutions.
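The workshop chain described earlier (severity from Workshop 1, RO/TO pairs from Workshop 2, scenarios from Workshops 3 and 4, initial and residual risk from Workshop 5) and the FAIR quantification discussed in this section can be put side by side in code. The Python block below is an added example written for this article; it is not code from ANSSI, Club EBIOS, the FAIR standard or C-Risk. The two scenarios, the scale labels and all frequency and loss ranges are constructed for illustration, and the Monte Carlo model (a triangular estimate of yearly event rate feeding a Poisson event count, with a triangular per-event loss) is a simplified FAIR-style loss model, not the full FAIR ontology. The point it makes is the one raised in the limitations section: both scenarios land in the same cell of the ordinal risk map, yet their annualised loss expectancy differs, and a treatment measure can be evaluated on both views.

```python
"""Added example: EBIOS RM-style ordinal risk map versus a FAIR-style
Monte Carlo quantification of the same constructed scenarios.
Scale labels, scenarios, frequencies and loss ranges are all assumed."""
import math
import random
from dataclasses import dataclass, replace

# Workshop 1 severity scale, as in the ANSSI guide (G1 minor .. G4 critical)
SEVERITY = {"minor": 1, "significant": 2, "serious": 3, "critical": 4}
# Workshop 4 likelihood scale (assumed four-level labels, V1 .. V4)
LIKELIHOOD = {"unlikely": 1, "fairly likely": 2, "likely": 3, "very likely": 4}


@dataclass(frozen=True)
class OperationalScenario:
    name: str
    risk_origin: str        # Workshop 2: risk origin (RO)
    target_objective: str   # Workshop 2: targeted objective (TO)
    severity: str           # inherited from the feared event (Workshops 1 and 3)
    likelihood: str         # Workshop 4: chance the mode of operation succeeds
    # FAIR-style inputs (constructed), each as (min, max, most likely)
    lef: tuple              # loss event frequency, events per year
    loss_magnitude: tuple   # loss per event, in EUR


def ordinal_risk(s: OperationalScenario) -> tuple:
    """Workshop 5 initial risk: the (severity, likelihood) cell of the risk map."""
    return SEVERITY[s.severity], LIKELIHOOD[s.likelihood]


def risk_map(scenarios) -> dict:
    """Group scenarios by risk-map cell; scenarios sharing a cell are indistinguishable."""
    cells: dict = {}
    for s in scenarios:
        cells.setdefault(ordinal_risk(s), []).append(s.name)
    return cells


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of loss events in one year at rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_loss(s: OperationalScenario, n: int = 20_000, seed: int = 1) -> dict:
    """FAIR-style Monte Carlo: for each simulated year, draw an event rate and a
    per-event loss from the triangular estimates and sum the year's losses."""
    rng = random.Random(seed)
    lo_f, hi_f, mode_f = s.lef
    lo_m, hi_m, mode_m = s.loss_magnitude
    totals = []
    for _ in range(n):
        events = _poisson(rng, rng.triangular(lo_f, hi_f, mode_f))
        totals.append(sum(rng.triangular(lo_m, hi_m, mode_m) for _ in range(events)))
    totals.sort()
    return {
        "mean": sum(totals) / n,             # annualised loss expectancy
        "p95": totals[int(0.95 * n) - 1],    # roughly a 1-in-20-year loss
        "p_any_loss": sum(t > 0 for t in totals) / n,
    }


def treat(s: OperationalScenario, new_likelihood: str, lef_factor: float) -> OperationalScenario:
    """Workshop 5: a security measure lowers the likelihood rating and, in the
    quantitative model, scales the event frequency; severity is unchanged."""
    return replace(s, likelihood=new_likelihood,
                   lef=tuple(v * lef_factor for v in s.lef))


# Constructed scenarios: both are rated (critical, likely) on the ordinal map
RANSOMWARE = OperationalScenario(
    "Ransomware via phishing on a workstation", "cybercriminal group",
    "extort the company", "critical", "likely",
    lef=(0.1, 1.0, 0.4), loss_magnitude=(50_000, 2_000_000, 300_000))
INSIDER_EXFIL = OperationalScenario(
    "Exfiltration of customer data by a privileged insider", "malicious insider",
    "sell customer data", "critical", "likely",
    lef=(0.02, 0.3, 0.1), loss_magnitude=(100_000, 5_000_000, 500_000))


def compare() -> dict:
    """Ordinal mapping cannot separate the two scenarios; quantification can,
    and it also gives a number for the residual risk after treatment."""
    initial = {s.name: simulate_annual_loss(s) for s in (RANSOMWARE, INSIDER_EXFIL)}
    residual = simulate_annual_loss(treat(RANSOMWARE, "fairly likely", 0.4))
    return {"risk_map": risk_map([RANSOMWARE, INSIDER_EXFIL]),
            "initial": initial, "residual_ransomware": residual}


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

Running the block prints a single risk-map cell holding both scenario names, then mean and 95th-percentile annual losses for each scenario and for the treated ransomware scenario. The `lef_factor` applied by `treat` is an assumed effect of the measure; in practice it is the quantity a CRQ exercise has to estimate and defend, whereas the ordinal map only records that the likelihood label went down one step.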

For deeper insight into applying quantitative methods to EBIOS RM, you can download our white paper on enhancing EBIOS RM with FAIR.

To explore how CRQ can elevate your EBIOS risk assessment, schedule a complimentary 30-minute consultation with C-Risk today.

FAQ: EBIOS

Is the EBIOS method compliant with ISO 27005?

Yes. The EBIOS RM method is compatible with the information security risk management principles described in ISO/IEC 27005, and version 1.5 was aligned with ISO/IEC 27005:2022.

Who is in charge of implementing EBIOS RM? The risk manager or the CISO?

This approach brings together several participants in workshops: business leaders, CIO, CISO, cybersecurity manager, risk manager.

What is EBIOS?

The Expression of Needs and Identification of Security Objectives (EBIOS) is a risk management methodology created by SCSSI, now ANSSI, and developed with the Club EBIOS user community. EBIOS is a registered trademark of the French General Secretariat for Defence and National Security (SGDSN). EBIOS Risk Manager (EBIOS RM) is the current version of the cyber risk analysis method, maintained by the National Agency for the Security of Information Systems (ANSSI).
