What is the EBIOS cyber risk analysis method? Which structures can make use of it? What are its benefits and drawbacks?
EBIOS is a method for analysing the risks that information systems face. It was created in 1995, in France, by the Central Service for the Security of Information Systems (SCSSI). For more than 20 years, it has been regularly updated, with notable versions being published in 2010 and 2018. Its latest version is called EBIOS Risk Manager and is now maintained by the French National Agency for the Security of Information Systems (ANSSI). Its aim is to be more educational and more accessible than previous versions. As cybersecurity issues increase in prevalence, EBIOS is more specifically used by public sector organisations that provide critical services. How is it structured? Who is it intended for? What are the customary precautions?
EBIOS is the French acronym for “Expression of Needs and Identification of Security Objectives”. It is a risk management method related to information systems security (also known as INFOSEC). It was created in 1995 by the Central Service for the Security of Information Systems (SCSSI), the former name of the ANSSI (National Agency for the Security of Information Systems), which now maintains it.
According to ANSSI, EBIOS is a risk management method that has proven itself over more than 20 years. The Agency updates the methodology on a regular basis, so much so that it now complies with three ISO standards: ISO 27000, ISO 27005, and ISO 31000. ANSSI tells us that EBIOS Risk Manager has several advantages:
ANSSI further specifies that the EBIOS method was revised in 2010, in collaboration with the EBIOS Club, which brings together approximately 60 member companies – including consulting and training companies and four software publishers – as well as around 200 individual members. This new formula adapted its principles to changes in regulation and to the varied feedback submitted over the years. It offered:
Then, in 2018, the latest version was released: EBIOS “RM” (Risk Manager). This method has the unique characteristic of addressing the issue of the entry points cybercriminals use to penetrate a system. It focuses on cyber threats of intentional origin. While cyber incidents of accidental origin (human error, natural disaster, or structural failure) constitute a constantly growing category of cyber incidents according to the annual Verizon DBIR report, unintentional risks are, surprisingly, outside the scope of the EBIOS risk analysis. Indeed, it is considered that this type of risk can be dealt with through compliance and security baseline good practices.
EBIOS is designed as a toolbox that provides a framework for cyber risk management on several levels:
This method is mainly used by French public establishments and ministries. In the private sector, due to its complexity and low outreach, only a few large companies use it, and this is often to complement more established and widespread international standards such as NIST CSF, ISO 27005, and now the FAIR standard. For the same reasons, the NIST CSF, ISO 31000, and ISO 27005 standards are also preferred worldwide.
The methodology is usually applied in successive stages, known as “workshops”. The titles of these workshops may differ from one version of the method to another, but the logic remains, nevertheless, essentially the same. With EBIOS, you use the company’s unique business context as a basis from which you can assess the weaknesses of your IT infrastructures. You can find more details on this method in the EBIOS Risk Manager ANSSI guide.
1 / Workshop 1, “Scope and security baseline”, first aims to define the scope of application of the method: participants, schedule, objectives, supporting assets. At this point, you need to identify the “feared events” associated with your business values, factoring in their “severity” and their “impact”. Business values were referred to as “essential assets” in previous versions of EBIOS. These values are the components of the organisation which are essential to the accomplishment of its mission (service, support function, project, information). From the very first workshop, the EBIOS approach works on anticipating cybersecurity breaches.
In its EBIOS RM guide, the ANSSI specifies that the level of impact needs to be measured on a scale of severity, enabling you to prioritise the feared events. You can assess their impact proportionally to the harmful effects of the risk: unavailability of a business value, breach of integrity, confidentiality, or traceability.
A given feared event can be summed up as a short phrase or a “scenario” in order to make the damage easier to understand. The levels of severity can be expressed in different ways, depending on the business value, e.g., two hours of website downtime, a data transfer rate limited to 1 MBps for one hour, etc.
2 / Workshop 2 is about cross-referencing the risk origins (RO) with the targeted objectives (TO). The most relevant "RO/TO" pairs are selected to map the risk origins.
3 / Workshop 3 is used to develop digital threat scenarios: the “strategic scenarios”. These introduce the “attack paths” of a “risk origin”. Once again, the scenarios need to be based on an impact-severity scale.
4 / The objective of workshop 4 comes down to designing operational scenarios to detail how cyberattackers operate, here focussing on critical support assets. The level of likelihood of these scenarios needs to be assessed. Workshops 3 and 4 complement each other.
5 / The fifth and final workshop summarises all the previously reviewed risks. The idea here is to define and implement a strategy against cyber threats. Such a strategy needs to detail implementation measures and fit within a continuous improvement plan. Now is also the time to sum up the residual risks and to detail monitoring methods.
EBIOS is usually used as a complement to ISO 27005, specifically because it benefits from a certain simplicity of implementation compared to other InfoSec risk analysis methods. However, it operates around notions that remain vague, such as severity and impact assessment.
EBIOS, at the very least, helps organisations clearly pinpoint the essential elements of danger, not just the elements of a scenario. EBIOS highlights the people and interactions that are the building blocks of a cyber risk. This approach is quite flexible as it easily adapts to various organisational contexts.
This risk analysis method also comes with the advantage of being relatively quick to set up. It only deals with analysis elements relative to the objective you determined during workshop 1. You can also reuse EBIOS to ensure continuous monitoring of information security risks.
In addition to a relatively low dissemination outside of French critical service providers who use it for their annual report to ANSSI, this approach has the disadvantage of not being subject to any external evaluation. It is, just like the NIST cyber framework, a self-assessment technique. The EBIOS method is also based on the idea that cyber threats come from external attacks, so it does not tackle any potential accidental risk.
Another drawback of EBIOS is that the risk analysis is either based on a summarised severity scale (example: “the attack caused the site to be unavailable for two hours”), or on a rating system. As featured in the ANSSI guide, this rating system is more about giving examples than recommendations.
Furthermore, it includes four severity thresholds. For example, the "critical" threshold relates to risks which imply “incapacity for the company to ensure all or a portion of its activity, with possible serious impacts on the safety of persons and assets” and on the survival of the structure. A colour, from red to green, is assigned to each threshold – critical, serious, significant, minor.
This risk analysis methodology is therefore based on a subjective and unquantified assessment of the danger. The actual inability of an organisation to ensure business continuity or survival depends on assumptions made on the basis of nominal or ordinal scales. Consequently, the resulting ranking of cyber risks may very well be approximate.
The FAIR (Factor Analysis of Information Risk) method was created to address this kind of inaccuracy. This approach is about statistical and mathematical risk quantification. FAIR aims to give you data on the financial impact of a risk scenario, so that you can compare and establish a hierarchy of credible, realistic, and useful risks to help you build an effective and preventive cybersecurity action plan.
Yes, EBIOS’s method is compatible with the information security risk management principles described by ISO 27005.
This approach brings together several participants in workshops: business leaders, CIO, CISO, cybersecurity manager, risk manager.
The Expression of Needs and Identification of Security Objectives is a risk management methodology published by Club EBIOS. It is also a registered trademark of the French General Secretariat for Defence and National Security (SGDSN). EBIOS Risk Manager (EBIOS RM) is the cybersecurity risk analysis method that the National Agency for Information Systems Security (ANSSI) now maintains.