What is the EBIOS cyber risk analysis method? Which structures can make use of it? What are its benefits and drawbacks?
EBIOS is a method for analysing risks on information systems. It was created in France in 1995 by the Central Service for the Security of Information Systems (SCSSI). For more than 20 years it has been updated regularly, notably in 2010 and 2018. Its latest version, called EBIOS Risk Manager, is now maintained by the National Agency for the Security of Information Systems (ANSSI); it aims to be more educational and more accessible than its predecessors. As cybersecurity issues ramp up, EBIOS is used above all by public-sector organisations, which more often than not are operators of vital importance. How is it structured? Who is it intended for? What are the customary precautions?
EBIOS is the French acronym for “Expression of Needs and Identification of Security Objectives”. It is a risk management method related to information systems security (also known as INFOSEC). It was created in 1995 by the Central Service for the Security of Information Systems (SCSSI), the former name of the ANSSI - National Agency for the Security of Information Systems, which now maintains it.
According to ANSSI, EBIOS is a risk management method that has proven itself for more than twenty years. The Agency updates it regularly, to the point that it now complies with three ISO standards: ISO 27000, ISO 27005 and ISO 31000. ANSSI says EBIOS Risk Manager has several upsides:
ANSSI further specifies that the EBIOS method was revised in 2010, in collaboration with the EBIOS Club, which brings together approximately sixty member companies – including consulting and training companies and four software publishers – as well as around 200 individual members. This new formula adapts its principles to changes in regulations and to the feedback gathered over the years. It offers:
Then, in 2018, the latest version was released: EBIOS “RM” (standing for Risk Manager). This version specifically addresses the entry points cybercriminals use to penetrate a system. It focuses on cyber threats of intentional origin. While cyber incidents of accidental origin (human error, natural disasters or structural failures) constitute a constantly growing category of cyber incidents according to the annual Verizon DBIR report, unintentional risks are, surprisingly, outside the scope of the EBIOS risk analysis. Those risks are considered to be dealt with through compliance with the security baseline and its good practices.
EBIOS is designed as a toolbox that provides a framework for cyber risk management on several levels:
This method is mainly used by French public establishments and ministries. In the private sector, owing to its complexity and low outreach, only a few large companies use it, and often as a complement to more established and widespread international standards such as NIST CSF, ISO 27005 and now the FAIR standard. For the same reasons, the NIST CSF, ISO 31000 and ISO 27005 standards are also preferred worldwide.
The analysis is carried out in successive stages, known as “workshops”. The titles of these workshops may differ from one version of the method to another, but the logic remains essentially the same. With EBIOS, you use the company’s specificities as the basis from which you assess the weaknesses of your IT infrastructure. You can find more details on this method in the EBIOS Risk Manager ANSSI guide.
1 / Workshop 1, “Scope and security baseline”, first aims to draw the scope of application of the method: participants, schedule, objectives, supporting assets. This is also when you need to identify the "feared events" associated with your business values, factoring in their "severity" and their "impact". Business values were referred to as "essential assets" in previous versions of EBIOS. These values are the components of the organisation which are essential to the accomplishment of its mission (service, support function, project, information). From the very first workshop, the EBIOS approach tackles the anticipation of cybersecurity breaches.
In its EBIOS RM guide, the ANSSI specifies that the level of impact needs to be expressed on a severity scale, which enables you to prioritise the feared events. You can assess their impact in proportion to the harmful effects of the risk: unavailability of a business value, breach of integrity, confidentiality or traceability.
A given feared event can be summed up as a short phrase or a “scenario” so as to make the damage easier to understand. The levels of severity can be expressed in different ways, depending on the business value, e.g. two hours of website downtime, a data transfer rate limited to 1 MBps for one hour, etc.
2 / Workshop 2 is about cross-referencing the risk origins (RO) with the targeted objectives (TO). The most relevant "RO/TO" pairs are selected to map the risk origins.
3 / Workshop 3 is used to develop digital threat scenarios: the “strategic scenarios”. These introduce the “attack paths” of a “risk origin”. There again, the scenarios need to be based on an impact severity scale.
4 / The objective of workshop 4 comes down to designing operational scenarios to detail how cyber-attackers operate, but here, it focuses on critical support assets. The level of likelihood of these scenarios needs to be assessed. Workshops 3 and 4 complement each other.
5 / The fifth and final workshop summarises all the previously reviewed risks. The idea here is to define and implement a strategy against cyber threats. Such a strategy needs to detail implementation measures and fit into a continuous improvement plan. Now is also the time to sum up the residual risks and to detail the monitoring methods.
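The five workshops above form one procedure, from feared events to residual risk. The script below is an illustration added for this page, not code from ANSSI or Club EBIOS: it models a constructed sample analysis of a small e-commerce organisation through workshops 1 to 5. Only the four severity names (minor, significant, serious, critical) come from the guide; the 1-4 likelihood labels, the RO/TO relevance scoring and the severity x likelihood grid are assumptions made here, since EBIOS RM leaves those scales to the organisation.

```python
"""Toy walk-through of the five EBIOS Risk Manager workshops.

Illustration added for this page; it is not ANSSI's or Club EBIOS's code.
The likelihood labels, the RO/TO relevance scoring and the risk grid below
are assumptions made here; only the four severity names come from the guide.
"""
from dataclasses import dataclass

SEVERITY = {1: "minor", 2: "significant", 3: "serious", 4: "critical"}
LIKELIHOOD = {1: "unlikely", 2: "plausible", 3: "likely", 4: "very likely"}  # assumed

# Assumed grid: row = severity 1..4, column = likelihood 1..4, cell = risk level 1..4.
RISK_GRID = {
    1: (1, 1, 2, 2),
    2: (1, 2, 2, 3),
    3: (2, 2, 3, 4),
    4: (2, 3, 4, 4),
}


def risk_level(severity, likelihood):
    """Combine a feared event's severity with an operational scenario's likelihood."""
    return RISK_GRID[severity][likelihood - 1]


@dataclass(frozen=True)
class FearedEvent:            # workshop 1: what must not happen to a business value
    business_value: str
    criterion: str            # availability, integrity, confidentiality or traceability
    scenario: str             # short phrase that makes the damage concrete
    severity: int             # 1..4, see SEVERITY


@dataclass(frozen=True)
class RiskOriginTarget:       # workshop 2: one RO/TO pair
    origin: str
    objective: str
    motivation: int           # assumed 1..3 criteria used to rate the pair
    resources: int
    activity: int

    def relevance(self):
        return self.motivation + self.resources + self.activity


@dataclass(frozen=True)
class StrategicScenario:      # workshop 3: the path from a risk origin to a feared event
    name: str
    pair: RiskOriginTarget
    feared_event: FearedEvent
    attack_path: str


@dataclass(frozen=True)
class OperationalScenario:    # workshop 4: the same path seen on critical support assets
    strategic: StrategicScenario
    support_assets: tuple
    likelihood: int           # 1..4, see LIKELIHOOD


@dataclass(frozen=True)
class Measure:                # workshop 5: a treatment and the notches it removes
    name: str
    reduces_likelihood: int = 0
    reduces_severity: int = 0


def prioritise_feared_events(events):
    """Workshop 1: rank feared events by severity, highest first."""
    return sorted(events, key=lambda e: e.severity, reverse=True)


def select_pairs(pairs, threshold):
    """Workshop 2: keep only the RO/TO pairs relevant enough to map."""
    return [p for p in pairs if p.relevance() >= threshold]


def treat(scenario, measures):
    """Workshop 5: (initial risk, residual risk) once the measures are applied."""
    sev = scenario.strategic.feared_event.severity
    lik = scenario.likelihood
    initial = risk_level(sev, lik)
    sev_res = max(1, sev - sum(m.reduces_severity for m in measures))
    lik_res = max(1, lik - sum(m.reduces_likelihood for m in measures))
    return initial, risk_level(sev_res, lik_res)


def run_example():
    """Constructed sample analysis; returns {scenario name: (initial, residual)}."""
    outage = FearedEvent("online ordering", "availability", "2 hours of website downtime", 3)
    leak = FearedEvent("customer database", "confidentiality", "customer records disclosed", 4)
    wiki = FearedEvent("internal wiki", "availability", "wiki unavailable for one day", 1)
    assert [e.severity for e in prioritise_feared_events([outage, leak, wiki])] == [4, 3, 1]

    crime = RiskOriginTarget("organised crime", "extort money by disrupting sales", 3, 2, 3)
    rival = RiskOriginTarget("competitor", "obtain the customer list", 2, 2, 2)
    hacktivist = RiskOriginTarget("hacktivist", "deface the site for publicity", 1, 1, 2)
    selected = select_pairs([crime, rival, hacktivist], threshold=6)  # drops the hacktivist pair

    s1 = StrategicScenario("S1", selected[0], outage,
                           "reach the ordering platform through a supplier's maintenance access")
    s2 = StrategicScenario("S2", selected[1], leak,
                           "read the database with an over-privileged internal account")
    o1 = OperationalScenario(s1, ("order web server", "supplier VPN gateway"), likelihood=3)
    o2 = OperationalScenario(s2, ("database server", "admin workstation"), likelihood=2)

    plan = {
        "S1": [Measure("segment supplier access behind MFA", reduces_likelihood=2),
               Measure("tested restore procedure for the shop", reduces_severity=1)],
        "S2": [Measure("least-privilege database roles with access logging", reduces_likelihood=1)],
    }
    return {o.strategic.name: treat(o, plan[o.strategic.name]) for o in (o1, o2)}


if __name__ == "__main__":
    for name, (initial, residual) in run_example().items():
        print(f"{name}: initial {SEVERITY[initial]} -> residual {SEVERITY[residual]}")
```

Running the script gives S1 an initial level of 3 (serious) falling to 1 (minor) once supplier access is segmented and restores are rehearsed, and S2 an initial 3 falling to 2 (significant), which is exactly the residual-risk summary workshop 5 asks for. The grid is the part to adapt: the method supplies the severity names, while the organisation decides how severity and likelihood combine.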
EBIOS is usually used as a complement to ISO27005, specifically because it benefits from a certain simplicity of implementation compared to other InfoSec risk analysis methods. However, it operates around notions that remain vague, such as severity and impact assessment.
EBIOS has the merit of helping organisations to clearly pinpoint the essential elements of the danger, not just the elements of a scenario. EBIOS highlights the people and interactions that are the building blocks of a cyber risk. This approach is quite flexible as it easily adapts to various organisational contexts.
This risk analysis method also comes with the advantage of being relatively quick to set up. It only deals with analysis elements relative to the objective you determined during workshop 1. You can also reuse EBIOS to ensure continuous monitoring of information security risks.
In addition to a relatively low dissemination outside of the French Operators of Vital Importance that use it for their annual report to ANSSI, this approach has the disadvantage of not being subject to any external evaluation. Just like the NIST cyber framework, it is a self-assessment technique. The EBIOS method is also based on the idea that cyber threats come from external attacks, so it does not tackle any potential accidental risk.
Another drawback of EBIOS is that the risk analysis is based either on a summarised severity scale (example: “the attack caused the site to be unavailable for 2 hours”) or on a rating system. As featured in the ANSSI guide, this rating system is, incidentally, more illustrative than prescriptive. It includes 4 severity thresholds.
For example, the "critical" threshold relates to risks which imply “incapacity for the company to ensure all or a portion of its activity, with possible serious impacts on the safety of persons and assets” and on the survival of the structure. A colour, from red to green, is assigned to each threshold (critical, serious, significant, minor).
This risk analysis methodology is therefore based on a subjective and unquantified assessment of the danger. The actual incapacity of an organisation to ensure business continuity or survival depends on assumptions made on the basis of nominal or ordinal scales. Consequently, the resulting ranking of cyber risks may very well be approximate.
The FAIR Analysis method, Factor Analysis of Information Risk, was created to address this kind of inaccuracy. This approach is about statistical and mathematical risk quantification. FAIR aims at giving you data on the financial impact of a risk scenario, so that you can compare and establish a hierarchy of credible, realistic and useful risks to help you build an effective and preventive cybersecurity action plan.
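To make the contrast concrete, here is an illustration added for this page of what a quantified, FAIR-style estimate of one scenario looks like next to the ordinal thresholds described above. It is not the FAIR Institute's reference implementation: FAIR's core factoring is kept (loss event frequency = threat event frequency x vulnerability; risk = loss event frequency x loss magnitude), but the use of triangular three-point estimates, the independence assumption and the euro figures for the two sample scenarios are constructed assumptions made here.

```python
"""Simplified FAIR-style quantification of risk scenarios.

Illustration added for this page, not the FAIR Institute's reference code.
Factoring kept from FAIR: LEF = TEF x vulnerability, risk = LEF x loss magnitude.
Assumed here: triangular (low, most likely, high) estimates, independent factors,
and the constructed sample figures below.
"""
import random
from statistics import mean

# Constructed sample estimates for two scenarios (the same feared events an
# EBIOS analysis would phrase as "critical" or "serious").
SAMPLE_SCENARIOS = {
    "customer database disclosed": {
        "tef": (2.0, 5.0, 12.0),                # threat events per year
        "vuln": (0.10, 0.30, 0.50),             # probability a threat event becomes a loss
        "lm": (20_000.0, 60_000.0, 200_000.0),  # loss per event, in euros
    },
    "2 hours of website downtime": {
        "tef": (6.0, 10.0, 20.0),
        "vuln": (0.05, 0.10, 0.20),
        "lm": (5_000.0, 8_000.0, 15_000.0),
    },
}


def triangular_mean(estimate):
    """Mean of a triangular distribution given as (low, mode, high)."""
    low, mode, high = estimate
    return (low + mode + high) / 3


def expected_annual_loss(scenario):
    """Closed-form expectation: with independent factors the means multiply."""
    return (triangular_mean(scenario["tef"])
            * triangular_mean(scenario["vuln"])
            * triangular_mean(scenario["lm"]))


def simulate_annual_loss(scenario, trials=20_000, seed=7):
    """Monte Carlo draws of annual loss; returns the list of sampled losses."""
    rng = random.Random(seed)

    def draw(estimate):
        low, mode, high = estimate
        return rng.triangular(low, high, mode)  # stdlib argument order is (low, high, mode)

    return [draw(scenario["tef"]) * draw(scenario["vuln"]) * draw(scenario["lm"])
            for _ in range(trials)]


def summarise(losses):
    """Mean and two percentiles, the figures a decision maker can compare in money."""
    ordered = sorted(losses)
    n = len(ordered)
    return {"mean": mean(ordered), "p50": ordered[n // 2], "p90": ordered[int(0.9 * n)]}


def rank_scenarios(scenarios):
    """Order scenarios by expected annual loss rather than by an ordinal label."""
    return sorted(scenarios, key=lambda name: expected_annual_loss(scenarios[name]), reverse=True)


if __name__ == "__main__":
    for name in rank_scenarios(SAMPLE_SCENARIOS):
        stats = summarise(simulate_annual_loss(SAMPLE_SCENARIOS[name]))
        print(f"{name}: expected {expected_annual_loss(SAMPLE_SCENARIOS[name]):,.0f} EUR/yr, "
              f"simulated mean {stats['mean']:,.0f}, p90 {stats['p90']:,.0f}")
```

With these constructed inputs the database scenario carries an expected loss of about 177,000 EUR a year against roughly 13,000 EUR for the outage, and the p90 figure shows how much worse than the average a bad year can be. That ranking by money, with its spread, is the comparison an ordinal "critical / serious" label cannot provide; the quality of the result, of course, still rests on how well the three-point estimates were calibrated.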
Yes, EBIOS offers a method compatible with the information security risk management principles described by ISO 27005.
This approach brings together several participants in workshops: business heads, CIO, CISO, cybersecurity manager, risk manager.
The Expression of Needs and Identification of Security Objectives is a risk management methodology published by Club EBIOS. It is also a registered trademark of the French General Secretariat for Defence and National Security (SGDSN). EBIOS Risk Manager (or EBIOS RM) is the cybersecurity risk analysis method that the National Agency for Information Systems Security (ANSSI) now maintains.