The story behind RAFIS

RAFIS started as a Dutch-only tool called RAVIB in 2013. In February 2022, I decided it was time to go international with it and derived RAFIS from it. So, the story below is actually about why I created RAVIB.

Before I got involved with risk analyses, it was unclear to me how you should actually perform a risk analysis. There was little useful information to be found on the internet, and companies involved in this kept their methods secret for commercial reasons. It all became clearer to me when I had a risk analysis carried out for an organization I worked for in the past, with the help of an external consultant. This consultant used an Excel sheet containing a list of threats, which were linked to one or more controls from the ISO/IEC 27002 standard. By going through the threats and indicating to what extent each threat applies to your organization, it became clear which controls were relevant for your organization. Although I thought the method used was good, I was less positive about the implementation. Some threats were very similar to others, others were too technical, and topics like the cloud and BYOD were missing.

PD 3005:2002

When I asked the external consultant where this Excel sheet came from, he said it was something 'publicly available'. I did some polling with people I knew and posted some calls on forums to hear how other organizations conducted their risk assessments and what threats and links to controls they used in doing so. More or less the same Excel sheet was sent to me by several people/organizations in the Netherlands (only the layout differed), with the comment: "I don't know where this Excel sheet comes from and what the copyright status is, so you didn't get it from me. But this sheet is what we use/have used." I found it very remarkable that apparently many organizations conduct their risk analysis using a tool of which no one knows the origin. After some further asking around and some research, I found out that it came from the PD 3005:2002 standard. A lot of organizations then apparently conducted their risk analysis based on a standard that was, at that time, more than 10 years old. In the ICT business, that's a long time.

Because I think it's not right to perform a risk analysis using an outdated standard or a method kept secret for commercial reasons, I decided to develop my own, modern approach and make it available to everyone for free. This was somewhere at the end of 2012. The result is this tool, in which I am completely transparent about the threats and links that are being used. In addition to positive feedback, I also received a number of critical questions and comments. The main question here was what the guarantees are that my choice of threats and links to controls is the right one. I agree that this is a good question. However, the answer is "nothing". The threats and links are my personal choice and based on my knowledge and experience. But this question can also be asked about the threats and links from the PD 3005 standard, and even about the methods of those big commercial companies. The advantage of my approach is that it is transparent and that I am open to comments and discussion about making changes to my approach. So if you have any comments or a proposal for a change in the threats or the links, please let me know.

The fact that the risk analysis method as offered by RAFIS is not 100% perfect is not a problem if you understand how to view and treat the results of a risk analysis. It's just the start of your approach to improving your information security. Information security is not a project, but a process. It's something you have to be constantly working on. If the organization for which you are conducting the risk analysis is more familiar with the subject of information security and has embedded it well within the organization, then the details of information security will come naturally. Although it is 'just' a start in the approach to information security, it should of course be a good start. That is why I have asked several other people I know from the information security world to give their critical view on the workings of this tool and the threats and the links that are used in it, which led to several improvements. It is therefore a method that I fully support and about which I have received a lot of positive feedback.

Hugo Leisink