To address current threats, you need to assess the security of your information system based on the challenges and risks facing your data. You must then define the security level of your IS and assess whether its assets are adequately secured. To help you with this process, the DICP risk analysis takes into account the various security requirements of your system and prioritizes them. Each digital risk is then analyzed along four criteria: availability, integrity, confidentiality, and proof.
This article reviews the fundamentals of the classification methodology recommended by ANSSI (the French national cybersecurity agency), followed by a practical application of this risk management matrix.
The 4 security criteria of DICP risk analysis
The DICP methodology is used by risk management teams and cybersecurity experts to set a target level of security for each asset, keep the resulting controls traceable, and provide proof that they are in place.
This framework combines four fundamental criteria, whose initials come from their French names (Disponibilité, Intégrité, Confidentialité, Preuve):
- availability (D),
- integrity (I),
- confidentiality (C),
- proof, or evidence (P).
D: Availability of the IS and its data
- When do you need this data?
- How do you use this data?
- How soon do you need to obtain the information?
- How long can this data be unavailable without disrupting your organization?
- What would be the consequence of losing this data?
The answers to these questions enable you to determine the required level of data availability. High availability means that the information must be constantly accessible to authorized users and that loss of access to the data cannot be tolerated.
The direct consequence of this availability requirement is that the equipment, technical infrastructure, and systems that store and serve the data must be operated so as to guarantee continuity of service whatever the threat (weather, fire, human error, theft, cyberattack).
I: Integrity of the system and its data
- What is the lifespan of your data?
- How important is it that the data is reliable?
- Does the same data have to be updated in several places in your information system for it to remain reliable?
- Who can modify the data, and under what circumstances?
These are all questions that provide insight into your need for integrity.
A system is considered to have integrity when the data it contains is accurate, complete, and consistent. According to ANSSI, integrity is a "property of accuracy and completeness of assets and information." This means that any unauthorized modification, whether caused by a technical malfunction, human error, or malicious act, must be detectable and correctable.
For example, the integrity requirement for health or financial data is at its maximum. The information system must therefore guarantee that the information remains unchanged over time, wherever the data is stored or displayed, and the security measures are reinforced to reach the required level of integrity.
C: Data confidentiality
Who is authorized to access the information? That is the only question you need to ask yourself!
Data confidentiality ensures that access to information is restricted to authorized persons only. We handle confidential data regularly, even daily: information protected by medical confidentiality, sensitive data, pay slips, strategic information, software patents, financial statements, corporate strategy, data subject to legal or regulatory confidentiality requirements, etc.
These few examples give an idea of the complexity of data processing in companies and of the diversity of confidentiality levels expected between employees and subcontractors.
P: Proof, going beyond access traceability
- How can you demonstrate that the data is secure?
- How traceable are the actions taken?
- How can you attest to the identity of the users who accessed the data?
- If there is a problem, how can you trace it back to its source?
- Who is responsible for actions performed on the data?
Long known as DICT, with the T standing for "traceability," the DICP method has had its fourth criterion replaced by the concept of "proof" (evidence), which is broader than traceability alone. According to ANSSI, proof makes it possible to determine "with sufficient confidence, the circumstances in which this asset is evolving." In the event of a malfunction or security incident, the proof is the starting point of the investigation. This criterion is essential, for example, for electronic signatures or financial transactions, where it must be possible to establish who did what, and when.
Having redefined the theoretical terms of this methodology for classifying and assessing cyber risk, let's move on to practical examples of its application.
Implementation of the DICP matrix
To assess whether an asset, a service, or a piece of data is adequately secured, you first audit the level of availability, integrity, confidentiality, and proof it requires. Fine, but in practical terms, how do you implement the DICP matrix within your organization?
The DICP evaluation system
Depending on the sector of activity and the information to be secured, the importance given to each of the DICP criteria and the actions to be implemented will vary.
Each of the four DICP criteria is rated with an integer from 0 to 4, where 0 corresponds to low criticality and 4 to very high criticality.
For example, a result written "DICP = 4, 1, 0, 4" corresponds to very high availability and proof requirements, but low integrity and confidentiality requirements.
If you rate every criterion 4, you will certainly aim for a high level of security, but is that necessary, and do you have the budget to meet such a requirement? It is therefore important to audit the assets or data to be secured objectively, and to rate only what the business actually needs.
Example of a DICP assessment for a website
Let's now take the example of a website that needs to be secured, starting with a few questions to keep in mind when conducting the risk analysis.
- What threats could potentially target the security of the website?
- Are financial risks properly taken into account in risk assessment?
- What level of application security is required?
- What are the data encryption requirements?
- Are ISO standards and regulatory compliance being met?
- Security breaches, vulnerabilities, hacking... What are the operational risks?
For a showcase website, the DICP matrix could then be 4, 4, 1, 0.
The website must have very high availability, as users need to be able to reach it at any time; for an e-commerce site, every service interruption also means lost revenue. Availability is therefore rated 4.
The integrity criterion is also very high in this example. The price on a product page, the contact address, the company presentation... All the information on the website or digital application must be accurate and must not be modifiable by a competitor, a disgruntled former employee, or a cyber attacker. The integrity of the website's data is therefore rated 4.
Data confidentiality matters much less for a showcase (institutional) website: the data it displays is, by definition, public and therefore not confidential, so confidentiality is rated 1 in the DICP assessment. It would be 4 for an e-commerce site, where the data belongs to customers: protecting the personal information they share (postal address, bank details, etc.) is then a regulatory obligation for the company.
In this example, proof is not a major criterion either: the website only publishes information that users cannot modify, so the traceability of user actions is not at stake. Proof could be rated 0. Note that this rating covers the public site as seen by its visitors; changes made through the site's administration interface are a separate asset, and an integrity rating of 4 assumes that unauthorized changes can still be detected there.
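To make the scale and the website example concrete, here is an added example in Python (not code from the article or from Tenacy) that models a DICP rating: it validates the 0 to 4 scale, reads and writes the "DICP = d, i, c, p" notation used above, reports which criteria are rated very high, and ranks a constructed inventory that includes the showcase website rated above. The overall-criticality rule (highest score, ties broken by the sum of scores), the e-commerce and payslip ratings, and all names are assumptions made for illustration.

```python
"""DICP rating model.

Added example, not code from the original article or from Tenacy. The 0-4
scale per criterion and the "DICP = d, i, c, p" notation come from the text;
the overall-criticality rule and the sample inventory are assumptions.
"""
from dataclasses import dataclass
import re

# D, I, C, P: Disponibilité, Intégrité, Confidentialité, Preuve
CRITERIA = ("availability", "integrity", "confidentiality", "proof")
MIN_SCORE, MAX_SCORE = 0, 4  # 0 = low criticality, 4 = very high (article's scale)


@dataclass(frozen=True)
class DICP:
    """One asset's rating on the four criteria, validated against the 0-4 scale."""
    availability: int
    integrity: int
    confidentiality: int
    proof: int

    def __post_init__(self):
        for name in CRITERIA:
            value = getattr(self, name)
            if (isinstance(value, bool) or not isinstance(value, int)
                    or not MIN_SCORE <= value <= MAX_SCORE):
                raise ValueError(
                    f"{name} must be an integer in [{MIN_SCORE}, {MAX_SCORE}], got {value!r}")

    def scores(self):
        return tuple(getattr(self, name) for name in CRITERIA)

    def __str__(self):
        # The notation used in the article, e.g. "DICP = 4, 1, 0, 4"
        return "DICP = " + ", ".join(str(s) for s in self.scores())

    def criticality(self):
        # Assumption: an asset is as critical as its most demanding criterion.
        return max(self.scores())

    def dominant(self):
        # Criteria rated very high (4): the ones that drive the controls and the budget.
        return [name for name, s in zip(CRITERIA, self.scores()) if s == MAX_SCORE]


_NOTATION = re.compile(
    r"^\s*DICP\s*=\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*$")


def parse_dicp(text):
    """Read a rating written in the article's notation; out-of-range values are rejected."""
    match = _NOTATION.match(text)
    if not match:
        raise ValueError(f"not a DICP rating: {text!r}")
    return DICP(*(int(group) for group in match.groups()))


# Constructed inventory for the example. Only the showcase website rating is
# taken from the article; the other two are assumptions (the article says
# confidentiality becomes 4 for an e-commerce site and that proof is essential
# for financial transactions, hence the high C and P there).
INVENTORY = {
    "showcase website": DICP(4, 4, 1, 0),
    "e-commerce website": DICP(4, 4, 4, 3),
    "payslip archive": DICP(1, 3, 4, 3),
}


def prioritize(inventory):
    """Order asset names by criticality (highest score first, then the sum of scores)."""
    return sorted(inventory,
                  key=lambda name: (inventory[name].criticality(),
                                    sum(inventory[name].scores())),
                  reverse=True)


if __name__ == "__main__":
    for name in prioritize(INVENTORY):
        rating = INVENTORY[name]
        print(f"{name:20s} {rating}  criticality={rating.criticality()} "
              f"dominant={rating.dominant()}")
```

Keeping the rating in a validated type rather than a bare tuple means a "5" or a missing criterion is rejected at the point where it is entered, and the `dominant()` list is what you would take into a budget discussion: it names the criteria on which the asset cannot be allowed to fail.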
In conclusion
Whether you want to map and manage your data or, more generally, manage the risks on your IT system, the DICP matrix is an essential decision-making tool that gives you a clearer view when developing your security policy. This risk analysis is fundamental because it aligns the business and the CISO on the security needs and risks of your organization.
Using the DICP method (Availability, Integrity, Confidentiality, Proof), Tenacy lets you structure risk assessment in a clear, shareable way that feeds directly into compliance management. This categorization makes business impacts easier to understand, keeps analyses consistent, and provides reliable reporting to stakeholders, from the CISO to senior management.