Threats
Threats are potential causes of harm that could affect the confidentiality, integrity, or availability of systems or data [1]. Organizations face many threats from a wide array of threat actors. Nonhuman threats include power outages, tornadoes, wild animals, and equipment failures. Unintentional human threats to systems include users inaccurately modifying data, system administrators inadvertently causing outages, developers introducing bugs into software, users inappropriately sending or storing confidential data, and third-party providers failing to protect data. Intentional threats include both insiders and outsiders. Insiders with access to intellectual property or data could release or sell such assets. Insiders could also maliciously insert defects into systems or software. Outside threats come from many sources. Competitors could attempt to steal intellectual property for competitive advantage. Cybercriminals may seek to steal intellectual property or data. Hacktivists and other groups looking to harm an organization’s reputation may attempt to deface websites or disable systems.
Identifying Threats
Organizations should start by identifying the assets, both tangible and intangible, that it must protect [2]. It is important for companies to understand the value of their assets. For each asset, the organization can then develop a threat matrix to assist in identifying the threats to each asset. A simple threat matrix will include the threat agent, the vulnerability that threat agent can exploit, and the resulting threat. The threat agent is the actor, such as a hacker, a fire, an employee, or malware, that could exploit a vulnerability of the asset. A vulnerability is a weakness in a system that a threat agent might be able to exploit [1]. The resulting threat is a combination of the threat actor and the vulnerability [2]. For example, the threat actor fire could exploit the vulnerability of lack of fire extinguishers resulting in the threat of damage to property and possible loss of life.
Risks
Risk refers to the probability that a threat agent will exploit a vulnerability and cause harm [1]. In addition to probability, risk also considers the possible resulting damage. Risk management methodologies assist companies in identifying, assessing, and prioritizing risks [3]. Organizations can choose to deal with risks in one of four ways – risk reduction, risk transference, risk acceptance, and risk avoidance
Performing a quantitative risk analysis allows the business to assign a value to risks [3]. First, the analysis assigns a dollar value to the asset. Then, for each threat to each asset, the single loss expectancy (SLE) is calculated. Each threat is analyzed to determine the annual rate of occurrence (ARO) for that threat. The SLE and the ARO are then combined to calculate an annualized loss expectancy (ALE). Based on this ALE, the organization can then make an informed decision whether to reduce, transfer, avoid, or accept the risk.
Organizations can also use a qualitative approach to risk analysis [2]. Qualitative risk analysis does not assign specific values and dollars to assets and losses. Qualitative risk analysis may use methods such as Delphi, storyboarding, questionnaires, and surveys. A typical qualitative approach will rate asset and threat scenarios based on relative impact and probability. Both quantitative and qualitative approaches have their shortcomings. Quantitative calculations are more complex and can be labor intensive. Qualitative analysis is mostly subjective, which makes it harder to weigh cost/benefit. Companies may use a hybrid approach that uses quantitative analysis where feasible and a qualitative approach in more nebulous or more complex situations.
Managing Risks to Counter Threats
A security assessment can assist in determining the current security posture of the organization [4]. The security assessment reviews the current policies, standards, and procedures related to logical and physical security. The security assessment should involve the operations teams to review the current level of logical and physical security controls, security monitoring, and compliance with standards and regulations. The security assessment should also include process owners to review administrative controls such as segregation of duties and change management processes.
A risk assessment identifies the threats and vulnerabilities and quantifies or qualifies the risks [2]. The prioritization of risks ensures the organization focuses resources on the appropriate risks. The risk assessment identifies the company assets, both tangible and intangible, and the value of these assets. The risk assessment also determines the vulnerabilities along with the threats, both internal and external. The assessment team quantifies or qualifies the probability of the threats and the possible business impacts to determine the risks to the company.
The output of the risk assessment will provide a prioritization of the risks that need evaluating [2]. By reviewing the prioritized risks against the output of the security assessment, the organization can identify security gaps and implement corrective actions. The organization can then evaluate and estimate the cost of proposed countermeasures to counter the threat and minimize the risk [3]. The countermeasures can include logical, physical, and administrative controls. The organization can weigh the prioritized risks against the cost of the proposed countermeasures. The organization then decides for each gap whether to reduce, transfer, accept, or avoid the risk. This analysis results in a prioritized list of countermeasures.
Conclusion
An organization must understand the assets the organization must protect and the value of those assets. After identifying assets that need protection, the organization must identify the threats each asset faces. A formalized risk management process that either quantifies or qualifies each risk based on the probability of a risk and the possible loss is necessary to ensure the organization is prioritizing risks appropriately. Risk management processes will allow an organization to make informed decisions about security investments and whether to reduce, transfer, accept or avoid risks.
About the author: Donnie Wendt is an information security professional focused on designing and engineering security controls and monitoring solutions. In addition, Donnie is an adjunct professor of cybersecurity at Utica College. Donnie is currently pursuing a Doctorate of Science in Computer Science with a research focus on security automation and orchestration.
References
[1] Pfleeger, C. P., & Pfleeger, S. L. (2012). Analyzing computer security: A threat/ vulnerability/countermeasure approach. Upper Saddle River, NJ: Prentice Hall.
[2] Harris, S. (2010). All-in-one CISSP exam guide. New York, NY: McGraw-Hill.
[3] International Information System Security Certification Consortium. (2015). Official (ISC)2 guide to the CISSP CBK. Boca Raton, FL: CRC Press.
[4] Killmeyer, J. (2006). Information security architecture: An integrated approach to security in the organization. Boca Raton, FL: CRC Press.