Security Threats and Asset Protection

Threats and Assets

• Threats prevent assets from achieving confidentiality, integrity, availability, accountability, authenticity, and reliability.
• Assets may have multiple threats.

Threat Sources

• Threats can be either natural (fire, flood, storm, earthquake) or human-made (accidental or intentional).
• Human-made threats can come from insiders (e.g., selling information for personal gain) or outsiders (e.g., hackers).

Human Attackers

• Consider motivations, capabilities, resources, and probability of attack when evaluating human attackers.
• Analyze previous attacks to the organization.

Vulnerability Identification

• A vulnerability is a weakness in an asset that can be exploited by a threat.
• Identify weaknesses in the organization's IT systems or processes to determine the applicability and significance of threats.
• Use standard lists of potential vulnerabilities to identify weaknesses.

Risk Analysis

• Specify the likelihood of occurrence of identified threats.
• Specify the consequence to the organization if the threat occurs.
• Derive an overall risk rating for each threat using a qualitative rating system.
• Use a risk rating formula: risk = probability threat occurs x cost to organization.

Likelihood Determination

• Use a 4-point scale to rate likelihood: Rare (1), Unlikely (2), Possible (3), Almost Certain (4).
• Define each level: Rare (exceptional circumstances), Unlikely (could occur, but not expected), Possible (might occur, but just as likely as not), Almost Certain (very likely).

Determining Resultant Risk

• Use a 5-point scale to rate consequences: Insignificant, Minor, Moderate, Major, Doomsday/Catastrophic.
• Combine likelihood and consequence ratings to determine the resultant risk level.
• Use a risk level matrix to determine the overall risk level: Extreme (E), High (H), Medium (M), Low (L).