Many organizations have performed an information security risk assessment or had one done by an outside party. Most have likely undergone an IT audit. Both of these activities are designed to help assess risk and put appropriate controls in place.
However, in order to fully understand the risks an organization faces, these activities should include a threat assessment. In this tip, we will examine what a threat assessment is, threat assessment processes, and how the processes can integrate into information security risk assessments.
What is a threat assessment?
A threat assessment focuses on the potential threat sources an enterprise faces. The process includes surveying the threat landscape for ongoing, upcoming and rising threats, and mapping them to vulnerabilities in the enterprise's systems or processes. Then, a threat assessment can be combined with an information security risk assessment to help the enterprise prioritize the security controls it needs to prevent a threat agent from taking advantage of a vulnerability.
Just as there are multiple information security risk assessment methodologies, there are multiple threat assessment methodologies. Intel Corp. has a free white paper on its website, Threat Agent Risk Assessment, which it describes as a “methodology that identifies threat agents that are pursuing objectives which are reasonably attainable and could cause unsatisfactory losses.” OWASP has Security Assessment Techniques that include a Security Threat Assessment that “analyzes application architectural information to develop a threat profile for the application components. “ The Microsoft Security Development Lifecycle also includes threat modeling in the design process to define the attack surface of an application -- meaning, which threats it is likely vulnerable to and where it can be attacked.
Which threat assessment methodology an enterprise chooses will depend on its organizational culture and the specific details of the system. For enterprises developing software, the Microsoft SDLC methodology could be used and Intel’s Threat Agent Risk Assessment (TARA) methodology could be used when assessing systems and applications. All of the different methods may require significant resources to for the assessment, but could be scaled to fit the size of the enterprise and systems.
Threat assessment process
Performing a threat assessment involves identifying potential threats to an environment. Intel has a free Threat Agent Library (TAL) (.pdf) to use as a starting point for identifying the specific threat agents most relevant to a company. For example, if your enterprise doesn’t think an anarchist poses a significant threat, you could remove it from the library or never rank it as a high-priority area. You can have your information security risk analyst work with the business and technology staff to identify the most likely threat agents, and then identify controls to manage these threat agents based on the vulnerabilities they could exploit. For example, if reckless employees pose a significant threat, a combination of monitoring, security awareness training and access controls may be controls worth implementing to minimize that threat.
Integrating threat assessments into risk assessments
The information security risk assessment process an enterprise uses should be flexible enough to include input from a variety of sources like standard questionnaires, interviews and other more focused evaluations on individual controls. However, before embarking on a detailed threat assessment, an organization should first ensure it has a mature information security risk management program, and then start expanding on it by adding a threat assessment. Ensuring a mature information security risk management program will provide a framework for how to manage the results from a threat assessment, since it will not be reasonable to mitigate all potential threats; some information security risks can simply be accepted by an enterprise.
Many enterprises perform information security risk assessments and some have even begun to integrate these with enterprise risk management programs, but it's still important they don’t lose their focus on information security threats. Analyzing the threats an organization faces can help security pros to prioritize the controls they implement to ensure their enterprise is adequately protected. By focusing controls based on the threats to the company's high-value assets, enterprises can ensure these assets are adequately protected, while carefully managing the resources necessary to continue to protect them.
About the author:
Nick Lewis, CISSP, is an information security architect at Saint Louis University. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.
This was first published in December 2011