Cyber Strategy Management – 1D. Review threat landscape (2/5)

Cybersecurity Strategy Management Framework

This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.


The constantly evolving threat landscape makes it impractical for organizations to invest equally in all cybersecurity areas. The purpose of reviewing the threat landscape is to pinpoint the most significant risks to the organization and prioritize protection measures accordingly.


Identify key risk themes
Develop a strategic overview of the biggest threats with the potential to impact your mission-critical assets.
Prioritize cybersecurity domains
Prioritize cybersecurity domains according to your threat landscape to ensure efficient resource allocation. Focus on areas that yield the most value.


Business landscape
Summary of the business environment in which the company operates and its business model, including customer segments, products and services, sales, distribution and communication channels. Developed as part of “1b. Review internal factors” activity.
Technology landscape
Summary of IT operating model, IT architecture, an overview of key technologies used by the company and critical infrastructure components. Developed as part of “1b. Review internal factors” activity.
Security landscape
An outline of the security landscape featuring the organizational structure, operating model, and the key frameworks in use.
Business and technology objectives
List of business and technology objectives, their prioritization, supporting initiatives and definition of common interests. Developed as part of “1b. Review internal factors” activity.
External factors
List of the market, technology, cyber and regulatory trends affecting your organization and cyber strategy, their impact and cyber implications. Developed as part of “1c. Review external factors” activity.

Choose your approach

The first step in a threat landscape review is choosing a practical risk management approach. By adjusting traditional risk assessment methods, we can perform a broader evaluation, helping to prioritize security areas and guide strategic planning, as detailed in part 1 of this article – “1D. Review threat landscape (1/5)“.

Prepare for assessment

In preparing for a threat landscape assessment, aligning the scope with your cybersecurity strategy and identifying relevant internal and external threat sources is crucial. As part 1 of this article outlines, adequate preparation is the foundation for a robust threat landscape review – “1D. Review threat landscape (1/5)“.

Identify crown jewels

Your threat landscape assessment begins by identifying your organization’s assets that require protection from potential threats. However, conducting a strategic-level review for all assets is not feasible or efficient, as it can take time and effort. So, instead, you can focus on the crown jewels.

Crown jewels refer to your mission-critical information assets, distinguished by their value and potential impact if compromised. Depending on your industry and business model, these could include strategic plans, client data, proprietary source code, research results, product formulas, or trade secrets. Compromising these assets could severely affect your company’s competitive advantage, revenue streams, and reputation or lead to serious regulatory actions.

Focusing on the crown jewels lets you identify your organization’s most significant cybersecurity risks. These risks stem from the potential impact and likelihood of threat events, with the risk increasing with the impact. The most substantial impacts occur when vital assets are affected.

If you already have an inventory of your crown jewels, use it for your threat landscape assessment. If not, follow the steps below to create one.

Identify potential crown jewels

ISO 27005 identifies two types of assets: primary (business processes and information) and supporting (hardware, software, network, personnel, site, and organizational structure). IRAM2 distinguishes between business information assets and technology information assets. Both approaches can yield similar results.

To identify potential crown jewels, follow these steps:

Create a list for the assets. Create the Assets table that will contain essential information about your information assets. Include columns for:

Title of the information asset.
Short description of the information asset.
Classification of the information asset.
Critical business processes that rely on the information asset.
Supporting assets used to process the information.
Business impact in case of a confidentiality breach.
Business impact in case of an integrity breach.
Business impact in case of an availability breach.
Overall business impact.
Value of the asset for the organization.
Overall criticality of the asset.

Identify business processes. Identify your mission-critical business processes. Review your business model, Business Impact Assessment results, and available process documentation, or interview relevant stakeholders.

Identify information assets. From identified processes, recognize information assets supporting process execution. Look at process inputs and outputs. Use additional sources that may include the definition of mission-critical information assets, such as process documentation, Business Impact Assessment results or information classification policy. List unique information assets for simplicity. Fill in the Title, Description, Classification, and Key Processes columns.

Identify supporting assets. For each information asset, identify supporting assets on which it relies. Examine the information lifecycle and determine where and how the information is collected, transmitted, processed, stored, and destroyed. Focus on core assets or groups of supporting assets. Consider the following types:

Business applications used at all stages of the information lifecycle, hosted internally or in the cloud.
Infrastructure supporting applications. Application and database servers, including operating systems, storage systems and networks.
Equipment used to access and process information, such as server hardware, workstations, laptops, mobile devices, storage devices and media.
Buildings, data centers, and offices where information is processed, stored, or devices and infrastructure components are hosted. People. Key stakeholders that create, use, or process the information, including business owners, users, developers, and operation staff.
Business lines, functions, project organizations, suppliers and partners that require access to or process the information.

Aggregate where possible. The goal is to identify potential crown jewels and understand the threats that may impact them rather than create a detailed inventory. Therefore, the level of granularity should be relatively low. When considering supporting assets like physical devices, infrastructure, people, or organization, operating in terms of asset groups or categories is more reasonable than single assets.

IDTitleDescriptionClassificationKey ProcessesSupporting Assets
A001Business strategyDetails of the business strategy.Strictly ConfidentialStrategy managementNetwork shares, Laptops, Storage backups, Data center
A002Sales pipelineSales pipeline including information about prospects, clients, proposed services, their value and status in the sales process.ConfidentialSalesSalesforce (SaaS), Cloud provider, Laptops, Network shares, Storage backups
A003New service documentationInformation related to the new service including value proposition, business model, strategy, platform architecture and solution blueprints.Strictly ConfidentialProduct managementNetwork shares, Laptops, Storage backups, Data center
A004Client dataPersonally identifiable information of our clients.ConfidentialMarketing, Sales, Client onboarding, Customer serviceClient portal (web), Mobile applications (Android, iOS), API, 60 web servers in AKS cluster, Database as a Service (DBaaS), Cloud service provider, Sales team, Customer service team
A005Platform codeSoftware code of our web and mobile applications including client profiling and recommendation algorithms.ConfidentialSoftware development, Platform managementWeb servers (production, test, development), GitHub, CI/CD tools (including code scanning platform)
A006Authentication dataAll user and employee passwords, certificates and other authentication data used to obtain access to applications and supporting infrastructure.ConfidentialAccess managementActive Directory, Azure Active Directory, Azure Key Vaults, CyberArk
A007Vendor contractsContracts with our vendors.ConfidentialSourcing, Third party managementThird party management system, Database cluster, Network shares, Backup storage, Email, Laptops, Sourcing team
A008Employee dataPersonally identifiable data of our employees or contractors.ConfidentialHR managementHR platform, Database cluster, Data center, Network shares, Backup storage, Email, Laptops, HR team, Payroll provider

Assess business value

For each potential crown jewel, assess its value for the business. The ISO 27005 standard outlines various asset valuation approaches, but ISF offers a more straightforward method in their “ISF Protecting the Crown Jewels – Implementation Guide” report.

ISF suggests analyzing the extent to which each asset supports your business in categories such as Financial, Operational, Legal and Regulatory Compliance, Reputational and Health and Safety. However, depending on the business model, you need to decide which categories are best for your organization. For example, I often used the Financial, Customer, Regulatory and Reputational categories.

For each of these, you can define a set of questions to assess the asset value in each category, such as:

  • Financial: To what extent does the asset support the business revenue?
  • Customer: To what extent does the asset support the customer journey?
  • Regulatory: To what extent does the asset support our regulatory compliance?
  • Reputational: To what extent does the asset support our brand identity?

After answering these questions, assign an asset value rating for each category using a preferred rating scale. For threat landscape assessment, consider using a simple qualitative scale (e.g., 1 – Very Low, 2 – Low, 3 – Medium, 4 – High, 5 – Very High). Quantitative approaches may be too time-consuming for this task.

IDTitleValue - FinancialValue - CustomerValue - RegulatoryValue - ReputationalAsset Value
A001Business Strategy5 - Very High4 - High2 - Low2 - Low5 - Very High

The highest rating usually dictates the overall asset value. However, some frameworks may propose a different approach. Record this rating in the Asset Value column of your Assets table. Granular ratings for each category are not necessary for cybersecurity strategy development.

Upon completing this activity, each information asset in your Assets table should have an asset value rating.

Assess business impact

Next, evaluate the business impact level for each potential crown jewel if a compromise occurs, focusing on confidentiality, integrity, and availability. You do not have to consider the threats causing the impact at this stage, as you will evaluate them later. Similarly, focus on the inherent risk impact, leaving out the mitigating controls for now.

Use a qualitative rating scale for the impact rating. Apply the same assessment categories as you did during the value assessment but shift your approach slightly. Instead of gauging the asset’s importance to your organization, examine the consequences of risk materialization.

Many organizations use a risk impact matrix that outlines the impact across predefined categories at various levels. Here is a partial example to illustrate the concept:

Impact RatingImpact - FinancialImpact - CustomerImpact - Reputational
015 - Very HighImpact on financial performance > 1m USDAdverse impact on more than 35 % of the clientsHigh likelihood of widespread and long-term adverse coverage in national and international media endangering the brand reputation
024 - HighImpact on financial performance between 1 m USD and 1m USDAdverse impact on 2% to 35 % of the clientsHigh likelihood of adverse coverage in national and international media
033 - MediumImpact on financial performance between 50k and 1 m USDAdverse impact on 5 % to 2% of the clientsHigh likelihood of single coverage in national media
042 - LowImpact on financial performance between 10k and 50k USDAdverse impact on less than 5 % of the clientsHigh likelihood of single coverage in the local media
051 - Very LowImpact on financial performance below 10k USDImpact below the low thresholdBelow the low threshold

Agree on an impact rating for each category with the selected scale, ideally assessing this rating for three information attributes: Confidentiality, Integrity, and Availability. Record these ratings in your Assets table under the Impact – Confidentiality, Impact – Integrity, and Impact – Availability columns. Then, enter the highest of the three assessments in the Impact – Overall column as the overall impact rating.

Your Assets table should now include an impact rating for each information asset, which you can use later in the process.

IDTitleImpact - ConfidentialityImpact - IntegrityImpact - AvailabilityAsset Impact
A001Business strategy4 - High4 - High2 - Low4 - High
A002Sales pipeline4 - High3 - Medium3 - Medium4 - High
A003New service documentation4 - High4 - High3 - Medium4 - High
A004Client data5 - Very High4 - High5 - Very High5 - Very High
A005Platform code5 - Very High4 - High3 - Medium5 - Very High
A006Authentication data5 - Very High5 - Very High5 - Very High5 - Very High
A007Vendor contracts4 - High4 - High3 - Medium4 - High
A008Employee data4 - High4 - High3 - Medium4 - High

Select crown jewels

To identify the crown jewels, you can use a simple matrix that considers asset value and impact rating, as shown in the following example:

Assets in the matrix’s top right section typically represent your crown jewels. They have a “5 – Very High” (VH) criticality rating in the example.

This activity should yield a list of your assets, highlighting the crown jewels and providing supporting information.

IDTitleAsset ValueAsset ImpactAsset Criticality
A001Business strategy5 - Very High4 - High5 - Very High
A002Sales pipeline4 - High4 - High5 - Very High
A003New service documentation4 - High4 - High5 - Very High
A004Client data4 - High5 - Very High5 - Very High
A005Platform code5 - Very High5 - Very High5 - Very High
A006Authentication data4 - High5 - Very High5 - Very High
A007Vendor contracts3 - Medium4 - High4 - High
A008Employee data3 - Medium4 - High4 - High

For a more in-depth exploration of identifying and securing organizational crown jewels, you might want to read the “Protecting the Crown Jewels – How to Secure Mission-Critical Information Assets” and “Protecting the Crown Jewels – Implementation Guide” reports, both published by the Information Security Forum.

Assess threat sources

Threat sources are anything that can cause harm to your information assets. Understanding potential threat sources to your organization is vital. Comprehensive listing, probability and strength assessment of these threats allow prioritizing risks. The approach for this is detailed in Part 3 of this article – “1D. Review threat landscape (3/5)“.

Assess threat events

A threat event is an event or situation initiated by a threat source, which may lead to undesirable consequences for your information assets. Understanding cybersecurity risks requires a detailed assessment of potential threat events, their sources, origin and affected assets. Steps for identifying these threat events is detailed in Part 4 of this article – “1D. Review threat landscape (4/5)“.

Estimate the inherent likelihood

The process of assessing inherent likelihood revolves around gauging how frequently a specific threat source could initiate a threat event against your organization, irrespective of risk mitigation measures. This process estimates the frequency of a threat source initiating an event based on the evaluation of likelihood, characteristics, historical data, and market reports. The approach is explained in Part 5 of this article – “1D. Review threat landscape (5/5)“.

Estimate the inherent impact

From the likelihood, we shift to “Inherent Impact” – the potential consequences of a successful threat event, without considering mitigation controls. The assessment involves analyzing potential effects on assets and identifying key ones at risk. The procedure is outlined in Part 5 of this article – “1D. Review threat landscape (5/5)“.

Calculate inherent risks

Upon understanding inherent impacts, we proceed to calculate inherent risks. These guide us toward the most significant cybersecurity areas, enabling a prioritized listing of threat events by combining likelihood and impact. The method for this calculation will be described in Part 5 of this article – “1D. Review threat landscape (5/5)“.

Summarize the threat landscape

Effectively summarizing the threat landscape involves outlining the top ten risks in comprehensible language for stakeholders. The approach for creating this summary will be detailed in Part 5 of this article – “1D. Review threat landscape (5/5)“.


Threat landscape summary
Summary of prioritized organizational threat landscape presenting key risks, their description, criticality rating and most important attributes.
Cybersecurity Strategy Management Framework

This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.