Cybersecurity Strategy Management Framework
This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.
Purpose
The constantly evolving threat landscape makes it impractical for organizations to invest equally in all cybersecurity areas. The purpose of reviewing the threat landscape is to pinpoint the most significant risks to the organization and prioritize protection measures accordingly.
Objectives
Inputs
Activities
Choose your approach
The first step in a threat landscape review is choosing a practical risk management approach. By adjusting traditional risk assessment methods, we can perform a broader evaluation, helping to prioritize security areas and guide strategic planning, as detailed in part 1 of this article – “1D. Review threat landscape (1/5)“.
Prepare for assessment
In preparing for a threat landscape assessment, aligning the scope with your cybersecurity strategy and identifying relevant internal and external threat sources is crucial. As part 1 of this article outlines, adequate preparation is the foundation for a robust threat landscape review – “1D. Review threat landscape (1/5)“.
Identify crown jewels
The process of conducting a threat landscape review begins with the identification of your organizational crown jewels. These are assets whose compromise could have a significant impact on your business. The detailed procedure for identifying them is documented in part 2 of this article – “1D. Review threat landscape (2/5)“.
Assess threat sources
Threat sources are anything that can cause harm to your information assets. To effectively manage risk, it is crucial to identify and understand the characteristics of threat sources relevant to your organization.
This understanding will later help you identify the potential threat events that these threat sources can initiate, assess their likelihood of initiation and gauge their inherent impact.
As an outcome of this activity, you should produce a list of threat sources relevant to your organization with ratings of two key parameters – threat source probability and threat source strength, which we will explain later in this article.
Create a table for threat sources
To organize information about threat sources, construct a table with the following columns:
Identify threat sources
To identify threat sources, you can leverage resources available within your organization or use taxonomies provided in the following standards:
NIST SP 800-30. Appendix D to NIST SP 800-30 offers a threat source taxonomy, including adversarial, accidental, structural and environmental categories, their description and attributes that you can assess.
IRAM2. Appendix C to IRAM2 includes a common threat list grouped by adversarial, accidental and environmental categories. It covers the threat source and its origin, which can be internal or external.
ISO 27005. Annex C to ISO 27005 presents examples of typical threats. However, this list is limited and mixes threat sources with threat events.
Market reports. Market reports collected during the “Identify information sources” activity should supply you with the latest insights into existing and emerging threat sources.
NIST, ISF and ISO categorize the threat sources based on their intent. While the naming conventions or the number of categories may vary slightly, they serve as a foundation for defining threat source characteristics:
Adversarial. Individuals, groups, organizations, or states with deliberate intentions to exploit or damage your information resources.
Accidental. Sources responsible for erroneous or unintentional actions that may negatively impact information assets.
Environmental. Natural disasters, man-made hazards, and failures of critical infrastructure, all of which are beyond your organization’s control.
Structural. Failures in equipment, software, or environmental control that could affect supporting applications for information assets.
By reviewing available resources, you can construct an initial list of threat sources, including threat source category, title, and origin.
Then, you can assess their relevance to your organization, considering your business model, your industry, and the political, economic, regulatory, social, technological and other factors that affect your organization.
ID | Title | Category | Origin |
---|---|---|---|
TS001 | Hacking group | Adversarial | External |
TS002 | Individual hacker | Adversarial | External |
TS003 | Nation-state | Adversarial | External |
TS004 | Privileged insider | Adversarial | Internal |
TS005 | Power supply | Structural | Internal |
TS006 | User | Accidental | Internal |
TS007 | Insider | Adversarial | Internal |
TS008 | Competitor | Adversarial | External |
TS009 | Supplier | Adversarial | External |
TS010 | Privileged user | Accidental | Internal |
TS011 | Environmental controls | Structural | Internal |
TS012 | Fire | Environmental | Internal / External |
TS013 | Flooding | Environmental | External |
TS014 | Hurricane | Environmental | External |
TS015 | Supplier | Accidental | External |
Assess threat source probability
Threat source probability is the likelihood that a particular threat will act against your assets by initiating one or more threat events. Various risk management frameworks employ this parameter (e.g., Threat Event Frequency in FAIR, Likelihood of Initiation in IRAM2, and Likelihood of an Attack Initiation in NIST).
To assess threat source probability, evaluate the characteristics summarized below.
The table lists the most commonly used attributes, their descriptions, the threat categories they apply to, and the frameworks that use them, where you can find more details:
# | Title | Description | Threat Category | Frameworks |
---|---|---|---|---|
01 | History | History of the threat source initiating threat events against your organization, or against your industry peers if they have similar business models and operate with similar information assets. | Adversarial, Accidental, Structural, Environmental | IRAM2 (History) |
02 | Motivation | The level of the threat source's motivation to conduct the attack. This is usually driven by the objective of the threat source (intent), the attractiveness of your organization for achieving that objective, and the perceived strength of your control environment, which translates into the effort the attacker needs to invest. | Adversarial | IRAM2 (Motivation), NIST (Intent), CompTIA Security+ (Intent / Motivation) |
03 | Targeting | The extent to which the threat source specifically targets your industry, your organization, or specific functions or people in your organization. | Adversarial | NIST (Targeting) |
04 | Competence | The level of skills and experience of the threat actor in relation to their job role and to working with your information systems. The less skilled and competent the threat actor, the greater the likelihood of human mistakes. | Accidental | IRAM2 (Competence) |
05 | Culture | The extent to which threat actors are risk aware, act responsibly during their activities and comply with security policies and procedures. The less they care about cyber risk and the more often they bypass security controls, the higher the rating. | Accidental | IRAM2 (Culture) |
06 | Predisposition | The extent to which your environment is susceptible to a specific threat, without taking implemented controls into consideration. Some geographical locations are more prone to hurricanes; power interruptions happen more often in a data center with outdated infrastructure. | Structural, Environmental | IRAM2 (Predisposition) |
IRAM2 proposes a complete approach to evaluate the combination of selected attributes and a set of Threat Profiling Reference Tables that define each attribute, a question you need to ask to assess the attribute level and comprehensive additional guidelines. NIST provides qualitative ratings related to their attributes as well.
If you need a simple approach, estimate the level of each attribute. Generally, the higher level each attribute has, the higher the threat source probability. For an adversarial threat source, the more events it initiated in the past (History) and the higher Motivation, the higher the threat source probability will be.
It is important to note that if you have data and are considering the history of events, your rating scale should correspond to a number or range of events within a defined period.
In addition to this, for adversarial threat sources, you have the option to assess and list their intents. It allows for predicting the types of potential threat events they might initiate. A nation-state actor, for example, might pursue objectives like political or economic gains, different from a cybercriminal group that primarily aims for financial profit. Their possible intents could range from financial gains, espionage, disruption, reputation damage, competitive advantage, political influence, cyber warfare, ideological or religious beliefs, personal vendetta, and exploration to simple curiosity. However, motivations can be tricky to determine and might only become apparent following a thorough investigation.
After considering the above attributes, assign a qualitative rating to each threat. This rating describes the threat source probability, for example, 1 – Very Low, 2 – Low, 3 – Medium, 4 – High, and 5 – Very High.
Assess threat source strength
IRAM2 defines Threat Strength as “how effectively a particular threat can initiate and/or execute threat events” against your environment. This parameter helps to prioritize threat sources, assess the likelihood of a successful threat event and derive a residual business impact rating. FAIR has a similar concept called Threat Capability, defined as “the capability of a threat agent.”
In this article, I use the name threat source strength, as this parameter relates to the threat source. To keep things simple, I also use it to prioritize threat sources when conducting a strategic threat landscape assessment.
To evaluate threat source strength, consider the characteristics outlined below. The table includes frequently used attributes, their descriptions, applicability based on threat category, and references to frameworks that employ these attributes for further details:
# | Title | Description | Threat Category | Frameworks |
---|---|---|---|---|
01 | Capability | The level of skills and experience in conducting cyber attacks, and the resources available to the threat actor. Resources can include people, technology, facilities and funding. | Adversarial | IRAM2 (Capability), NIST (Capability), CompTIA Security+ (Sophistication), FAIR (Skills), FAIR (Resources) |
02 | Commitment | The level of effort, including time and resources, that the threat actor is prepared to spend to conduct a successful attack and achieve its objectives. Threat sources with high commitment are able to initiate and conduct APT attacks, including extensive reconnaissance, identification of zero-day vulnerabilities or development of customized malware. Threat sources with a low level of commitment will use general hacking tools and invest much less time and fewer resources. | Adversarial | IRAM2 (Commitment), NIST (Capability), CompTIA Security+ (Resources / Funding), FAIR (Resources) |
03 | Access | The level of authorized access of the threat source. An employee with privileged access to systems or with physical access to sensitive areas can do more harm than a standard system user or a person with general access to the premises. | Adversarial, Accidental | IRAM2 (Privilege), CompTIA Security+ (Access) |
04 | Severity | The level of strength of the assessed threat, e.g. hurricane grade or scope of flooding. It can usually be assessed from historical data about similar events. | Structural, Environmental | IRAM2 (Severity), NIST (Range of Effects) |
Similar to the assessment of threat source probability, after considering the factors specified above, assign a qualitative rating to each of your threat sources to describe their threat source strength. For example, 1 – Very Low, 2 – Low, 3 – Medium, 4 – High, 5 – Very High.
Assess threat source criticality
Once you have determined your ratings related to threat source probability and threat source strength, you can evaluate threat source criticality to identify which threats to prioritize for further analysis. When assessing the threat landscape at a strategic level, considering all threat sources may not be feasible, as this could be too time-consuming and not necessarily valuable.
One approach recommended by IRAM2 is to sort the threat sources first by their likelihood of initiation and then by their strength. The next step would be to sequentially number the list, establishing the threat source priority for further analysis.
However, if you are concerned about overlooking threat sources that seldom initiate attacks against your organization but possess greater strength, you can adopt an alternative approach.
You can multiply threat source probability and threat source strength numeric values to calculate the threat source criticality. Use this value to rank your threat sources in descending order. The higher the threat source criticality, the higher the priority it should have in your analysis.
As shown in the following example, you can also represent it by a simple matrix that considers both ratings. The most critical threats are in the top right section of the matrix.
As a result of this activity, you should end up with a list of your threat sources ordered by threat source criticality, starting with those with the highest values.
ID | Title | Intent | TS Probability | TS Strength | TS Criticality |
---|---|---|---|---|---|
TS001 | Hacking group | Financial gains, Disruption | 4 - High | 5 - Very High | 20 |
TS002 | Individual hacker | Financial gains, Disruption, Personal vendetta, Exploration | 5 - Very High | 3 - Medium | 15 |
TS003 | Nation-state | Financial gains, Espionage, Political influence, Cyber warfare | 2 - Low | 5 - Very High | 10 |
TS004 | Privileged insider | Financial gains, Personal vendetta, Exploration | 3 - Medium | 3 - Medium | 9 |
TS005 | Power supply | | 2 - Low | 4 - High | 8 |
TS006 | User | | 4 - High | 2 - Low | 8 |
TS007 | Insider | Financial gains, Personal vendetta, Exploration | 3 - Medium | 2 - Low | 6 |
TS008 | Competitor | Competitive advantage, Reputation damage | 2 - Low | 3 - Medium | 6 |
TS009 | Supplier | Financial gains | 2 - Low | 3 - Medium | 6 |
TS010 | Privileged user | | 2 - Low | 3 - Medium | 6 |
TS011 | Environmental controls | | 2 - Low | 3 - Medium | 6 |
TS012 | Fire | | 1 - Very Low | 5 - Very High | 5 |
TS013 | Flooding | | 1 - Very Low | 5 - Very High | 5 |
TS014 | Hurricane | | 1 - Very Low | 5 - Very High | 5 |
TS015 | Supplier | | 2 - Low | 2 - Low | 4 |
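The criticality ranking and matrix described above, as an added worked example that is not code from the article or from the framework it belongs to. It uses a constructed subset of the ratings from the table, computes criticality as probability times strength, and also reproduces the IRAM2-style ordering exactly as the article describes it (sort by likelihood of initiation, then by strength), so the different treatment of a low-probability, high-strength source such as Fire becomes visible.

```python
from dataclasses import dataclass

@dataclass
class ThreatSource:
    ts_id: str
    title: str
    probability: int  # threat source probability, 1 (Very Low) .. 5 (Very High)
    strength: int     # threat source strength, 1 (Very Low) .. 5 (Very High)

    def criticality(self) -> int:
        """Article's alternative approach: criticality = probability x strength."""
        if not (1 <= self.probability <= 5 and 1 <= self.strength <= 5):
            raise ValueError(f"{self.ts_id}: ratings must be between 1 and 5")
        return self.probability * self.strength

# Constructed sample register: a subset of the ratings from the article's table.
SOURCES = [
    ThreatSource("TS001", "Hacking group", 4, 5),
    ThreatSource("TS002", "Individual hacker", 5, 3),
    ThreatSource("TS003", "Nation-state", 2, 5),
    ThreatSource("TS004", "Privileged insider", 3, 3),
    ThreatSource("TS005", "Power supply", 2, 4),
    ThreatSource("TS006", "User", 4, 2),
    ThreatSource("TS012", "Fire", 1, 5),
    ThreatSource("TS015", "Supplier", 2, 2),
]

def rank_by_criticality(sources):
    """Descending by probability x strength; ties broken by strength, then by ID."""
    return sorted(sources, key=lambda s: (-s.criticality(), -s.strength, s.ts_id))

def rank_iram2_style(sources):
    """IRAM2 ordering: by likelihood of initiation first, then by strength."""
    return sorted(sources, key=lambda s: (-s.probability, -s.strength, s.ts_id))

def criticality_matrix(sources):
    """Map (probability, strength) -> IDs of the sources rated with that pair."""
    matrix = {(p, s): [] for p in range(1, 6) for s in range(1, 6)}
    for src in sources:
        matrix[(src.probability, src.strength)].append(src.ts_id)
    return matrix

def render_matrix(sources) -> str:
    """Strength as rows (5 on top), probability as columns (1..5), so the most
    critical sources land in the top-right corner, as the article describes."""
    m = criticality_matrix(sources)
    rows = []
    for s in range(5, 0, -1):
        cells = [",".join(m[(p, s)]) or "-" for p in range(1, 6)]
        rows.append(f"S={s} | " + " | ".join(f"{c:>11}" for c in cells))
    rows.append("    | " + " | ".join(f"{'P=' + str(p):>11}" for p in range(1, 6)))
    return "\n".join(rows)
```

Under the product approach Fire (1 x 5 = 5) ranks above the accidental Supplier (2 x 2 = 4), whereas the probability-first ordering places Fire last; `print(render_matrix(SOURCES))` shows the same ratings as the matrix.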
Assess threat events
A threat event is an event or situation initiated by a threat source, which may lead to undesirable consequences for your information assets. Understanding cybersecurity risks requires a detailed assessment of potential threat events, their sources, origin and affected assets. The steps for identifying these threat events are detailed in Part 4 of this article – “1D. Review threat landscape (4/5)“.
Estimate the inherent likelihood
The process of assessing inherent likelihood revolves around gauging how frequently a specific threat source could initiate a threat event against your organization, irrespective of risk mitigation measures. This process estimates the frequency of a threat source initiating an event based on the evaluation of likelihood, characteristics, historical data, and market reports. The approach is explained in Part 5 of this article – “1D. Review threat landscape (5/5)“.
Estimate the inherent impact
From the likelihood, we shift to “Inherent Impact” – the potential consequences of a successful threat event, without considering mitigation controls. The assessment involves analyzing potential effects on assets and identifying key ones at risk. The procedure is outlined in Part 5 of this article – “1D. Review threat landscape (5/5)“.
Calculate inherent risks
Upon understanding inherent impacts, we proceed to calculate inherent risks. These guide us toward the most significant cybersecurity areas, enabling a prioritized listing of threat events by combining likelihood and impact. The method for this calculation will be described in Part 5 of this article – “1D. Review threat landscape (5/5)“.
Summarize the threat landscape
Effectively summarizing the threat landscape involves outlining the top ten risks in comprehensible language for stakeholders. The approach for creating this summary will be detailed in Part 5 of this article – “1D. Review threat landscape (5/5)“.
Outputs
References
Use the following links to deepen your knowledge about this topic.
- Freund, J., & Jones, J. (2015). Measuring and Managing Information Risk: A FAIR Approach. [Elsevier]
- Landoll, D. (2021). The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments. [CRC Press]
- Talabis, M. R., & Martin, J. (2021). Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis. [Elsevier]
- Wheeler, E. (2011). Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. [Elsevier]
- Cyber Leadership Institute (2019). CISO Playbook: Protecting the Crown Jewels
- Information Security Forum (2017). IRAM2: The Next Generation of Assessing Information Risk
- Information Security Forum (2016). Protecting the Crown Jewels: How to Secure Mission-Critical Information Assets
- Information Security Forum (2016). Protecting the Crown Jewels: Implementation Guide
- ISO (2011). ISO/IEC 27005: Information Technology – Security Techniques – Information Security Risk Management
- NIST (2012). NIST SP 800-30 Rev. 1 – Guide for Conducting Risk Assessments
- NIST (2011). NIST SP 800-39 – Managing Information Security Risk: Organization, Mission, and Information System View