Cybersecurity Strategy Management Framework
This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.
Purpose
The constantly evolving threat landscape makes it impractical for organizations to invest equally in all cybersecurity areas. The purpose of reviewing the threat landscape is to pinpoint the most significant risks to the organization and prioritize protection measures accordingly.
Objectives
Inputs
Activities
Choose your approach
The first step in a threat landscape review is choosing a practical risk management approach. By adjusting traditional risk assessment methods, we can perform a broader evaluation that helps to prioritize security areas and guide strategic planning, as detailed in Part 1 of this article – “1D. Review threat landscape (1/5)”.
Prepare for assessment
When preparing for a threat landscape assessment, it is crucial to align the scope with your cybersecurity strategy and to identify the relevant internal and external threat sources. As Part 1 of this article outlines, adequate preparation is the foundation for a robust threat landscape review – “1D. Review threat landscape (1/5)”.
Identify crown jewels
The process of conducting a threat landscape review begins with the identification of your organizational crown jewels. These are assets whose compromise could have a significant impact on your business. The detailed procedure for identifying them is documented in Part 2 of this article – “1D. Review threat landscape (2/5)”.
Assess threat sources
Threat sources are anything that can cause harm to your information assets. Understanding the potential threat sources to your organization is vital. Listing these sources comprehensively and assessing their probability and strength allows you to prioritize risks. The approach for this is detailed in Part 3 of this article – “1D. Review threat landscape (3/5)”.
Assess threat events
A threat event refers to an event or situation initiated by a threat source, which may lead to undesirable consequences for your information assets. It is important to note that a single threat source can start multiple threat events, and similarly, a single threat event could be triggered by various threat sources.
After completing the steps described below, you should have a comprehensive list of threat events that could affect your information assets. This list will assist you in prioritizing your cybersecurity domains.
Create a table for threat events
To manage your threat events, create a table labeled Threat Events. This table should include the following columns to consolidate information about threat events, threat sources, and other attributes for calculating inherent risk ratings:
Identify potential threat events
Several standards provide catalogs of threat events:
NIST 800-30. Appendix E of NIST 800-30 provides examples of adversarial and non-adversarial threat events and their descriptions. The adversarial threats are presented following a kill-chain model and are arranged based on the threat source capability.
IRAM2. It includes adversarial, accidental, and environmental threats. The catalog incorporates the threat event type, name, and description. For adversarial and accidental threats, it provides initiation requirements concerning their origin and minimum threat strength.
ISO 27005. While Annex C of ISO 27005 provides examples of typical threats, it lacks the detailed analysis necessary for this article.
These sources can serve as a starting point in identifying potential threat events that could impact your organization. Furthermore, you may refer to the earlier reports described in the “Identify information sources” activity. The goal is to identify not only current threats but also emerging threats for which you may need to prepare mitigation strategies.
To identify threat events relevant to your organization, examine your information assets, supporting assets, and technology objectives. The supporting assets will help you identify current applicable threat events, while the technology objectives will highlight future threats, particularly if your organization plans to adopt new or emerging technologies.
Also, consider your business model, industry sector, and the political, economic, regulatory, social, technological, and other environmental factors that influence your organization. These aspects also shape the nature of potential threat events.
Since you conduct this assessment at a strategic level, you might find it helpful to group specific threats and operate in terms of threat categories or domains rather than focusing on detailed techniques.
For each identified threat event, record the information security attribute(s) the threat event can impact: confidentiality (C), integrity (I), or availability (A). Store this information in the Impacted column; you will use it later when assessing the business impact of the threat event on your information assets.
You might also find it beneficial to include the name of the information source that helped you identify a specific threat event. References to trusted information sources increase the credibility of your research.
By the end of this activity, you should possess a comprehensive list of threat events relevant to your organization, each with its category and origin.
ID | Threat Event | Threat Event Description | Impacted | Information Sources |
---|---|---|---|---|
TE001 | Phishing | External attackers can send emails pretending to be from a legitimate source to our employees to reveal their credentials or introduce malware into our systems to obtain initial access into our organization. | C | Verizon - 2023 Data Breach Investigations Report, ISF IRAM2, NIST SP 800-30, IBM - 2022 Cost of Data Breach |
TE002 | Ransomware | External attackers can deliver and install malware into our systems to steal our sensitive information or spread ransomware for financial gains. | A | Verizon - 2023 Data Breach Investigations Report, ISF IRAM2, NIST SP 800-30, IBM - 2022 Cost of Data Breach |
TE003 | Data leakage - accidental | Insiders can leak our confidential data by mistake, by losing data storage devices or by not following information handling guidelines. | C | Verizon - 2023 Data Breach Investigations Report, ISF IRAM2, ISACA Risk IT, NIST SP 800-30, IBM - 2022 Cost of Data Breach |
TE004 | Data leakage - theft | Insiders can steal our sensitive information for personal gain by exploiting vulnerabilities in our data protection capabilities, leading to financial losses and loss of competitive advantage. | C | ISACA Risk IT, NIST SP 800-30, IBM - 2022 Cost of Data Breach |
TE005 | Vulnerability exploitation | External attackers can exploit vulnerabilities in our applications or supporting systems to obtain unauthorized access to sensitive information. | C, I, A | Verizon - 2023 Data Breach Investigations Report, ISF IRAM2, NIST SP 800-30 |
TE006 | Insufficient vendor oversight | Inadequate selection or oversight over vendors can lead to sharing sensitive information with vendors that do not guarantee its adequate protection leading to potential data leakage incidents. | C, I, A | ISACA Risk IT, IBM - 2022 Cost of Data Breach |
TE007 | Denial of service | External attackers can attempt to make our Internet-facing resources unavailable to our clients leading to financial and reputational losses. | A | Verizon - 2023 Data Breach Investigations Report, ISF IRAM2, NIST SP 800-30 |
TE008 | Misconfiguration | Improperly configured services, systems or infrastructure can expose sensitive data to unauthorized users, degrade system performance or lead to its unavailability. | C, I, A | Verizon - 2023 Data Breach Investigations Report, ISF IRAM2, NIST SP 800-30, IBM - 2022 Cost of Data Breach |
TE009 | Power failure | Power failures or disruptions in the data center can lead to data loss or unavailability of applications supporting key business processes. | A | ISF IRAM2 |
TE010 | Ineffective security design | Inadequate planning or ineffective design during adoption of new technologies can lead to insecure implementations. | C, I, A | ISACA Risk IT |
TE011 | Regulatory non-compliance | Overlooking or misinterpreting new laws or regulations impacting cybersecurity may lead to non-compliance with them and result in fines and financial losses. | C, I, A | ISACA Risk IT |
TE012 | Fire | Fire in our facilities can impact health and safety of our employees, damage facilities and equipment and lead to disruption to critical processes. | A | ISF IRAM2, NIST SP 800-30 |
Map threat events to threat sources
The next step involves mapping threat events to the threat sources capable of triggering them, which you identified in step “4. Determine threat sources”. This critical process allows you to identify any threat sources within your environment with the potential to initiate specific threat events and to evaluate the likelihood of their occurrence.
However, this step poses a challenge, as numerous threat sources might trigger a single threat event. Similarly, a single threat source could potentially trigger several different threat events. Thus, a many-to-many relationship often exists between threat events and threat sources.
NIST advises mapping all threat sources to the threat events they could trigger, given that the threat probability and threat strength may vary for each pairing. Nevertheless, this approach might overly complicate the assessment, which is unnecessary for a strategic-level evaluation.
For this exercise, you could adopt a more straightforward method. For each threat event in your Threat Events table, identify a single, most relevant threat source in the Threat Sources table that meets the following criteria:
- Capable of initiating the selected threat event,
- Has the highest threat source criticality rating,
- The threat source origin aligns with the threat event origin. Some threat events, for example, can only be initiated by internal threat sources such as insiders with access to your internal network,
- The threat source intent aligns with the type of event initiated. For example, a threat source interested in espionage is more likely to initiate events leading to sensitive data theft than events aimed at creating business disruption,
- The threat source strength is adequate to initiate the selected threat event. For instance, an individual hacker might lack the capability to launch an APT attack against your organization. However, nation-state actors or hacking groups might be capable.
After identifying the relevant threat source, assign it to the Threat Source column in the Threat Events table. Based on this selection, populate the Threat Source Probability, Threat Source Strength, and Threat Source Criticality columns in the same table. The Threat Events table is where all critical risk calculation elements can be stored. This data relates to the threat and will be used to assess inherent likelihood.
If no threat source can initiate a threat event, the event may not be relevant to your organization and should be discarded.
If multiple threat sources have the same threat source criticality, select the most relevant source based on the nature of the threat event.
As a result of this activity, you should have a list of threat events, each with additional information about the most relevant threat sources capable of initiating them.
ID | Threat Event | Threat Source | Threat Source Category | Threat Source Origin | Threat Source Probability | Threat Source Strength |
---|---|---|---|---|---|---|
TE001 | Phishing | TS001 Hacking group | Adversarial | External | 4 - High | 5 - Very High |
TE002 | Ransomware | TS001 Hacking group | Adversarial | External | 4 - High | 5 - Very High |
TE003 | Data leakage - accidental | TS006 User | Adversarial | Internal | 4 - High | 2 - Low |
TE004 | Data leakage - theft | TS004 Privileged insider | Adversarial | Internal | 3 - Medium | 3 - Medium |
TE005 | Vulnerability exploitation | TS001 Hacking group | Adversarial | External | 4 - High | 5 - Very High |
TE006 | Insufficient vendor oversight | TS006 User | Adversarial | Internal | 4 - High | 2 - Low |
TE007 | Denial of service | TS001 Hacking group | Adversarial | External | 4 - High | 5 - Very High |
TE008 | Misconfiguration | TS010 Privileged user | Accidental | Internal | 2 - Low | 3 - Medium |
TE009 | Power failure | TS005 Power supply | Structural | Internal | 2 - Low | 4 - High |
TE010 | Ineffective security design | TS006 User | Accidental | Internal | 4 - High | 2 - Low |
TE011 | Regulatory non-compliance | TS006 User | Accidental | Internal | 4 - High | 2 - Low |
TE012 | Fire | TS012 Fire | Environmental | Internal / External | 1 - Very Low | 5 - Very High |
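The selection rule described above (a capable source, highest criticality, matching origin, matching intent, adequate strength) can be expressed as a small program. The following is an added example, not tooling from the framework or the article: the dataclasses, field names, intent labels and criticality values are constructed for illustration, and the tie-break order beyond criticality (strength, then probability, then id) is this example's own assumption where the text leaves the choice to judgement.

```python
"""Select the single most relevant threat source for each threat event.

Added example; dataclasses, field names and sample values are constructed
and are not part of the framework's own tooling. Criticality values are
assumed to come from a Threat Sources table that is not shown here.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ThreatSource:
    id: str
    name: str
    category: str         # Adversarial / Accidental / Structural / Environmental
    origins: frozenset    # {"Internal"}, {"External"} or both
    intents: frozenset    # adversarial motives; empty for non-adversarial sources
    probability: int      # 1 (Very Low) .. 5 (Very High)
    strength: int         # 1 .. 5
    criticality: int      # assumed input from the Threat Sources table


@dataclass(frozen=True)
class ThreatEvent:
    id: str
    name: str
    categories: frozenset  # source categories able to initiate the event
    origins: frozenset     # where an initiating source must sit
    intents: frozenset     # motives that fit the event; empty for non-adversarial events
    min_strength: int      # weakest source that could still initiate it


def can_initiate(src: ThreatSource, ev: ThreatEvent) -> bool:
    """Capability, origin, intent and strength criteria from the text."""
    if src.category not in ev.categories:
        return False
    if not (src.origins & ev.origins):
        return False
    if ev.intents and not (src.intents & ev.intents):
        return False
    return src.strength >= ev.min_strength


def select_threat_source(ev: ThreatEvent, sources) -> Optional[ThreatSource]:
    """Among capable sources take the highest criticality; None means the
    event has no capable source and should be discarded."""
    capable = [s for s in sources if can_initiate(s, ev)]
    if not capable:
        return None
    # Tie-break (assumption of this example): strength, then probability, then id.
    return max(capable, key=lambda s: (s.criticality, s.strength, s.probability, s.id))


RATING = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}


def rating(n: int) -> str:
    return f"{n} - {RATING[n]}"


def build_threat_events_table(events, sources):
    """Rows of the Threat Events table, populated from the selected source."""
    rows = []
    for ev in events:
        src = select_threat_source(ev, sources)
        if src is None:
            continue  # no capable source: not relevant to this organization
        rows.append({
            "ID": ev.id,
            "Threat Event": ev.name,
            "Threat Source": f"{src.id} {src.name}",
            "Threat Source Category": src.category,
            "Threat Source Origin": " / ".join(sorted(src.origins)),
            "Threat Source Probability": rating(src.probability),
            "Threat Source Strength": rating(src.strength),
            "Threat Source Criticality": src.criticality,
        })
    return rows


INT, EXT = frozenset({"Internal"}), frozenset({"External"})
ADV, ACC = frozenset({"Adversarial"}), frozenset({"Accidental"})

# Constructed sample Threat Sources table (ids follow the article's examples).
SOURCES = [
    ThreatSource("TS001", "Hacking group", "Adversarial", EXT,
                 frozenset({"financial gain", "espionage", "disruption"}), 4, 5, 20),
    ThreatSource("TS004", "Privileged insider", "Adversarial", INT,
                 frozenset({"financial gain", "espionage"}), 3, 3, 9),
    ThreatSource("TS005", "Power supply", "Structural", INT, frozenset(), 2, 4, 8),
    ThreatSource("TS006", "User", "Accidental", INT, frozenset(), 4, 2, 8),
    ThreatSource("TS010", "Privileged user", "Accidental", INT, frozenset(), 2, 3, 6),
    ThreatSource("TS012", "Fire", "Environmental", INT | EXT, frozenset(), 1, 5, 5),
]

# Constructed sample threat events; TE099 is hypothetical and has no capable source.
EVENTS = [
    ThreatEvent("TE001", "Phishing", ADV, EXT, frozenset({"financial gain", "espionage"}), 2),
    ThreatEvent("TE003", "Data leakage - accidental", ACC, INT, frozenset(), 1),
    ThreatEvent("TE004", "Data leakage - theft", ADV, INT, frozenset({"financial gain", "espionage"}), 2),
    ThreatEvent("TE008", "Misconfiguration", ACC, INT, frozenset(), 3),
    ThreatEvent("TE009", "Power failure", frozenset({"Structural"}), INT, frozenset(), 1),
    ThreatEvent("TE012", "Fire", frozenset({"Environmental"}), INT | EXT, frozenset(), 1),
    ThreatEvent("TE099", "Hypothetical high-skill insider attack", ADV, INT, frozenset({"financial gain"}), 4),
]

if __name__ == "__main__":
    for row in build_threat_events_table(EVENTS, SOURCES):
        print(row)
```

Note how the strength criterion separates TE003 from TE008 in the sample data: both are accidental internal events, but a misconfiguration requires privileged access, so the ordinary user (strength 2) is ruled out and the privileged user is selected even though its criticality is lower. TE099 ends up with no capable source and is left out of the table, which is the "discard the event" outcome described above.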
Map threat events to impacted assets
Mapping threat events to impacted assets is crucial in evaluating threat event impact. To establish this mapping, follow the steps below:
Create a Threats-Assets table. Set up a table to store your mapping data. Include these columns:
Select threat event. Choose a relevant threat event from the Threat Event column in the Threat Events table. Based on this selection, the Threat Source, Threat Strength and Origin columns should be populated.
Map impacted assets. Take into account the threat source and determine which crown jewels you identified in step “3. Identify crown jewels” would be of interest to them. Evaluate the nature of the threat event and assess which types of supporting and, consequently, primary assets it can impact. For instance, web application attacks will affect web applications and hence all information assets reliant on web applications. Likewise, ransomware spreading across your network can impact most of your servers and the information assets they support. Using separate rows in your table, map each primary asset the selected threat can impact. Upon selecting an asset, populate the following columns: Supporting Assets, Impact – C, Impact – I, Impact – A. You can automate the process of filling in these columns using formulas available in your worksheet software.
Establish the overall impact. The business impact level of a threat event on a specific asset will depend on the affected information security attribute. Different attributes may sustain varying levels of impact. Review your Impacted column to identify which components could be affected, then select the highest rating from the relevant values in the Impact – C, Impact – I and Impact – A columns. As before, you can also automate this calculation using available formulas.
Repeat the three steps above for each identified threat event.
This mapping will later assist in assessing inherent impact.
Threat Event | Threat Source | Threat Source Strength | Asset | Supporting Assets | Impacted | Impact - C | Impact - I | Impact - A | Impact - Overall |
---|---|---|---|---|---|---|---|---|---|
TE001 Phishing | TS001 Hacking group | 5 - Very High | A006 Authentication data | Active Directory, Azure Active Directory, Azure Key Vaults, CyberArk | C, I, A | 5 - Very High | 5 - Very High | 5 - Very High | 5 - Very High |
TE002 Ransomware | TS001 Hacking group | 5 - Very High | A001 Business strategy | Network shares, Laptops, Storage backups, Data center | A | 4 - High | 4 - High | 2 - Low | 2 - Low |
TE002 Ransomware | TS001 Hacking group | 5 - Very High | A002 Sales pipeline | Salesforce (SaaS), Cloud provider, Laptops, Network shares, Storage backups | A | 4 - High | 3 - Medium | 3 - Medium | 3 - Medium |
TE002 Ransomware | TS001 Hacking group | 5 - Very High | A003 New service documentation | Network shares, Laptops, Storage backups, Data center | A | 4 - High | 4 - High | 3 - Medium | 3 - Medium |
TE002 Ransomware | TS001 Hacking group | 5 - Very High | A004 Client data | Client portal (web), Mobile applications (Android, iOS), API, 60 web servers in AKS cluster, Database as a Service (DBaaS), Cloud service provider, Sales team, Customer service team | A | 5 - Very High | 4 - High | 5 - Very High | 5 - Very High |
TE002 Ransomware | TS001 Hacking group | 5 - Very High | A005 Platform code | Web servers (production, test, development), GitHub, CI/CD tools (including code scanning platform) | A | 5 - Very High | 4 - High | 3 - Medium | 3 - Medium |
TE004 Data leakage - theft | TS004 Privileged insider | 3 - Medium | A001 Business strategy | Network shares, Laptops, Storage backups, Data center | C | 4 - High | 4 - High | 2 - Low | 4 - High |
TE004 Data leakage - theft | TS004 Privileged insider | 3 - Medium | A002 Sales pipeline | Salesforce (SaaS), Cloud provider, Laptops, Network shares, Storage backups | C | 4 - High | 3 - Medium | 3 - Medium | 4 - High |
TE004 Data leakage - theft | TS004 Privileged insider | 3 - Medium | A003 New service documentation | Network shares, Laptops, Storage backups, Data center | C | 4 - High | 4 - High | 3 - Medium | 4 - High |
TE004 Data leakage - theft | TS004 Privileged insider | 3 - Medium | A004 Client data | Client portal (web), Mobile applications (Android, iOS), API, 60 web servers in AKS cluster, Database as a Service (DBaaS), Cloud service provider, Sales team, Customer service team | C | 5 - Very High | 4 - High | 5 - Very High | 5 - Very High |
TE004 Data leakage - theft | TS004 Privileged insider | 3 - Medium | A005 Platform code | Web servers (production, test, development), GitHub, CI/CD tools (including code scanning platform) | C | 5 - Very High | 4 - High | 3 - Medium | 5 - Very High |
TE004 Data leakage - theft | TS004 Privileged insider | 3 - Medium | A006 Authentication data | Active Directory, Azure Active Directory, Azure Key Vaults, CyberArk | C | 5 - Very High | 5 - Very High | 5 - Very High | 5 - Very High |
TE007 Denial of service | TS001 Hacking group | 5 - Very High | A002 Sales pipeline | Salesforce (SaaS), Cloud provider, Laptops, Network shares, Storage backups | A | 4 - High | 3 - Medium | 3 - Medium | 3 - Medium |
TE007 Denial of service | TS001 Hacking group | 5 - Very High | A004 Client data | Client portal (web), Mobile applications (Android, iOS), API, 60 web servers in AKS cluster, Database as a Service (DBaaS), Cloud service provider, Sales team, Customer service team | A | 5 - Very High | 4 - High | 5 - Very High | 5 - Very High |
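The "Map impacted assets" and "Establish the overall impact" steps above are the kind of work the text suggests automating with worksheet formulas. The following is an added example, not code from the article or the framework, that does the same in Python: it expands one threat event into a Threats-Assets row for every primary asset whose supporting assets the event can reach, and derives Impact - Overall as the highest of the Impact - C/I/A ratings for the attributes listed in the Impacted column. Asset ids, supporting assets and impact ratings are copied from the sample table above; which supporting assets a given event reaches is a constructed assumption.

```python
"""Expand a threat event into Threats-Assets rows and derive the overall impact.

Added example, not the framework's own tooling. Asset ids, supporting assets
and C/I/A ratings follow the article's sample table; the set of supporting
assets each event can reach is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Optional

RATING = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}


def parse_rating(text: str) -> int:
    """'4 - High' -> 4, checking that the label matches the scale."""
    num, _, label = text.partition(" - ")
    value = int(num)
    if RATING.get(value) != label:
        raise ValueError(f"unknown rating: {text!r}")
    return value


def format_rating(value: int) -> str:
    return f"{value} - {RATING[value]}"


def overall_impact(impacted: str, impact_c: str, impact_i: str, impact_a: str) -> str:
    """Highest rating among the attributes named in the Impacted column."""
    by_attr = {"C": impact_c, "I": impact_i, "A": impact_a}
    attrs = [a.strip() for a in impacted.split(",") if a.strip()]
    if not attrs or any(a not in by_attr for a in attrs):
        raise ValueError(f"Impacted must list C, I and/or A, got {impacted!r}")
    return format_rating(max(parse_rating(by_attr[a]) for a in attrs))


@dataclass(frozen=True)
class Asset:
    id: str
    name: str
    supporting: frozenset   # supporting assets the primary asset relies on
    impact_c: str
    impact_i: str
    impact_a: str


@dataclass(frozen=True)
class ThreatEvent:
    id: str
    name: str
    source: str             # "TSxxx name" from the Threat Events table
    source_strength: str
    impacted: str           # attribute(s) the event can affect, e.g. "C, I, A"
    reaches: Optional[frozenset]  # supporting assets it can hit; None = all of them


def threats_assets_rows(ev: ThreatEvent, assets):
    """One Threats-Assets row per primary asset the event can reach."""
    rows = []
    for asset in assets:
        if ev.reaches is not None and not (ev.reaches & asset.supporting):
            continue  # event cannot reach anything this asset depends on
        rows.append({
            "Threat Event": f"{ev.id} {ev.name}",
            "Threat Source": ev.source,
            "Threat Source Strength": ev.source_strength,
            "Asset": f"{asset.id} {asset.name}",
            "Supporting Assets": ", ".join(sorted(asset.supporting)),
            "Impacted": ev.impacted,
            "Impact - C": asset.impact_c,
            "Impact - I": asset.impact_i,
            "Impact - A": asset.impact_a,
            "Impact - Overall": overall_impact(ev.impacted, asset.impact_c, asset.impact_i, asset.impact_a),
        })
    return rows


# Primary assets with ratings as given in the article's sample table.
ASSETS = [
    Asset("A001", "Business strategy", frozenset({"Network shares", "Laptops", "Storage backups", "Data center"}),
          "4 - High", "4 - High", "2 - Low"),
    Asset("A002", "Sales pipeline", frozenset({"Salesforce (SaaS)", "Cloud provider", "Laptops", "Network shares", "Storage backups"}),
          "4 - High", "3 - Medium", "3 - Medium"),
    Asset("A004", "Client data", frozenset({"Client portal (web)", "API", "60 web servers in AKS cluster", "Database as a Service (DBaaS)"}),
          "5 - Very High", "4 - High", "5 - Very High"),
    Asset("A006", "Authentication data", frozenset({"Active Directory", "Azure Active Directory", "Azure Key Vaults", "CyberArk"}),
          "5 - Very High", "5 - Very High", "5 - Very High"),
]

# Constructed assumption: ransomware reaches file shares, endpoints, backups and the
# web servers; a privileged insider is assumed able to reach every supporting asset.
RANSOMWARE = ThreatEvent("TE002", "Ransomware", "TS001 Hacking group", "5 - Very High", "A",
                         frozenset({"Network shares", "Laptops", "Storage backups", "60 web servers in AKS cluster"}))
INSIDER_THEFT = ThreatEvent("TE004", "Data leakage - theft", "TS004 Privileged insider", "3 - Medium", "C", None)

if __name__ == "__main__":
    for ev in (RANSOMWARE, INSIDER_THEFT):
        for row in threats_assets_rows(ev, ASSETS):
            print(row["Threat Event"], "|", row["Asset"], "|", row["Impact - Overall"])
```

Running it reproduces the Impact - Overall values in the table above for the ransomware and insider-theft rows: the same asset (A001 Business strategy) scores 2 - Low against ransomware, which only affects availability, and 4 - High against insider theft, which affects confidentiality. The validation in `parse_rating` and `overall_impact` rejects mistyped ratings or attribute letters, which is the error a free-text spreadsheet column would otherwise silently carry into the inherent impact assessment.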
Estimate the inherent likelihood
The process of assessing inherent likelihood revolves around gauging how frequently a specific threat source could initiate a threat event against your organization, irrespective of risk mitigation measures. The estimate draws on the threat source's characteristics, historical data, and market reports. The approach is explained in Part 5 of this article – “1D. Review threat landscape (5/5)”.
Estimate the inherent impact
From the likelihood, we shift to “Inherent Impact” – the potential consequences of a successful threat event, without considering mitigation controls. The assessment involves analyzing potential effects on assets and identifying key ones at risk. The procedure is outlined in Part 5 of this article – “1D. Review threat landscape (5/5)”.
Calculate inherent risks
Upon understanding inherent impacts, we proceed to calculate inherent risks. These guide us toward the most significant cybersecurity areas, enabling a prioritized listing of threat events by combining likelihood and impact. The method for this calculation will be described in Part 5 of this article – “1D. Review threat landscape (5/5)”.
Summarize the threat landscape
Effectively summarizing the threat landscape involves outlining the top ten risks in comprehensible language for stakeholders. The approach for creating this summary will be detailed in Part 5 of this article – “1D. Review threat landscape (5/5)”.
Outputs
References
Use the following links to deepen your knowledge about this topic.
- Freund, J., & Jones, J. (2015). Measuring and Managing Information Risk: A FAIR Approach. [Elsevier]
- Landoll, D. (2021). The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments. [CRC Press]
- Talabis, M. R., & Martin, J. (2021). Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis. [Elsevier]
- Wheeler, E. (2011). Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. [Elsevier]
- Cyber Leadership Institute (2019). CISO Playbook: Protecting the Crown Jewels
- Information Security Forum (2017). IRAM2: The Next Generation of Assessing Information Risk
- Information Security Forum (2016). Protecting the Crown Jewels: How to Secure Mission-Critical Information Assets
- Information Security Forum (2016). Protecting the Crown Jewels: Implementation Guide
- ISO (2011). ISO/IEC 27005: Information Technology – Security Techniques – Information Security Risk Management
- NIST (2012). NIST SP 800-30 Rev. 1 – Guide for Conducting Risk Assessments
- NIST (2011). NIST SP 800-39 – Managing Information Security Risk: Organization, Mission, and Information System View