Business and Threat Assessments

To support a cyber security strategy it is necessary to conduct a business assessment and evaluation of the organisation’s current state. The breadth and depth of this assessment will again be in proportion to the proposed scope and vision of the strategy. The criteria for an assessment should again reflect the scope but in general the assessment should aim to cover:

  • Geography and locations
  • Business services and operations
  • Organisational structure
  • Legal or regulatory requirements per geography
  • Current business strategies per geography
  • Current risk and threats
  • Current security capabilities
  • Current architecture
  • Current service management and supplier management

The list above is not exhaustive and there may be other specific areas that are beneficial to the strategy but the list above should cover enough to gain a good understanding of the current or AsIs position. The assessment is basically the beginning of the necessary gap analysis required to qualify the strategy, transformation and determine its success. There are a number of different ways to conduct a business assessment and enable the gaps to be identified. These include diagrammatic means such as building block diagrams and use case models or through spreadsheet matrices.

Once the business assessment has been completed and sufficient information has been gathered to form a good understanding of the organisation and its scope of operations, an assessment of the likely threat to these finding can begin. Your security operations should have a security incident classification within the organisation incident management domain which can be used to define threats. This classification or taxonomy of threat types should be used to help produce an initial threat assessment based upon a breakdown of what a threat means and how it manifests. There are a number of useful threat classification model available including those from:

The type of information that is also required if it can be obtained is the following:

  • Security incident reports
  • Assets targeted
  • Geography
  • Impact on business/services
  • Root cause conclusions
  • Repeated incident types
  • Organisation vulnerabilities

A Threat Assessment is built up with the following activities and output:

  1. Define threat types facing organisation and order by severity
  2. Define threat profile for each threat type – including threat actor, motive, FOI or target asset
  3. Define threat scenarios to challenge the organisation and its vulnerabilities

Once you have completed the business and threat assessment and the have an understanding of the current state and operations within the organisation, its vulnerabilities and threats you can conduct a risk assessment. Your risk assessment should follow your organisation risk method or select FAIR or OCTAVE as a means to determine the risk “appetite” or tolerance towards the threat. This tolerance and assessment will influence further assessment types, gap analysis and areas for transformation.

Cyber Security Strategy Business Threat Assessment
Cyber Security Strategy Business & Threat Assessment

Drivers, Goals, Objectives, Constraints and Concerns

All strategies should start with a vision set out either by a necessity or visionary inspiration. Whether the trigger behind the vision is based upon a new senior role, restructuring, repositioning or survival the vision needs to be qualified through the drivers, goals, objectives and any opposing aspects such as issues, constraints or concerns. A vision needs balance and cross examination before it moves to any further formality. A cyber security strategy is no different however it has one further aspect to challenge it and that is the threat which is faced. That threat needs to be broken down into its many parts and actors to fully understand the magnitude, diversity and expertise behind it. A threat assessment needs to cover enough to meet the size and scale of the vision and is also there to make sure that the drivers and goals set out the right means to mitigate and manage the threat in the future, as that will generally unknown until some event or evidence appears to define it.

To compliment the threat assessment it is also necessary to conduct more general business assessments of capability, architecture and operations to build an up to date view of what, where and how the organisation is functioning. The larger the organisation the bigger the assessment view will be and the level of detail is questionable as that will depend upon resources and budget available. The business assessment should be in proportion to the size and scale of the strategy and vision. There are also a number of general standards and practices in an organisation that either have produced or must produce assessments to meet legal or regulatory requirements and these should be a starting point.


Cyber Security Strategy Drivers, Goals & Objectives
Cyber Security Strategy Stage 1 – Drivers, Goals & Objectives…

Applying evidence of risk to support architectural design and change

There is an awful lot of material published on risk in general, risk analysis and management as well as the methods used to determine and classify risk.  Unlike vulnerability, which is more objective in evidence and assessment, risk is more subjective and therefore requires more effort in the gathering and development of the evidence used to support a decision. From an enterprise point of view decision makers will be subject to the risk vs cost vs benefit tradeoffs. When faced with these tradeoffs decision makers will have to choose from options that may cause harm or worse. Important factors in these choices include both the probability of a risk and whether its consequences would be negligible, moderate, or serious. So it is important that the criteria used in the evidence supporting the choices is sufficient for the right choice to be made as well as managing the consequences should the risk arise.

As always Wikipedia provides a suitable definition and further background to the topic:

In enterprise risk management, a risk is defined as a possible event or circumstance that can have negative influences on the enterprise in question. Its impact can be on the very existence, the resources (human and capital), the products and services, or the customers of the enterprise, as well as external impacts on society, markets, or the environment. [Wikipedia]

Certainly cyber threats pose events or circumstances that can have negative influences on the enterprise and security incidents and reports from security technology provide sufficient evidence that the risk of attack is constant. What is important is the requirement to ascertain what, within the enterprise, are the critical assets – services/systems and their availability, customer data, intellectual property etc., and conduct appropriate risk /threat assessment and evidence to show the risk can be mitigated or the threat determined.

If i refer back to the evidence model and the means to accumulate the required forms of evidence – for risk analysis and management – benefits from an evidence evaluation method and there are a number associated with risk:

  • FAIR (Factor Analysis of Information Risk) – Information Security
  • RiskIT – IT Risk
  • ISO 31000 – Risk Management General Principles and Guidelines
  • CRAMM – UK OGC General Risk Management Framework
  • ISO 27000 – ISO Series on Information Security Standards
  • NIST 800 – US standards for Computer Security
  • OCTAVE – CERT Strategic Information Risk Assessment

An evaluation method applies a level of control as well as quality to the output and also the reliability that the method has its own evidence of effectiveness.

I am going to use FAIR as the example method as the output gained can be applied to architectural decision making in respect to cyber security. In other words there is a risk to a critical system from an inside attack and in order to propose a change or security improvement plan evidence needs to show the vector and example evidence that the risk is highly probable.

FAIR Model Cyber Security Ontology
FAIR Model & Cyber Security Ontology

The model i have attached to this post shows the alignment between the recognition that the risk method is a valid evaluation method, the threat is determined as an Insider Threat and the vulnerable system being a Critical Business Application. The source of the security events associated with the threat are derived from Access Management log data analysed via anomaly analysis – unusual log in patterns by user for example – which also corresponds to an evidence source – metadata analysis. The purpose of the alignment of the evidence model to the risk method is to indicate that the method is a recognised and authoritative means to provide evidence and the source of the evidence is derived from a cyber defence capability. The data source for the Threat Event Frequency would be derived from the Log Analysis. Other criteria within the FAIR model would be derived form additional research or analysis. There are other factors to include that the data is stored and managed in a forensically ready manner, however the report output has justification nevertheless to support risk based decision making.