In the Internet world, a threat could be a potential danger that may exploit a vulnerability to breach security and so cause harm to the organization. A threat will be “intentional” or “unconditional”, man made actions, or occurred through any internal events. A threat-source doesn’t show off a potential risk when there is no vulnerability that can be exercised from it. A vulnerability is a weakness that can be unintentionally triggered or intentionally exploited. We should conduct the Risk assessment to evaluate the relative likelihood of occurrence for each threat.
We should carry out a more detailed risk assessment plan, and we evaluate each threat against the likelihood and actual impact of risks during each stage. Once you have identified the potential threats, the next step is to identify the corresponding weaknesses (vulnerabilities) in your organizational network, Internal/external systems, resources, and organizational policies the external/internal threats could exploit that. I recommend following up on the latest ISO27005 standard listing of threats and vulnerabilities.
We can assess it through the concepts about the threat, threat consequences, the likelihood of nature, and the total impact and exposure of threat matrix.
Control Analysis: The functional goal of this step is to analyze the controls that have been implemented, or yet to be implemented, by the organization to minimize the probability of a threat’s exercising a system vulnerability.
Control Categories: The control methods of the technical and nontechnical can be classified into preventive or detective.
Control Analysis Technique: The security requirements checklist can be used to validate security noncompliance as well as compliance. Therefore, it is essential to update such checklists to reflect changes in an organization’s control environment regularly.
A threat-source is defined as any circumstance or event with the potential action to cause harm to an IT system. There are some common threat sources can be natural, human, or environmental. After performing a risk assessment, you may find a considerable number of ongoing threats and vulnerabilities that can affect your company. These may include intrusions, vandalism, theft, or other incidents and situations that may vary from business to business.
How to perform Threat identification? The distinct class of threat concepts, consequence, likely hood, total impact, and exposure are used to carry out the threat identification. Specific threat events such as hacker attempts, virus attacks, malware intruder attempts etc., fall into a particular threat class will be defined as per the matrix in the given below table.
In this section, we project potential effects and the likelihood of occurrence, with consideration of existing controls safeguards that could reduce the impact of the likelihood. Use a risk rating of Critical, High, Medium, Low, and insignificant to describe the magnitude of risk.
(I) Risk rating:
(ii) Likelihood Rating:
To develop an overall likelihood rating criterion, that shows the probability of a given vulnerability associated with multiple factors.
In the likelihood, we define a threat-source as High, Medium, Low as shown in Fig.2.
(iii) Impact Rating:
The next significant step in measuring the level of risk is to determine the adverse impact when a threat actor exercises a vulnerability. In this approach, while analyzing the actual impact, to interview the system and information owners to analyze and rate further as shown in Fig.3.
a) Describing threats in terms of who, how, and when.
b) Establishing into which threat class a threat falls.
c) Determining the threat likelihood.
d) Determining the implications on the business operations should a threat achieve success.
e) Assessing the impact of the results as less serious, serious, or exceptionally grave injury.
f) Assigning an exposure rating to every threat, in terms of the relative severity to the organization.
g) Prioritizing the impacts /likelihood pairs, according to the determined ratings.
Risk Rating Factors:
The factors we used to determine the premium. Ideally, we should use all risk factors as rating factors.
We discussed the Risk assessment of the relative likelihood of occurrence for each threat. The organization should carry out a more detailed risk assessment plan, and we test each threat against the likelihood and actual impact of risks during each stage.
Quote of the day:
“A good beginning makes a good ending”
Explanation: You could say that your preparation beforehand will help you start well. If you rush any project at the start, most often the end will not be well. Starting right always ends well.
Thanks for reading!
Have a pleasant day!