Mom! Dad! There’s a monster under my bed! If you’ve ever responded to a call like this from your kids, congratulations – you’ve conducted a threat assessment. A threat assessment is basically identifying things that could harm your assets and assessing their ability to do so. Hopefully in this case you can convince your child that there is no threat under the bed, the risk of getting eaten is quite low, and it’s okay to go back to sleep.
Threat assessments are part of an overall process called risk management. What is risk? Essentially, measurable uncertainty. Management expert Peter Drucker said, “If you can’t measure it, you can’t improve it.” Measurability is a must. And if it’s not uncertain, then technically there is no risk. For example, what is the “risk” of the sun not rising tomorrow? No insurance company would pay a premium if the sun does rise. It’s not insurable because it’s certain, and therefore not a risk.
Cybersecurity risk management is all about reducing the probability or potential severity of incidents that could damage or destroy your IT resources or the information within. As security professionals, our responsibility is to help managers make informed, risk-based decisions. We do that by considering the components of the risk equation:
Risk = Threat * Vulnerability * Asset Impact
Threats are sources of harm. They could be human (e.g., hacker, disgruntled employee), technical (e.g., malware, hard drive failure), or natural (e.g., hurricane, fire). Note one important characteristic of nearly all threats: they are outside of your control. You can’t control an earthquake, you can’t control a hacker in Pyongyang, and you can’t control the behavior of compiled malicious code. In each case, the threat is going to do what it’s going to do. To reduce risk, we need to focus on the other elements of the equation. Keep reading as we build out our threat model.
Vulnerabilities occur when assets are exposed to threat actors. Vulnerabilities are often things we can control, or at least influence. For example, if you want to reduce the risk of a hurricane damaging your office in Florida, you can move operations to Nevada. You haven’t changed the hurricane, but you’ve certainly changed its ability to affect your asset. A lot of risk management is vulnerability management because there are often changes we can make that measurably reduce our risk.
Asset impact refers to how much damage a threat can do to an asset. For example, reinforcing our Florida office to be hurricane-resistant doesn’t change the threat or the vulnerability, but it significantly reduces the asset impact. In many cases, however, we’re stuck with our assets as they are, and thus this becomes a constant in our risk equation.
So, back to threat assessment. Threat assessment involves identifying threats, determining the seriousness of each threat, and prioritizing how to manage threat actors. Threat intelligence is information about potential adversaries. Think of severe weather forecasts as a form of threat intelligence. When you know your adversary’s capabilities and which adversaries are interested in you, you can prioritize your defenses accordingly. For cyber threat actors, this information is often available as a paid subscription. One very useful tool is the MITRE ATT&CK® framework, which provides a repository of adversary tactics and techniques. By analyzing the tactics and techniques used by each threat actor, commonalities may emerge that suggest where countermeasures could have the most impact. For example, if threat intelligence suggests three advanced persistent threat (APT) teams are targeting you, and each uses phishing to establish a foothold, then defending against this common technique reduces the risk across all of these threats.
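The risk equation above and the "common technique" prioritization just described can be put into a small model. The following is an added example, not code from CBIZ or from the MITRE ATT&CK project. The scenarios, the actor names (APT-A, APT-B, APT-C) and the technique lists they use are constructed placeholders, not real threat intelligence; the scores are in arbitrary units and the 0-1 scales for threat and vulnerability are an assumption for illustration.

```python
"""Added example: scoring risk with Risk = Threat * Vulnerability * Asset Impact
and finding which techniques are shared by the most threat actors.
All data below is constructed for illustration."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: float         # likelihood/capability of the threat source (assumed 0-1 scale)
    vulnerability: float  # degree of exposure to that threat (assumed 0-1 scale)
    asset_impact: float   # damage if the threat is realised (arbitrary loss units)


def risk_score(s: Scenario) -> float:
    """The page's equation: Risk = Threat * Vulnerability * Asset Impact."""
    return s.threat * s.vulnerability * s.asset_impact


def rank_scenarios(scenarios):
    """Highest risk first, so defensive effort goes to the most likely/damaging threats."""
    return sorted(scenarios, key=risk_score, reverse=True)


def scenario_after_control(s: Scenario, vulnerability_reduction: float) -> Scenario:
    """Model a mitigation as reducing exposure (vulnerability). The threat itself
    is unchanged, which is exactly the point made in the text about moving the
    Florida office: the hurricane is the same, its ability to reach the asset is not."""
    return Scenario(s.name, s.threat,
                    s.vulnerability * (1.0 - vulnerability_reduction),
                    s.asset_impact)


def technique_coverage(actor_techniques):
    """Count how many actors use each technique. A technique shared by several
    actors is where one countermeasure reduces risk across all of those threats."""
    counts = Counter()
    for techniques in actor_techniques.values():
        counts.update(techniques)
    return counts.most_common()  # list of (technique, number_of_actors), most shared first


# Constructed scenarios (not real figures).
SCENARIOS = [
    Scenario("Hurricane hits Florida office", threat=0.3, vulnerability=1.0, asset_impact=500),
    Scenario("Phishing foothold by an APT", threat=0.9, vulnerability=0.5, asset_impact=800),
    Scenario("Disk failure on file server", threat=0.6, vulnerability=0.25, asset_impact=200),
]

# Hypothetical actor -> technique mapping. Technique names are ATT&CK-style labels
# used illustratively; the actor names are placeholders.
ACTOR_TECHNIQUES = {
    "APT-A": {"Phishing", "Valid Accounts", "Scheduled Task"},
    "APT-B": {"Phishing", "Exploit Public-Facing Application"},
    "APT-C": {"Phishing", "Valid Accounts", "Drive-by Compromise"},
}


if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"{risk_score(s):8.1f}  {s.name}")
    hurricane = SCENARIOS[0]
    relocated = scenario_after_control(hurricane, vulnerability_reduction=0.8)
    print(f"Hurricane risk after relocation: {risk_score(relocated):.1f}")
    for technique, n_actors in technique_coverage(ACTOR_TECHNIQUES):
        print(f"{n_actors} actor(s) use {technique}")
```

Running it ranks the phishing scenario first, shows the hurricane risk falling once exposure is reduced even though the threat value is untouched, and lists Phishing as the technique used by all three constructed actors, which is the "defend the common technique" argument from the text in miniature.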
Threat assessment is an essential element of risk assessment. By providing knowledge of what is most likely to occur, threat assessment helps you avoid allocating resources to lower probability, lower impact threats. This is not limited to cybersecurity: in football, defenses expect a pass play on third-and-long; you would respond differently to being chased by a puppy than you would to a gorilla; if police reports show burglars all come in through the bedroom window, you’d lock that window first.
The result of effective cybersecurity threat assessment is better risk management. Because all risk is about probabilities, focusing your defenses on the most likely threats decreases the overall probability of an incident or breach.
If you’re interested in learning more about the monsters that may be hiding under your organization’s bed, CBIZ Technology is here to help. CBIZ Technology provides a full cybersecurity service offering.
© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.
“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.