What is a threat?
A threat can be defined as the potential for a vulnerability in the system or process to be successfully exploited by a given threat-source.
How are threats identified?
Identifying the threats would involve:
- identifying the vulnerabilities
- identifying the threat-sources and their actions
- computing the likelihood of exploit, based on:
  - conditions required for the exploit to be successful (whether accidentally triggered or deliberately attacked)
  - existing controls
Identifying Threats to an Organization in Florida:
- Natural Threats – hurricanes (given the geographical location)
- Human Threats – student hackers, computer criminals, insider threat (poorly-trained, sabotage, conflict-of-interest positions, dishonest, competitor espionage)
- Environmental Threats – long-term power/network outage
A few of the vulnerabilities these threat-sources could exploit would be:
- Misconfigured firewalls
- Identity and access management process not in place – leading to breach of confidentiality
- IDPS not monitored
- Spam filters not in place
- Virus and malware end-point protection not updated with latest signatures
- Software not patched
- No effective security training programs in place
- No tested back-ups in place
Likelihood of occurrence:
The team determining this factor would need to pool data from the last few years, from audit records, and draw inferences based on their own intuition and experience.
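The identification steps above (vulnerability, threat-source, likelihood after existing controls) and the likelihood estimate can be put into a small risk register, as in this added example; it is not code from the original page. The numeric weights and the risk scale come from the NIST SP 800-30 (2002) risk-level matrix the page cites; the rule that each existing control lowers the likelihood by one step, the mapping from risk level to a treatment option, and the sample entries for the Florida organization are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Qualitative scales from NIST SP 800-30 (2002), Table 3-6 (the guide cited on the page).
LIKELIHOOD_WEIGHT = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT_WEIGHT = {"low": 10, "medium": 50, "high": 100}
LEVELS = ["low", "medium", "high"]


@dataclass
class Threat:
    """One vulnerability / threat-source pairing from the threat identification step."""
    vulnerability: str
    source: str                                   # natural, human or environmental threat-source
    likelihood: str                               # likelihood if no controls existed: low/medium/high
    impact: str                                   # impact of a successful exploit: low/medium/high
    controls: list = field(default_factory=list)  # existing controls, assumed to be effective


def effective_likelihood(t: Threat) -> str:
    """Likelihood after existing controls are considered.

    Assumed simplification: every effective control lowers the likelihood one step.
    SP 800-30 leaves this weighting to the assessment team's judgement and audit data.
    """
    idx = LEVELS.index(t.likelihood) - len(t.controls)
    return LEVELS[max(idx, 0)]


def risk_score(t: Threat) -> float:
    """Likelihood weight x impact weight, rounded to avoid float noise at the scale boundaries."""
    return round(LIKELIHOOD_WEIGHT[effective_likelihood(t)] * IMPACT_WEIGHT[t.impact], 6)


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: >50 high, >10 medium, otherwise low."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def planned_response(t: Threat) -> str:
    """Every entry gets a documented response, even when the risk is low.

    The mapping of risk level to treatment option is an assumption for illustration;
    the options themselves (mitigate, controls/safeguards, transfer, accept) are the page's.
    """
    level = risk_level(risk_score(t))
    return {
        "high": "mitigate now: add controls and safeguards",
        "medium": "mitigate or transfer (e.g. insurance); track in the risk register",
        "low": "accept, with the acceptance documented",
    }[level]


def rank(threats: list) -> list:
    """Highest risk first; ties keep input order."""
    return sorted(threats, key=risk_score, reverse=True)


# Constructed sample register for the Florida organization described on the page.
SAMPLE = [
    Threat("campus-wide outage", "hurricane (natural)", "medium", "high", ["tested backups"]),
    Threat("misconfigured firewall", "computer criminals (human)", "high", "high"),
    Threat("IAM process not in place", "insider (human)", "medium", "medium"),
    Threat("long-term power outage", "utility failure (environmental)", "low", "medium"),
]

if __name__ == "__main__":
    for t in rank(SAMPLE):
        s = risk_score(t)
        print(f"{s:6.1f} {risk_level(s):7} {t.vulnerability:26} -> {planned_response(t)}")
```

Run as a script it prints the register ordered by risk; the misconfigured firewall ranks first (no existing control, high likelihood and impact), while the hurricane drops to low risk because the tested backups are counted as an existing control. The point the page makes still holds in the output: the low-risk entries are not dropped, they carry a documented "accept" decision.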
Should every threat be planned for?
Identifying and quantifying every possible threat to the various systems and processes in the organization (or any organization) is an advantage, even if the likelihood of occurrence is low and the loss it would cause seems acceptable.
Having a documented plan to deal with them (mitigation, controls and safeguards, risk transference, or acceptance) would be beneficial for the organization.
While not all threats can be foreseen, being aware of and prepared for those that can be will increase the overall security health.
Stoneburner, G., Goguen, A., & Feringa, A. (2002, July). NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf