Multi-dimensional security
Security is complex and multi-dimensional—we have threats, threat vectors, tactics, intention, vulnerabilities, risks, hazards, security controls and a plethora of other considerations to take into account when undertaking security assessments.
Hence it should not come as a surprise that, when we bring it all together, security assessments can be complex.
Two-dimensional vs multi-dimensional
When it comes to determining threat and risk ratings, we traditionally undertake two-dimensional analyses: INTENT x CAPABILITY = threat rating and LIKELIHOOD (or probability) x CONSEQUENCE (or impact) = risk rating.
Interestingly, we tend to use this 2-dimensional approach for several reasons:
- The current security guidance tends to promote a 2-dimensional approach in the absence of a better approach
- We believe we get accurate threat and risk ratings using a 2-dimensional approach
- Often, we use Excel to calculate the rating as Excel (certainly to those of us who are not Excel experts) lends itself to adopting a 2-dimensional approach
- It is easy to copy and paste 2-dimensional models and outcomes into reports
- We can become overly accepting of the methodologies and constructs supporting how we derive threat and risk ratings without questioning whether the outcomes are accurate and how we might mature our models and frameworks to get better outcomes.
Hence, this is the model we tend to use for calculating a threat rating:
Think about the model below; it should raise a few questions for you. All of the interactions shown should be considered when determining a threat rating, and once they are laid out we can see how complex and multi-dimensional threat assessments are in reality.
There are many variables that influence the threat rating beyond intent and capability. For example, how do we assess important considerations such as:
- Opportunity for the threat source to execute the threat vector
- Motivation – this is different from intent
- Likelihood of the threat occurring and the likelihood of the threat being successful—two very different outcomes
- Asset vulnerabilities, criticality and security controls?
How do we assess the many sub-factors influencing intent, capability, opportunity and asset vulnerability in a consistent and accurate way that also provides global visibility for managers?
- Intent may be influenced by many factors including:
  - The benefit to the threat source in executing the threat
  - Whether the threat source is being influenced by a higher authority.
- Capability may be influenced by many factors including:
  - Access to weapons or other vectors
  - The quality of training.
Each sub-factor for intent, for example, may have different ratings that should each be assessed, particularly if they need to be aggregated to influence the overall rating for intent.
Wouldn’t it make sense to target each individual sub-factor in our control analysis to get more granular outcomes? To do that, we need to know what the sub-factors are and how they combine with each other.
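As an added illustration (not part of the original post, and not Pentaguard's method), the Python model below puts the traditional INTENT x CAPABILITY rating beside a multi-dimensional rating aggregated from the sub-factors named above, and ranks the sub-factors so control analysis can target the ones that drive the rating. The 1-to-5 scale, the weights, the geometric-mean aggregation and the control-effectiveness factor are all assumptions.

```python
"""Constructed threat-rating model: the traditional two-dimensional score next to
a multi-dimensional one aggregated from rated sub-factors. Scale, weights and
formulas are assumptions for illustration, not any product's method."""
from __future__ import annotations
import math

# Assumed rating scale for every input: 1 = very low ... 5 = very high.
LOW, HIGH = 1, 5


def two_dimensional(intent: int, capability: int) -> int:
    """Traditional model: one intent rating times one capability rating (1..25)."""
    return intent * capability


def aggregate(subfactors: dict[str, tuple[int, float]]) -> float:
    """Weighted mean of {name: (rating, weight)}, e.g. the sub-factors of intent."""
    total_weight = sum(w for _, w in subfactors.values())
    return sum(r * w for r, w in subfactors.values()) / total_weight


def ranked_contributors(subfactors: dict[str, tuple[int, float]]) -> list[str]:
    """Sub-factors ordered by rating x weight, so control analysis can target
    the ones that drive the aggregate rating most."""
    return sorted(subfactors, key=lambda k: subfactors[k][0] * subfactors[k][1], reverse=True)


def multi_dimensional(intent_subs, capability_subs, opportunity: int,
                      motivation: int, control_effectiveness: float) -> float:
    """Intent and capability are aggregated from sub-factors; opportunity and
    motivation are rated on their own. The geometric mean of the dimensions is
    scaled back to the 1..25 range (with two dimensions it reduces to
    intent x capability) and reduced by the effectiveness (0..1) of controls."""
    dims = [aggregate(intent_subs), aggregate(capability_subs), opportunity, motivation]
    base = math.prod(dims) ** (2 / len(dims))
    return round(base * (1 - control_effectiveness), 2)


# Constructed sample inputs, using the sub-factors named in the post.
INTENT_SUBS = {"benefit_to_threat_source": (5, 0.6), "higher_authority_influence": (2, 0.4)}
CAPABILITY_SUBS = {"access_to_weapons_or_vectors": (4, 0.5), "training_quality": (2, 0.5)}

if __name__ == "__main__":
    intent, capability = aggregate(INTENT_SUBS), aggregate(CAPABILITY_SUBS)
    print("intent", intent, "capability", capability)                      # 3.8 and 3.0
    print("2-D rating", two_dimensional(round(intent), round(capability)))  # 12
    print("multi-D rating", multi_dimensional(INTENT_SUBS, CAPABILITY_SUBS,
                                              opportunity=2, motivation=4,
                                              control_effectiveness=0.25))  # 7.16
    print("target first:", ranked_contributors(INTENT_SUBS)[0])  # benefit_to_threat_source
```

The same analyst-level inputs give 12 under the two-dimensional model and 7.16 once opportunity, motivation and control effectiveness are rated explicitly, which is the kind of divergence the post is pointing at.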
When we consider risk assessments:
- How do we accurately determine the likelihood of the risk occurring, and what impact does the threat rating have on our likelihood assessment?
- How do we factor in the proximity of the risk—what is the overall impact on the activity at risk if the dates are pushed back by, say, 12 months?
- What happens to the risk rating if the budget for managing that risk is reduced or increased?
- What if our risk management resources are significantly reduced or increased?
Assessing ratings is complex
Determining accurate threat and risk ratings can get very complex if we assess their multi-dimensional elements. Pentaguard automatically calculates a threat rating from 26 different inputs that are all rated and connected, not just from assessing intent and capability.
Risk assessments in Pentaguard are based on a 5-dimensional approach, not just two. This allows significantly greater understanding of risks and how best to mitigate them—of course, undertaking a multi-dimensional approach to threat and risk assessments will enable better decision making underpinning the expenditure of money on security controls and other resources.
Pentaguard gives you a multi-dimensional approach to threat, hazard and risk assessments ensuring greater visibility of assessments and better security decisions.