Table 4.1 TPA Rating Template

| TPA Parameter | Rate | Confidence Level | Description | Comments |
|---|---|---|---|---|
| Means | <Rate> | <Level> | Budget, expertise, equipment | <Insert comments> |
| Method | | | Tactical preferences, previous actions, patterns | |
| Motivation | | | A reason to act | |
| Mission | | | A target to act upon | |

value or assets of high business value. Risk mitigation decisions are then made on
the results of this internally focused risk assessment.
The TPA approach operates under the premise that a vulnerability with no
threat is less of a risk than a vulnerability under threat. TPA focuses on the threat
space first and asset space second. TPA discerns higher probability threats, then
looks to the asset space and asset vulnerabilities that the threat space may exploit.
The objective is to guide intelligent resource allocation to mitigate risks in the asset
space targeted by high probability threats.
A framework for adversary TPA includes evaluating adversary capability
(means); tactical preferences (method); leadership, individual psychology, group
and social dynamics, and political psychology (motivations, operations, and
interests); and potential adversary objectives (mission). Evaluating potential threats using
TPA identifies the probable threat space within the possible threat space. A simple
TPA quantification method is a 0 through 4 capability scale, where 0 implies no
capability, 4 implies fully capable, and 1, 2, and 3 imply low, medium, and high
capability, respectively. Table 4.1 provides a template to record TPA ratings. Rating
determination is subjective and largely depends on what you know and what you
think you know. A confidence level serves as a separate data point to consider in the
overall TPA profile. Again, use a 0 through 4 scale to represent no confidence, low,
medium, high, and 100 percent certain, respectively.
TPA is an artificial system of metrics and measures. For consistent application
of TPA, there is a need for a rating guide and a confidence level guide. Table 4.2
provides a sample TPA rating guide, and Table 4.3 provides a sample TPA
confidence-level guide. The guides will convey the rationale behind TPA to various audiences
within the organization.
As an example, consider a TPA rating interpretation of an organization known
for industrial espionage. It is fully funded, possesses full knowledge, and possesses
appropriate equipment for many exploitive activities. Its methods are predictable
and known to be effective. Therefore, both means and method are rated as 4s.
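
The workflow described above (rate each threat on the four TPA parameters, then look at the assets the higher-probability threats target), as an added Python example that is not from the original text. The sample threats, asset names, the weakest-parameter aggregation rule, and both thresholds are assumptions made for illustration; the text defines only the two 0 through 4 scales.

```python
from dataclasses import dataclass

PARAMETERS = ("means", "method", "motivation", "mission")

@dataclass(frozen=True)
class Rating:
    rate: int        # 0 = no capability ... 4 = fully capable
    confidence: int  # 0 = no confidence ... 4 = 100 percent certain

    def __post_init__(self):
        for name, value in (("rate", self.rate), ("confidence", self.confidence)):
            if not isinstance(value, int) or not 0 <= value <= 4:
                raise ValueError(f"{name} must be an integer 0..4, got {value!r}")

def threat_score(profile):
    """Assumed aggregation: the weakest of the four parameters limits the threat."""
    missing = set(PARAMETERS) - set(profile)
    if missing:
        raise ValueError(f"profile is missing {sorted(missing)}")
    return min(profile[p].rate for p in PARAMETERS)

def needs_review(profile, floor=2):
    """Parameters whose confidence is below the (assumed) floor; the rating
    is kept, and confidence is reported as a separate data point."""
    return sorted(p for p in PARAMETERS if profile[p].confidence < floor)

def prioritize_assets(threats, targets, threshold=3):
    """Threat space first, asset space second: keep threats scoring at or
    above the (assumed) threshold, then rank the assets they target."""
    ranked = {}
    for name, profile in threats.items():
        score = threat_score(profile)
        if score >= threshold:
            for asset in targets.get(name, ()):
                ranked[asset] = max(ranked.get(asset, 0), score)
    return sorted(ranked.items(), key=lambda item: (-item[1], item[0]))

# Constructed sample data. The first profile follows the espionage example
# (means and method rated 4); every other value is invented.
THREATS = {
    "espionage-group": {"means": Rating(4, 4), "method": Rating(4, 3),
                        "motivation": Rating(3, 2), "mission": Rating(3, 1)},
    "opportunist": {"means": Rating(1, 3), "method": Rating(2, 2),
                    "motivation": Rating(4, 1), "mission": Rating(1, 1)},
}
TARGETS = {"espionage-group": ["design-repository", "email-gateway"],
           "opportunist": ["public-website"]}

if __name__ == "__main__":
    print(prioritize_assets(THREATS, TARGETS))
    print({name: needs_review(p) for name, p in THREATS.items()})
```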