Information Technology Reference
In-Depth Information
However, with respect to your assets, this organization may have a 0 motivation to
exercise its means and method. A 0 motivation means there is no specific target.
The TPA rating points to a low probability from this potential threat. The business
implication is no IA resources are necessary to specifically address state-sponsored
threats. Even though espionage is possible, it is not probable, and therefore is not a
priority for the IA budget.
Applying the TPA guidance is not a rote methodology; it does not support a
simple 3 in this box, 4 in that box, add them up, and multiply.
he numbers are a
clue, not a conclusion.
Considerable subjective evaluation is necessary. If the means
of adversary depend upon money, knowledge, and equipment, the presence of two
out of three may not be enough to make that adversary a high priority, that is,
enough of a priority to redirect budget from another priority. However, subjective
judgment enters when trying to determine how close an organization is to obtain-
ing the missing piece; e.g., an export embargo on a specialized piece of equipment
is only as effective as a smuggler's ability to bypass customs and border patrol. These
subjective judgments are important and require a confidence level to assist in objec-
tively evaluating threats as potential, probable, or priority.
Confidence levels are determined the same way for means, method, motivation,
and mission; however, each TPA parameter must be assigned its own confidence level.
To continue the above example, the confidence level in means and method are 4s
even without specific, direct knowledge. A reasonable assumption is that the espio-
nage organization has funding and methodologies to draw upon. Determining con-
fidence level for motivation comes from examining your business environment and
your knowledge of competitive interests. Moreover, what you perceive as a target for
the mission may not be of interest to a prospective adversary. Assigning a confidence
level forces you to think about your situation a bit more critically and question your
own knowledge. If you are confident, great! If you are not, also great—because now
you know it, acknowledge it, and can act upon your conclusions accordingly.
Colin Powell provides good guidance on the point of confidence levels with,
“Tell me what you know. Tell me what you don't know. And then, based on what
you really know and what you really don't know, tell me what you think is most
likely to happen.”
Chapter 5 contains additional details on TPA. This chapter introduces TPA as
an option to quantify the IA threat space where threat space is one attribute of the
IA quantification framework.
4.3.5.2 Deductive Approach
Deductive reasoning produces a conclusion that is found in the premises. The accep-
tance of the premises ensures the conclusion. The deductive approach attempts to
http://www.fas.org/irp/congress/2004_hr/091304powell.html (accessed October 2007).
