Figure 5.2 P³ approach.
A threat status of no threat acknowledges the existence of the threat, but the
likelihood of the threat acting against a vulnerability is so low as to be essentially
nonexistent. For example, the data center roof is not likely to be meteor-proof.
However, the probability of a meteor striking the data center is so low as to not
warrant the expense of reinforcing the roof.
Potential threats abound in our everyday lives. There is risk in driving to work
with threats from other drivers (fatigued, careless, or distracted). There is risk in
using the Internet with threats from spam, viruses, and spyware. Many, many
threats are possible; far fewer threats are probable. Figure 5.2 shows the P³ (P-three)
approach to identifying the potential, differentiating the potential from the
probable, and establishing priorities to deal with the probable. The P³ approach applies
to risks, threats, and vulnerabilities.
The collection of potential threats will be quite large. Assessing the probability
of their occurrence yields a list of highest probable threats (high priority) to
lowest (low/no priority). A threat may affect one or more vulnerabilities within
the organizational asset space. Those assets containing vulnerabilities that may be
exploited by high-priority threats become high-priority assets for risk mitigation;
those assets with the highest business value become top priorities. The following
sections elaborate on this concept. The IA² threat probability assessment enables
you to distinguish potential threats from probable threats and to establish priorities
from the collection of probable threats.
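The potential-to-probable-to-priority triage described above, as an added Python example (not from the book). The probability figures, the two cut-off values, the vulnerability labels and the business-value scores are all constructed assumptions.

```python
from dataclasses import dataclass

NO_THREAT = 0.001  # assumed cut-off below which a threat has "no threat" status
HIGH = 0.5         # assumed cut-off for a high-priority threat

@dataclass(frozen=True)
class Threat:
    name: str
    probability: float   # assessed likelihood of occurrence, 0..1
    exploits: frozenset  # vulnerabilities the threat can act against

@dataclass(frozen=True)
class Asset:
    name: str
    business_value: int  # higher means more valuable to the business
    vulnerabilities: frozenset

def probable_threats(threats):
    """Potential -> probable: drop 'no threat' entries, most probable first."""
    kept = [t for t in threats if t.probability >= NO_THREAT]
    return sorted(kept, key=lambda t: t.probability, reverse=True)

def prioritize_assets(threats, assets):
    """Probable -> priority: assets exposed to a high-priority threat come
    first; within each group, higher business value ranks higher."""
    ranked = []
    for asset in assets:
        hits = [t for t in probable_threats(threats)
                if t.exploits & asset.vulnerabilities]
        if hits:  # assets touched only by 'no threat' entries are left out
            top = hits[0]
            ranked.append((top.probability >= HIGH, asset.business_value,
                           asset.name, top.name))
    ranked.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return [(name, threat) for _, _, name, threat in ranked]

# Constructed sample data (not from the book).
THREATS = [
    Threat("meteor strike", 0.0000001, frozenset({"roof-not-reinforced"})),
    Threat("spyware", 0.7, frozenset({"unpatched-browser"})),
    Threat("virus", 0.6, frozenset({"no-mail-filter", "unpatched-browser"})),
    Threat("espionage", 0.1, frozenset({"weak-file-acl"})),
]
ASSETS = [
    Asset("data center", 9, frozenset({"roof-not-reinforced"})),
    Asset("finance workstation", 8, frozenset({"unpatched-browser"})),
    Asset("mail gateway", 5, frozenset({"no-mail-filter"})),
    Asset("design file server", 10, frozenset({"weak-file-acl"})),
]
```

With this data the design file server ranks last despite its higher business value, because the only probable threat against it falls below the high-priority cut-off, and the data center drops out entirely because its only threat has no-threat status.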
5.4.2 Guiding Risk Analysis with Threat Assessments
5.4.2.1 Threat Probability Assessment
A model for adversary threat probability assessment (TPA) must evaluate adversary
capability (means); tactical preferences and operations (method); leadership,
individual psychology, group and social dynamics, and political psychology
(motivations); and interests and potential objectives (mission). These evaluations provide
insight into a potential threat versus a probable threat, and a probable threat versus
a priority threat.
A known adversary may desire your company's secrets, but if it lacks the knowledge
to carry out the espionage activities and lacks the funding to hire the expertise,
this known adversary remains at potential threat status and rates a low probability
on the TPA scale. If, however, the adversary has the means (i.e., knowledge or funding)
and information on the adversary shows activity toward your company, then
 