The operative phrase in the TEF definition that distinguishes it from LEF is "may result in loss." In other words, the key difference between LEF and TEF is that loss may or may not result from Threat Events.

- Rolling a pair of dice while gambling is a threat event. Having the dice come up "snake eyes" is a loss event.
- A hacker attacking a website is a threat event. If they manage to damage the site or steal information, that would be a loss event.
- Pushing a new software release into production is a threat event. Having a problem with the release that results in downtime, data integrity problems, etc., would be a loss event.
- Having someone thrust a knife at you would be a threat event. Being cut by the knife would be the loss event.

Note that in the first sentence of each bullet above, loss is not guaranteed; it isn't until the second sentence that loss is clear. The probability of loss occurring in each threat event is a function of Vulnerability, which we will discuss in detail a little later.

Threat visibility
Jack Freund, Jack Jones, in Measuring and Managing Information Risk, 2015

Threat metrics should, unsurprisingly from a FAIR perspective, focus on threat event frequency (TEF) and threat capability. For some threat communities (e.g., insiders of one sort or another), you can also include a metric regarding the number of threat agents, because there is likely to be some correlation between the number of threat agents and the probability of threat events (malicious or not). Very few organizations really seem to leverage threat metrics. Oh, you'll often see things about the number of viruses blocked, the number of scans against web systems, and such, but beyond that, organizations tend to underutilize what could be a rich source of intelligence. Later in the book we give SIEM providers a hard time for not leveraging their data very effectively. Today nobody is asking them to be very proficient because common practices regarding threat metrics are usually pretty superficial. If you adopt FAIR as a fundamental component of your organization's risk management practices, you will inherently evolve your approach to threat metrics.

Mistaking contact frequency for TEF
Jack Freund, Jack Jones, in Measuring and Managing Information Risk, 2015

This mistake occurs primarily when people are trying to estimate something like the TEF for attacks against an Internet-facing system or web application.