Exploring F.A.I.R. – Threats – Part 2

by kriggins on March 30, 2009

in Risk Management

In the last post in our series on FAIR we took a look at the data flow diagram for the system that Oblivia wants us to assess. We also reviewed the definition of threat and quickly figured out we need a way to narrow down which threats we should be most concerned about.

FAIR uses the concepts of threat communities and threat characteristics to help us group together like threat agents and help us determine the probability of that threat affecting us. A threat agent being an individual person or instance in a threat population or set of threats.

Let's take a look at these two concepts and see how they can help us.

First, the definition of threat community. From the Introduction to FAIR: Risk Landscape Components:

Subsets of the overall threat agent population that share key characteristics

Basically, we are talking about those characteristics that would define a group of threat agents. The Introduction uses at set of characteristics that could be used to place a threat agent in a community call 'terrorist.' How about the following characteristics?

Motive: Money
Primary intent: Financial gain
Sponsorship: Unofficial
Preferred general target characteristics: Systems where small changes are difficult to find
Preferred specific target characteristics: High traffic/significant impact systems
Preferred targets: Systems and applications
Capability: Significant technology skills
Personal risk tolerance: Medium
Concern for collateral damage: High (need for changes to remain unnoticed)

What could we call the threat community whose agents have these characteristics? I'm going to hate myself for using the term, but cyber criminals seems to work. Individuals who make money by subverting computer systems. This gives us some information about what makes up the community. Now we need some information that can help us determine which communities are worthy of more inspection. That is where threat characteristics come in.

From the Introduction, paraphrased a bit:

There are four primary characteristics we are concerned with in our risk taxonomy:

  • The frequency with which threat agents come into contact with our organizations or assets
  • The probability that threat agents will act against our organizations or assets
  • The probability of threat agent actions being successful in overcoming protective controls
  • The probable nature (type and severity) of impact to our assets

What we are really concerned about from an agent characteristic perspective is, frequency of contact, the likelihood that the agent will act against us, the likelihood that the agent will succeed and the likely type and severity the result of that action to our assets.

A situation where the agent is rarely in contact, is unlikely to actually attack us and even more unlikely to succeed if they do and, finally, the impact if they are successful will be insignificant is much different that one where the agent is in constant contact, is very likely to act against us, is skillful enough to succeed and probably going to result in severe impacts to our assets.

Understanding the different communities and the significant characteristics mentioned above can help us a great deal in managing risk. They help us have a much more concrete estimate of the probability of something untoward happening to us as the result of a threat agent acting against us.

In our next installment we will take one more quick look at a few characteristics related to assets. We will then dive into risk factoring in the next few posts.

As always, I am really interested in your thoughts. I read and take to heart every comment that is left and email received, so please join the conversation!

-Kevin

{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: