How To Assess Information Security Risks
posted by John Spacey, March 06, 2011
Know your most dangerous and credible threats.
Ranking threats is the final step of threat analysis. It is key to distinguishing clear and present dangers from unlikely, low-impact threats.
DREAD
There are several models for ranking threats. The Microsoft DREAD model scores each threat on five factors: Damage potential, Reproducibility, Exploitability, Affected users and Discoverability. Each factor is scored on a scale of 1 to 10 and the DREAD rating is the average of the five:
DREAD = (Damage + Reproducibility + Exploitability + Affected users + Discoverability) / 5
A rating near 10 marks a threat to fix first; a rating near 1 can be deferred. The individual scores are judgement calls, so agree on a written rubric for each factor before scoring and apply it consistently, otherwise ratings produced by different reviewers cannot be compared.
Other Risk Ranking Models
At simplicable, we use a model that ranks threats by three factors: damage, exploitability and discoverability.
Damage potential
Damage potential includes factors such as:
Business and technology stakeholders should both be involved in assessing potential damage: the technology side knows what an attacker can reach, the business side knows what losing it costs.
Exploitability
Exploitability measures how much time, effort and skill an attacker needs to exploit the vulnerability.
Discoverability
Discoverability measures how easily an attacker can find the vulnerability.
Known vulnerabilities in popular tools are easy to discover; an off-the-shelf scanner will report them. Obscure vulnerabilities in custom code are harder to discover.
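The two models described above (the five-factor DREAD average and the three-factor damage / exploitability / discoverability model) applied to a list of threats, as an added example that is not part of the original article or of any tool the article describes. The threat names and their scores are constructed for illustration, and the high/medium/low bands are an assumption of the example, not thresholds the article gives. The point the example shows that the text does not is that the two models can rank the same threats in a different order, because DREAD also rewards reproducibility and number of affected users.

```python
"""Score and rank threats with DREAD and with a three-factor model."""

# Factor names for the two models. Each factor is scored 1 to 10.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")
SIMPLE_FACTORS = ("damage", "exploitability", "discoverability")

# Constructed sample threats; the numbers are illustrative, not measured.
SAMPLE_THREATS = {
    "SQL injection in login form": {
        "damage": 9, "reproducibility": 10, "exploitability": 8,
        "affected_users": 10, "discoverability": 9},
    "Verbose stack trace on error page": {
        "damage": 3, "reproducibility": 10, "exploitability": 2,
        "affected_users": 10, "discoverability": 8},
    "Weak password reset token": {
        "damage": 8, "reproducibility": 4, "exploitability": 7,
        "affected_users": 2, "discoverability": 5},
    "Race condition in report export": {
        "damage": 6, "reproducibility": 2, "exploitability": 3,
        "affected_users": 2, "discoverability": 2},
}


def validate_scores(scores, factors):
    """Reject a threat with a missing factor or a score outside 1..10."""
    for factor in factors:
        if factor not in scores:
            raise ValueError(f"missing factor: {factor}")
        value = scores[factor]
        if not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError(
                f"{factor} must be an integer from 1 to 10, got {value!r}")


def dread_score(scores):
    """DREAD rating: the average of the five factor scores."""
    validate_scores(scores, DREAD_FACTORS)
    return sum(scores[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def simple_score(scores):
    """Three-factor rating: average of damage, exploitability, discoverability."""
    validate_scores(scores, SIMPLE_FACTORS)
    return sum(scores[f] for f in SIMPLE_FACTORS) / len(SIMPLE_FACTORS)


def band(score):
    """Triage band for a 1..10 rating. Thresholds are an assumption of this example."""
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank_threats(threats, model=dread_score):
    """Return (name, score, band) tuples, highest risk first.

    Ties are broken by name so the output order is stable.
    """
    ranked = [(name, model(scores), band(model(scores)))
              for name, scores in threats.items()]
    ranked.sort(key=lambda entry: (-entry[1], entry[0]))
    return ranked


if __name__ == "__main__":
    for title, model in (("DREAD", dread_score), ("Three-factor", simple_score)):
        print(f"{title} ranking")
        for name, score, level in rank_threats(SAMPLE_THREATS, model):
            print(f"  {score:4.1f}  {level:6s}  {name}")
```

Under DREAD the verbose stack trace outranks the weak reset token because every user is affected and the bug reproduces every time; the three-factor model, which looks only at damage, exploitability and discoverability, puts the reset token higher. Whichever model is used, the validation step matters: a single out-of-range score silently skews the average, so reject it rather than clamp it.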