Debi Ashenden


Threat Assessment and Its Input to Risk Assessment

Risk assessment as a business process

Security standards such as BS 7799 and the related ISO 17799 start from the assumption that organizations and governments understand the threats they face to their information systems. For them to achieve a better quantification of the risk to an information environment, it is increasingly important that the information on which decisions are based is as up-to-date and accurate as possible and is expressed in terms that have a common meaning and basis. If a term is used in the assessment of threats to one information system, it should be understandable to those involved in the preparation of a threat assessment for another system, not least because interdependence between systems is a fact of life in the networked world. Unfortunately, in the high-technology environment reality is far from this. Even common terms such as threat and vulnerability are used almost interchangeably. If the input on the level of threat that is used in the risk assessment process is to be improved, then an accurate representation of the threat to information systems must be achieved.

The threat agent is not the only factor that must be considered when determining the level of threat to an information system. Other issues that must be addressed include the probability of an attacker carrying out a successful attack and the impact that a successful attack would have on the business. After all, no matter how capable and motivated a potential threat agent might be, if the countermeasures in place at the target are already at a level higher than the attacker can overcome, then there is no prospect of success. Also, if the information asset that is being targeted is of little or no significance to the business, then the potential impact to the business is low or nonexistent. (It may be appropriate in the last case to question why the system is being used if it has no value or impact to the business; the very existence of a system is a cost to the organization in terms of hardware, software, management, and maintenance.)

For the owners, the custodians, or the insurers of information systems to understand the risks that come into effect as a result of using a particular high-technology device in a particular set of circumstances, it is necessary to carry out a risk assessment of the relevant information environment. The assessment of the risk is essential in the modern environment because it will provide guidance on the likelihood of an event occurring on the system after all the identified threats and vulnerabilities have been taken into account and the selected countermeasures have been implemented. From this, the relevant parties will have a better understanding of the residual risk they will be accepting if they choose to operate the system in the manner that has been defined, and they can explore the options available to them to reduce this residual risk even further, together with the relative costs and benefits of those options. The following factors must be considered when conducting such a risk assessment:

  • The Agent that is causing a Threat to the system.
  • The exploitable Vulnerability within the system (Note: The significant word here is exploitable; if it cannot be exploited, then it does not require investment to protect it).
  • The Impact of a successful attack.
  • Mitigating factors (countermeasures).
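To make the four factors concrete, here is an added illustration that is not part of the article: a small Python model that encodes the rules stated above (an unexploitable vulnerability needs no investment, countermeasures that exceed the attacker's capability leave no prospect of success, a zero-impact asset carries no risk) and then ranks countermeasure options by risk reduction per unit cost. The numeric scales, the sample threat agent, vulnerability and countermeasures are all constructed assumptions.

```python
from dataclasses import dataclass

# Added illustration: a minimal residual-risk model built on the article's four
# factors. All numeric scales (0-5 capability, 0-10 impact) are assumptions.

@dataclass
class ThreatAgent:
    name: str
    capability: int   # skill and resources, 0 (none) .. 5 (highest)
    motivation: int   # intent, 0 (none) .. 5 (determined)

@dataclass
class Vulnerability:
    name: str
    exploitable: bool  # if False, the article says it needs no investment
    difficulty: int    # capability needed to exploit it with no countermeasures

@dataclass
class Countermeasure:
    name: str
    strength: int      # how much it raises the capability bar
    cost: int          # arbitrary cost units

def likelihood(agent, vuln, countermeasures=()):
    """Chance the agent succeeds against this vulnerability (0.0 .. 1.0)."""
    if not vuln.exploitable:
        return 0.0
    bar = vuln.difficulty + sum(c.strength for c in countermeasures)
    if agent.capability < bar:
        return 0.0      # countermeasures exceed what the attacker can overcome
    return agent.motivation / 5

def residual_risk(agent, vuln, impact, countermeasures=()):
    """Likelihood times business impact; a zero-impact asset carries no risk."""
    return likelihood(agent, vuln, countermeasures) * impact

def rank_options(agent, vuln, impact, baseline, options):
    """Order candidate countermeasures by risk reduction per unit cost."""
    base = residual_risk(agent, vuln, impact, baseline)
    scored = []
    for opt in options:
        reduced = residual_risk(agent, vuln, impact, list(baseline) + [opt])
        scored.append((opt.name, base - reduced, (base - reduced) / opt.cost))
    return sorted(scored, key=lambda s: s[2], reverse=True)

if __name__ == "__main__":
    agent = ThreatAgent("organised criminal group", capability=4, motivation=4)
    vuln = Vulnerability("unpatched remote service", True, difficulty=2)
    opts = [Countermeasure("patch and harden", 3, 10),
            Countermeasure("banner change only", 1, 3)]
    print(residual_risk(agent, vuln, 8))          # constructed inputs
    print(rank_options(agent, vuln, 8, [], opts))
```

The ranking shows why a cheap countermeasure is not automatically the better buy: one that fails to lift the capability bar above the attacker buys no risk reduction at all.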

Some History

The assessment of threats in the political and physical environments has been undertaken since time immemorial at the national and international governmental level. More recently, large organizations in the commercial sector have also started to undertake threat assessments to meet legal and regulatory requirements and to ensure that the protection they implement is cost effective. At the government level, assessments have been undertaken by experienced and skilled analysts who have carried them out over an extended period of time. The assessments produced by these analysts have then been applied to potential threats to the nation states' physical assets. The analysts who have, historically, carried out the analysis of the threat have worked in an environment where the time scales were relatively long and the assets they were analyzing had a physical basis. Even in this environment, we have seen how difficult it is to produce an effective analysis of something like the threat from a nation state. A recent example is Iraq, where despite U.N. weapons inspection teams trying to detect weapons of mass destruction over a number of years, there was still considerable disagreement between a number of nation states on the capabilities of the country. With the benefit of good old 20/20 hindsight and a unique scrutiny from the United States, the United Kingdom, and other countries of the strength and accuracy of the intelligence that was used by the coalition governments to justify their actions, the picture became even more confused. Given that this is an assessment of the threat in which physical assets were being analyzed, you may begin to understand the problems that exist when we move into the new and more complex arena of information and information technologies.

Typically, threat analysts have looked at the threat that is posed by other nation states and terrorist groups. Every country will look at the threat that is posed to its interests, both at home and abroad, and will have skilled analysts who spend their careers specializing in, in all probability, a small section of the threat spectrum. They may concentrate on the threat from one geographical area or country and, over time, gain an in-depth knowledge of the threat capability of that entity. They will isolate key indicators of intent and capability, such as the movement of ships or aircraft, the movement of troops, or perhaps even the movement of key individuals. They will look for indicators of intent in the diplomatic arena (remember that countries normally use the military as a last resort). The point is that where physical action is contemplated, the time scales are normally protracted, with a period of diplomatic activity that is then followed by a period of preparation, where the logistics and armaments are moved to locations that will enable the country to undertake operations. In this period, there is time for the analysis of likely actions and outcomes. If the group of interest is a terrorist group, although there may be no diplomatic phase, the group will still need to acquire the knowledge and equipment needed to carry out the attack and to deploy its resources to the location where they are going to carry out the attack. Although the same is fundamentally true of an attack on an information system, the level of resources required, the preparation time, and the number of observable indicators are all significantly different. In an attack on an information system, the attacker is likely to have available the resources to carry out the attack, and they are not detectable as other types of weapons would be. The preparation time is shortened because there is no requirement to move resources to a location from where they can reach the target, and the threshold for initiating the attack may be at a far lower level.

More Stories By Andy Jones

Andy Jones is a research group leader at the Security Research Centre for British Telecommunications where he is doing research into the security of information and communication systems.

More Stories By Debi Ashenden

Debi Ashenden is a senior research fellow in information assurance at the Royal Military College of Science, Cranfield University, U.K.
