Debi Ashenden

Subscribe to Debi Ashenden: eMailAlertsEmail Alerts
Get Debi Ashenden: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Related Topics: Sustainable Investment

Sustainable Investment: Article

Threat Assessment and Its Input to Risk Assessment

Risk assessment as a business process


A number of factors (affecters) may encourage a threat agent to carry out an attack at a particular time against a particular target or group of targets. Again, these may affect either the target or the threat agent. Examples of this may be the perception that the target system is not well protected during a certain time period and that an attempt to attack it will not be detected or, even if detected, that no follow-up action will be taken.


For a threat agent to carry out a successful attack on a system, there are at least two system-related factors that must be present. The first is that there must be an exploitable vulnerability in the system the threat agent can use. For a vulnerability to be exploitable, it must be known, or there must be an expectation that it will be known to the attacker, and he must have sufficient access to the system to carry out the attack. The vulnerability may exist in the hardware, the operating system software, the applications software, or the physical environment in which the system is contained. The second factor is that the target system must be important enough to the organization that the loss of it or a degradation in its confidentiality, integrity, or availability would have a large enough impact on the business process of the organization to be considered a success by the attacker and/or the organization. Alternatively, it may be the only target available to the threat agent that will satisfy their requirements.

Sequence of Factors Involved in a Threat

As described above, for a threat agent to pose an actual threat to an information system, a number of factors have an influence. In reality, for it to pose a real threat to an information system, the threat agent must possess a capability and be able to gain either physical or electronic access. The level of access and its capability will influence the potential impact that such a threat agent will have. The likelihood of the threat agent being able to mount a successful attack will be reduced by factors that inhibit its ability to and will be enhanced by other factors. In addition, some type of catalyst will cause the threat agent to act when it does, depending on the motivation of the threat agent. The components of a malicious threat and their interrelationships are detailed in Figure 1.

Malicious Threat Agent

Malicious threat agents can be categorized into one of a number of groups. The groups detailed below are neither exclusive (the threat agent may belong to one or more of them) nor exhaustive. The main groups are shown in Figure 2. A malicious threat agent can be generated from any one of the groups or group combinations identified in Figure 2. This is not an exhaustive list of potential sources or groupings of malicious threat agents, because these change over time as high technology, education, national and international politics, culture, and a host of other factors have an effect.


For a malicious threat agent to be effective, it must have the perceived or actual capability to carry out and, if necessary, to sustain an attack and perhaps totally destroy the target and any subsequent replacement. The main constituent elements of the capability of a threat are detailed in Figure 3 . For malicious threat agents to be able to carry out an attack, they must have the means in terms of personnel and equipment and the necessary skills and methods to be successful. They must also, in some cases, have a sustainable depth of capability to achieve their aims.


A range of influences and factors can either inhibit or assist a malicious threat agent in carrying out a successful attack. These have been labeled as inhibitors and amplifiers. It is possible that the same influence, with a different value or in different circumstances, can act to inhibit or amplify either the likelihood of an attack or the potential for success of an attack. An example of this might be the security measures in place to defend a system. If they are weak, this will encourage an attacker to mount the attack; if they are strong, it may deter an attacker or prevent them from succeeding.

The influences that might act as inhibitors are detailed in Figure 4. An inhibitor can work in a number of ways. First, it can reduce the inclination of a threat agent to initiate an attack. Second, it can prevent a threat agent from initiating or carrying out a successful attack. Third, it can minimize the impact a successful attack will have. The fear of being captured as a result of conducting an attack may well act as a sufficient deterrent to the threat agent and cause it to decide not to carry out the attack. If the threat agent perceives its peers or indeed the public will hold him or her in contempt for attempting the attack (for example, if the target was a hospital or a charity), this may be sufficient to inhibit the attack. Also, if the level of technical difficulty that the threat agent encounters is sufficiently high, the threat agent may decide it is not worth the investment of effort required to attempt or continue the attack either on the initial target or at the current time. The factors that come together to inhibit an attack are, or may be, used as part of the protection and defense of the system and can assist in the reduction of the risk to the system.


As mentioned above, the influences that may be an inhibitor in one environment can be an amplifier in another. The influences that might act as amplifiers to an attack taking place or being successful are detailed in Figure 5. The types of influences that amplify or increase the possibility of an attack occurring or being successful are varied and are dependent on the type of threat agent but include factors such as peer pressure or the level of skill or education. In the first of these amplifiers, there is the desire of the threat agent to be well regarded by his or her peers. His or her desire is to gain the recognition and respect of peers through the demonstration of skills, and this will strengthen his or her resolve to carry out the attack. The level of education and skill an agent possesses, or can gain access to, improves the confidence of the threat agent and also increases the likelihood of a successful attack. Another factor can be the ability to gain access to the information the agent needs to mount an attack, in terms of information on the target, other relevant information systems, organizations, or in terms of programming scripts and tools that can be run to conduct an attack; these may also increase the possibility of a successful attack.


The causal factor in a threat agent deciding whether and when to carry out an attack on an information system may be the result of an event, such as a publicity event for an organization with which the threat agent has a dispute or a dislike, or perhaps the start of an armed conflict between the threat agent's country or one for which they have sympathy, and an opponent. Another factor may be the circumstances of the threat agent, and any change (perhaps in location, social grouping, or employment status) may affect their ability or desire to carry out an attack or to be successful.

An attack can also be triggered by the advent of a new technology that makes what was previously not achievable a possibility. Finally, the commercial imperative to gain advantage against a competitor may cause a threat agent to conduct an attack. Figure 6 details some of the main groups of factors that can act as catalysts for an attack being initiated.


The motivation of the threat agent is, by definition, a subjective area, and the threat agent may be influenced by a wide range of factors. Influential factors depend on the grouping or combination of groupings from which the threat agent originates. In some cases a number of these will act together to influence the threat agent.

In this excerpt the term threat, as it is used in this book, has been defined and explained, and the elements that need to be present for a threat agent to cause a problem have been examined. In summary, for a malicious threat agent to be effective, it must have the capability to carry out its attack and also the motivation and the opportunity.

More Stories By Andy Jones

Andy Jones is a research group leader at the Security Research Centre for British Telecommunications where he is doing research into the security of information and communication systems.

More Stories By Debi Ashenden

Debi Ashenden is a senior research fellow in information assurance at the Royal Military College of Science, Cranfield University, U.K.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.