The calculation of risk is fundamental to security assessment and threat modeling. Ultimately, some reliable and repeatable risk methodology will have to be adopted in order for priority decisions to be made about which attack surfaces will receive mitigation, how much mitigation to build, and which risks can be tolerated without unduly impinging on an organization’s mission.
In an effort to simplify risk calculation such that it can be performed rapidly during security assessments, we’ve proposed a rather simple approach: All of the terms in our “credible attack vector” must be true in order for a threat agent to be able to exercise a vulnerability. Even if there is a credible attack vector, the impact of the exploit must be significant or there is no risk.
The terms in a credible attack vector are:
- • Threat (exploit)
- • Exposure
- • Vulnerability
Each of these terms is further broken down so that the aspects of a successful attack can be assessed in separate and distinct terms. In fact, we propose substituting credible attack vector for the probability term in the standard, well-known insurance risk equation that was presented at the beginning of this chapter.
When we build security defenses, we can use a simplified Boolean approach to each of the terms in credible attack vector. To interrupt any single term is to prevent an attack. This simplified approach allows us to more precisely specify security controls as we build our defense-in-depth.
In this chapter, we have narrowed the scope of the term “risk” to precisely fit the purpose of security assessment and threat modeling. We have proposed one methodology as an example of how risk can be understood and rated fairly easily. Whatever methodology is used, it will have to be repeatable by the analysts who’ll provide security assessments, build threat models, and provide requirements for a system’s security posture.