Threat Assessment and Its Input to Risk Assessment
Risk assessment as a business process

About this Article

This article is an excerpt from Risk Management for Computer Security: Protecting Your Network & Information Assets. Printed with permission from Butterworth-Heinemann, a division of Elsevier. Copyright 2005. For more information about this book and other similar titles, please visit www.books.elsevier.com.

In this excerpt we examine the role of threat assessment and its importance in the accurate and effective assessment of risk.

Threat

It seems appropriate to start this chapter by explaining what is meant by a threat assessment. In information security, "threat" is probably one of the most abused and misunderstood terms, and it is often used interchangeably with the term "vulnerability." In this book, the word "threat" is used to describe those "things" that may pose a danger to information systems; for clarity, the term "threat agents" is also used. What we are actually referring to is those agents, whether intentional or accidental, that have the opportunity to exploit a vulnerability in the security of information systems and may do so.

The Internet Request For Comments (RFC) Glossary of terms describes threat in the following ways to cover differing environments:

  • Internet usage: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability. A threat can be either "intentional" (i.e., intelligent; e.g., an individual cracker or a criminal) or "accidental" (e.g., the possibility of a computer malfunctioning, or the possibility of an "act of God" such as an earthquake, a fire, or a tornado).
In some contexts, such as the following, the term is used narrowly to refer only to intelligent threats:
  • U.S. government usage: The technical and operational capability of a hostile entity to detect, exploit, or subvert friendly information systems and the demonstrated, presumed, or inferred intent of that entity to conduct such activity.
British Standard (BS) 7799, which has been developed into International Standard (ISO/IEC) 17799:2000 - Code of Practice for Information Security Management, is one of the most relevant documents and standards in this area and defines threats, risks, vulnerabilities, and assets as follows:
  • Threats are anything that could cause harm to your assets, and vulnerabilities are weaknesses in your security arrangements that make it easy for these threats to occur. For example, if you have no backup of your data you are vulnerable and make the threat "loss of data" likely to occur.
  • Risks describe the probability that a damaging incident is happening (when a threat occurs because of a vulnerability), as well as the possible damage if this incident takes place.
  • Assets are something that has value to your company and how it is carrying out its business operations.
The BS 7799 definition of information security also defines those aspects that it is safeguarding, as follows:
  • Confidentiality of information: Ensuring that it is accessible only to those authorized to have access.
  • Integrity of information: Safeguarding its accuracy and completeness.
  • Availability of information: Ensuring that authorized users have access to it when required.
In developing a common vocabulary of terms, it is important that we recognize other standard definitions such as the ISO/IEC Guide 73 Vocabulary for Risk Management - Guidelines for Use in Standards. In this document, risk is defined as "the combination of the probability of an event and its consequence." Risk assessment is defined as "overall process of risk analysis and risk evaluation."

Threat Assessment

A threat assessment is an integral and essential element of the risk assessment and risk management processes. If an organization wants to undertake an effective risk assessment for its information systems, so that rational and considered decisions can be taken, then it is essential that an accurate picture of the threats to the organization is understood. It must be clearly understood that risk assessment is a business process. The need to carry out these assessments of the risks to information assets, or to other assets of an organization, has been brought about by the proliferation in the use of information and communications technologies and the convergence of these technologies over the last three decades. This massive increase in the use of these systems, and the subsequent dependence on them, has resulted in significant changes in the level and type of threat to the information environment that we have, whether knowingly or in ignorance, come to rely on.

The way in which we assess the threat that is posed to an information environment has not developed at a pace that has matched the rate of change and adoption of the technologies, with the result that we are still using tools and techniques from a previous environment. It is also a reality that the way in which we assess threat has not yet transitioned from art to science. As a result of using tools and techniques that were developed for non-technology-based systems, there is currently no way in which the threats, as opposed to the vulnerabilities, to information systems can be either modeled or quantified in any meaningful or repeatable manner that will allow the decision makers to take informed decisions.

In this heavily dependent and rapidly changing environment, where technology is offering new opportunities and matching problems, all types of organizations, from governments to commerce to academia, increasingly need to produce meaningful risk assessments. On the basis of these assessments they decide the level of investment required to establish, and then maintain, the appropriate levels of confidentiality, integrity, and availability for their information. This is not possible without assessing threats as well as vulnerabilities.

About Andy Jones
Andy Jones is a research group leader at the Security Research Centre for British Telecommunications where he is doing research into the security of information and communication systems.

About Debi Ashenden
Debi Ashenden is a senior research fellow in information assurance at the Royal Military College of Science, Cranfield University, U.K.
