A threat risk assessment will help you identify key threats and assets, and also help…
Health data breaches have recently made the news, such as the attack on Arizona-based Banner Health that potentially affected 3.7 million patients. In that case the data may have been compromised after an employee of the organization accessed corporate data outside of normal job duties, without following existing regulations.
Such examples show how attacks targeting companies' assets and critical information, often resulting in major data breaches, are increasing and becoming a dominant source of concern. Although it is impossible to remove all risk, an organization can reevaluate its strategy towards risk and decide which risks it is going to accept and which it is going to treat, thereby reducing its overall risk exposure.
One of the first steps your company should consider is a threat risk assessment, or better yet, a cybersecurity posture assessment that gives you an overview of your current security posture and recommendations on where to go next.
Why Perform a Threat Risk Assessment?
One of the main purposes of performing a Threat Risk Assessment (TRA) is to ensure that policy and appliance settings across the organizational infrastructure keep risk at an acceptable level. The organization may also narrow the review to specific areas or issues.
Goals of a TRA
- Define the industry norms for security settings/use in scope and determine if the organization meets the current industry norms;
- Provide an estimate of risk according to the current state of the organization’s security posture;
- Assess the residual risk, and analyze what controls could be used to reduce that residual risk.
To achieve these goals, a Security Consultant analyzes the initial risks and looks for controls that could reduce them, while keeping the quality and functionality of the organization's services unchanged. To develop mitigation strategies, 'industry norms' are analyzed alongside the specific standards the organization may already be following. Assuming the recommendations are discussed and applied within the organization, the risks are then re-scored: the 'very high' risks should be virtually eliminated, together with every 'high' risk that can be removed immediately. Some 'high' risks stem from a number of vulnerabilities that are harder to fix in the short term, and these take longer to bring down.
Adopting TRA-1 Methodology
Consultants usually follow TRA-1, the 'Harmonized Threat and Risk Assessment Methodology' published by the Canadian government (CSE and RCMP). TRAs provide a systematic way of understanding risks, exploring them from the perspective of the enterprise's interests and how a particular project will affect those interests. The methodology also attempts to quantify the risks so that enterprise resources can be deployed where they reduce the most serious risks to an acceptable level. While no risk can ever be removed completely, this systematic procedure helps organizations bring risk down to an appropriate level using the fewest resources necessary.
A TRA process follows the following steps:
- Identifying the assets, threats, and controls implementation relevant to the project scope.
- Assigning asset values that rank each asset's importance with respect to confidentiality, integrity and availability. The list of assets defines the scope of the TRA.
- Assigning a 'threat score' to each threat that combines (1) its probability of occurrence with (2) its severity if it does occur. Because every score stays on the 1-to-5 scale, this is not a raw product: in the healthcare example below, a probability of 2 and a severity of 4 give a threat score of 3.
- Assigning a score to the controls implementation: this score is high for a missing control (equivalent to a vulnerability that is easy to exploit) and low for a well-implemented control.
All scores are integers from 1 to 5. The exact assignment of numerical values to the assets, threats and control implementation is part of the 'art' of the threat and risk assessment. Once the list of assets, threats and vulnerabilities is generated and a value is assigned to each element, the TRA continues by linking threats, controls and assets together in a plausible risk scenario:
A threat (i) exploits a vulnerability/missing control (j), which affects an asset (k).
The values assigned in the initial procedure are then multiplied to obtain a 'risk score' for the scenario identified by (i,j,k).
Risk scores fall into five bands: 1-4 (very low risk), 5-12 (low risk), 15-32 (medium risk), 36-75 (high risk) and 80-125 (very high risk). The gaps between bands (13-14, 33-35, 76-79) are harmless: a risk score is the product of three integers from 1 to 5, and none of those values can be produced.
Healthcare Industry Examples
The healthcare industry is a good example because it is under constant attack for its sensitive patient information. Consider the scenario in which a motivated attacker steals an iPad in order to obtain health information about a politician for malicious purposes. Asset: patient data (confidentiality is impacted), score = 3.
With the threat probability low (2) and the severity mid-to-high (4), the threat score = 3. Knowing that the patient data is stored unencrypted on the tablet, with no passcode protection, the control score = 5 (very poor safeguards).
Following the TRA calculation, the risk score is 3 * 5 * 3 = 45. This falls into the 'high risk' band and is probably worth mitigating. Here the security practitioner would suggest a mitigation strategy that introduces controls so that data is no longer stored locally on the device and a passcode is enforced to access the patient information.
Assigning the updated control (j) a value of 2 gives a risk score of 3 * 2 * 3 = 18 (medium risk), which may be acceptable for the scope of the project. Note that only the control term changed: the attacker's motivation and the sensitivity of the data are the same as before, so the threat score and the asset value are not revised.
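The scoring procedure above and the iPad scenario, carried through in code as an added example (this is not code from the original article or from the TRA-1 methodology). The five risk bands and the scenario's numbers are taken from the text; the way `threat_score` folds probability and severity back onto the 1-to-5 scale is an assumption, chosen because it reproduces the article's numbers (2 and 4 give 3). The scenario strings, the `Scenario` class and `band_gaps` are illustrative names, not part of TRA-1.

```python
"""TRA-style risk scoring: risk = asset value x threat score x control score.

Added example, not from the original article or the TRA-1 document.
Bands and the iPad scenario numbers come from the article; the way a threat
score is derived from probability and severity is an assumption (see below).
"""
from dataclasses import dataclass, replace
from itertools import product

SCALE = range(1, 6)  # every individual score is an integer from 1 to 5

# Risk bands as listed in the article: (low, high, label), bounds inclusive
RISK_BANDS = (
    (1, 4, "very low"),
    (5, 12, "low"),
    (15, 32, "medium"),
    (36, 75, "high"),
    (80, 125, "very high"),
)


def check_score(name, value):
    """Reject anything outside 1..5; a typo here silently skews every product."""
    if not isinstance(value, int) or value not in SCALE:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def threat_score(probability, severity):
    """Combine probability and severity back onto the 1..5 scale.

    ASSUMPTION: the article combines the two but a raw product would leave
    the 1..5 range. Rounding the mean half-up reproduces its example
    (probability 2, severity 4 -> 3). If you follow TRA-1 to the letter,
    substitute its own lookup tables here.
    """
    check_score("probability", probability)
    check_score("severity", severity)
    return (probability + severity + 1) // 2


def risk_band(score):
    """Map a risk score onto the article's five bands."""
    for low, high, label in RISK_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"risk score {score} is not covered by any band")


@dataclass(frozen=True)
class Scenario:
    """One (i, j, k) triple: threat i exploits control gap j affecting asset k."""
    threat: str
    control_gap: str
    asset: str
    threat_score: int
    control_score: int   # 5 = control missing or trivially bypassed, 1 = well implemented
    asset_value: int     # 5 = most critical for confidentiality/integrity/availability

    def risk_score(self):
        return (check_score("threat score", self.threat_score)
                * check_score("control score", self.control_score)
                * check_score("asset value", self.asset_value))

    def risk(self):
        score = self.risk_score()
        return score, risk_band(score)


def ipad_theft_example():
    """The article's healthcare scenario before and after the proposed controls."""
    before = Scenario(
        threat="motivated attacker steals a clinician's iPad",      # constructed wording
        control_gap="patient data stored locally, no passcode, no encryption",
        asset="patient data (confidentiality)",
        threat_score=threat_score(probability=2, severity=4),  # -> 3
        control_score=5,
        asset_value=3,
    )
    # Mitigation changes only the control term: the attacker's motivation and
    # the data's sensitivity are unchanged, so threat and asset scores stay put.
    after = replace(before,
                    control_gap="no local storage, passcode enforced",
                    control_score=2)
    return before.risk(), after.risk()


def reachable_scores():
    """Every product of three scores from 1..5 (30 distinct values)."""
    return sorted({a * t * c for a, t, c in product(SCALE, repeat=3)})


def band_gaps():
    """Integers 1..125 no band covers, and which of those a scenario could hit."""
    uncovered = [n for n in range(1, 126)
                 if not any(low <= n <= high for low, high, _ in RISK_BANDS)]
    reachable = set(reachable_scores())
    hittable = [n for n in uncovered if n in reachable]
    return uncovered, hittable   # hittable is empty: the gaps are harmless


if __name__ == "__main__":
    for label, (score, band) in zip(("before", "after"), ipad_theft_example()):
        print(f"{label:>6}: risk score {score:3d} -> {band}")
    uncovered, hittable = band_gaps()
    print("uncovered integers:", uncovered, "| reachable among them:", hittable)
```

Running the block prints the 45 (high) and 18 (medium) results from the text, and `band_gaps` confirms that the unlabelled integers between bands can never be produced by a product of three 1-to-5 scores. Keeping `check_score` strict matters in practice: a register with a threat score of 0 or 6 pasted in from a spreadsheet would otherwise quietly collapse or inflate every scenario built on it.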
How long does a Threat Risk Assessment take?
The effort needed for a TRA can be estimated, but it depends strictly on the scope of the project. A typical estimate falls within the range of 160-250 hours.
In most cases, the first and last phases of the engagement have a standard duration: one (1) day for the engagement initiation phase, and one (1) week for writing the final report and the summary presentation. The middle part of the project depends entirely on the scope and is divided into two phases:
- The System Description Development (SDD) phase, in which all variables are defined (assets, threats, controls). This phase requires 1-2 full weeks of work.
- The TRA Analysis phase, in which all combinations of the variables are enumerated, scenarios are built and the calculation is performed. In general, this phase requires 2 weeks of work.
Final Note: As mentioned earlier, every Threat Risk Assessment’s scope is different. This information is for indication purposes only.