Monday, January 20, 2014

What is Threat Analysis?

Threat analysis is the process of determining the likelihood of harmful things occurring to your assets – who will do what to what systems. This information, coupled with the value of each of your systems, forms the basis for making sound security decisions.

A threat is an indication of an impending event that is harmful.[1] Something that is impending and harmful to one entity may not be to another. A 6.0 magnitude earthquake is harmful. Whether an earthquake is impending or not depends on location. According to the U.S. Geological Survey, there is a 90% probability of a 6.0 or greater magnitude earthquake occurring in the San Francisco Bay region before 2037. There is a 0% probability of a similar magnitude earthquake occurring in Bismarck, North Dakota, during the same period. Earthquakes are a threat to those who live in San Francisco. Earthquakes are not a threat to those who live in Bismarck. Interestingly, with all the recent hydraulic fracturing in North Dakota, the USGS may have to reassess its Bismarck earthquake assessment.

Just as the threat of earthquakes varies by geographic location, information security threats vary by entity and by asset. Consider the simple example of the threat of customer account takeover through stolen customer authentication credentials for a bank and a local auto repair shop. The threat is real and pressing for the bank if it has an online banking system, but it doesn’t even apply to a local auto repair shop. Even for two financial institutions, the threat significance could differ based on factors such as the type of data and the transaction capabilities of their online banking system, the size and profile of their base, and even the geography they serve. For banks, the large institutions often see threat activity years before the small ones do. The threat applicability and significance differ based on the organization and the asset in question.