I interviewed with a firm to do Information Security consulting. They had a list of all the regulatory security needs. They then asked what else I thought they needed. I responded with one question.
What are you trying to defend?
This is the decision that should drive any security mindset. This is the core question found behind threat modeling.
Security is focused on risk. The risk equation says the quantified risk is equal to a threat times a vulnerability times impact. It is very similar to the formula that businesses use to calculate expected returns based on a set of investment options.
A vulnerability is how adversaries come after you. An example is a thief entering a door someone forgot to lock. Impact is the cost associated with an incident. An example is money lost from lack of sales due to a downed website. A threat is an adversary that causes harm. An example is activists protesting to shut down an organization’s business.
Many businesses start with basics. People know computers need antivirus, and they’ve heard of firewalls. But the more security they add, the more expensive it gets. The amount of security spending should be proportionate to the risk faced. And that starts with a question. What are you trying to defend?
This is where an organization needs to think like an adversary. How would someone hurt an organization, and how would an organization prevent that? Be creative. Start with the biggest impact. What would cripple the business? The loss of money? How would the money be lost? Armed robbery, business email compromise (scammers), or spending on the wrong resources?
The Threat
Who can do this? It isn’t necessary to name specific people like the neighbor, Bob. Thieves who want money would commit robbery. Scammers who want to convince an organization to send money for some seemingly legitimate reason would commit digital fraud.
The Vulnerability
How would they exploit an organization’s status quo? Robbers have an easier time if there’s no armed security. Scammers, pretending to be trusted parties to get an organization to send money, count on people to willingly trust.
Think of each of these factors and how someone would prevent that. For example, scammers are easily thwarted by doublechecking with the person who they are impersonating via another method of communication. For example, if the request comes in from the “CEO” over e-mail, call or text the CEO using a known contact number to confirm.
A measured, proportionate defense should be tailored to mitigate a vulnerability for a given threat. Safety deposit boxes provide great security for important documents at a reasonable price. They work well for items that they rarely needed, but if someone needs frequent access to something, a safety deposit box becomes an unreasonable solution.
People don’t usually put car keys in a safety deposit box.
Threat modeling comes down to identifying the things that would hurt the organization to lose, understanding how someone could cause the organization to lose them, and what type of adversary would come for those things with the skill to achieve their aims. Answering these questions will help an organization spend their finite security resources in the most strategic manner possible.
Comments