Marcum 2021 Year-End Tax Guide
The Importance of Performing a Cybersecurity Threat Assessment

Mom! Dad! There’s a monster under my bed! If you’ve ever responded to a call like this from your kids, congratulations – you’ve conducted a threat assessment. A threat assessment is basically identifying things that could harm your assets and assessing their ability to do so. Hopefully in this case you can convince your child that there is no threat under the bed, the risk of getting eaten is quite low, and it’s okay to go back to sleep.

Threat assessments are part of an overall process called risk management. What is risk? Essentially, measurable uncertainty. Management expert Peter Drucker said, “If you can’t measure it, you can’t improve it.” Measurability is a must. And if it’s not uncertain, then technically there is no risk. For example, what is the “risk” of the sun not rising tomorrow? No insurance company would insure against it, because the sun does rise. It’s not insurable because it’s certain, and therefore not a risk.

Cybersecurity risk management is all about reducing the probability or potential severity of incidents that could damage or destroy your IT resources or the information within. As security professionals, our responsibility is to help managers make informed, risk-based decisions. We do that by considering the components of the risk equation:

RISK = THREAT * VULNERABILITY * ASSET IMPACT

Threats are sources of harm. They could be human (e.g., hacker, disgruntled employee), technical (e.g., malware, hard drive failure), or natural (e.g., hurricane, fire). Note one important characteristic of nearly all threats: they are outside of your control. You can’t control an earthquake, you can’t control a hacker in Pyongyang, and you can’t control the behavior of compiled malicious code. In each case, the threat is going to do what it’s going to do. To reduce risk, we need to focus on the other elements of the equation. Keep reading as we build out our threat model.

Vulnerabilities occur when assets are exposed to threat actors. Vulnerabilities are often things we can control, or at least influence. For example, if you want to reduce the risk of a hurricane damaging your office in Florida, you can move operations to Nevada. You haven’t changed the hurricane, but you’ve certainly changed its ability to affect your asset. A lot of risk management is vulnerability management, because there are often changes we can make that measurably reduce our risk.

Asset impact refers to how much damage a threat can do to an asset. For example, reinforcing our Florida office to be hurricane-resistant doesn’t change the threat or the vulnerability, but it significantly reduces the asset impact. In many cases, however, we’re stuck with our assets as they are, and thus this becomes a constant in our risk equation.

So, back to threat assessment. Threat assessment involves identifying threats, determining the seriousness of each threat, and prioritizing how to manage threat actors. Threat intelligence is information about potential adversaries. Think
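To show how the three factors combine into a ranked list, and which factor a given control actually moves, here is an added Python example (not from the Marcum guide) that scores a small constructed risk register on 1-5 scales; the scenario names, the scores and the apply_control helper are assumptions made for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One row of a risk register, scored on constructed 1-5 scales."""
    name: str
    threat: int         # capability/likelihood of the threat source (outside our control)
    vulnerability: int  # how exposed the asset is to that threat
    impact: int         # how much damage the threat can do to the asset

    @property
    def risk(self) -> int:
        # The page's equation: RISK = THREAT * VULNERABILITY * ASSET IMPACT
        return self.threat * self.vulnerability * self.impact


def prioritize(scenarios):
    """Order scenarios highest risk first (ties broken by name) to decide what to treat first."""
    return sorted(scenarios, key=lambda s: (-s.risk, s.name))


def apply_control(scenario, vulnerability=None, impact=None):
    """Model a control. Relocating lowers vulnerability, hardening lowers impact;
    the threat score is deliberately not a parameter because we cannot change it."""
    changes = {}
    if vulnerability is not None:
        changes["vulnerability"] = vulnerability
    if impact is not None:
        changes["impact"] = impact
    return replace(scenario, **changes)


# Constructed register for a hypothetical firm with a Florida office.
REGISTER = [
    Scenario("Hurricane damages Florida office", threat=4, vulnerability=5, impact=4),
    Scenario("Ransomware delivered by phishing", threat=5, vulnerability=3, impact=5),
    Scenario("Disgruntled employee leaks client data", threat=2, vulnerability=4, impact=4),
    Scenario("Hard drive failure on file server", threat=3, vulnerability=2, impact=3),
]

if __name__ == "__main__":
    for s in prioritize(REGISTER):
        print(f"{s.risk:3d}  {s.name}")
    hurricane = REGISTER[0]
    print("move to Nevada   ->", apply_control(hurricane, vulnerability=1).risk)  # 16
    print("reinforce office ->", apply_control(hurricane, impact=2).risk)         # 40
```

The hurricane row scores 80 before any control; moving operations (vulnerability 5 to 1) takes it to 16 while reinforcing the office (impact 4 to 2) takes it to 40, and in both cases the threat score stays at 4.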
marcumllp.com | 37