Security Threat and Risk Assessment Approaches

Last updated on August 21, 2023

Introduction

This page explains the differences between, and the pros and cons of, control-driven, threat modeling, and hybrid approaches to a Security Threat and Risk Assessment.

Control driven approach

Approach description:

A control-driven approach identifies threats and vulnerabilities by working from a pre-canned set of controls appropriate for the system being assessed. The primary risk evaluator, usually an information technology (IT) or information security professional, reviews and assesses every control in the set against the system. When a control is observed not to be met, the primary risk evaluator investigates the related threat or vulnerability further and determines what it means to the organization, what the overall risk is, how likely the risk is to occur, and the potential impact. The risk is then recorded as part of the Security Threat and Risk Assessment process and a summary of the risk is documented in the Statement of Acceptable Risk artefact.

This approach is also sometimes referred to as a “compliance driven approach”, though it is important to remember that the objective of compliance on its own is slightly different from that of compliance-driven risk management. The objective of compliance is to demonstrate that a policy, standard, or rule of some sort is met. The objective of risk management is to identify and reduce risk to a level acceptable to the organization. A system can be compliant with a standard without being secure (e.g. standards can be dated), and a system can be secure without being compliant (e.g. a standard may require a higher level of security which the organization wants met, possibly where a high level of assurance is desired for a business reason). With this approach compliance and risk management are both considered, and the primary intended output is the identification of risks.

Approach pros:

  • The primary risk evaluator can have a basic level of expertise and knowledge and still be able to reasonably perform the risk assessment. This increases the potential that staff or contract resources would be capable of performing a risk assessment.
  • Similar systems are assessed equally using similar controls which allows for metrics, benchmarking, and comparisons.
  • Auditors may like the control formatted artefacts which result from this approach in the event of an audit, as it potentially makes their assessment easier.

Approach cons:

  • Many control sets are long, in excess of 100 controls. This can result in an assessment which takes a long time.
  • Some controls may not be applicable and could cause delay and distraction, taking away from the timely assessment of risks to a system.
  • The risk assessment potentially could lack depth of understanding for the discovered risks which could make it challenging to produce defensible evidence if ever audited.

Threat modeling approach

Approach description:

Threat modeling is an approach used by primary risk evaluators, usually information technology (IT) and information security professionals, to identify threats and vulnerabilities in a structured manner. Threat modeling will typically attempt to quantify the severity of each threat or vulnerability and helps toward the overall assessment and determination of security risks which may be present.

Creating a threat model typically involves reviewing a system's architecture and configuration, and reviewing its interconnections to other systems and components. Observations from these sources drive the discovery of risk. When a threat or vulnerability is uncovered, the primary risk evaluator digs into it further to determine what it means to the organization, what the overall risk is, how likely the risk is to occur, and the potential impact. The risk is then recorded as part of the Security Threat and Risk Assessment process and a summary of the risk is documented in the Statement of Acceptable Risk artefact.

There are a variety of threat modeling frameworks which can be used, each with their own minor variations to the approach stated above. For example: 1) STRIDE, 2) OWASP Application Threat Modeling, 3) OCTAVE, 4) Trike, 5) P.A.S.T.A.

Approach pros:

  • The assessment is tailored to the system.
  • The identified risks are well quantified because of the supporting information which was assessed to find them, so it is more likely that evidence related to risk findings could be produced in a defensible manner to an auditor if ever audited.

Approach cons:

  • The primary risk evaluator usually needs to be a technical expert with a high level of expertise. This restricts who can perform the risk assessment, which can be challenging in situations where staff or contract resources are sparse.
  • A primary risk evaluator who has technical expertise is likely to be detail oriented. While this is also a pro in many regards, the con is that the primary risk evaluator may go down rabbit holes and get bogged down there. The primary risk evaluator may go deep on a risk or a category of risk and miss a whole other set of risks because of the narrow focus on a specific area. Because there is no guidance from a control set in a purely threat modeling approach, nothing helps the primary risk evaluator think more broadly or at a higher level, aside from their existing professional knowledge. Threat modeling can take a lot of discipline to avoid getting stuck.
  • In the event of an audit it may take more work for an auditor to link a risk finding to a control which they may be assessing against. This could result in audits taking longer.

Hybrid approach

Approach description:

A hybrid approach uses elements from both the control-driven and threat modeling approaches and is not as rigid. With the hybrid approach, the primary risk evaluator can use a control set as a reference to help think about potential risks, but is not constrained by the control set and does not need to assess every control if it is deemed low value or not applicable. This helps to keep a risk assessment efficient and timely. In the same way, the risk assessor can use threat modeling techniques where appropriate to augment the discovery or understanding of risks in a way tailored to the system. This helps with risks which might otherwise have gone unfound, or not been understood, under a strictly control-driven approach. The use of threat modeling as part of the hybrid approach lets the primary risk evaluator delve deeper where it is needed and appropriate. In a hybrid approach the primary risk evaluator can toggle between identifying risks from controls and from threat modeling, with the objective of producing a well-balanced and efficient risk assessment. The ability to toggle in this manner also allows the risk assessor to keep the assessment of a risk at a higher level where appropriate (e.g. if the business impact would be low there may be less need to go deep on a risk).
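The following Python script is an added illustration of the hybrid workflow described above; it is not part of the original page and does not come from any particular STRA toolkit. It walks a constructed control set (skipping controls marked not applicable or deferred), takes constructed STRIDE-style threat model findings, merges findings that reference a failed control into that control's risk, and ranks the result by likelihood × impact. Findings that reference no control are kept but flagged, which is the audit-linkage concern raised for the pure threat modeling approach. Control identifiers, titles, findings and scores are all sample data constructed for the example; the merge rule (keep the higher likelihood and impact, union the control references) is an assumption.

```python
"""Hybrid STRA walk-through: control checklist plus STRIDE findings merged into one
ranked risk register with control cross-references. Added example; all data is
constructed sample data, not from any real assessment."""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    MET = "met"
    NOT_MET = "not met"
    NOT_APPLICABLE = "n/a"      # skipped under the hybrid approach
    DEFERRED = "deferred"       # judged low value for this system; not assessed


@dataclass
class ControlResult:
    control_id: str             # constructed identifier
    title: str
    status: Status
    likelihood: int = 0         # 1..5, only meaningful when NOT_MET
    impact: int = 0             # 1..5, only meaningful when NOT_MET


@dataclass
class ThreatFinding:
    stride: str                 # STRIDE category the finding falls under
    description: str
    likelihood: int
    impact: int
    related_controls: list = field(default_factory=list)   # may be empty


@dataclass
class Risk:
    source: str                 # "control", "threat model" or both
    summary: str
    likelihood: int
    impact: int
    controls: list              # control ids an auditor can trace this risk to

    @property
    def score(self) -> int:     # simple likelihood x impact rating (assumed scale)
        return self.likelihood * self.impact


def control_coverage(results):
    """Count controls by status so the assessment records what was and was not assessed."""
    counts = {s.value: 0 for s in Status}
    for r in results:
        counts[r.status.value] += 1
    return counts


def build_register(results, findings):
    """Merge control-derived risks and threat model findings into a ranked register."""
    register = {}
    for r in results:
        if r.status is Status.NOT_MET:     # MET, N/A and DEFERRED controls raise no risk
            register[r.control_id] = Risk("control", f"{r.control_id}: {r.title} not met",
                                          r.likelihood, r.impact, [r.control_id])
    unlinked = 0
    for f in findings:
        matched = [c for c in f.related_controls if c in register]
        entry = f"[{f.stride}] {f.description}"
        if matched:                        # fold the finding into the failed control's risk
            existing = register[matched[0]]
            existing.likelihood = max(existing.likelihood, f.likelihood)
            existing.impact = max(existing.impact, f.impact)
            existing.summary += "; " + entry
            existing.source = "control + threat model"
            for c in f.related_controls:   # keep every referenced control for traceability
                if c not in existing.controls:
                    existing.controls.append(c)
        else:                              # no control to trace to: keep, but as its own row
            unlinked += 1
            register[f"TM-{unlinked}"] = Risk("threat model", entry, f.likelihood, f.impact,
                                              list(f.related_controls))
    return sorted(register.values(), key=lambda r: -r.score)


def unlinked_risks(register):
    """Risks with no control reference; an auditor will need extra explanation for these."""
    return [r for r in register if not r.controls]


# Constructed sample data for a cloud-hosted web application.
SAMPLE_CONTROLS = [
    ControlResult("C-01", "Multi-factor authentication for administrative access", Status.NOT_MET, 4, 5),
    ControlResult("C-02", "Audit logging enabled and centrally collected", Status.NOT_MET, 3, 3),
    ControlResult("C-03", "Encryption of data at rest", Status.MET),
    ControlResult("C-04", "Physical security of on-premises server room", Status.NOT_APPLICABLE),
    ControlResult("C-05", "Wireless network segmentation", Status.DEFERRED),
]
SAMPLE_FINDINGS = [
    ThreatFinding("Spoofing", "Admin console reachable from the internet with password-only login", 4, 5, ["C-01"]),
    ThreatFinding("Tampering", "Deployment pipeline can push unsigned artifacts to production", 3, 4),
    ThreatFinding("Repudiation", "Application logs lack a user identifier on write operations", 2, 3, ["C-02"]),
]

if __name__ == "__main__":
    print("Control coverage:", control_coverage(SAMPLE_CONTROLS))
    for risk in build_register(SAMPLE_CONTROLS, SAMPLE_FINDINGS):
        print(f"{risk.score:>3}  {risk.source:<22} {risk.controls or '(no control reference)'}  {risk.summary}")
```

Run as a script it prints the coverage counts and the ranked register, which is the raw material for a Statement of Acceptable Risk summary. The deferred and not-applicable controls are still counted in the coverage line so that the decision to skip them is recorded rather than silent.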

Approach pros:

  • The primary risk evaluator can have a medium level of expertise, as gaps in their knowledge can be filled from the reference control set(s) used. This increases the potential that staff or contract resources would be capable of performing a risk assessment.
  • More likely to result in efficient assessments, as the approach takes the best qualities from both a control-driven and a threat modeling approach while leaving their respective inefficiencies to the side.
  • Efficient assessment due to the flexibility of the approach and the empowerment of the primary risk evaluator to use the tools available to them to identify risk. This means the potential to get through more assessments within a defined time period without fundamentally compromising the quality of the assessment.
  • Easier for a risk assessor to avoid getting stuck on a risk or class of risks when threat modeling, as control references help to paint a bigger overall picture for the assessment. The primary risk evaluator can avoid going too narrowly down a certain path.
  • Outputs from the risk assessment may reasonably align to controls which an auditor may use.
  • There is a reasonable chance that identified risks will be defensible if ever audited.

Approach cons:

  • May be viewed as a less structured approach (due to the flexibility).
  • The methodology used may take some explanation to an auditor if ever audited.

Conclusion

In conclusion, for those new to assessing security risk, or new to the field of information security, taking a control-driven approach is a good option. It provides a high level of structure and guidance to the activity, and results in an end product which is audit worthy. This approach can be time consuming, though, and may result in a backlog of risk assessments if used exclusively by a security team. To address the backlog more staff may be needed, or a decision point may need to occur where another approach is explored.

For those who are more seasoned security professionals a threat modeling approach may be preferred. This is an approach which can be very tailored to the system being assessed, and which can uncover important security risks which otherwise might be missed by a control driven approach. The success of this approach largely depends on the security professional’s ability to avoid going down rabbit holes and getting stuck, which can also result in backlogs of risk assessments. A high degree of self-control is needed by the security professional in this regard. This approach is not well-suited for all security professionals.

A hybrid approach provides the most balanced option. This approach is useful to information security professionals with a medium level of expertise or higher. The most significant benefit of this approach is that it produces a quality assessment which can reasonably withstand the scrutiny of audit, has a faster time-to-completion, and is not wasteful of staff time or organizational resources. A hybrid approach helps the security professional to avoid distraction in the risk assessment process and keeps the assessment focused on the asset being assessed. It takes the best aspects of the control-driven and threat modeling approaches, without the waste. For this reason, a hybrid approach is recommended.