This explains the differences, pros, and cons of control driven, threat modeling, and hybrid approaches to a Security Threat and Risk Assessment.
A control driven approach identifies threats and vulnerabilities by working from a pre-canned set of controls appropriate for the system being assessed. Every control in the set is reviewed and assessed. The primary risk evaluator, usually an information technology (IT) or information security professional, reviews each control in the set against the system. When a control is observed not to be met, the primary risk evaluator investigates the related threat or vulnerability further, then determines what it means to the organization, what the overall risk is, how likely the risk is to occur, and the potential impact. The risk is recorded as part of the Security Threat and Risk Assessment process and a summary of the risk is documented in the Statement of Acceptable Risk artefact.
This approach is also sometimes referred to as a “compliance driven approach”, though it is important to remember that the objective of compliance on its own differs from that of compliance driven risk management. The objective of compliance is to demonstrate that a policy, standard, or rule of some sort is met. The objective of risk management is to identify and reduce risk to a level acceptable to the organization. A system can be compliant with a standard without being secure (e.g. standards can be dated), and a system can be secure without being compliant (e.g. a standard may require a higher level of security than the organization needs, or the organization may want a high level of assurance for a business reason that no standard requires). With this approach compliance and risk management are both considered, and the primary intended output is the identification of risks.
Threat modeling is an approach used by primary risk evaluators, usually information technology (IT) and information security professionals, to identify threats and vulnerabilities in a structured manner. Threat modeling typically attempts to quantify the severity of each threat or vulnerability, which feeds the overall assessment and determination of the security risks that may be present.
Creating a threat model typically involves reviewing a system's architecture and configuration, and its interconnections to other systems and components. Observations from these sources are what drive the discovery of risk. When a threat or vulnerability is uncovered, the primary risk evaluator digs into it further to determine what it means to the organization, what the overall risk is, how likely the risk is to occur, and the potential impact. The risk is then recorded as part of the Security Threat and Risk Assessment process and a summary of the risk is documented in the Statement of Acceptable Risk artefact.
There are a variety of threat modeling frameworks which can be used, each with its own minor variations on the approach stated above, for example STRIDE, OWASP Application Threat Modeling, OCTAVE, Trike, and P.A.S.T.A.
A hybrid approach uses elements from both the control driven and threat modeling approaches and is less rigid than either. With the hybrid approach, the primary risk evaluator can use a control set as a reference to help think about potential risks, but is not constrained by it and does not need to assess every control if a control is deemed low value or not applicable. This helps keep a risk assessment efficient and timely. In the same way, the primary risk evaluator can use threat modeling techniques where appropriate to augment the discovery or understanding of risks in a way tailored to the system. This can surface risks which might otherwise have gone unfound, or not been understood, under a strictly control driven approach. The use of threat modeling within the hybrid approach lets the primary risk evaluator delve deeper where it is needed and appropriate. In a hybrid approach the primary risk evaluator can toggle between identifying risks from controls and from threat modeling, with the objective of producing a well balanced and efficient risk assessment. The ability to toggle in this manner also allows the assessment of a risk to be kept at a higher level where that is appropriate (e.g. if the business impact would be low there may be less need to go deep on that risk).
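The following Python script is an added illustration of the three workflows described above (the control driven pass over a whole control set, the threat modeling pass over system components, and the hybrid approach that skips not-applicable or low-value controls and models only the components that warrant a deeper look); it is not code from the original article or from any of the named frameworks. The control identifiers, component names, the 1 to 5 likelihood and impact scale, the rating thresholds and the risk appetite are all constructed assumptions for the example; only the STRIDE category names are standard. It generalizes the article's narrative slightly by scoring risk as likelihood multiplied by impact and by filtering the Statement of Acceptable Risk summary against a stated risk appetite.

```python
"""Toy Security Threat and Risk Assessment engine: control driven, threat
modeling and hybrid passes over one constructed system description.

Added example, not from the original article. Control IDs, component
names, the 1..5 scales, rating thresholds and risk appetite are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Standard STRIDE threat categories (the one non-constructed piece of data).
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")


@dataclass
class Control:
    control_id: str            # constructed identifier, e.g. "AC-01"
    description: str
    met: Optional[bool]        # None means not applicable to this system
    likelihood: int = 1        # 1 (rare) .. 5 (almost certain), if not met
    impact: int = 1            # 1 (negligible) .. 5 (severe), if not met
    low_value: bool = False    # evaluator judged the control low value here


@dataclass
class Component:
    name: str
    trust_boundary: bool       # component sits on a trust boundary
    # STRIDE findings the evaluator judged relevant: (category, likelihood, impact)
    threats: List[Tuple[str, int, int]] = field(default_factory=list)


@dataclass
class Risk:
    source: str                # "control" or "threat-model"
    reference: str             # control id or "component/STRIDE category"
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:   # assumed thresholds on the 1..25 scale
        if self.score >= 15:
            return "High"
        if self.score >= 8:
            return "Medium"
        return "Low"


def assess_controls(controls: List[Control], hybrid: bool = False):
    """Control driven pass. Strict mode reviews every control; hybrid mode
    skips controls that are not applicable or judged low value.
    Returns (number of controls reviewed, risks found)."""
    reviewed, risks = 0, []
    for c in controls:
        if hybrid and (c.met is None or c.low_value):
            continue
        reviewed += 1
        if c.met is False:  # unmet control -> investigate and record a risk
            risks.append(Risk("control", c.control_id, c.likelihood, c.impact))
    return reviewed, risks


def threat_model(components: List[Component]) -> List[Risk]:
    """Threat modeling pass: each relevant STRIDE finding on each
    component becomes a recorded risk."""
    risks = []
    for comp in components:
        for category, likelihood, impact in comp.threats:
            if category not in STRIDE:
                raise ValueError(f"unknown STRIDE category: {category}")
            risks.append(Risk("threat-model", f"{comp.name}/{category}", likelihood, impact))
    return risks


def hybrid_assessment(controls: List[Control], components: List[Component]):
    """Hybrid pass: trimmed control review, plus threat modeling only where
    the evaluator wants to go deeper (here: components on a trust boundary)."""
    reviewed, risks = assess_controls(controls, hybrid=True)
    risks += threat_model([c for c in components if c.trust_boundary])
    return reviewed, sorted(risks, key=lambda r: -r.score)


def statement_of_acceptable_risk(risks: List[Risk], appetite: str = "Medium"):
    """Summary for the Statement of Acceptable Risk: risks rated above the
    organization's appetite, which need a treatment or acceptance decision."""
    order = {"Low": 0, "Medium": 1, "High": 2}
    return [(r.reference, r.rating, r.score) for r in risks if order[r.rating] > order[appetite]]


# Constructed sample system: a cloud-hosted service with a public API.
SAMPLE_CONTROLS = [
    Control("AC-01", "MFA enforced for administrative access", met=False, likelihood=4, impact=5),
    Control("CM-02", "Configuration baseline documented", met=True),
    Control("PE-03", "Physical access to server room restricted", met=None),   # cloud hosted: N/A
    Control("SC-08", "Transport encryption on all external interfaces", met=False, likelihood=3, impact=3),
    Control("AU-02", "Audit logging enabled", met=True),
    Control("AC-11", "Screen lock timeout on workstations", met=False, likelihood=2, impact=1, low_value=True),
]
SAMPLE_COMPONENTS = [
    Component("public API gateway", trust_boundary=True,
              threats=[("Spoofing", 3, 4), ("Denial of service", 4, 2)]),
    Component("internal batch scheduler", trust_boundary=False,
              threats=[("Tampering", 2, 3)]),
]

if __name__ == "__main__":
    for label, (reviewed, risks) in {
        "control driven": assess_controls(SAMPLE_CONTROLS),
        "hybrid": hybrid_assessment(SAMPLE_CONTROLS, SAMPLE_COMPONENTS),
    }.items():
        print(f"{label}: {reviewed} controls reviewed, {len(risks)} risks recorded")
        for r in risks:
            print(f"  {r.rating:6} {r.score:2}  {r.reference} ({r.source})")
    print("above appetite:", statement_of_acceptable_risk(hybrid_assessment(SAMPLE_CONTROLS, SAMPLE_COMPONENTS)[1]))
```

On the constructed sample, the strict control driven pass reviews all six controls and records three risks (including the low-value screen-lock finding), while the hybrid pass reviews four controls, adds the two gateway findings from STRIDE, and leaves the internal scheduler at a high level; only the unmet MFA control ends up above a Medium appetite in the summary.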
In conclusion, for those new to assessing security risk, or new to the field of information security, a control driven approach is a good option. It provides a high level of structure and guidance to the activity, and results in an end-product which is audit worthy. This approach can be time consuming, though, and may result in a backlog of risk assessments if a security team uses it exclusively. To address the backlog, more staff may be needed, or a decision point may need to occur where another approach is explored.
For more seasoned security professionals a threat modeling approach may be preferred. It can be closely tailored to the system being assessed, and can uncover important security risks which a control driven approach might miss. The success of this approach largely depends on the security professional's ability to avoid going down rabbit holes and getting stuck, which can also result in backlogs of risk assessments. A high degree of self-control is needed by the security professional in this regard, and the approach is not well-suited to all security professionals.
A hybrid approach provides the most balanced option. It is useful to information security professionals with a medium level of expertise or higher. Its most significant benefit is that it produces a quality assessment which can reasonably withstand the scrutiny of audit, has a faster time-to-completion, and is not wasteful of staff time or organizational resources. A hybrid approach helps the security professional avoid distraction in the risk assessment process and keeps the assessment focused on the asset being assessed. It takes the best aspects of the control driven and threat modeling approaches without the waste. For this reason, a hybrid approach is recommended.