Unlike an ERP system, enterprise risk is not a deterministic business process that can be planned and managed.
A central task in risk management is estimating dollar value of risk.
This is indeed a tough problem; increasing numbers of security analysts from corporate security groups at companies like Cisco, Intel, Microsoft and Seagate, along with groups of independent security and compliance analysts who participate in the Practical Threat Analysis Professional Forum and The Control Policy Group, are turning to practical threat analysis to help calculate risk in a deliberate way.
Threat modeling is based on the notion that any system or organization has assets of value worth protecting; these assets have certain vulnerabilities; internal or external threats exploit those vulnerabilities in order to cause damage to the assets; and appropriate countermeasures exist that mitigate the threats.
With threat modeling, you make future risk scenarios vivid, tangible, and measurable in dollar terms, countering the tendency to ignore threats and do nothing. Threat modeling gives you and your employees a practical language of assets, threats, vulnerabilities and countermeasures.
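To make the vocabulary of assets, vulnerabilities, threats and countermeasures concrete, here is an added worked example (it is not code from this article, from the PTA tool or from any of the companies named above): a small risk model scored in dollars. The scoring rule is an assumption, namely that each threat's risk is its annualised loss expectancy (asset value x damage fraction x annual probability of success) and that each countermeasure removes a fraction of that probability at a fixed annual cost; the asset names, probabilities, costs and budget are all constructed for illustration. The point is that once a model is in this shape, mitigation plans can be compared by residual risk and net benefit instead of argued about.

```python
"""Worked threat model: assets, vulnerabilities, threats and countermeasures,
scored in dollars. Added example; scoring rule and all figures are assumptions."""
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value_usd: float           # the CFO's answer to "what is it worth?"


@dataclass(frozen=True)
class Threat:
    name: str
    asset: Asset
    vulnerability: str         # the weakness the threat exploits
    annual_probability: float  # chance it succeeds in a year, unmitigated
    damage_fraction: float     # share of the asset's value lost on success


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost_usd: float
    # (threat name, fraction of that threat's probability removed) pairs
    mitigation: Tuple[Tuple[str, float], ...]


def residual_ale(threat: Threat, chosen: Iterable[Countermeasure] = ()) -> float:
    """Dollar risk left for one threat after the chosen countermeasures.

    Assumes countermeasures act independently: each leaves (1 - m) of the
    probability, so the residual probability is the product of those factors."""
    p = threat.annual_probability
    for cm in chosen:
        for name, m in cm.mitigation:
            if name == threat.name:
                p *= 1.0 - m
    return threat.asset.value_usd * threat.damage_fraction * p


def total_ale(threats, chosen=()):
    """Annualised loss expectancy summed over every threat in the model."""
    return sum(residual_ale(t, chosen) for t in threats)


def evaluate_plan(threats, chosen):
    """Return (residual risk, annual cost, net benefit) for one mitigation plan."""
    baseline = total_ale(threats)
    residual = total_ale(threats, chosen)
    cost = sum(cm.annual_cost_usd for cm in chosen)
    return residual, cost, baseline - residual - cost


def best_plan(threats, countermeasures, budget_usd):
    """Exhaustively pick the countermeasure subset with the best net benefit
    whose annual cost fits the budget. Fine for a handful of options; a model
    with dozens needs a smarter search, but the scoring stays the same."""
    best = ((), evaluate_plan(threats, ()))
    for k in range(1, len(countermeasures) + 1):
        for subset in combinations(countermeasures, k):
            residual, cost, net = evaluate_plan(threats, subset)
            if cost <= budget_usd and net > best[1][2]:
                best = (subset, (residual, cost, net))
    return best


# --- constructed sample model (all names and numbers are made up) ------------
CUSTOMER_LIST = Asset("customer list", 2_000_000)
PRODUCT_IP = Asset("product IP", 5_000_000)
DELIVERY = Asset("on-time delivery", 1_000_000)

THREATS = [
    Threat("insider exports customer list", CUSTOMER_LIST,
           "unrestricted CRM export", annual_probability=0.20, damage_fraction=0.5),
    Threat("notebook with M&A data stolen", PRODUCT_IP,
           "unencrypted laptops", annual_probability=0.10, damage_fraction=0.2),
    Threat("ransomware halts order processing", DELIVERY,
           "unpatched file servers", annual_probability=0.30, damage_fraction=1.0),
]

COUNTERMEASURES = [
    Countermeasure("full-disk encryption", 20_000,
                   (("notebook with M&A data stolen", 0.9),)),
    Countermeasure("CRM export DLP", 60_000,
                   (("insider exports customer list", 0.7),)),
    Countermeasure("patching + offline backups", 80_000,
                   (("ransomware halts order processing", 0.8),)),
    Countermeasure("awareness training", 15_000,
                   (("insider exports customer list", 0.2),
                    ("ransomware halts order processing", 0.3))),
]

if __name__ == "__main__":
    print(f"baseline risk: ${total_ale(THREATS):,.0f}/year")
    plan, (residual, cost, net) = best_plan(THREATS, COUNTERMEASURES, 120_000)
    print("best plan within budget:", [cm.name for cm in plan])
    print(f"residual ${residual:,.0f}, cost ${cost:,.0f}, net benefit ${net:,.0f}")
```

Run as a script, the model reports a baseline risk of $600,000 a year and, with a $120,000 budget, selects encryption, patching with backups and training, leaving $212,000 of residual risk for $115,000 a year. Changing one probability (the "ready, fire, aim" experiments discussed later) and re-running is how the model lets you test a scenario without touching the operation.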
Here are 6 rules for effective threat modeling -
If you're bought into the traditional approach of consultants telling you what time it is, then don't let me stop you, but if you don't mind considering some new ideas for cracking the risk assessment problem, here are a few ideas inspired by Tom Peters' "In pursuit of Luck":
1. Do something new. Don't bother with the same old trade shows, talking with the same old security salespeople about the same old stuff. The first time you do threat modeling, it may take several months – and take you into the unfamiliar territory of having to value assets and anticipate the probability of threat occurrence.
2. Listen to everyone. Ask your senior managers what your most valued assets are – customer lists, product IP, on-time delivery. Ask the CFO how much those assets are worth in dollar terms. Ask your 22-year-old customer service agents how they would attack your assets.
3. Try out options. Don't stop with the annual IT security audit. With threat modeling you can test many mitigation plans, implement countermeasures and measure effectiveness on the fly.
4. Ready, Fire, Aim (instead of ready, aim, fire). Experiment with new attack models. Test the ramifications of turning off personal anti-virus software or opening a field office with contract technicians. Threat modeling lets you test without threatening the operation.
An ERP systems integrator maintained their own corporate messaging systems. Although they felt that security required them to keep corporate mail in-house, the costs of content security maintenance were skyrocketing. A threat model showed a reduced dollar level of risk to their digital assets at a lower ongoing security cost; they are now using Google Apps, freeing up valuable internal resources and management attention.
5. Make odd friends. Strangers can best help you see new threat scenarios, providing fresh ideas unprejudiced by your corporate judgment. Find advisors through social and professional networks who can help you anticipate the unexpected.
6. Smash functional barriers. Many companies separate IT security, fraud and physical security functions. What difference does it make if a notebook with sensitive M&A data is stolen from an executive's desk by a competitor posing as a FedEx messenger? Threat modeling is a holistic practice that can help mitigate risk in all areas of your business.
