Risk Management
Using threat modeling to build a security business case

Building a business case for security technology

The management board understands money: revenue, costs, capital expenses and value at risk.

A management board cannot justify spending money on new technology initiatives (for example a data loss prevention system or a new fraud monitoring system) simply because Bank of America had a number of major data loss events, or because internal audit assessed the threat level of fraud in a particular department as 'low'. How does 'low' translate into 'value at risk'?

Unlike line-of-business applications, information security is not a deterministic business process that can be planned and managed. Instead of trying to manage the unmanageable, we suggest using a threat modeling approach.

Threat analysis is based on the notion that you have assets of value worth protecting, for example customer data or reputation. Your assets have vulnerabilities that can be exploited by threats (trusted insiders or malicious outsiders), causing damage to the assets. A threat scenario for a bank might be employees in the foreign currency group exploiting vulnerabilities in systems and procedures to launder transactions and pocket commissions. The asset is customer confidence in the integrity of the bank, and the damage can include investigative audit costs, legal costs, public relations costs and remediation (closing the barn door after the horses have fled).

For every vulnerability in people, systems and procedures (for example a system that doesn't require reporting of forex transactions under EU10,000) there are appropriate security countermeasures, for example monitoring for excessive numbers of small forex transactions to foreign residents and rotating forex staff.

You can easily model threat scenarios and calculate value at risk using the Practical Threat Analysis methodology and PTA Professional software.

[Figure: PTA Data model]

Optimizing is better than securing your business

Do you run a business?

In a perfect world, you would have an omnipotent advisor at your side, showing you the best way to deal with threats and profit from opportunities. Imagine a virtual world where you collaborate with friends and foes, encounter threats and vulnerabilities, and find the most cost-effective measures to reduce risk and grow your business.

The problem is that in today's risky world and volatile economy, operational threats and vulnerabilities shift constantly.

How does a good business stay alert, preempt threats with cost-effective measures and profit from opportunities?

Using threat modeling for cost-effective security and compliance management

Unlike ERP, enterprise risk is not a deterministic business process that can be planned and managed. Instead of trying to manage the unmanageable, consider using the "threat modeling" method. Threat modeling is based on the notion that any system or organization has assets of value worth protecting; these assets have certain vulnerabilities; internal or external threats exploit these vulnerabilities in order to cause damage to the assets; and appropriate countermeasures exist that mitigate the threats. For example, you want to mitigate the risk of your wife's jewelry being stolen. You have assets: valuable diamond jewelry stored at home. Your assets have vulnerabilities, since you live on the ground floor and your friendly German Shepherd will happily show anyone around the house. The key threat to the asset is that an attacker may break in through the ground floor windows. The countermeasures are bars for the windows, an alarm system and training your dog to be a bit less friendly around strangers in ski-masks.

Drop your checklist and try something new. With threat modeling you can economically test many risk mitigation plans, implement countermeasures and measure effectiveness on the fly. Here are rules for effective threat modeling, inspired by Tom Peters.

[Figure: PTA Data model]

Drop your checklist and try out for a modeling job

Security and compliance Insights - August 08

You probably think I'm going to tell all you security geeks to drop ISO 27001 and take up modeling. That might be a better career option if they have the right physical stats. But no, today I want to talk about threat modeling, not about Monica Bellucci ("I feel fine and comfortable with myself, but not because I'm beautiful").

PCI DSS Self-Assessment on a budget

The business problem

Small businesses are put off by the mega-costs of external auditors and confused by all the noise from technology vendors. Our PTA PCI DSS Self-assessment package is designed specifically for small businesses that process credit cards and need to improve their payment card security on a small budget. Click here for the free download.

Understanding Culture as a factor in compliance and risk management

Understanding technology and people is not enough.

Whether you're an account manager at Cisco, a programming geek in an Israeli startup, an expert on ISO 17799 or an industry authority on CRM, you must understand the culture in your workplace, in addition to your professional skills, in order to effectively manage risk and comply with regulation.

Software Associates - Business security specialists for hi-tech firms