Why Threat & Risk Analysis - TARA?
There has been much discussion of risk-based security, especially since security budgets and headcount have been increasingly constrained.
According to a report from the Ponemon Institute, adoption of this philosophy continues to grow, with 77% of respondents in the UK claiming a significant or very significant commitment to risk-based security.
However, we have found many organisations are uncertain how to implement it in a practical and pragmatic way.
Our response has been to create a simple process for the identification, analysis and prioritisation of risks that can be implemented without the need for significant investment in time or money.
The challenge for most businesses seems to stem from three areas of weakness, which must be addressed in order for any risk-based approach to succeed:
What are your key information assets, where are they and who owns them?
Who has legitimate access to these assets and how are they protected?
Who may wish to steal or damage your assets, why and how?
What’s involved in Threat & Risk Analysis?
Our threat and risk analysis (TARA) is conducted as a round table discussion, led by an experienced information security practitioner.
We begin by identifying threat sources and threat agents – the adversaries who want to steal or damage your assets. These may include competitors, disgruntled employees, activists, foreign governments and many others, as well as non-hostile threats such as untrained or reckless employees and business partners.
The likelihood of a particular scenario taking place is determined in debate between security professionals and business managers, taking into account threat intelligence on the one hand and sector-specific experience on the other.
The anticipated motivation of each threat agent, together with their skills and typical methods, informs the discussion and allows the group to assign a risk level to each.
The discussion around threats quickly broadens into an exchange of views on known vulnerabilities, and what information is sensitive and valuable to the business, thus also addressing the remaining two questions.
Within a couple of hours, we are able to fill a flipchart with potential scenarios, and the individuals in the room begin to think in a risk-based fashion.