Cybersecurity risk assessment: unleashing threat modelling

For companies to survive and thrive, they need to be skilful in understanding and managing their existential risks. Some of these existential risks include strategic risk, compliance risk, operational risk, financial risk, reputational risk and cyber risk. Of these, cybersecurity risk is emerging as one of the most serious risks companies face today in maintaining their digital ecosystem. The criticality of the digital ecosystem of most companies cannot be overstated. It extends to customer channels (including mobile, web and social), partner systems and critical national infrastructure (e.g. financial services). Cybersecurity risk management underpins the identification, assessment and estimation of potential compromise to essential elements of the digital ecosystem, including business information systems, data (customer and business) and services (i.e. internal and external). Cybersecurity risk management has become a significant cornerstone that enables the confidentiality, integrity and availability of the digital ecosystem, and as such companies require a balanced approach to managing cybersecurity risk. Extreme measures can rack up high costs and bankrupt the business. At the same time, lackadaisical actions can lead to unacceptable breaches that undermine the company. The balanced approach must utilise the right set of practices, including risk assessment and threat modelling. Both are highly recommended practices for companies to understand their risk exposures and manage their risk position, and they enable senior management to align with the board-set risk appetite. Risk assessment and threat modelling are two terms often used interchangeably but technically have different meanings.

Risk assessment & threat modelling (architectural risk assessment)

The reluctance to differentiate between risk assessment and threat modelling at first thought is understandable. Both activities enable companies to understand their cybersecurity risk exposure.

“So, what is a risk assessment?” — Risk assessment is one of the critical steps in risk management. It enables other risk management stages, including prioritisation of relevant risks, determination of a company’s risk appetite and definition of initiatives to minimise risk. It fundamentally helps the company to answer the question “what is at stake”. From recent cybersecurity breaches, examples of “what is at stake” include significant material fines, reduction in company share prices, loss of earnings, legal actions, prison time for executives and regulatory penalties.

To understand what is at stake, companies follow qualitative risk assessment methodologies, quantitative ones, or a mixture of both. NIST SP 800-30, ISO/IEC 2005:2018 and ISF underpin most of the risk assessment methodologies used by companies. They provide a robust framework for companies to identify, assess and manage their risk posture. Each of these methodologies has its unique approach to risk assessment, yet they still share some similarities. A review of the NIST SP 800-30 risk assessment process shows five steps in the assessment phase: identify threat sources and events, identify vulnerabilities and predisposing conditions, determine the likelihood of occurrence, determine the magnitude of impact, and determine risk.

The first step of the assessment phase is identifying threat sources and events. This allows the company to answer the questions “who wants to attack me” and “how can they attack me”. Providing this intelligence to the company is topmost on the priority list of most Chief Information Security Officers (CISOs) or Directors of Security. The national cybersecurity strategy lends itself to this question by identifying the threat actors as cybercriminals, terrorists, states and state-sponsored actors, hacktivists and script kiddies.

The second step of the assessment phase is identifying vulnerabilities. For the company, identifying vulnerabilities answers the question “what’s our exposure”. A company’s exposure is the perimeter of its exploitable attack surface; usually this includes the human, application and network attack surfaces. Most large companies utilise external consultancies to understand their exposure, because of their size, the requirement for in-depth specialist knowledge and the need for a neutral, independent view. This approach, although expensive, is more thorough and easily stands up to scrutiny. The exposure report or top-risks report leverages proprietary external security consultancy frameworks or other industry best-practice frameworks. Specific company knowledge is elicited using staff interviews, questionnaires, specialist domain reviews, empirical data collection and technology testing tools to drive the adopted frameworks. Companies set the scope of the exposure report using their cybersecurity business requirements, such as control testing, compliance or general risk assessments.

An example of this is focusing on the Payment Card Industry Data Security Standard (PCI DSS) merchant business service line, as opposed to the entire organisation including the issuer and acquirer business service lines. Generally speaking, reducing cybersecurity exposure is a challenge for organisations, because the ways and activities by which companies seek to deliver better value to their customers, by improving performance and profitability, are the very things that increase their cybersecurity risk exposure. Also, every pound spent on cybersecurity is a pound not spent on other business activities.

The other steps of the risk assessment phase are determining the likelihood, assessing the magnitude and identifying the scale of risk. Companies compute the likelihood of threat events causing adverse impacts by combining the likelihood of a threat occurring with the likelihood of its successful exploitation. For both, the technique factors in the type of adversary (including cybercriminals, terrorists, states and state-sponsored actors, hacktivists and script kiddies), their skill level and the effort required. Hence companies arrive at result narratives such as: the likelihood of an attack (e.g. ransomware) is rare, unlikely, possible, likely or almost certain. For companies, assessing the magnitude entails understanding the impact on business processes and services. These business processes and services include the channels used to relate with customers, deliver value, collaborate with partners and suppliers, and generate income. The impact on business assets, customers and staff, other organisations (including partners and suppliers) and the nation at large must also be understood and computed accordingly. Just as with likelihood, the impact result comes out as catastrophic, major, moderate, minor or negligible. Using the values of both likelihood and magnitude allows the company to understand the scale of its risk. The risk rating is then identified by reading these two key indicators on a calibrated risk assessment matrix.

Table 1: Risk assessment matrix

Companies review the scale of their risk against their board-set risk appetite. This, in turn, drives their risk response activities until they operate within their risk appetite. In summary, a company can understand the likelihood of a cyber-attack, what the impact will be on the company and the risk rating by identifying “who wants to attack the company”, “how they can attack the company” and “what’s the company’s exposure”. It is worth calling out that the building blocks for determining the risk through likelihood and impact are understanding “who wants to attack the company”, “how can they attack the company” and “what’s the company’s exposure”. These three activities holistically make up threat modelling (or architectural risk assessment). Threat modelling is an integral part of risk assessment. The similarity of threat modelling and risk assessment is why both terms are often not distinguished; in fact, in some publications, NIST refers to threat modelling as a form of risk assessment. Threat modelling allows a company to model aspects of an attack on any logical entity, including a piece of data, an application or any infrastructure.
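As an added illustration that is not part of the original article, the following Python sketch takes a small threat model (who attacks, how, and via what exposure) through the remaining steps described above: combining the likelihood of occurrence with the likelihood of successful exploitation, reading likelihood and impact off a calibrated matrix, and comparing the result with the board-set risk appetite. The matrix calibration, the combination rule (the weaker of the two likelihoods bounds the overall likelihood) and the sample threats are all assumptions constructed for this example.

```python
from dataclasses import dataclass

# Five-point ordinal scales named in the article (index 0..4).
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["negligible", "minor", "moderate", "major", "catastrophic"]
RISK = ["low", "medium", "high", "critical"]

# Constructed calibration of the risk matrix (rows = likelihood, cols = impact);
# a real programme calibrates this against its own loss history and appetite.
MATRIX = [
    [0, 0, 0, 1, 1],
    [0, 0, 1, 1, 2],
    [0, 1, 1, 2, 2],
    [1, 1, 2, 2, 3],
    [1, 2, 2, 3, 3],
]

@dataclass
class Threat:
    """One row of a threat model: who attacks, how, and via what exposure."""
    actor: str
    event: str
    vulnerability: str
    initiation: int    # 0-4: likelihood the actor attempts this event
    exploitation: int  # 0-4: likelihood the attempt succeeds via the vulnerability
    impact: int        # 0-4: magnitude on business processes and services

def overall_likelihood(t: Threat) -> int:
    # An attempt must happen AND succeed, so the weaker of the two
    # likelihoods bounds the overall value (assumed rule for this example).
    return min(t.initiation, t.exploitation)

def risk_level(t: Threat) -> int:
    return MATRIX[overall_likelihood(t)][t.impact]

def risk_register(threats: list, appetite: str) -> list:
    """Rate every threat and flag those above the board-set appetite."""
    limit = RISK.index(appetite)
    rows = [{"event": t.event, "likelihood": LIKELIHOOD[overall_likelihood(t)],
             "impact": IMPACT[t.impact], "risk": RISK[risk_level(t)],
             "needs_response": risk_level(t) > limit} for t in threats]
    # Highest-rated first; sort is stable, so ties keep model order.
    return sorted(rows, key=lambda r: RISK.index(r["risk"]), reverse=True)

# Constructed sample threat model for a payments service (not real data).
SAMPLE = [
    Threat("cybercriminal", "ransomware via phishing", "no MFA on remote access", 4, 3, 3),
    Threat("script kiddie", "credential brute force", "no lockout on login", 4, 1, 2),
    Threat("state", "supply-chain implant", "unverified vendor updates", 1, 3, 4),
]
```

Running `risk_register(SAMPLE, "medium")` rates the ransomware and supply-chain threats as high and flags them for a risk response, while the brute-force threat lands at medium and stays within appetite.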

Driving the company through threat modelling

As businesses face into the headwinds of their operating ecosystem, they quickly realise that the products and services that defined yesterday’s success will be obsolete tomorrow. Hence the need to continually evolve to ensure they do not become dinosaurs. Often this evolution involves trying out new products and services in a quick and agile manner. Understandably, these new products and services will also bring about new cybersecurity threats and risks, which need to be assessed and managed. The ability to keep up with zero-day cyber threats while companies transform business products and services at pace requires a flexible and adaptable cybersecurity assessment approach. Threat modelling can serve as that approach. It does not include determining the likelihood, assessing the magnitude or identifying the scale of risk, and the reduced set of steps makes it less complicated. If required, the other steps can be included seamlessly to turn it into a full risk assessment. Threat modelling includes identifying threat actors, their attack surface, possible exploits and vulnerabilities. These steps enable companies to elicit cybersecurity exploits easily. For example, an agile team that wants to test a new service can identify how the authentication of the service could be compromised using threat modelling.

Five ways to unleash threat modelling

1. Identification of security requirements.

Security requirements exist to ensure the confidentiality, integrity and availability of business systems, data (customer and business) and services (i.e. internal and external). Most companies obtain their security requirements from industry best practices, which include NIST, ISO 27001 and ISF. In their unedited form, these security requirements lack specific business context and are not all applicable. While they provide fair coverage, threat models should be used to refine the security requirements, because threat models incorporate the necessary business context. That way, the identified threats can be used to update and, when required, create security requirements. For example, the threat of a brute-force attack can inform a security requirement for multifactor authentication. Threat modelling can give precision to the identification of security requirements.

2. Identification of security controls.

Security controls exist to detect, defend, delay and deter cybersecurity attacks. Often the choice of security controls for new information technology solutions is dictated by best practices, the company’s risk management framework, or a mixture of both. These security controls are high level and still require further analysis to bottom them out. Again, threat models can be used to identify more granular sets of security controls. For example, the threat of a man-in-the-middle attack can be defended against by encrypting data with the appropriate secure protocol, encryption algorithm and key length, and cryptographic hash. Threat models can be used to identify precise and cost-effective security controls.

3. Complement risk assessment

Most companies’ response to their business environment results in a lot of business change initiatives and projects. Often most of the change initiatives are rehearsals for actual business products and services. Irrespective of their eventual status, the change initiatives need to be risk assessed at their inception to ensure they remain within the board-set risk appetite. Hence the regular need to risk assess multiple initiatives and projects. For this set of initiatives and projects, a threat model will suffice. It includes the initial stages of risk assessment, such as identifying threat sources, identifying threat events and identifying vulnerabilities. It excludes determining likelihood, assessing the magnitude and defining the scale of risk, which are not relevant due to the experimental nature of such projects. These additional stages can be included if and when necessary.

4. Complement security testing

Generally, tests are only as good as the test cases executed, and security testing is no exception. Threat models enable security testing to factor in the threat landscape, thereby presenting a more accurate dimension to security testing. With zero-day attacks popping up regularly, security practitioners understand that their test scope and test cases require frequent updates to include the latest exploits, and the order of security testing must be intelligent enough to cater for all scenarios. Threat models can inform security testing with the latest exploits to test, and on the right order in which to test them. They provide the attacker’s context. This way, security tests are built with threat intelligence and cover the complete scope of attack exploits.

5. Drive risk assessment

Risk assessment has always been the sole purview of qualified risk practitioners. With the rapid pace of business change, this has often created a bottleneck to business agility: the business has had to move at the speed of security. This delay affects the time to market and the number of customer features delivered. Threat modelling can alleviate this predicament. It includes the initial steps of risk assessment, and the output of the threat model is used to drive the other steps in the risk assessment process. That way, risk professionals can focus their scarce resources on the later stages of the risk assessment process as opposed to the whole process. Incorporating threat modelling increases the pace of completing risk assessments, making the business more agile.


This analysis shows that threat modelling is a subset of, and a key building block for, risk assessment. Also, the output of the threat model is key to completing the risk assessment process.