Risk assessment concepts

So we have pretty much most of the data breach concepts now discussed, except how to represent the risk assessments.

Below is the example I mentioned in the call earlier today regarding doing risk assessments  if we use ISO terms.

1) (Asset) Database has (Vulnerability) Weak Password
2) Weak Password causes (Risk Source) Easily guessing passwords
3) Easily guessing passwords results in (Threat) Unauthorised Access
4) Unauthorised access is caused by (ThreatActor) Unauthorised Employee
5) Unauthorised access results in (Risk) Data Breach
6) Mitigations can be applied on the asset to reduce vulnerability (e.g. 
keep database updated, have password policy), or to reduce risk source 
(e.g. lock account after 3 tries), or reduce threat (e.g. networking 
firewall), or threat actor (e.g. role-based access control).
7) Consequences happen after the Data Breach has taken place.
8) Impacts arise due to the Consequences of a Data Breach
9) Mitigations are applied to stop consequences or reduce their severity 
(e.g. encrypt data to prevent re-identification, or distribute data to 
reduce amount leaked).
10) Mitigations are applied to stop impacts or reduce their severity 
(e.g. change all passwords to prevent using leaked passwords, email 
users warning against scams)

To simplify, some terms are often omitted, e.g. Database has a Weak 
Password which causes Data Breach, which is represented as:

1) Database has susceptibility to Unauthorised Access
2) Unauthorised Access causes Data Breach
3) Mitigations are applied to remove threats and vulnerability through 
same measures e.g. password policy, limit number of tries, etc.
4) Consequences and Impacts happen after Data Breach
5) Mitigations are applied to prevent or reduce consequences and impacts.

The proposal is to have DPV provide the full range of concepts from the first set above, and if someone wants to use the concepts in a short or summary form - then that's up to their preferrences.


Received on Thursday, 18 May 2023 16:47:51 UTC