What Is A Risk Scenario


What is a risk scenario and how to define it

COBIT 5 risk scenarios are still one of my favorite ways to identify security risks. Using
the COBIT risk scenario examples as a reference and identifying the components below
helps to define a meaningful and complete risk scenario, which in turn helps with identifying
the relevant controls.

Who is the Threat Actor? Internal staff, 3rd party, competitor, etc.

What is the Threat Type? Malicious, error, accident, etc.

What is the Threat Event? Disclosure, interruption, theft, misuse, etc.

Which Assets are at risk? People, process, systems, applications, network, etc.

What Vulnerabilities are on that asset that can be exploited by the threat?

What is the expected event Time? Occurrence, duration, frequency, etc.

I see quite often that people confuse vulnerabilities or threats with risks. A risk is only
valid when both a vulnerability and a threat are present for a particular asset. For
example, "a php vulnerability on a web application" is not the risk, and neither is something like a
"sensitive data breach". Instead, an example of a risk scenario can be:

"Cyber criminals are able to use the php vulnerability on the external-facing ecommerce web
application to download a large amount of personal credit card data, once a year."

There is also a very good example on the FAIR Institute website about the bald tire risk scenario
(https://www.fairinstitute.org/white-papers-bald-tire). It explains what we mentioned
above in more detail. Picture in your mind a bald car tire. Imagine that it's so bald you can
hardly tell that it ever had tread. How much risk is there?

Next, imagine that the bald tire is tied to a rope hanging from a tree branch. How much risk is
there?

Next, imagine that the rope is frayed about halfway through, just below where it’s tied to the
tree branch. How much risk is there?

Finally, imagine that the tire swing is suspended over an 80-foot cliff, with sharp rocks
below. How much risk is there?

Now, identify the following components within the scenario. What were the threats, the
vulnerabilities and the risks?

Risk is likelihood multiplied by impact (impact = threat times vulnerabilities). The reason
we model this as multiplication rather than addition is that a massive impact
with zero likelihood yields zero risk. If it were a matter of addition, a risk that
could never happen would still appear in our risk analysis.
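To make the checklist and the formula concrete, here is an added example (not code from the original article or from COBIT/FAIR) that models a scenario with the six components above, enforces the rule that a risk needs both a threat and a vulnerability on the asset, and contrasts multiplication with the rejected additive scoring. The 0-5 rating scale and the scores given to the ecommerce scenario are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RiskScenario:
    """COBIT-5-style risk scenario: one field per component of the checklist."""
    threat_actor: str              # who: internal staff, 3rd party, cyber criminals ...
    threat_type: str               # malicious, error, accident ...
    threat_event: str              # disclosure, interruption, theft, misuse ...
    asset: str                     # what is at risk
    vulnerability: Optional[str]   # weakness on that asset the threat can exploit
    timing: str                    # occurrence, duration, frequency
    likelihood: int                # 0-5 rating (assumed scale, not from the article)
    impact: int                    # 0-5 rating (assumed scale, not from the article)

    def is_risk(self) -> bool:
        """A risk exists only when a threat AND a vulnerability are present on the asset."""
        return bool(self.threat_actor and self.threat_event and self.asset and self.vulnerability)

    def risk_score(self) -> int:
        """Risk = likelihood x impact: zero likelihood zeroes the risk, however large the impact."""
        if not self.is_risk():
            return 0
        return self.likelihood * self.impact


def additive_score(likelihood: int, impact: int) -> int:
    """The rejected alternative (likelihood + impact): an impossible event still scores."""
    return likelihood + impact


# Constructed from the article's ecommerce example; ratings are illustrative.
ECOMMERCE = RiskScenario(
    threat_actor="cyber criminals", threat_type="malicious", threat_event="theft / disclosure",
    asset="external-facing ecommerce web application", vulnerability="php vulnerability",
    timing="once a year", likelihood=2, impact=5,
)

# Same threat and asset but no vulnerability present: a threat, not a risk.
NO_VULN = RiskScenario(
    threat_actor="cyber criminals", threat_type="malicious", threat_event="theft / disclosure",
    asset="external-facing ecommerce web application", vulnerability=None,
    timing="once a year", likelihood=0, impact=5,
)

if __name__ == "__main__":
    print(ECOMMERCE.risk_score())                          # 10
    print(NO_VULN.risk_score(), additive_score(0, 5))      # 0 vs 5: addition keeps the phantom risk
```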
