2.1 Determining Threats 25
Chapter 2
ities and existing safeguards are identified and examined to determine the ways an asset can be compromised by a threat agent. The level of risk to the asset is a measure of the likelihood of the compromise and the consequences of the compromise, where the consequences are a function of the asset's sensitivity.
An assessment of the adequacy of existing or proposed safeguards that protect system assets forms part of the TRA process. Where the assessment of safeguards indicates that certain vulnerabilities are not appropriately offset, appropriate additional safeguards are recommended in order to reduce the risk to an acceptable level. Conversely, if safeguards are no longer appropriate, their removal is recommended. If additional safeguards cannot reduce the risk to an acceptable level for an acceptable cost, the risk may be avoided or transferred by moving the location of the system or removing the asset that is at risk.
The TRA process provides the system manager with an appreciation of the security status of the system. The TRA recommendations will suggest either possible changes to the system design or acceptance of the risk. Each option will have an associated cost: that is, risk, time, money, people, and equipment. Management must choose the most appropriate option, based on the likelihood of the undesirable or intolerable consequences of a threat scenario occurring.
A vulnerability is defined as a flaw or weakness in system security procedures, design, implementation, or internal controls that, if exercised (accidentally triggered or intentionally exploited), would result in a security breach or a violation of the system's security policy. In determining the likelihood of a threat, one must consider threat-sources, potential vulnerabilities, and existing controls. The analysis of the vulnerabilities associated with the system environment is intended to develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat-sources. Such threats may include people, processes, systems, or external events. To determine the likelihood of a potential adverse event, threats must be analyzed in conjunction with the potential vulnerabilities and the controls already put in place for the organization. An example vulnerability analysis chart (see Figure 2.1) is useful in performing this exercise.
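As an added illustration (not from the book), the following Python model ties the safeguard decision rules above to a Figure 2.1 style vulnerability chart: each threat-source/vulnerability pair is scored for likelihood against existing controls, combined with the asset's sensitivity to give a risk level, and then mapped to one of the recommendations the text describes (accept, add safeguards, remove a safeguard, or avoid/transfer). The 0..3 ordinal scales, the rule that one safeguard lowers likelihood by one level, and the cost figures are assumptions chosen for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Threat:
    source: str            # threat-source: person, process, system or external event
    vulnerability: str     # flaw or weakness the threat-source could exercise
    base_likelihood: int   # 0..3 likelihood with no safeguards (assumed scale)
    controls: int = 0      # number of existing safeguards offsetting the vulnerability

@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: int       # 0..3; consequence of compromise is a function of this

def likelihood(t: Threat) -> int:
    """Assumed model: each safeguard steps the likelihood down one level, floor 0."""
    return max(0, t.base_likelihood - t.controls)

def risk(asset: Asset, t: Threat) -> int:
    """Risk = likelihood x consequence, with consequence taken as sensitivity (0..9)."""
    return likelihood(t) * asset.sensitivity

def recommend(asset: Asset, t: Threat, acceptable: int = 2,
              safeguard_cost: int = 1, acceptable_cost: int = 2) -> str:
    """Apply the TRA decision rules to one asset/threat pair (cost units are assumed)."""
    if risk(asset, t) <= acceptable:
        # a safeguard is no longer appropriate if risk stays acceptable without it
        if t.controls and risk(asset, replace(t, controls=t.controls - 1)) <= acceptable:
            return "remove safeguard"
        return "accept"
    # count the additional safeguards needed to bring risk to an acceptable level
    extra = 0
    while risk(asset, replace(t, controls=t.controls + extra)) > acceptable:
        extra += 1
    if extra * safeguard_cost <= acceptable_cost:
        return f"add {extra} safeguard(s)"
    return "avoid or transfer"   # relocate the system or remove the asset at risk

def vulnerability_chart(asset: Asset, threats):
    """One chart row per threat-source/vulnerability: likelihood, risk, recommendation."""
    return [(t.source, t.vulnerability, likelihood(t), risk(asset, t), recommend(asset, t))
            for t in threats]

if __name__ == "__main__":
    # constructed sample data, not taken from the book
    db = Asset("customer database", sensitivity=3)
    for row in vulnerability_chart(db, [
            Threat("external attacker", "unpatched web server", 3, controls=1),
            Threat("flood", "server room below river level", 3),
            Threat("insider", "shared admin account", 2, controls=2)]):
        print(row)
```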
The threat statement, or the list of potential threat-sources, should be tailored to the individual organization and its processing environment (e.g., end-user computing habits). In general, information on natural threats (e.g., floods, earthquakes, storms) should be readily available. Known threats have been identified by many government and private sector organizations. Intrusion detection tools are also becoming more prevalent, and