I’ve been a long-time member of the San Francisco chapter of ISACA, so it was truly an honor for me to be selected to speak at the 2014 Fall Conference on October 15th.

My speech was titled “How to Improve Your Risk Assessments with Attacker-Centric Threat Modeling.”

Main points I covered, with links to additional reading I referenced during the talk

• Basic definitions of threats, threat agents and threat modeling

• Types of threat modeling

• How threat modeling fits into two common risk frameworks: Factor Analysis of Information Risk (FAIR) and NIST

• High level categories of threats

• Creating in-depth threat profiles

• Free and publicly available threat agent profile libraries (why re-invent the wheel?)

  • Intel’s Threat Agent Risk Assessment (TARA)

  • Homeland Security’s Information Technology Sector Baseline Risk Assessment

• An example of one threat actor profile: Cyber Vandal:

• Once common threat profiles are complete, one is able to see the big picture of the threat actor landscape:

• Last – a high level risk analysis is shown on DDoS attacks, using the Factor Analysis of Information Risk (FAIR) Basic Risk Assessment Guide.

Additional Reading:

The Failure of Risk Management: Why It’s Broken and How to Fix It, by Douglas Hubbard

How to Measure Anything: Finding the Value of Intangibles in Business, by Douglas Hubbard

Measuring and Managing Risk: A FAIR Approach, by Jack Jones and Jack Freund

Here’s the speech abstract:

CISO’s and risk analysts alike often get caught up in checking boxes on a list of control objectives in order to satisfy compliance and regulatory requirements. However, companies that only view risk through a narrow, regulatory or compliance-focused lens have the potential to overlook a myriad of threats that could impact business continuity, customer privacy and security and financial solvency. The last several high-profile data breaches prove that compliance does not equal security.

There are many ways to assess risk in a meaningful, efficient way that drives business value. Many top companies are moving away from control-based and vulnerability-based risk assessments and are instead putting themselves in the shoes of an attacker. In order to keep up with the rapidly evolving world of cyber criminals and crime rings, organizations are learning to utilize threat intelligence to ascertain the methods, goals, and objectives of threat agents that are targeting their firm or similar firms in their sector. This helps an organization produce focused risk assessments that take a business-centric approach.

This is a beginner to intermediate-level presentation designed to provide an introduction to threat modeling, a primer on threat modeling techniques, ways to integrate threat modeling into risk management frameworks (such as FAIR and NIST), and how to build a library of threat agents specific to one’s firm. Attendees will learn hands-on techniques to perform threat modeling that they will be able to immediately integrate into their risk assessment processes.

Slides below: