Assessing Your Threat Model

If you’re reading this, it’s probably safe to say that you are at least somewhat concerned about cyber security. Perhaps you run a business, and statistics such as ‘4 in 10 businesses suffer at least one cyber attack per year’ have you worried. Perhaps you’re an employee, wondering what you can do to ensure that you won’t be the one responsible for an expensive compromise at work.

However, it can sometimes seem like the threats you hear about, and the advice you are given to protect yourself against them, are never-ending. Whilst some of them seem like they might conceivably happen to you, when you hear about incredibly complex nation-state-sponsored attacks it might seem like there’s nothing you can do. You may as well just accept that people far better resourced and more technically proficient than you might one day decide to ruin your day.

Have no fear: there is some good news. You do not have to implement protections for absolutely every single possible threat that may befall you. The level of defences required for HM Government, for example, is going to be wildly different from that required by a family-owned glaziers with five employees. That’s reassuring, but it leads to an obvious question: ‘how can I determine the correct level for me?’

The two key terms here are ‘threat model’ and ‘risk appetite’. The first step of the threat assessment process is to model the threats posed to you. There is a rogues’ gallery of potential threat actors, from technologically inept ‘script kiddies’ abusing automated tools to the long-term, co-ordinated Advanced Persistent Threat (APT). In theory, any business may become the target of any of these, but some are far more likely than others in practice.

Start by assessing your own business, looking at things such as the potential value to an attacker of any data you hold, or whether you operate within an industry that attracts hacktivist attacks (such as fossil fuels). Having determined the nature of the target you present, you can then assess its appeal from the perspective of each threat actor, and thus the likelihood of being targeted by each of them.

Risk is commonly defined as ‘threat × vulnerability × cost’, where cost means the impact on the business if the attack succeeds. (The cost of protecting against the attack is a separate figure, weighed against the risk when deciding what to do about it.) For example, a credible threat actor exploiting a vulnerability present within your organisation, where a successful attack would cost you relatively little, may present the same overall level of risk as an unlikely threat actor exploiting another vulnerability where a successful attack would be ruinous. Often, risk is classified simply as ‘high’, ‘medium’ or ‘low’, but you can be as specific as you like.

Risk appetite determines how much risk your business is willing to absorb as simply the cost of doing business. At some point, depending on your threat model, the cost of protecting yourself against an attack will not bring a sufficient return on your security investment, perhaps because the attack was so unlikely to begin with, or because the cost to remediate it is so high. In short, wherever your risk appetite stops is where you need to start looking into recovery planning and cyber attack insurance, and this point will be at a different level for different businesses.
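To make the two preceding paragraphs concrete, here is a small risk register written for this article as an added example; it is not Mitigate’s own method or tooling. It goes beyond the article’s ‘high’, ‘medium’ and ‘low’ bands by reading ‘threat × vulnerability × cost’ as annual probability × probability of success × impact in pounds, so that the result can be compared directly with a risk appetite expressed as pounds of expected loss per year and with the annual cost of a control. The scenarios, probabilities, costs, band thresholds and appetite figure are all constructed for illustration and are not drawn from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One row of a risk register. All figures are constructed for this example."""
    name: str
    threat: float                  # annual probability a credible actor attempts this
    vulnerability: float           # probability the attempt succeeds with today's controls
    impact: float                  # cost to the business (GBP) if it succeeds
    control_cost: float            # annual cost (GBP) of the mitigation being considered
    residual_vulnerability: float  # vulnerability once that mitigation is in place


def expected_loss(threat: float, vulnerability: float, impact: float) -> float:
    """The article's 'threat x vulnerability x cost', read as an annualised loss in GBP."""
    return threat * vulnerability * impact


def band(loss: float, high: float = 25_000, medium: float = 10_000) -> str:
    """Coarse high/medium/low label. The thresholds are an assumption of this example."""
    if loss >= high:
        return "high"
    if loss >= medium:
        return "medium"
    return "low"


def decide(s: Scenario, appetite: float) -> str:
    """Choose a treatment for one scenario against a risk appetite (GBP expected loss per year).

    accept            - already within appetite: simply the cost of doing business
    mitigate          - the control removes more expected loss than it costs
    transfer          - outside appetite, but the control is not worth buying: insure and plan recovery
    mitigate+transfer - the control is worth buying, but what remains is still outside appetite
    """
    current = expected_loss(s.threat, s.vulnerability, s.impact)
    if current <= appetite:
        return "accept"
    residual = expected_loss(s.threat, s.residual_vulnerability, s.impact)
    if s.control_cost >= current - residual:
        return "transfer"
    return "mitigate" if residual <= appetite else "mitigate+transfer"


def triage(register: list[Scenario], appetite: float) -> list[tuple[str, float, str, str]]:
    """Score every scenario and return (name, expected loss, band, decision), highest risk first."""
    rows = []
    for s in register:
        loss = expected_loss(s.threat, s.vulnerability, s.impact)
        rows.append((s.name, round(loss, 2), band(loss), decide(s, appetite)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed register for a small business; scenarios and numbers are illustrative only.
REGISTER = [
    Scenario("Commodity phishing leading to credential theft", 0.9, 0.30, 40_000, 3_000, 0.05),
    Scenario("Ransomware via exposed remote access", 0.5, 0.40, 200_000, 8_000, 0.10),
    Scenario("Targeted nation-state intrusion", 0.01, 0.90, 500_000, 60_000, 0.50),
    Scenario("Hacktivist website defacement", 0.2, 0.50, 80_000, 30_000, 0.30),
]

RISK_APPETITE = 5_000  # GBP of expected loss per year the business will absorb (assumption)

if __name__ == "__main__":
    for name, loss, label, decision in triage(REGISTER, RISK_APPETITE):
        print(f"{loss:>10,.0f}  {label:<6}  {decision:<17}  {name}")
```

Run as written, the register ranks the ransomware scenario as high risk and recommends buying the control while still insuring against what remains; the phishing scenario is worth mitigating outright; the hacktivist scenario sits above appetite but its control costs more than the loss it would prevent, so the sensible answer is insurance and recovery planning; and the nation-state intrusion, despite its large impact, is so unlikely that it falls within appetite and is simply accepted. The point of the exercise is that the same arithmetic drives all four decisions, and changing only the appetite figure changes where the accept line falls.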

For more information on Mitigate’s consultancy offerings, providing advice on how to assemble your threat model and assess your risk appetite, please email [email protected] or call +44 (0)333 323 3981.
