Threats and Mitigations

This page describes all concepts related to the terms threat and mitigation.

Threat Sources

A list of threat sources can be defined. For each threat source (or threat actor), the motive and capabilities can be described and their likelihood assessed. These threat actors can optionally be referenced in attack scenarios.

Threat Sources image

System Threat

System threats can also be considered as threat scenario, damage scenario, or violation scenario. The intention is to identify WHAT threats can occur compared to attack scenarios describing HOW threats are conducted. System threats focus on the outcome / impact / consequences of an attack.

System Threat image

The intention of the threat identification view is to support finding system threats. On the left side, there is a list of the defined assets. On the right side, there is a list of pre-configured threat categories. Users should consider all identified assets and, with the use of threat categories, find threats for these assets.

The impact should be rated for each protection goal. It is recommended to add a system threat for each protection goal separately, as this improves the risk assessment.

Attack Scenario

Attack scenarios are the link between many modeled information. They are always associated with an element (target).

Besides name and number, there are a few buttons for links, which are further described in Traceability. The status field is important especially for generated threats. These do not necessarily applied and should be investigated manually. Attack scenarios of the state "Not applicable" or "Duplicate" are ignored in risk tables and reports.

The treatment status can be seen as completion check. The risk of a scenario must be assessed. Depending on the outcome, countermeasures must be defined and the risk re-rated. The reason for the current treatment status can be viewed by clicking on the info button.

As mentioned before, scenarios must be linked to an element. This element is usually the target. If the scenario applies for multiple elements, these are listed in the targets field.

Adding an attack vector and threat categories is optional but may simplify and accelerate the assessment process. Defined the threat sources is optional (the field can be activated/deactivated in the project settings).

It is recommended to define the protection goals, system threats, and affected assets. These are important for a consistent and comprehensible risk assessment. Setting these fields may automatically assign the risk metrics.

Attack Scenario image

The fields for (remaining) risk assessment are described separately here.

There are four common strategies for risk mitigation. These can be viewed by clicking on the related info button.

Furthermore, new or existing countermeasures can be added. It is possible to link other attack scenarios, checklist requirements, and test cases.

Countermeasure

The structure of a countermeasures is similar to that of attack scenarios. Like attack vectors for attack scenarios, there are controls for countermeasures providing more details on the countermeasure type.

Countermeasure image

Mitigation Process

Multiple countermeasures can be grouped in a mitigation process. This can be useful for clustering dozens of countermeasures.

Mitigation Process image