Estimated time: 120 min
Justification
The idea of this activity is introducing the concept of risk analysis of the organization and also to use an abstraction of the risk matrix methodology to make a first analysis of the organization’s security context, which will be used to select security scenarios in order to elaborate procedures to the case in the second activity.
Input data
- Levels of consequences developed in activity data mapping and classification in section 01.
Products
Direct
- List of possible threats to the organization prioritized by possible impact and probability of occurrence estimated by the team.
Indirect
- Better understanding of possible adverse scenarios through which the organization might undergo.
- Better criteria for collective categorization of possible threats.
- Better criteria of prioritization of potential threats and establishment of security controls.
Previous planning
- In case of carrying out the activity in digital, it is suggested to have a spreadsheet or other software with all the necessary fields and formats.
Materials
In case of doing the activity on paper:
- Post-its or sticky notes and markers or
- Large pieces of paper to stick on the wall and markers. In case of doing the activity in digital equipment:
- Computer.
- Projector.
- Spreadsheet ready to fill, showing the headings with stakeholder categories.
Instructions
- Introduce to the group the concept of threat (Possible negative event occurred to a given resource), considering the following aspects:
- These can occur by human and non-human causes (natural disasters, spontaneous reactions, wear and unscheduled malfunctions, etc.).
- These can be intentional or accidental.
- These can be provoked or fortuitous.
- These can affect physical, digital, human, legal and administrative resources among others. In fact, many organizations consider the affectation of their image and positioning as a resource, being a valid consideration within the exercise.
In general, it seems easier for participants to use a structure in the wording of threats similar to these:
[Something is wrong]
- Absence of the director.
- Thieves break in the office.
[Something bad happens to some resource or stakeholder linked to the organization]
- The twitter account has been hacked.
- Access to the bank account is lost.
However, sometimes this way of building threats can be so vague that they do not represent possible events, but other things such as vulnerabilities or lack of security measures. In this regard, facilitators are recommended to ensure that the wording of threats throughout the exercise corresponds to events. If the facilitator deems it appropriate, a drafting structure can be proposed that helps reduce errors, for example:
[A stakeholder] [execute an action] to/about [a resource] [provoking certain consequences – optional]
- A hacker introduces a malware into the computer of the organization’s director.
- The intelligence agency of my country monitors telephone calls from journalistic sources exposing the physical integrity of those.
[An event] [make an action] to/about [a resource][provoking certain consequences – optional]
- An earthquake measuring 7.5 on the Richter scale or more occurs, destroying the data center of the company where the website is hosted.
- A blackout leaves the office without electricity, making it impossible to work on computers.
This wording can be adapted to consider threats without adversaries or clear events, as well as any other variation of threats that do not directly cover these drafting proposals.
-
Ask the participants to think about threats to the organization, take note and place them visible for everyone.
Map of threat
- With all the threats in one place, use levels of impact development in the activity Data mapping and classification and place them as the vertical axis of a matrix, then along with the help of participants assign each threat a level of impact locating the sticky note or equivalent to the height of the selected impact level.
- It is also suggested to place the qualitative impact levels defined above, then put a numerical scale as shown in the graph. This can help quantifying the level of risks after completing the activity.
Map of threat adding impact level
Reorganizing threats after impact levels
- Explain the concept of occurrence probability and define a scale to represent it onto the risk matrix. Reorganize the threats on the horizontal axis with the help of the group in such a way that they coincide not only with the impact scale but also with the probability of occurrence selected in each case, completing the risk matrix of the organization, as shown in graphic.
- In the graphics a scale of 1 to 10 is suggested, this can be changed by another type of scales such as those described below. However, if you want to make a numerical analysis of the threats it is necessary that the scale be also quantified in numbers and equal to the scale used for the risk levels.
- Low, medium and high probability.
- Null, low, high probability and certainty of occurrence.
- Scale from 1 to 5.
Threats map adding the probability levels of occurrence
Reorganizing threat post probability levels of occurrence
- Discuss levels of risk present in the matrix and read the security context of the organization through this tool.
- It is essential that participants come clear that the most important threats to attend must be those that have high levels of impact and associated high probability of occurrence (in this case those closest to the upper right corner of the matrix).
- In case of wanting to perform a quantitative analysis of the risk levels, when previously has been used numerical scales in levels of impact and occurrence probability, it will be enough to multiply these values for each threat and then organize the results obtained from highest to lowest (risk levels).
- This exercise results in a subjective analysis by the members of the organization, and for no reason represents a rigorous and accurate analysis of the risk context of the organization. Even if the same team repeated the activity the next day it could result in a different risk matrix.
- This risk matrix, as well as any other input that represents the risk context of the organization, is a temporary input that does not consider risks to change over time. It is very important to emphasize with the participants that this matrix represents “a picture” of the state of risk for that particular moment, and the invitation is to repeat this exercise periodically to update this obtained representation.
Risk matrix analysis
Closure of the activity
At the end of the activity you can discuss and emphasize what has been achieved:
- Criteria for the detection of threats were defined, and a map of current threats proposed by the team was made.
- Criteria for the study and prioritization of threats were developed. These criteria were also used during the exercise of threats mapping.
- A risk matrix building methodology was introduced, and it can be replicated in the future of the organization.