Information security theory and practice use a commonly understood and simple range of tools, methods, and practices to help organisations understand their risk portfolio and to enable them to make both strategic and tactical investment decisions…
Ok, someone pinch me. This simply isn’t the reality I see on the ground. The theory is vast and complex, and there are a multitude of good/best/insert-phrase frameworks and tools that you can leverage to map, model, and communicate risks, vulnerabilities, controls, threats, etc.
I’m not going to do a detailed analysis and comparison of different models here, but I am going to at least give people a view of some of the tools and frameworks that you can use and are likely to encounter in the cyber security world.
Risk Analysis Models/Frameworks/Guidance
- NIST SP 800-30/RMF
- FAIR (Factor Analysis of Information Risk)
- FRAP (Facilitated Risk Assessment Process)
- OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
- TARA (Threat Agent Risk Assessment)
- ITIL (Risk Management Process)
- Management of Risk (MoR)
- PRINCE2 Risk Management Approach
- OWASP Top 10
- PASTA (Process for Attack Simulation & Threat Analysis)
- STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of Privilege)
- Microsoft Threat Modelling Process
- NIST SP 800-53
- LINDDUN (linkability, identifiability, nonrepudiation, detectability, disclosure of information, unawareness, noncompliance)
- Security Cards
- Hybrid Threat Modelling Method (hTMM)
- Visual, Agile, and Simple Threat (VAST) Modelling
- Attack Maps/Trees
- MITRE CWE
- Common Vulnerabilities and Exposures (CVE)
- MITRE ATT&CK
- MITRE D3FEND
If I told you that when I’ve gone to different organisations I have found many of these commonly in use and understood by the community of people actively managing and operating technology systems, I would be doing you a disservice. The reality is that most organisations use abridged versions of frameworks and tools to get by. That isn’t to say that is right or wrong, nor is this to say that people should follow everything by the letter; it’s just a view from someone who travels around different companies and has done so for a long time. Tools and theory are great, but if you are outside of a unicorn/high-security-maturity environment (90% of orgs are not in this space), then be mindful of the gap between the theory and the reality of bringing all the things to the table. My practitioner advice would be to pick the tools that work to enable the business outcomes required. If the audience can’t understand the tool, it’s not always a problem with the audience.