Conducting threat assessments

A threat assessment identifies potential threats to a capability.

Threats are not limited to capability failures or technical errors; they can also come from people.

Threat actors are individuals or groups that aim to gain unauthorised access to a capability or to disrupt its operations.

An understanding of these actors, and of the tactics and techniques they use, is essential for an effective threat assessment.

Common types of threat actors include:
  • nation states
  • cyber criminals
  • insiders

Frameworks such as the MITRE ATT&CK framework can help you to understand threat actors' tactics and techniques and to anticipate their actions.

Another useful source of threat assessments is Defence Intelligence, such as the DI Cyber Baseline Technical Threat Assessment Hub.

Once you have identified potential threats, use them to inform your risk management activities, including the selection of appropriate security controls. You may also need to adjust your risk appetite in light of them.

Capabilities should refer to the guidance on cyber security Suitably Qualified and Experienced Person (SQEP) requirements to make sure that they have the right people to conduct and manage threat assessments.

Threat assessments also require input from a variety of stakeholders, not just "cyber" specialists, to give a well-rounded picture of the threats a capability may face.

Benefits

Benefits of conducting threat assessments include:
  • informing the risk assessment
  • helping to prioritise the risks that need the most immediate attention and resources
  • guiding the selection and implementation of appropriate controls
  • supporting informed decision making about risk

Outcomes

An understanding of the threats facing the capability, how they may affect the mission, and how they can be addressed.

Responsibility

The following are responsible for threat assessments:
  • Senior Responsible Owner (SRO), or suitable equivalent
  • delivery team lead
  • project management office (PMO)
  • delivery team

All of these roles should already include security among their responsibilities.

When to conduct threat assessments

Threat assessments should be:
  • conducted throughout the capability lifecycle
  • reviewed regularly
  • complemented by intelligence feeds