5.3 Identify Areas of Concern
As people work with information-related assets when performing their jobs, they develop an understanding of the operational procedures related to accessing and using information. They learn about the way operations really work in their organization. They know where written procedures must be followed to the letter, and they know where they have to "make things work" by deviating from formally written protocols. The knowledge about what is really happening in the organization is vital when creating threat scenarios.
In this activity participants express concerns about how their most important assets are threatened. They create the scenarios using prompts based on known sources and outcomes of threat, resulting in highly contextual threat information from the people who use and depend upon the organization's assets. This information forms the basis for constructing threat profiles during process 4.
Step 1: Describe Areas of Concern
A threat is an indication of a potential undesirable event [NSTISSC 98]. It refers to a situation in which a person could do something undesirable (an attacker initiating a denial-of-service attack against an organization's email server) or a natural occurrence could cause an undesirable outcome (a fire damaging an organization's information technology hardware). An area of concern is a situation in which someone is concerned about a threat to his or her important assets. Typically, areas of concern have a source and an outcome, that is, a causal action that has an effect on the organization. Figure 5-4 shows typical sources and outcomes for areas of concern.
The threat sources and outcomes in Figure 5-4 are based on known sources of threat from the generic threat profile. For a more in-depth discussion of the generic threat profile, see Chapter 6. Table 5-4 provides a definition for each category of threat source, while Table 5-5 provides a definition for each outcome.
To conduct step 1, ask the participants the following question: What scenarios threaten your important assets? To help them think about threat scenarios, have the participants focus on how the sources and outcomes contained in Figure 5-4 relate to their important assets.
Note that the participants might consider one asset at a time, or they might consider and discuss all important assets simultaneously when they identify areas of concern. Identifying areas of concern is a brainstorming activity, in which participants will likely focus on multiple assets and sources simultaneously.
At MedSite, the senior managers identified areas of concern for their important assets. Figure 5-5 shows a few of the areas of concern for PIDS.
Note that the areas of concern in Figure 5-5 are written as complete sentences. One of the biggest mistakes made by many inexperienced analysis teams is to record partial phrases that do not completely capture the meaning of the concern. When the teams review areas of concern later in the process, they cannot always remember the exact concern if only a few words were recorded. Appendix A summarizes the areas of concern identified during processes 1 to 3.
Step 2: Describe the Impact on the Organization
The second step of this activity centers on collecting information about the potential impact on the organization. This information will be useful when you start to construct risks in process 7. It will help link the outcomes of threats to business goals and objectives. (See Chapter 9 for more information about process 7.)
For each scenario elicited, ask the following questions:
Note that there can be more than one impact for each area of concern. Figure 5-6 illustrates the potential impact on the organization for two of the senior managers' areas of concern for PIDS.
This concludes the second activity of processes 1 to 3. In the next activity you will identify security requirements for the participants' most important assets.