Grouping threats by common properties

Threat taxonomy or threat classification is the process of grouping threats by their common properties.
By Frans Sauermann, Information security consultant for Tsepo Technology Consulting.
Johannesburg, 16 Jul 2007

Threat taxonomy or threat classification is the process of grouping threats by their common properties. In a series of four Industry Insights, I will introduce and define information threat taxonomy, explain common threat classes, discuss threat origins, agents and impacts, and conclude with examples of specific threats.

The ISO 27001 standard requires a framework for the analysis of risk posed to an organisation by information security threats. Because organisations have made various attempts at modelling the information security risk posed to them, that risk may be modelled using a number of different philosophies.

The commonly accepted definition of information security risk can be stated as follows: information security risk materialises when vulnerabilities inherent in assets are exploited by threats, as executed by a threat agent.

In this series, I attempt to provide a high-level classification/taxonomy of information security threats. A threat in this context is defined as the enabling circumstance that an entity may use to harm another entity, through the exploitation of a vulnerability inherent in a resource, leading to increased risk or direct negative impact.

For practical analysis purposes, this can be further extended by mapping countermeasures to known threats via the countermeasure effectiveness.

In order to provide a high-level rational analysis of information security threats and countermeasures:

1. A broad taxonomy/classification framework should be defined.
2. Specific threats should be classified according to the taxonomy as defined risks.
3. Specific countermeasures should be classified according to capacity to address threat categories.
4. The capability of a countermeasure to address a specific threat should be assessed according to its qualitative or quantitative correlation with the threat categories.

This series will primarily focus on point one of the analysis.

The threat taxonomy as discussed here allows us to group a number of threats according to their commonalities. The countermeasure-to-threat mapping enables informed decision-making on the selection of risk reduction technology based on its common capabilities.

Through two-dimensional grid-based mapping, this methodology will provide insight into a qualitative and quantitative analysis framework of information security risks and controls.
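To make the grid concrete, here is an added Python illustration (not the author's or Tsepo's own tooling) of the countermeasure-to-threat mapping: each threat sits in a class x origin cell of the taxonomy, each countermeasure carries an effectiveness fraction per cell (its correlation with that threat category), and an exhaustive search picks the affordable set of controls with the lowest total residual risk. Every threat, figure and control below is constructed for the example.

```python
from dataclasses import dataclass
from itertools import combinations

THREAT_CLASSES = ("fraud", "denial of service", "repudiation")  # classes named in the article
ORIGINS = ("network", "location", "media")                     # origins named in the article

@dataclass(frozen=True)
class Threat:
    name: str
    threat_class: str
    origin: str
    likelihood: float  # probability of occurrence (0..1), from the probability study
    impact: float      # expected loss if it materialises (constructed units)

    def __post_init__(self):
        # A threat outside the grid cannot be mapped to any countermeasure cell.
        if self.threat_class not in THREAT_CLASSES or self.origin not in ORIGINS:
            raise ValueError(f"{self.name}: not in taxonomy grid")

@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float
    effectiveness: dict  # (threat_class, origin) -> fraction of risk removed in that cell

def residual_risk(threat, controls):
    """Likelihood x impact after controls; independent reductions combine multiplicatively."""
    cell = (threat.threat_class, threat.origin)
    remaining = 1.0
    for control in controls:
        remaining *= 1.0 - control.effectiveness.get(cell, 0.0)
    return threat.likelihood * threat.impact * remaining

def total_risk(threats, controls):
    return sum(residual_risk(t, controls) for t in threats)

def best_selection(threats, catalogue, budget):
    # Exhaustive search over the (small) catalogue: affordable subset with lowest residual risk.
    best = ((), total_risk(threats, ()))
    for size in range(1, len(catalogue) + 1):
        for subset in combinations(catalogue, size):
            if sum(c.cost for c in subset) <= budget:
                risk = total_risk(threats, subset)
                if risk < best[1]:
                    best = (tuple(sorted(c.name for c in subset)), risk)
    return best

# Constructed sample register: four threats placed in grid cells, four candidate controls.
THREATS = [Threat("Phished wire-transfer approval", "fraud", "network", 0.4, 100),
           Threat("SYN flood on customer portal", "denial of service", "network", 0.6, 50),
           Threat("Disputed transaction on backup tape", "repudiation", "media", 0.2, 80),
           Threat("Power loss at server room", "denial of service", "location", 0.1, 200)]
CATALOGUE = [Countermeasure("Transaction signing", 30, {("fraud", "network"): 0.8}),
             Countermeasure("DDoS scrubbing", 40, {("denial of service", "network"): 0.9}),
             Countermeasure("Backup generator", 50, {("denial of service", "location"): 0.7}),
             Countermeasure("WORM audit storage", 20, {("repudiation", "media"): 0.6})]
```

With a budget of 70, `best_selection(THREATS, CATALOGUE, 70)` selects transaction signing plus DDoS scrubbing, bringing the constructed total risk from 106 down to 47; the cheaper WORM storage loses out because its cell carries less risk.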

Threat-risk relationships

Although this model does not encompass the whole risk analysis chain, it does address the threat component, and the applicability of countermeasures on specific threats and threat classes. Further modelling on the threat-risk relationship includes aspects such as:

* Information and physical asset scope definition;
* Vulnerability assessment, modelling, penetration testing and vulnerability mitigation;
* Attack tree analysis; and
* Quantitative and qualitative impact and probability studies.

Understanding the relationship between vulnerability, threats and risk provides an economic backing for application of countermeasures as well as insurance. This is a complex field with many different opinions on how to approach the problem.

In the coming Industry Insights of this series, I will address:

* The common threat classes, such as fraud, denial of service, repudiation;
* The origin of the threat, which could be network-based, location-based or media-based;
* The threat agent that perpetrates or could perpetrate the threat;
* The various impacts that threats can have on information security; and
* Some general examples of the common and prevalent threats and how they map into the taxonomy.

* Frans Sauermann is an information security consultant for Tsepo Technology Consulting.