Risk Scoring with Threat Modeling

  • What knobs / dials exist that allow us to tailor a model to specific threats targeting our organization? For example, if a line of service is being targeted and that actor is known to use certain methods, could we increase the risk score on those assets that are vulnerable?
    • There are two types of knobs / dials you can use to control vulnerability prioritization expressed in terms of risk score:
      • Vulnerability Risk Factor: You can control the magnitude of the Threat Factor, which signifies whether there is a threat targeting a vulnerability. The Exploit Factor is auto-selected from the type of exploit, with remotely executed exploits receiving the highest weighting; it is not adjustable out of the box, but its value changes automatically with the exploit type.
      • Asset Criticality Factor: You can model virtually any attribute of the asset on which a vulnerability is found, such as the line of business it belongs to, whether it is Internet-facing, and the type of data stored on the asset. Each attribute value is associated with a weighting that influences the Asset Criticality Factor, and therefore the risk score.
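The following is an added illustration (not the product's own scoring code) of how the two knobs above combine to answer the question: the Threat Factor is raised for vulnerabilities whose exploit type matches a known actor's methods, and the line-of-business weighting is raised for the targeted line of service. The numeric weightings, the "remote/local/none" exploit types, the 0-10 severity scale and the multiplicative combination are all assumptions, since the page gives no formula.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed example; all weightings and the way the factors combine are assumptions.
# Exploit Factor: auto-selected from exploit type, remote weighted highest.
EXPLOIT_FACTOR = {"remote": 1.0, "local": 0.6, "none": 0.2}

# Asset attribute weightings feeding the Asset Criticality Factor (baseline tuning).
BASELINE_WEIGHTS = {
    "line_of_business": {"payments": 0.6, "marketing": 0.4},
    "internet_facing": {True: 1.0, False: 0.5},
    "data_type": {"cardholder": 1.0, "public": 0.2},
}

@dataclass
class Vulnerability:
    vuln_id: str
    base_severity: float   # 0-10, e.g. a CVSS base score (assumed scale)
    exploit_type: str      # key of EXPLOIT_FACTOR

@dataclass
class Asset:
    name: str
    attributes: dict       # attribute name -> value

def asset_criticality_factor(asset, weights=BASELINE_WEIGHTS):
    """Mean of the weightings for every modelled attribute of the asset."""
    return mean(weights[name][value] for name, value in asset.attributes.items())

def threat_factor(vuln, actor_methods, boost=1.25):
    """Knob 1: raise the Threat Factor when a known actor's methods cover
    this vulnerability's exploit type; otherwise it stays neutral."""
    return boost if vuln.exploit_type in actor_methods else 1.0

def vulnerability_risk_factor(vuln, actor_methods=frozenset()):
    return threat_factor(vuln, actor_methods) * EXPLOIT_FACTOR[vuln.exploit_type]

def risk_score(vuln, asset, actor_methods=frozenset(), weights=BASELINE_WEIGHTS):
    """Assumed composition: base severity scaled by both factors, capped at 10."""
    score = (vuln.base_severity * vulnerability_risk_factor(vuln, actor_methods)
             * asset_criticality_factor(asset, weights))
    return min(score, 10.0)

def weights_for_targeted_lob(lob, weight=1.0, weights=BASELINE_WEIGHTS):
    """Knob 2: raise the line-of-business weighting for a targeted line of service
    without mutating the baseline table."""
    tuned = {name: dict(values) for name, values in weights.items()}
    tuned["line_of_business"][lob] = weight
    return tuned

if __name__ == "__main__":
    vuln = Vulnerability("VULN-EXAMPLE-1", 7.5, "remote")   # constructed id
    pay = Asset("pay-api-01", {"line_of_business": "payments", "internet_facing": True, "data_type": "cardholder"})
    cms = Asset("web-cms-01", {"line_of_business": "marketing", "internet_facing": False, "data_type": "public"})
    tuned = weights_for_targeted_lob("payments")
    for asset in (pay, cms):
        print(asset.name, round(risk_score(vuln, asset), 3), "->",
              round(risk_score(vuln, asset, {"remote"}, tuned), 3))
```

With the actor profile applied, the payments asset moves from 6.5 to 9.375 while the marketing asset only moves from 2.75 to 3.4375, so the remotely exploitable finding on the targeted line of service rises to the top of the queue.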