Case Study: Determining the Likelihood and Impact of Occurrence
One of the most challenging aspects of a risk assessment is determining the likelihood of occurrence and impact. NIST SP 800-30 defines the likelihood of occurrence as follows: A weighted risk factor based on an analysis of the probability that a given threat source is capable of exploiting a given vulnerability (or set of vulnerabilities). For adversarial threats, an assessment of likelihood of occurrence is typically based on: (i) adversary intent; (ii) adversary capability; and (iii) adversary targeting. For other than adversarial threat events, the likelihood of occurrence is estimated using historical evidence, empirical data, or other factors. Organizations typically employ a three-step process to determine the overall likelihood of threat events:
Image Organizations assess the likelihood that threat events will be initiated (for adversarial threat events) or will occur (for non-adversarial threat events).
Image Organizations assess the likelihood that the threat events, once initiated or occurring, will result in adverse impacts or harm to organizational operations and assets, individuals, other organizations, or the nation.
Image Organizations assess the overall likelihood as a combination of likelihood of initiation/occurrence and likelihood of resulting in adverse impact.
Identify two threat sources-one adversarial and one non-adversarial-that could exploit a vulnerability at your school or workplace and would result in disruption of service. An adversarial event is the intentional exploitation of a vulnerability by criminal groups, terrorists, bot-net operators, or disgruntled employees. A non-adversarial event is the accidental exploit of a vulnerability, such as an undocumented process, a severe storm, or accidental or unintentional behavior.
1. For each (using your best judgment), answer the following questions:
a) What is the threat?
b) What is the threat source?
c) Is the source adversarial or non-adversarial?
d) What vulnerability could be exploited?
e) How likely is the threat source to be successful and why?
f) If the threat source is successful, what is the extent of the damage caused?
2. Risk assessments are rarely conducted by one individual working alone. If you were hosting a workshop to answer the preceding questions, who would you invite and why?