What Can You Control About Threat Vulnerability Pairs? (Course Hero)

by Elmore Turner

How do I create the threat and vulnerability pairs?

Once the threat and vulnerability listings are complete, it is a fairly straightforward exercise to create the Threat and Vulnerability pairs: 1. Assuming that you are using a spreadsheet or a table format, list all the threats in one column. 2.

Do compensating controls reduce the severity of a threat/vulnerability pair?

Compensating controls can reduce the severity or likelihood of a threat/vulnerability pair, but most often, they will affect the likelihood. Say, there is a new vulnerability announced and virus code has been detected on the Internet.

What is a threat-vulnerability pair?

A threat-vulnerability pair is a matrix that matches all the threats in our listing with the current or hypothetical vulnerabilities that could be exploited by the threats. This is the final product leveraging both the threat listing and vulnerability listing that we have been preparing.

What is a threat source in cyber security?

The threat source is part of a small and trusted group, controls prevent exploitation without physical access to the target, significant inside knowledge is necessary, or purely theoretical.

What is the impact of a vulnerability?

In simple terms, an information security risk exposure should describe the outcome of a successful exploit of the vulnerability by the threat. Sometimes, this combination of threat and vulnerability is referred to as the “impact” or “consequence” of a risk exposure.

What is a low threat source?

Low. The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised. Moderate. The threat source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.

How to assess for high risk?

1. Identify HIGH risk threats across all systems. This is fairly straightforward, and it allows the assessor to quickly identify the threats that have the highest risk for the systems reviewed.
2. Obtain aggregate threat and vulnerability pair scores across all systems. This is a slightly more subtle approach.

How to list all threats in one column?

1. Assuming that you are using a spreadsheet or a table format, list all the threats in one column.
2. In the following column, write down all the applicable vulnerabilities for each of the threats listed in the first column.
3. Remember that each threat could potentially have multiple vulnerabilities related to it.
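The Python sketch below is an added example, not part of the original page: it builds the threat/vulnerability pairs from the two columns described above, scores each pair per system, and produces the aggregate and HIGH-risk views mentioned elsewhere on this page. The sample threats and systems, the 1-3 rating scale, the impact x likelihood formula, the HIGH threshold and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample listing (not from the page): threat -> applicable vulnerabilities.
THREAT_VULNS = {
    "Malware outbreak": ["Unpatched OS", "No endpoint protection"],
    "Insider data theft": ["Excessive user privileges"],
}
# Constructed ratings on an assumed 1-3 scale (1=Low, 2=Moderate, 3=High):
# (system, threat, vulnerability) -> (impact, likelihood before controls)
RATINGS = {
    ("HR portal", "Malware outbreak", "Unpatched OS"): (3, 3),
    ("HR portal", "Insider data theft", "Excessive user privileges"): (3, 2),
    ("Mail server", "Malware outbreak", "Unpatched OS"): (2, 3),
    ("Mail server", "Malware outbreak", "No endpoint protection"): (2, 2),
}
# Assumption: a compensating control is modelled as a reduction in likelihood.
CONTROLS = {("Mail server", "Malware outbreak", "Unpatched OS"): 1}
HIGH_THRESHOLD = 6  # assumed cut-off for a HIGH risk score

def build_pairs(threat_vulns):
    """One row per threat/vulnerability pair; a threat may appear several times."""
    return [(t, v) for t, vulns in threat_vulns.items() for v in vulns]

def risk_score(impact, likelihood, control_reduction=0):
    """Assumed formula: impact x likelihood, likelihood floored at 1 after controls."""
    return impact * max(1, likelihood - control_reduction)

def score_all(ratings, controls, pairs):
    """Score every rated pair per system; reject ratings for pairs not in the matrix."""
    rows = []
    for (system, threat, vuln), (impact, likelihood) in ratings.items():
        if (threat, vuln) not in pairs:
            raise ValueError(f"unlisted pair: {threat} / {vuln}")
        reduction = controls.get((system, threat, vuln), 0)
        rows.append((system, threat, vuln, risk_score(impact, likelihood, reduction)))
    return rows

def aggregate_by_pair(rows):
    """Sum each pair's risk scores across all systems, highest total first."""
    totals = defaultdict(int)
    for _system, threat, vuln, score in rows:
        totals[(threat, vuln)] += score
    return sorted(totals.items(), key=lambda item: -item[1])

def high_risk_threats(rows):
    """Threats with at least one HIGH score on any system."""
    return sorted({threat for _s, threat, _v, score in rows if score >= HIGH_THRESHOLD})

if __name__ == "__main__":
    rows = score_all(RATINGS, CONTROLS, build_pairs(THREAT_VULNS))
    print(aggregate_by_pair(rows))
    print(high_risk_threats(rows))
```

The compensating control on the mail server lowers that pair's score from 6 to 4, which is why only the HR portal rows count as HIGH here.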

What is the final output of the Impact Analysis and Likelihood Analysis?

The Risk Determination section is the final output based on the results of the Impact Analysis and Likelihood Analysis. The final output that is represented in this section is the Risk Score. Since the risk score is computed for all threat and vulnerability pairs for all systems, it is not feasible to put all of the results in the body of the report. As with Impact and Likelihood analysis, the results for this section are better represented in an Appendix. In our case, this is a spreadsheet containing the risk computation. As with the previous section, we encourage you to provide an example within the body of the report and will provide an example below. It is also a good idea to present some form of aggregate results, since the full risk scores cannot be easily presented. The presentation of the aggregate results could be a summation table of all the risk scores, as seen in the example below. All of the content for this section can be derived from the data analysis activities covered in Chapter 4. What follows is a template that can be used for this section:
