We’ve covered a lot of ground, and it can be difficult to pull all of these concepts together until you’ve had an opportunity to use them. This section walks through a simple risk scenario, providing an opportunity to kick the tires, so to speak.
A Human Resources (HR) executive within a large bank has his username and password written on a sticky note stuck to his computer monitor. These authentication credentials allow him to log onto the network and access the HR applications he’s entitled to use.
Before we get started, think to yourself how you’d rate the level of risk in this scenario based on the assessments you’ve seen or done in the past.
The simplified process we’ll use in this example comprises ten steps in four stages:
- Identify the asset at risk
- Identify the threat community under consideration
- Estimate the probable Threat Event Frequency (TEF)
- Estimate the Threat Capability (TCap)
- Estimate Control strength (CS)
- Derive Vulnerability (Vuln)
- Derive Loss Event Frequency (LEF)
- Derive and articulate Risk
(Note that we’ve made a Basic Risk Assessment Guide available for download >>here<< that documents these steps and can act as a kind of a worksheet.)
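As an added illustration of steps 3 through 7 (not the guide's own worksheet or numbers), the following Python models each estimate as a three-point range, derives Vulnerability as the probability that Threat Capability exceeds Control Strength (both as percentiles of the overall threat population), and derives Loss Event Frequency as TEF multiplied by Vulnerability. The scenario estimates in the `__main__` block are constructed for illustration only.

```python
import random
from dataclasses import dataclass


@dataclass
class Estimate:
    """Three-point estimate (minimum, most likely, maximum) for one FAIR input."""
    low: float
    likely: float
    high: float

    def sample(self, rng):
        # random.triangular(low, high, mode); a degenerate range returns `low`
        return rng.triangular(self.low, self.high, self.likely)


def assess_lef(tef, tcap, cs, n=20000, seed=1):
    """Steps 3-7: estimate inputs, then derive Vulnerability and LEF.

    tef  - Threat Event Frequency, contact/attempt events per year
    tcap - Threat Capability, percentile (0-100) of the threat population
    cs   - Control Strength, percentile (0-100) of threats the control resists
    Vuln is the fraction of samples in which TCap exceeds CS;
    LEF is mean TEF multiplied by Vuln (loss events per year).
    """
    rng = random.Random(seed)  # fixed seed keeps the result reproducible
    exceed = 0
    tef_total = 0.0
    for _ in range(n):
        tef_total += tef.sample(rng)
        if tcap.sample(rng) > cs.sample(rng):
            exceed += 1
    vuln = exceed / n
    tef_mean = tef_total / n
    return {"tef": tef_mean, "vuln": vuln, "lef": tef_mean * vuln}


if __name__ == "__main__":
    # Constructed estimates (assumptions, not the guide's values):
    # some dozens of people pass the monitor each year and could read the note;
    # reading a sticky note needs little skill, so TCap is high;
    # "control strength" here is whatever makes the note hard to see or use.
    result = assess_lef(tef=Estimate(10, 30, 60),
                        tcap=Estimate(40, 70, 95),
                        cs=Estimate(20, 50, 80))
    for name, value in result.items():
        print(f"{name}: {value:.3f}")
```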