Threat Risk Assessment

For Security Architects

Threat Level

Expertise

The general level of knowledge required to carry out an attack.

No particular expertise is required. Examples include people who can follow simple instructions for existing attack tools, but who cannot succeed if the instructions or the tools do not work as expected.
General security and domain knowledge is required. Professionals who know simple and popular attacks can mount them with available tools and, if necessary, improvise: for example, IT professionals who can modify a standard exploit or chain several attack techniques without a detailed tutorial or step-by-step guide.
Expert security and domain knowledge is required. Experts are familiar with the underlying algorithms, protocols, hardware, software and concepts. They know the techniques and tools of existing attacks and are able to create new ones.
Expert security and domain knowledge is required in several distinct domains. This level covers attacks that can only succeed when expertise in different fields is available at expert level, whether in one attacker or across a team.

Knowledge about target

How widely information about the target is distributed, i.e., how available the information is and how large the community possessing it is.

The necessary information is public. Examples include information available on the Internet, in documentation, technical standards, or shared without non-disclosure agreements (NDAs), such as common protocols, APIs, system architectures, or published vulnerability databases.
The information is shared with partners under non-disclosure agreements. For example, requirements and design specifications, internal documentation, or technical details that must be shared with vendors, contractors, or business partners.
The information is shared between specific teams, but access is constrained to their members. Examples include restricted system configuration parameters, internal databases, source code, or technical documentation limited to authorized development teams.
The information is restricted to a few individuals. Access is tightly controlled on a strict need-to-know basis. Examples include root signing keys.

Window of opportunity

The access type available to the attacker, and the time window the attacker has to mount a successful attack.

Unlimited physical access, or network access for an unlimited time. Examples include always-on Internet access, physical access to owned devices, or unrestricted access to systems that users legitimately control.
High physical and/or remote availability with some time limitations.
Low availability with severe time limitations: limited physical and/or remote access to the target, for example brief physical access to systems or devices without specialized tools (external ports, connectors, or user-accessible components).
Very low availability: physical access is required to perform complex disassembly of equipment or systems and reach internal components before the asset can be attacked.

Equipment

The equipment required to identify or exploit vulnerabilities.

The equipment is readily available to the attacker. The equipment may be part of the target itself (e.g. built-in debugging tools, administrative interfaces), or is easily obtained. Examples include standard diagnostic tools, common IT devices such as laptops, or widely available hardware/software tools.
The equipment is not readily available to the attacker, but could be acquired without undue effort. This could include the purchase of moderate amounts of equipment, or the development of more extensive attack scripts.
The equipment is not readily available to the public because it must be specially produced, or because it is so specialized that its distribution is controlled or restricted, or because it is very expensive.
Multiple types of bespoke equipment are required for a successful attack.

Impact Level

Safety

The safety impact refers to the safety of users, operators, and affected parties or infrastructure. Safety is a first-order requirement in any system that can affect human wellbeing or critical operations.

No injuries.
Light and moderate injuries.
Severe and life-threatening injuries with probable survival.
Life-threatening injuries with uncertain survival, or fatal injuries.

Financial

The financial impact includes all direct and indirect financial damages of all stakeholders.

No discernible effects or appreciable consequences for the stakeholders.
The financial damage remains tolerable for the stakeholders.
There are substantial financial losses which do not threaten the existence of the stakeholders.
The financial damage threatens the existence of the stakeholders.

Operational

Operational impact refers to operational damages which have little or no safety or financial impact, for instance the loss of secondary functionalities such as convenience features, or non-critical systems and services.

There is no discernible effect.
A nuisance effect, such as the appearance of an item or an audible notification, that annoys between 25% and 75% of users.
The degradation or loss of a secondary function, or the degradation of a primary function.
Loss of a primary function which leaves the system inoperable and potentially affects safety or legislative requirements.

Privacy and Legislative

Impact on the protection of personal data and on compliance with legislative and regulatory requirements.

There is no discernible effect.
Privacy violations without direct potential for abuse, or legislative violations with no appreciable consequences, e.g., a warning without a fine.
Privacy violations which lead to abuse, or legislative violations with business and financial impact such as fines or reputation loss.
Privacy violations of multiple stakeholders which lead to abuse, or legislative violations with significant business and financial impact, such as significant loss of market share, trust or reputation.
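The rubric above gives four Threat Level parameters and four Impact Level categories, each with four levels, but it does not say how the ratings are combined. The following calculator is an added worked example, not part of the original framework: it encodes each parameter on a 0..3 scale in the order the page lists its levels, validates a worksheet row, and aggregates the ratings. The aggregation rules (summing the threat parameters into an attack effort, letting the worst impact category set the impact level, and the risk matrix) and the two constructed scenarios are assumptions made for this example; substitute your organisation's own tables.

```python
"""Rating calculator for the threat-level and impact-level parameters above.
Added worked example, not part of the original assessment framework. The
aggregation rules below are ASSUMPTIONS; the page fixes no formula."""

LEVELS = range(4)

# Short labels for each level, in the order the page lists them (0 = first line).
THREAT_PARAMETERS = {
    "expertise": ("layman", "proficient", "expert", "multiple expert domains"),
    "knowledge": ("public", "under NDA", "team-restricted", "need-to-know"),
    "window": ("unlimited", "high", "low", "very low"),
    "equipment": ("readily available", "obtainable", "specialized", "multiple bespoke"),
}
IMPACT_CATEGORIES = {
    "safety": ("none", "light/moderate", "severe", "fatal"),
    "financial": ("none", "tolerable", "substantial", "existential"),
    "operational": ("none", "annoyance", "secondary function", "primary function"),
    "privacy": ("none", "no abuse", "abuse", "multi-stakeholder abuse"),
}
THREAT_LABELS = ("low", "medium", "high", "very high")
IMPACT_LABELS = ("negligible", "moderate", "major", "severe")

# Assumed risk matrix, indexed [impact_level][threat_level], giving risk 1..5.
RISK_MATRIX = (
    (1, 1, 1, 1),
    (1, 2, 2, 3),
    (1, 2, 3, 4),
    (2, 3, 4, 5),
)

def validate(ratings, table, name):
    """Reject missing or unknown parameters and out-of-range levels so a typo in
    a worksheet cannot silently drop a parameter or inflate a rating."""
    missing = set(table) - set(ratings)
    unknown = set(ratings) - set(table)
    if missing or unknown:
        raise ValueError(f"{name}: missing={sorted(missing)} unknown={sorted(unknown)}")
    for key, value in ratings.items():
        if value not in LEVELS:
            raise ValueError(f"{name}[{key}]={value!r} is outside 0..3")

def attack_effort(threat):
    """Sum of the four threat parameters (0..12): higher means a harder attack."""
    validate(threat, THREAT_PARAMETERS, "threat")
    return sum(threat.values())

def threat_level(threat):
    """Assumed banding: the more effort an attack needs, the lower the threat level."""
    effort = attack_effort(threat)
    if effort <= 2:
        return 3
    if effort <= 5:
        return 2
    if effort <= 8:
        return 1
    return 0

def impact_level(impact):
    """Assumed rule: the worst-rated category sets the overall impact level."""
    validate(impact, IMPACT_CATEGORIES, "impact")
    return max(impact.values())

def impact_drivers(impact):
    """Categories sitting at the overall impact level; a mitigation must reduce
    every one of them before the impact rating can drop."""
    level = impact_level(impact)
    return sorted(key for key, value in impact.items() if value == level)

def assess(threat, impact):
    """One worksheet row: effort, both levels, the impact drivers and the risk."""
    tl, il = threat_level(threat), impact_level(impact)
    return {
        "attack_effort": attack_effort(threat),
        "threat_level": THREAT_LABELS[tl],
        "impact_level": IMPACT_LABELS[il],
        "impact_drivers": impact_drivers(impact),
        "risk": RISK_MATRIX[il][tl],
    }

# Constructed scenarios (assumed ratings, for illustration only).
# A: public exploit against an always-on service, run with off-the-shelf tools.
REMOTE_PUBLIC_EXPLOIT = {"expertise": 0, "knowledge": 0, "window": 0, "equipment": 0}
DATA_BREACH_IMPACT = {"safety": 0, "financial": 2, "operational": 1, "privacy": 2}
# B: key extraction needing disassembly, bespoke rigs and need-to-know secrets.
HARDWARE_KEY_EXTRACTION = {"expertise": 3, "knowledge": 3, "window": 3, "equipment": 3}
SAFETY_FUNCTION_IMPACT = {"safety": 3, "financial": 1, "operational": 3, "privacy": 0}

if __name__ == "__main__":
    for name, t, i in (("A", REMOTE_PUBLIC_EXPLOIT, DATA_BREACH_IMPACT),
                       ("B", HARDWARE_KEY_EXTRACTION, SAFETY_FUNCTION_IMPACT)):
        print(name, assess(t, i))
```

The point of `impact_drivers` is the review step that usually gets skipped: because the worst category sets the impact level, a control that only lowers the financial rating in scenario A leaves the privacy rating, and therefore the risk, unchanged. The validation step matters for the same reason; a worksheet row with a misspelled category would otherwise compute a lower `max` and quietly understate the risk.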