Practical Threat Analysis in-depth

Part 4: The PTA Threat Analysis Calculative Method

Part 1: The State of Threat Analysis
Part 2: PTA Methodology, Terminology and Definitions
Part 3: The PTA Threat Analysis and Risk Assessment Process
Part 5: The Car & Passenger Simplified Threat Model Example

The PTA Calculative Method Flowchart

The following flowchart is an abbreviated description of the PTA calculative method.

Figure 2: The PTA calculative method flowchart

The PTA Calculative Method Steps

1. Input Local Parameters

Step 90: Input the time period and currency type parameters. The time period [t] and currency type [c] parameters are used as the units of the calculated financial values. For example, when [t] = ‘annual’ and [c] = ‘USD’, a financial value such as an asset value is expressed in USD per year. If the [t] parameter is omitted, the calculation treats the monetary values as fixed one-time values with no recurring factor over time.

2. Input Threat Model Entities

Step 100: Input the list of system assets. The set {A1,…,ANa} includes all system assets that may be threatened. Each asset is identified by a unique ID and name and is assigned a value of asset (ValA) that represents the maximal financial value of the damage that may be caused to the system by the loss of the asset.

{A1,…,ANa} – Set of system assets.
ValA(Ai) – Value of asset of the i-th asset; value of ValA ≥ 0.

Step 110: Input the list of system vulnerabilities. The set {V1,…,VNv} includes all system vulnerabilities that may be exploited to threaten system assets. Each vulnerability is identified by a unique ID and name.

{V1,…,VNv} – Set of system vulnerabilities.

Step 120: Input the list of system countermeasures. The set {C1,…,CNc} includes all countermeasures that may mitigate system vulnerabilities. Each countermeasure is identified by a unique ID and name and is assigned its estimated implementation cost (IC), the financial value of implementing the countermeasure. Each countermeasure is also assigned a Boolean implementation flag (IF) indicating whether or not the countermeasure has already been implemented.

{C1,…,CNc} – The set of system countermeasures.
IC(Ci) – Implementation cost of the i-th countermeasure; value of IC ≥ 0.
IF(Ci) – Implementation flag of the i-th countermeasure; value of IF = {true, false}.

Step 130: Input the list of system threats. The set {T1,…,TNt} includes all threats that may threaten system assets. Each threat is identified by a unique ID and name and is assigned the estimated threat probability (TP) that it will materialize within the time period [t]. TP values range between 0 and 1, where 0 means that the threat scenario will never materialize in the [t] period and 1 means that it will certainly materialize at least once within [t]. If the [t] parameter is omitted, the TP value refers to the whole lifetime of the system.

{T1,…,TNt} – The set of system threats.
TP(Ti) – Threat probability of the i-th threat; 0 ≤ value of TP ≤ 1.

4. Input Entity Relations

Step 140: Input the relations between threats and assets. Each threat is associated with a set of threat assets (TA) that includes the assets that may be damaged if the threat materializes. For each asset in its TA, the threat is assigned a relative threat asset damage (RelTAD), the level of damage that the threat may cause to that asset. The damage is expressed as a percentage, where 0% means that no damage is caused to the asset if the threat materializes and 100% means that the damage caused to the asset by the threat is total and equals the whole asset’s value.

TA(Ti) – Threat assets of the i-th threat; a non-empty subset of {A1,…,ANa} that may be damaged by the i-th threat.
RelTAD(Ti, Aj) – Relative threat asset damage that may be caused by the i-th threat to the j-th asset in TA(Ti); 0 ≤ value of RelTAD ≤ 100.

Step 150: Input the relations between vulnerabilities and countermeasures. Each vulnerability is associated with a set of vulnerability countermeasures (VC) that includes the countermeasures providing some mitigation to the vulnerability.

VC(Vi) – Vulnerability countermeasures of the i-th vulnerability; a subset of {C1,…,CNc} that may mitigate the i-th vulnerability.

Step 160: Input the relations between threats and vulnerabilities. Each threat is associated with a set of threat vulnerabilities (TV) that includes one or more vulnerabilities that are exploited in the threat scenario.

TV(Ti) – Threat vulnerabilities of the i-th threat; a non-empty subset of {V1…VNv} that are exploited by the i-th threat.

Step 162: Calculating the relations between vulnerabilities and countermeasures. Each countermeasure is automatically associated with a set of countermeasure vulnerabilities (CV) that includes one or more vulnerabilities for which it provides some mitigation. CV is the inverse of the VC relation entered in step 150: CV(Ci) contains every vulnerability Vj whose VC(Vj) includes Ci.

CV(Ci) – Countermeasure vulnerabilities of the i-th countermeasure; a non-empty subset of {V1,…,VNv} that may be mitigated by the i-th countermeasure.

Step 165: Calculating the set of recommended countermeasures for each threat. Each threat is automatically associated with a set of recommended countermeasures mitigating threat (RCMT) that includes the countermeasures that may mitigate the threat. RCMT is calculated from the inputs of step 150 and step 160: a countermeasure is recommended for a threat if it belongs to the VC of at least one vulnerability in the threat’s TV.

RCMT(Ti) – Recommended countermeasures mitigating threat for the i-th threat; a subset of {C1,…,CNc} that may mitigate the i-th threat.

5. Input Mitigation Policy

Step 170: Define the actual mitigation sets of countermeasures for each of the threats. An actual countermeasures mitigating threat (ACMT) set of a specific threat is a subset of the RCMT associated with that threat which, in order to be efficient, has to be implemented as a whole. There can be several ACMTs for a given threat, each representing a different possible solution to the specific threat. A set which is the union of several ACMTs may also be defined by the user as a valid ACMT.

ACMTj(Ti) – The j-th actual countermeasures mitigating threat for the i-th threat; a subset of RCMT(Ti) that provides some mitigation for the i-th threat.
An ACMTj(Ti) is said to be implemented if all of its countermeasures are implemented, otherwise it is considered as not implemented.

Step 180: Define the threat’s mitigation level for each of the actual mitigation sets of countermeasures. The actual countermeasures mitigating threat level (ACMTL) of a given ACMT for a specific threat is the level of the overall mitigation provided by the countermeasures in the ACMT to the risk posed by that threat. The ACMTL is expressed in percents where 0% means that the risk posed by the threat is not reduced by the specific ACMT and 100% means that the risk posed by the threat is completely mitigated by the ACMT.

ACMTLj(Ti) – The actual countermeasures mitigating threat level provided by the j-th ACMT to the i-th threat; 0 < value of ACMTL ≤ 100. The ACMTL of a union of several ACMTs should be greater than or equal to the maximum of the separate ACMTLs.

Step 185: Calculating the maximal and current mitigation level for each threat.

MaxTM(Ti) – Maximal threat mitigation level is the maximum over all of the ACMTLj(Ti) (i is fixed, j varies); 0 < value of MaxTM ≤ 100.
CurTM(Ti) – Current threat mitigation level is the maximum over all of the implemented ACMTLj(Ti) (i is fixed, j varies); 0 < value of CurTM ≤ 100.

6. Perform the PTA method calculations

Step 190: Calculating the total value of all system assets. Value of all system assets (ValSA) is calculated by summing the ValA of all assets.

ValSA – Value of all system assets.
ValSA = ∑ ValA (Ai) where i runs over all assets

Step 200: Calculating the relative value of each asset. Relative value of asset (RelValA) is the percentage of the value of a specific asset ValA out of the total value of all system assets. It is calculated by dividing the asset’s value ValA by the total value of all assets ValSA and multiplying by 100.

RelValA(Ai) – Relative value of the i-th asset.
RelValA(Ai) = ValA(Ai) / ValSA * 100 ; 0 < value of RelValA ≤ 100.

Step 210: Calculating the relative damage level of each threat. Relative threat damage (RelTD) is the percentage of the damage of a specific threat out of the total value of assets in the system. It is calculated by summing, over all assets, the relative damage RelTAD that the threat may cause to the asset, divided by 100, multiplied by the relative value RelValA of that asset.

RelTD(Ti) – Relative threat damage that may be caused by the i-th threat to the system’s assets.
RelTD(Ti) = ∑ RelTAD(Ti, Aj) / 100 * RelValA(Aj) where j runs over all assets; 0 < value of RelTD ≤ 100.

Step 220: Calculating the maximal risk level of each threat. Maximal threat risk (MaxTR) is the expected damage, as a percentage of the total value of assets in the system, that may be caused by a specific threat Ti if none of the ACMTs for this threat is implemented. It is calculated by multiplying the relative damage RelTD of the threat by the threat’s probability TP.

MaxTR(Ti) – Maximal threat risk of the i-th threat.
MaxTR(Ti) = RelTD(Ti) * TP(Ti) ; 0 < value of MaxTR ≤ 100.

Step 230: Calculating the minimal risk level of each threat. Minimal threat risk (MinTR) is the expected damage, as a percentage of the total value of assets in the system, that may be caused by a specific threat Ti if the most efficient ACMT (the one with the highest ACMTL) for this threat is implemented. It is calculated by multiplying the threat’s maximal risk MaxTR by a factor that expresses the unmitigated part of the threat that is left after the most efficient ACMT is implemented.

MinTR(Ti) – Minimal threat risk of the i-th threat.
MinTR(Ti) = MaxTR(Ti) * ( 1 - MaxTM(Ti) / 100) ; 0 < value of MinTR ≤ 100.

Step 240: Calculating the current risk level of each threat. Current threat risk (CurTR) is an approximation of the expected damage, as a percentage of the total value of assets in the system, that may be caused by a specific threat, taking into account the current mitigation provided by the implemented ACMTs for this threat. It is calculated by multiplying the threat’s maximal risk MaxTR by a factor that expresses the unmitigated part of the threat that is left when only the currently implemented ACMTs for the threat are taken into account.

CurTR(Ti) – Current threat risk of the i-th threat.
CurTR(Ti) = MaxTR(Ti) * ( 1 - CurTM(Ti) / 100); 0 < value of CurTR ≤ 100.

Step 250: Calculating the maximal risk for each asset. Maximal asset risk (MaxAR) is the upper bound, as a percentage of the total value of assets in the system, on the expected risk to a specific asset from all threats that may damage that asset, assuming that no countermeasures are implemented for any threat. It is calculated by summing the relative damage that each such threat may cause to the specific asset, each term weighted by the threat’s probability.

MaxAR(Ai) – Maximal asset risk for the i-th asset.
MaxAR(Ai) = ∑ RelTAD(Tj, Ai) * TP(Tj) where j runs over all threats that may cause damage to Ai; value of MaxAR may exceed 100.

Step 260: Calculating the minimal risk for each asset. Minimal asset risk (MinAR) is the lower bound, as a percentage of the total value of assets in the system, on the expected risk to a specific asset from all threats that may damage that asset, assuming that for every threat the most efficient ACMT is implemented. It is calculated by summing the relative damage that each such threat may cause to the specific asset, multiplied by a factor that expresses the unmitigated part of the threat that is left after all countermeasures are implemented, each term weighted by the threat’s probability.

MinAR(Ai) – Minimal asset risk for the i-th asset.
MinAR(Ai) = ∑ RelTAD(Tj, Ai) * (1 - MaxTM(Tj) / 100) * TP(Tj) where j runs over all threats that may cause damage to Ai; value of MinAR may exceed 100.

Step 270: Calculating the current risk for each asset. Current asset risk (CurAR) is the current risk to a given asset, as a percentage of the total value of assets in the system, taking into account the currently implemented countermeasures. It is calculated by summing the relative damage that each threat may cause to the specific asset, multiplied by a factor that expresses the unmitigated part of the threat that is left when the currently implemented ACMTs are taken into account, each term weighted by the threat’s probability.

CurAR(Ai) – Current asset risk for the i-th asset.
CurAR(Ai) = ∑ RelTAD(Tj, Ai) * (1 - CurTM(Tj) / 100) * TP(Tj) where j runs over all threats that may cause damage to Ai; value of CurAR may exceed 100.

Step 280: Calculating the total system maximal risk. Maximal value of system risk (MaxValSR) is the financial value of the risk to the system if no countermeasures are implemented. It is calculated by summing, over all assets in the system, the product of the asset’s maximal risk MaxAR (divided by 100) and the asset’s value ValA. Maximal system risk (MaxSR) is the risk to the system, as a percentage of the total value of all assets, if no countermeasures are implemented. It is calculated by dividing MaxValSR by the total value of all assets ValSA and multiplying by 100.

MaxValSR – Maximal value of system risk
MaxValSR = ∑ MaxAR(Ai) / 100 * ValA(Ai) where i runs over all assets; value of MaxValSR may exceed ValSA.
MaxSR – Maximal system risk
MaxSR = MaxValSR / ValSA * 100; value of MaxSR may exceed 100.

Step 290: Calculating the total system minimal risk. Minimal value of system risk (MinValSR) is the financial value of the risk to the system if all countermeasures are implemented. It is calculated by summing, over all assets in the system, the product of the asset’s minimal risk MinAR (divided by 100) and the asset’s value ValA. Minimal system risk (MinSR) is the risk to the system, as a percentage of the total value of all assets, if all countermeasures are implemented. It is calculated by dividing MinValSR by the total value of all assets ValSA and multiplying by 100.

MinValSR – Minimal value of system risk
MinValSR = ∑ MinAR(Ai) / 100 * ValA(Ai) where i runs over all assets; value of MinValSR may exceed ValSA.
MinSR – Minimal system risk
MinSR = MinValSR / ValSA * 100; value of MinSR may exceed 100.

Step 300: Calculating the total system current risk. Current value of system risk (CurValSR) is the financial value of the risk to the system taking into account the contribution of the countermeasures already implemented. It is calculated by summing, over all assets in the system, the product of the asset’s current risk CurAR (divided by 100) and the asset’s value ValA. Current system risk (CurSR) is the risk to the system, as a percentage of the total value of all assets, taking into account the contribution of the countermeasures already implemented. It is calculated by dividing CurValSR by the total value of all assets ValSA and multiplying by 100.

CurValSR – Current value of system risk
CurValSR = ∑ CurAR(Ai) / 100 * ValA(Ai) where i runs over all assets; value of CurValSR may exceed ValSA.
CurSR – Current system risk
CurSR = CurValSR / ValSA * 100; value of CurSR may exceed 100.

In the user interface, the actual values of the three total risk quantities calculated in steps 280 to 300 are displayed in the status screen graph, even though they may exceed 100%. A marker indicating the 100% risk level may be added for the user’s convenience. The actual damage to the system’s assets clearly cannot exceed 100%; however, the risk level is not equivalent to the actual damage. It reflects the amount of effort that has to be invested in order to mitigate the threats on the system, and since neither the number of threats nor their severity is limited, the risk quantities cannot be limited to 100%.

Step 310: Calculating the relative maximal threat risk for each threat. Relative maximal threat risk (RelMaxTR) is the percentage of the maximal risk of a specific threat out of the total system maximal risk MaxSR. It is calculated by dividing the maximal threat risk MaxTR of the specific threat by the total system maximal risk MaxSR.

RelMaxTR(Ti) – Relative maximal threat risk of the i-th threat
RelMaxTR(Ti) = MaxTR(Ti) / MaxSR * 100; 0 < value of RelMaxTR ≤ 100.

Step 320: Calculating the relative minimal threat risk for each threat. Relative minimal threat risk (RelMinTR) is the percentage of the minimal risk of a specific threat out of the total system minimal risk MinSR. It is calculated by dividing the minimal threat risk MinTR of the specific threat by the total system minimal risk MinSR.

RelMinTR(Ti) – Relative minimal threat risk of the i-th threat
RelMinTR(Ti) = MinTR(Ti) / MinSR * 100; 0 < value of RelMinTR ≤ 100.

Step 330: Calculating the relative current threat risk for each threat. Relative current threat risk (RelCurTR) is the percentage of the current risk of a specific threat out of the total system current risk CurSR. It is calculated by dividing the current threat risk CurTR of the specific threat by the total system current risk CurSR.

RelCurTR(Ti) – Relative current threat risk of the i-th threat
RelCurTR(Ti) = CurTR(Ti) / CurSR * 100; 0 < value of RelCurTR ≤ 100.

Step 340: Calculating the current overall countermeasure mitigation level for each countermeasure. Current countermeasure mitigation (CurCM) of a specific countermeasure is the percentage of contribution of a specific countermeasure to the reduction of the current system risk CurSR. It is calculated by dividing the difference of CurSRCNotI and CurSRCI by CurSRCNotI and multiplying it by 100. CurSRCI is the system risk calculated under the assumption that the specific countermeasure is implemented and all other countermeasures are in their current implementation status. CurSRCNotI is the system risk calculated under the assumption that the specific countermeasure is not implemented and all other countermeasures are in their current implementation status.

CurCM(Ci) – Current countermeasure mitigation of the i-th countermeasure.
CurSRCI(Ci) = CurSR assuming the i-th countermeasure is implemented and all other countermeasures are in their current implementation status.
CurSRCNotI(Ci) = CurSR assuming the i-th countermeasure is not implemented and all other countermeasures are in their current implementation status.
CurCM(Ci) = (CurSRCNotI(Ci) - CurSRCI(Ci)) / CurSRCNotI(Ci) * 100; 0 < value of CurCM ≤ 100.

Step 350: Calculating the current cost effectiveness of each countermeasure. Current countermeasure cost effectiveness (CurCCE) of a specific countermeasure is the current overall countermeasure mitigation CurCM per unit of implementation cost in [c]. It is calculated by dividing the current countermeasure mitigation CurCM by the implementation cost IC of the countermeasure.

CurCCE(Ci) – Current countermeasure cost effectiveness of the i-th countermeasure.
CurCCE(Ci) = CurCM(Ci) / IC(Ci).

Step 360: Calculating an optimized risk reduction plan. An optimized risk reduction plan (OptRRP) is an optimized subset of the countermeasures that, if implemented, will reduce the total current risk level CurSR below a given target risk level (TarR) within the limits of a given target budget (TarB). There are three optimization options: optimize by cost effectiveness (OptCE), optimize by risk (OptR) and optimize by cost (OptC).

The two targets, TarR and TarB, define a set of solutions that meet these targets. Each solution is a subset of the currently unimplemented countermeasures such that, if implemented as a whole, it will reduce the current total risk level below TarR and its implementation cost will not exceed TarB. The three optimization methods further narrow the set of solutions: OptCE offers the solutions which are the most cost effective; OptR offers the solutions which achieve the maximal risk reduction; and OptC offers the solutions whose implementation cost is the lowest.

It is important to note that in order to offer the fastest risk reduction plan, the user needs to input, for each countermeasure, its period of implementation or some other parameter that reflects the complexity of the operation. The number of countermeasures in a solution is not necessarily the appropriate indicator for such a parameter.

It is also important to note that in certain situations conflicts between countermeasures may occur. For example, a countermeasure that mitigates a specific vulnerability may cancel the mitigating effect of another countermeasure which is aimed at the same or at a different vulnerability. In these situations the user needs to indicate the pairs of conflicting countermeasures, which may affect both the risk calculations and the recommendation of appropriate risk reduction plans.
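The whole calculation chain of steps 185 to 360, as an added worked example in Python. This is not code from the PTA tool or its documentation; the asset values, threat probabilities, ACMTs and countermeasure costs in MODEL are constructed for illustration only. Two points the page leaves open are handled as labelled assumptions: CurTM is taken as 0 when none of a threat's ACMTs is fully implemented (which is what the CurTR formula of step 240 needs in order to return MaxTR), and OptCE ranks candidate plans by current risk reduction per unit of implementation cost. The step 360 search is exhaustive over subsets of the unimplemented countermeasures, which is adequate for models of this size.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass
class Threat:
    tp: float      # TP(Ti): probability of materializing within [t], 0..1
    ta: dict       # TA(Ti) with RelTAD: asset id -> damage to that asset in percent
    acmts: list    # [(frozenset of countermeasure ids, ACMTL in percent), ...]

@dataclass
class Model:
    assets: dict   # asset id -> ValA(Ai)
    cms: dict      # countermeasure id -> (IC, IF)
    threats: dict  # threat id -> Threat

def implemented_set(model):
    """Countermeasures whose implementation flag IF is true."""
    return frozenset(c for c, (_ic, flag) in model.cms.items() if flag)

def mitigation(threat, implemented):
    """Step 185: (MaxTM, CurTM). An ACMT counts only when all its countermeasures are
    implemented; CurTM is taken as 0 when no ACMT is (assumption, see lead-in)."""
    max_tm = max(lvl for _cs, lvl in threat.acmts)
    cur_tm = max((lvl for cs, lvl in threat.acmts if cs <= implemented), default=0.0)
    return max_tm, cur_tm

def compute(model, implemented=None):
    """Steps 190-330 for a given implementation status; returns the named quantities."""
    if implemented is None:
        implemented = implemented_set(model)
    r = {"RelTD": {}, "MaxTR": {}, "MinTR": {}, "CurTR": {}}
    r["ValSA"] = val_sa = sum(model.assets.values())                            # step 190
    r["RelValA"] = rel_val = {a: v / val_sa * 100 for a, v in model.assets.items()}  # 200
    tm = {}
    for t, th in model.threats.items():
        tm[t] = mitigation(th, implemented)
        r["RelTD"][t] = sum(d / 100 * rel_val[a] for a, d in th.ta.items())      # step 210
        r["MaxTR"][t] = r["RelTD"][t] * th.tp                                    # step 220
        r["MinTR"][t] = r["MaxTR"][t] * (1 - tm[t][0] / 100)                     # step 230
        r["CurTR"][t] = r["MaxTR"][t] * (1 - tm[t][1] / 100)                     # step 240
    # Steps 250-270: per-asset risk summed over the threats that hit the asset,
    # each weighted by TP and by the unmitigated share (1 - TM/100).
    for key, idx in (("MaxAR", None), ("MinAR", 0), ("CurAR", 1)):
        r[key] = {a: sum(th.ta[a] * th.tp * (1 if idx is None else 1 - tm[t][idx] / 100)
                         for t, th in model.threats.items() if a in th.ta)
                  for a in model.assets}
    for key in ("Max", "Min", "Cur"):                                            # steps 280-330
        val_sr = sum(r[key + "AR"][a] / 100 * v for a, v in model.assets.items())
        r[key + "ValSR"], r[key + "SR"] = val_sr, val_sr / val_sa * 100
        r["Rel" + key + "TR"] = {t: (x / r[key + "SR"] * 100 if r[key + "SR"] else 0.0)
                                 for t, x in r[key + "TR"].items()}
    return r

def countermeasure_effect(model, ci):
    """Steps 340-350: (CurCM, CurCCE) of countermeasure ci, all others as currently flagged."""
    base = implemented_set(model)
    sr_i = compute(model, base | {ci})["CurSR"]        # CurSRCI
    sr_not_i = compute(model, base - {ci})["CurSR"]    # CurSRCNotI
    cur_cm = (sr_not_i - sr_i) / sr_not_i * 100 if sr_not_i else 0.0
    ic = model.cms[ci][0]
    return cur_cm, (cur_cm / ic if ic else float("inf"))

def optimize(model, tar_r, tar_b, mode):
    """Step 360 by exhaustive search over subsets of unimplemented countermeasures.
    Returns (subset, cost, resulting CurSR) or None. mode: 'OptC' lowest cost,
    'OptR' lowest resulting risk, 'OptCE' largest risk reduction per cost unit (assumption)."""
    base = implemented_set(model)
    cur_sr = compute(model, base)["CurSR"]
    pending = [c for c in model.cms if c not in base]
    solutions = []
    for k in range(1, len(pending) + 1):
        for subset in combinations(pending, k):
            cost = sum(model.cms[c][0] for c in subset)
            sr = compute(model, base | set(subset))["CurSR"]
            if sr < tar_r and cost <= tar_b:
                solutions.append((frozenset(subset), cost, sr))
    if not solutions:
        return None
    rank = {"OptC": lambda s: s[1], "OptR": lambda s: s[2],
            "OptCE": lambda s: -(cur_sr - s[2]) / max(s[1], 1e-9)}[mode]
    return min(solutions, key=rank)

# Constructed sample model for illustration (not taken from the PTA documentation).
MODEL = Model(
    assets={"A1": 100_000, "A2": 50_000},
    cms={"C1": (5_000, False), "C2": (20_000, True), "C3": (8_000, False)},
    threats={
        "T1": Threat(tp=0.5, ta={"A1": 80, "A2": 20},
                     acmts=[(frozenset({"C1"}), 60), (frozenset({"C1", "C3"}), 90)]),
        "T2": Threat(tp=0.2, ta={"A2": 100}, acmts=[(frozenset({"C2"}), 70)]),
    },
)

if __name__ == "__main__":
    res = compute(MODEL)
    print({k: round(res[k], 3) for k in ("MaxSR", "MinSR", "CurSR")})
    print({c: countermeasure_effect(MODEL, c) for c in MODEL.cms})
    print({m: optimize(MODEL, tar_r=15, tar_b=15_000, mode=m) for m in ("OptC", "OptR", "OptCE")})
```

Running it on the constructed model gives MaxSR 36.667, MinSR 5.0 and CurSR 32.0, and the per-threat sums of MaxTR, MinTR and CurTR match these totals, which is a useful consistency check when implementing the method. C3 gets CurCM = 0 even though it appears in the 90% ACMT of T1: that ACMT also needs C1, so implementing C3 alone changes nothing, which is the "implemented as a whole" rule of step 170 showing up in the numbers. With TarR = 15 and TarB = 15,000, OptC and OptCE both pick {C1}, while OptR picks {C1, C3}.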
