Practical Threat Analysis in-depth
Part 5: The Car & Passenger Simplified Threat Model Example

Part 1: The State of Threat Analysis
Part 2: PTA Methodology, Terminology and Definitions
Part 3: The PTA Threat Analysis and Risk Assessment Process
Part 4: The PTA Threat Analysis Calculative Method
The Car & Passenger Simplified Threat Model Example
The following diagram represents the Car and Passenger threat model:

Figure 3: The Car and Passenger threat model
Example: a simplified car & passenger case
1. The Threat Model Description
Figure 3 illustrates the threat model entities of the threat analysis of a simplified system which is comprised of a car and a passenger.
The assets are: the car itself (A001) and the passenger's well-being (A002).
The vulnerabilities are: the car's windows, which are made of ordinary glass and therefore may be easily broken (V001); the car may be started by connecting wires that bypass the ignition key (V002); and the car is not protected against gun fire, so bullets may penetrate it (V003).
The countermeasures for the vulnerabilities in the example are: install an alarm system (C001), install an immobilizer protection system (C002) and armor the vehicle (C003).
For the sake of simplicity, only two threats are identified: the car may be stolen (T001) and the car and the passenger may be severely hurt by a gun fire attack (T002). Threat T001 damages asset A001 and exploits vulnerabilities V001 and V002. Threat T002 damages assets A001 and A002 and exploits vulnerability V003.
2. High level description of the PTA calculation flow for the example
According to the PTA calculation flow illustrated in Figure 2, the calculation includes the following steps:
At step 90 the time period and the currency type parameters are entered. The time period in the current example is defined as a fixed one-time period, and the currency type is the US dollar.
Next, at steps 100 to 130 the system's assets, vulnerabilities, countermeasures and threats are specified according to the description above.
At step 140 the relations between the threats and the assets are defined: threat T001 – the stealing of the car – is defined as threatening asset A001 – the car itself, whereas threat T002 – the gunfire attack – is defined as threatening both asset A001 and asset A002 – the car and its passenger. In this example both threats cause 100% damage to the assets associated with them.
The relations between the vulnerabilities and the countermeasures are defined at step 150, and the relations between the threats and the vulnerabilities are defined at step 160: threat T001 – the stealing of the car – exploits vulnerabilities V001 and V002 – the car's windows, which may be broken, and the car's ignition, which may be started by crossing wires instead of using the key. Threat T002 – the gunfire attack – exploits vulnerability V003 – the fact that bullets may penetrate the car.
In steps 162 and 165 the recommended countermeasures for each threat are calculated, and at steps 170 and 180 the mitigation policies are defined. After the initial definitions are entered, the system calculates the risk levels and mitigation priorities, as specified in detail in section 3 of this page.
The results provide a clear prioritized list for implementing the countermeasures according to their calculated cost effectiveness: installing an alarm and an immobilizer are recommended since each provides a risk reduction of 0.4167% per dollar. Armoring the vehicle is much less recommended since the risk reduction it provides is only 0.00075% per dollar. The ratio of the two cost-effectiveness values is 1:555 in favor of installing an alarm and an immobilizer.
The calculation would change significantly if, instead of an ordinary driver, the passenger of the car were a top government official. In this case the probability of car theft is estimated to be a relatively low 0.01, but the likelihood of a terrorist attack is estimated to be a high 0.5. In step 240, where the current risk level of each threat is calculated, the T001 risk changes to 0.05% and the T002 risk changes to 50%. The subsequent calculations change the cost effectiveness of each countermeasure accordingly and yield the following results: installing an alarm and an immobilizer are not recommended since the risk reduction they provide is only 0.001% per dollar, whereas armoring the vehicle is found to provide a 0.005% risk reduction per dollar. The order of countermeasures in the prioritized list therefore changes, and the ratio of the cost-effectiveness values is 1:5 in favor of armoring the vehicle.
3. Detailed calculation for the Car & Passenger example
Step 90: Input the time period and currency type parameters.
- Time period [t]: fixed one time
- Currency type [c]: $ USA
Step 100: Input list of system assets.
- ID: A001 Name: The car ValA: $30,000
- ID: A002 Name: The passenger's well-being (health and life) ValA: $270,000
Step 110: Input list of system vulnerabilities.
- ID: V001 Name: The car's windows can be easily broken (made of regular glass)
- ID: V002 Name: The car's ignition key can be bypassed (by connecting bypass wires)
- ID: V003 Name: The car's body is not protected against gun fire (shooting bullets may penetrate the car through its doors and windows)
Step 120: Input list of system countermeasures.
- ID: C001 Name: Install an alarm system that alerts when a car window is broken IC: $100 IF: false
- ID: C002 Name: Install an immobilizer system that disables igniting the car's engine IC: $100 IF: false
- ID: C003 Name: Armor the vehicle against shooting IC: $20,000 IF: false
Step 130: Input list of system threats.
- ID: T001 Name: The car is stolen by a car thief TP: 0.50
- ID: T002 Name: The car and the passenger are severely hurt by a gun fire attack TP: 0.01
Step 140: Input the relations between threats and assets.
- TA(T001): A001 (T001 threatens A001)
- TA(T002): A001, A002 (T002 threatens A001 and A002)
- RelTAD(T001, A001): 100% (T001 damages A001 by 100%)
- RelTAD(T002, A001): 100% (T002 damages A001 by 100%)
- RelTAD(T002, A002): 100% (T002 damages A002 by 100%)
Step 150: Input the relations between vulnerabilities and countermeasures.
- VC(V001): C001 (V001 is mitigated by C001)
- VC(V002): C002 (V002 is mitigated by C002)
- VC(V003): C003 (V003 is mitigated by C003)
Step 160: Input the relations between threats and vulnerabilities.
- TV(T001): V001, V002 (T001 exploits V001 and V002)
- TV(T002): V003 (T002 exploits V003)
Step 162: Calculating the relations between countermeasures and vulnerabilities.
- CV(C001): V001 (C001 mitigates V001)
- CV(C002): V002 (C002 mitigates V002)
- CV(C003): V003 (C003 mitigates V003)
Step 165: Calculating the set of recommended countermeasures for each threat.
- RCMT(T001) = C001, C002 (T001 may be mitigated by C001 and/or C002)
- RCMT(T002) = C003 (T002 may be mitigated by C003)
Step 170: Define the actual mitigation sets of countermeasures for each of the threats.
- ACMT1(T001): C001, C002 (ACMT1 for T001 is comprised of C001 and C002)
- ACMT2(T001): C001 (ACMT2 for T001 is comprised of C001)
- ACMT3(T001): C002 (ACMT3 for T001 is comprised of C002)
- ACMT1(T002): C003 (ACMT1 for T002 is comprised of C003)
Step 180: Define the threat's mitigation level for each of the actual mitigation sets of countermeasures.
- ACMTL1(T001): 100% (ACMT1(T001) provides 100% mitigation for T001)
- ACMTL2(T001): 50% (ACMT2(T001) provides 50% mitigation for T001)
- ACMTL3(T001): 50% (ACMT3(T001) provides 50% mitigation for T001)
- ACMTL1(T002): 100% (ACMT1(T002) provides 100% mitigation for T002)
Step 185: Calculating the maximal and current mitigation level for each threat.
MaxTM(Ti) – Maximal Threat Mitigation level is the maximum over all of the ACMTLj(Ti) (i is fixed, j varies); 0 < value of MaxTM ≤ 100.
CurTM(Ti) – Current Threat Mitigation level is the maximum over all of the implemented ACMTLj(Ti) (i is fixed, j varies); 0 < value of CurTM ≤ 100.
- MaxTM(T001) = 100% (maximum over all ACMTLs of T001)
- MaxTM(T002) = 100% (maximum over all ACMTLs of T002)
- CurTM(T001) = 0% (maximum over all implemented ACMTLs of T001)
- CurTM(T002) = 0% (maximum over all implemented ACMTLs of T002)
Step 190: Calculating the total value of all system assets.
ValSA = ∑ ValA (Ai) where i runs over all assets
- ValSA: $300,000
Step 200: Calculating the relative value of each asset.
RelValA(Ai) = ValA(Ai) / ValSA * 100 ; 0 < value of RelValA ≤ 100.
- RelValA(A001) = 10% (ValA of A001 out of ValSA)
- RelValA(A002) = 90% (ValA of A002 out of ValSA)
Step 210: Calculating the relative damage level of each threat.
RelTD(Ti) = ∑ RelTAD(Ti, Aj) / 100 * RelValA(Aj) where j runs over all assets; 0 < value of RelTD ≤ 100.
- RelTD(T001) = 10% (T001 damages system assets by 10%)
- RelTD(T002) = 100% (T002 damages system assets by 100%)
Step 220: Calculating the maximal risk level of each threat.
MaxTR(Ti) = RelTD(Ti) * TP(Ti) ; 0 < value of MaxTR ≤ 100.
- MaxTR(T001) = 5% (At maximum, T001 risks 5% of system assets)
- MaxTR(T002) = 1% (At maximum, T002 risks 1% of system assets)
Step 230: Calculating the minimal risk level of each threat.
MinTR(Ti) = MaxTR(Ti) * (1 - MaxTM(Ti) / 100); 0 < value of MinTR ≤ 100.
- MinTR(T001) = 0% (T001 risk may be reduced to 0%)
- MinTR(T002) = 0% (T002 risk may be reduced to 0%)
Step 240: Calculating the current risk level of each threat.
CurTR(Ti) = MaxTR(Ti) * (1 - CurTM(Ti) / 100); 0 < value of CurTR ≤ 100.
- CurTR(T001) = 5% (Currently, T001 risks 5% of system assets)
- CurTR(T002) = 1% (Currently, T002 risks 1% of system assets)
Step 250: Calculating the maximal risk for each asset.
MaxAR(Ai) = ∑ RelTAD(Tj, Ai) * TP(Tj) where j runs over all threats; value of MaxAR may exceed 100.
- MaxAR(A001) = 51% (At maximum, A001 is at risk by 51%)
- MaxAR(A002) = 1% (At maximum, A002 is at risk by 1%)
Step 260: Calculating the minimal risk for each asset.
MinAR(Ai) = ∑ RelTAD(Tj, Ai) * (1 - MaxTM(Tj) / 100) * TP(Tj) where j runs over all threats that may cause damage to Ai; value of MinAR may exceed 100.
- MinAR(A001) = 0% (The risk to A001 may be reduced to 0%)
- MinAR(A002) = 0% (The risk to A002 may be reduced to 0%)
Step 270: Calculating the current risk for each asset.
CurAR(Ai) = ∑ RelTAD(Tj, Ai) * (1 - CurTM(Tj) / 100) * TP(Tj) where j runs over all threats that may cause damage to Ai; value of CurAR may exceed 100.
- CurAR(A001) = 51% (Currently, A001 is at risk by 51%)
- CurAR(A002) = 1% (Currently, A002 is at risk by 1%)
Step 280: Calculating the total system maximal risk.
MaxValSR = ∑ MaxAR(Ai) / 100 * ValA(Ai) where i runs over all assets; value of MaxValSR may exceed ValSA.
MaxSR = MaxValSR / ValSA * 100; value of MaxSR may exceed 100.
- MaxValSR = $18,000
- MaxSR = 6%
Step 290: Calculating the total system minimal risk.
MinValSR = ∑ MinAR(Ai) / 100 * ValA(Ai) where i runs over all assets; value of MinValSR may exceed ValSA.
MinSR = MinValSR / ValSA * 100; value of MinSR may exceed 100.
- MinValSR = $0
- MinSR = 0%
Step 300: Calculating the total system current risk.
CurValSR = ∑ CurAR(Ai) / 100 * ValA(Ai) where i runs over all assets; value of CurValSR may exceed ValSA.
CurSR = CurValSR / ValSA * 100; value of CurSR may exceed 100.
- CurValSR = $18,000
- CurSR = 6%
Step 310: Calculating the relative maximal threat risk for each threat.
RelMaxTR(Ti) = MaxTR(Ti) / MaxSR * 100; 0 < value of RelMaxTR ≤ 100.
- RelMaxTR(T001) = 83.33% (At maximum, T001 relative risk is 83.33%)
- RelMaxTR(T002) = 16.66% (At maximum, T002 relative risk is 16.66%)
Step 320: Calculating the relative minimal threat risk for each threat.
RelMinTR(Ti) = MinTR(Ti) / MinSR * 100; 0 < value of RelMinTR ≤ 100.
- RelMinTR(T001) = 0% (T001 relative risk may be reduced to 0%)
- RelMinTR(T002) = 0% (T002 relative risk may be reduced to 0%)
Step 330: Calculating the relative current threat risk for each threat.
RelCurTR(Ti) = CurTR(Ti) / CurSR * 100; 0 < value of RelCurTR ≤ 100.
- RelCurTR(T001) = 83.33% (Currently, T001 relative risk is 83.33%)
- RelCurTR(T002) = 16.66% (Currently, T002 relative risk is 16.66%)
Step 340: Calculating the current overall countermeasure mitigation level for each countermeasure.
CurSRCI(Ci) = CurSR assuming the i-th countermeasure is implemented and all other countermeasures are in their current implementation status.
CurSRCNotI(Ci) = CurSR assuming the i-th countermeasure is not implemented and all other countermeasures are in their current implementation status.
CurCM(Ci) = (CurSRCNotI(Ci) - CurSRCI(Ci)) / CurSRCNotI(Ci) * 100; 0 < value of CurCM ≤ 100.
- CurSRCI(C001) = 3.5%
- CurSRCNotI(C001) = 6%
- CurCM(C001) = 41.67%
- CurSRCI(C002) = 3.5%
- CurSRCNotI(C002) = 6%
- CurCM(C002) = 41.67%
- CurSRCI(C003) = 5.1%
- CurSRCNotI(C003) = 6%
- CurCM(C003) = 15%
Step 350: Calculating the current cost effectiveness of each countermeasure.
CurCCE(Ci) = CurCM(Ci) / IC(Ci).
- CurCCE(C001) = 0.4167% per $1
- CurCCE(C002) = 0.4167% per $1
- CurCCE(C003) = 0.00075% per $1
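The calculation flow of section 2 and the step-by-step figures of section 3 can be reproduced in a few dozen lines, which is a useful check on a threat model before trusting its countermeasure ranking. The following is an added example written for this page, not the PTA tool's own code: it encodes the page's inputs (steps 100 to 180), implements the formulas of steps 185 to 350 literally, and exposes the threat probabilities as parameters so that the "top government official" variant from section 2 can be run as well. The data structures and function names are this example's assumptions. Note that applying the step 270 and 300 formulas literally gives CurSRCI(C003) = 5.0% and CurCM(C003) ≈ 16.67% rather than the 5.1% and 15% listed in step 340, and CurTR(T001) = 0.1% rather than 0.05% in the government-official variant; the ordering of the countermeasures, which is what the analysis is about, is the same in both cases.

```python
# Added example: the PTA calculative method (steps 185-350) applied to the
# car & passenger model. Not the PTA tool's own code; dataclasses and
# function names are assumptions made for this illustration.
from dataclasses import dataclass


@dataclass
class Asset:
    id: str
    value: float  # ValA(Ai), in the chosen currency ($)


@dataclass
class Countermeasure:
    id: str
    cost: float         # IC(Ci)
    implemented: bool   # IF(Ci)


@dataclass
class Threat:
    id: str
    prob: float             # TP(Ti)
    damage: dict            # RelTAD(Ti, Aj) in %, keyed by asset id
    mitigation_sets: tuple  # ((frozenset of countermeasure ids, ACMTL in %), ...)


def max_tm(threat):
    """MaxTM(Ti): best mitigation level over all ACMT sets (step 185)."""
    return max((lvl for _, lvl in threat.mitigation_sets), default=0.0)


def cur_tm(threat, implemented):
    """CurTM(Ti): best level over the ACMT sets whose countermeasures are all implemented."""
    return max((lvl for cms, lvl in threat.mitigation_sets if cms <= implemented), default=0.0)


def cur_tr(threat, assets, implemented):
    """CurTR(Ti) via steps 200-240: RelTD(Ti) * TP(Ti) * (1 - CurTM(Ti)/100)."""
    val_sa = sum(a.value for a in assets)                       # step 190
    rel_td = sum(threat.damage.get(a.id, 0.0) / 100 * (a.value / val_sa * 100)
                 for a in assets)                               # steps 200-210
    return rel_td * threat.prob * (1 - cur_tm(threat, implemented) / 100)


def cur_ar(asset, threats, implemented):
    """CurAR(Ai) (step 270), in % of the asset's value; may exceed 100."""
    return sum(t.damage.get(asset.id, 0.0) * (1 - cur_tm(t, implemented) / 100) * t.prob
               for t in threats)


def cur_sr(assets, threats, implemented):
    """CurSR (step 300): current system risk as a percentage of ValSA."""
    val_sa = sum(a.value for a in assets)
    cur_val_sr = sum(cur_ar(a, threats, implemented) / 100 * a.value for a in assets)
    return cur_val_sr / val_sa * 100


def rank_countermeasures(assets, threats, countermeasures):
    """Steps 340-350: CurSRCI, CurSRCNotI, CurCM and CurCCE per countermeasure, best first."""
    implemented = frozenset(c.id for c in countermeasures if c.implemented)
    rows = []
    for c in countermeasures:
        sr_with = cur_sr(assets, threats, implemented | {c.id})      # CurSRCI(Ci)
        sr_without = cur_sr(assets, threats, implemented - {c.id})   # CurSRCNotI(Ci)
        cur_cm = (sr_without - sr_with) / sr_without * 100 if sr_without else 0.0
        rows.append({"id": c.id, "CurSRCI": sr_with, "CurSRCNotI": sr_without,
                     "CurCM": cur_cm, "CurCCE": cur_cm / c.cost})
    return sorted(rows, key=lambda r: r["CurCCE"], reverse=True)


def car_passenger_model(tp_theft=0.50, tp_gunfire=0.01):
    """The page's inputs (steps 100-180). Threat probabilities are parameters so the
    'government official' variant (TP(T001)=0.01, TP(T002)=0.5) can be evaluated too."""
    assets = [Asset("A001", 30_000), Asset("A002", 270_000)]
    cms = [Countermeasure("C001", 100, False),
           Countermeasure("C002", 100, False),
           Countermeasure("C003", 20_000, False)]
    threats = [
        Threat("T001", tp_theft, {"A001": 100},
               ((frozenset({"C001", "C002"}), 100),   # ACMT1/ACMTL1
                (frozenset({"C001"}), 50),            # ACMT2/ACMTL2
                (frozenset({"C002"}), 50))),          # ACMT3/ACMTL3
        Threat("T002", tp_gunfire, {"A001": 100, "A002": 100},
               ((frozenset({"C003"}), 100),)),
    ]
    return assets, threats, cms


if __name__ == "__main__":
    for label, probs in (("ordinary driver", (0.50, 0.01)),
                         ("government official", (0.01, 0.50))):
        assets, threats, cms = car_passenger_model(*probs)
        print(f"--- {label}: CurSR = {cur_sr(assets, threats, frozenset()):.2f}%")
        for row in rank_countermeasures(assets, threats, cms):
            print(f"{row['id']}: CurCM = {row['CurCM']:.2f}%  "
                  f"CurCCE = {row['CurCCE']:.5f}% per $")
```

Running the script prints both rankings: for the ordinary driver C001 and C002 lead with about 0.4167% of risk reduction per dollar and C003 trails; swapping the two threat probabilities moves C003 to the top at about 0.005% per dollar, reproducing the conclusion of section 2. Because `cur_tm` only credits an ACMT set when every countermeasure in it is implemented, the model also handles the partial-mitigation case (alarm without immobilizer gives 50%, both together give 100%).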
4. Analyzing the results
The results provide a clear prioritized list for implementing the countermeasures: install the alarm and the immobilizer and do not bother with armoring the vehicle.
If we replace the regular driver in our example with a top government official, where the probability of car theft is low but the likelihood of a terrorist attack is high, the order of countermeasures in the prioritized list will probably change and armoring the vehicle will be more cost effective from the threat analysis point of view.