The following is a list of the reports that are part of the PTA Professional Edition Risk Assessment tool. You are invited to download and install the free PTA threat risk assessment tool from the Practical Threat Analysis Download page; the PTA Help file that comes with the software provides a detailed and up-to-date description of the tool's features and reports. Visit the PTA Professional Edition Latest Updates page for more information on the latest changes and the product version history.
Analysis Reports
Provides a “bottom line monitor” of the threat analysis project: an updated view of the Risk Status of the system, together with indications of the progress of the threat risk assessment process.
The Total Value of Assets, the Total Cost of Countermeasures and the amount of money Already Invested in Mitigation provide the key bottom-line financial figures.
Top Current Risk Threats is a bar chart of the current top 5 risky threats. The risk values are displayed in $, and the names of the threats are listed in the details table below the chart.
Risk History is a graph that displays the levels of risk in the system along the time axis of the threat analysis process. The levels of the various risks are presented as percentages of the total value of the system's assets.
Analysis History is a graph that displays the number of threat model entities (e.g. vulnerabilities, threats and countermeasures) defined in the model along the time axis of the threat analysis process.
Shows a list of countermeasures sorted by their Theoretical Cost-Effectiveness, which is based on the assumption that all countermeasures will be implemented. Since this assumption is in most cases not practical, it is recommended to complement the results of this report with those of the Optimized Risk Reduction Plan analysis report.
For each countermeasure, the report displays calculated parameters such as cost-effectiveness, implementation cost and overall mitigation. In addition, each countermeasure is accompanied by a list of the vulnerabilities it mitigates.
This report produces a list of mitigation plans for threats, sorted in descending order by their ROSI value. ROSI (Return On Security Investment) is a very common quantitative criterion for comparing security solutions.
The following calculated values are displayed for each of the mitigation plans in the report:
Mitigation Plan ID is a unique ID built by concatenating the Countermeasure IDs of all countermeasures included in the mitigation plan.
Mitigation Cost is the cost per year of implementing all countermeasures in the mitigation plan, calculated by summing the countermeasures' Weighted Costs.
ROSI (Return On Security Investment) is defined by the following formula:
ROSI = ((∑ Value at Risk × Mitigation Level / 100) − Mitigation Cost) / Mitigation Cost × 100
where ∑ denotes summation over all threats mitigated by the specific mitigation plan.
Value at Risk (also known as Risk Exposure or ALE, Annual Loss Expectancy) is the threat's damage multiplied by the threat's probability, which expresses the number of times the threat will materialize per year (ARO).
Mitigation Level is the estimated level (in percent) of mitigation that the threat's mitigation plan provides.
Mitigation Cost is the cost per year of implementing all countermeasures in the mitigation plan.
Notes:
1. To determine the return on security investment (ROSI), we subtract the annual cost of the mitigation solution from the part of the expected annual loss that it prevents, and express the result as a percentage of that cost.
2. Negative ROSI values imply that the investment in the countermeasures is not well justified from a financial point of view.
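The ROSI computation described above, written out as an added example (not code from the PTA tool); the threats, countermeasure IDs and costs are constructed sample values, and the Weighted Cost of each countermeasure is assumed to be given directly:

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    damage: float    # loss in $ if the threat materializes
    aro: float       # annual rate of occurrence (times per year)

    def value_at_risk(self) -> float:
        # Value at Risk / ALE: damage multiplied by the yearly probability (ARO)
        return self.damage * self.aro

@dataclass
class MitigationPlan:
    # countermeasure ID -> weighted cost per year in $ (assumed given)
    countermeasures: dict
    # (threat, mitigation level in percent) for every threat the plan mitigates
    mitigated: list

    @property
    def plan_id(self) -> str:
        # Mitigation Plan ID: concatenation of the countermeasure IDs
        return "+".join(sorted(self.countermeasures))

    def mitigation_cost(self) -> float:
        return sum(self.countermeasures.values())

    def rosi(self) -> float:
        cost = self.mitigation_cost()
        if cost <= 0:
            raise ValueError("ROSI is undefined for a plan with no cost")
        avoided_loss = sum(t.value_at_risk() * level / 100 for t, level in self.mitigated)
        return (avoided_loss - cost) / cost * 100

def rank_by_rosi(plans):
    """Mitigation plans sorted by ROSI, highest first, as the report lists them."""
    return sorted(plans, key=lambda p: p.rosi(), reverse=True)

# Constructed sample data
T1 = Threat("Database credential theft", damage=80_000, aro=0.25)   # VaR $20,000/yr
T2 = Threat("Web defacement", damage=50_000, aro=0.5)               # VaR $25,000/yr
PLAN_A = MitigationPlan({"CM-1": 5_000, "CM-2": 3_000}, [(T1, 80), (T2, 50)])
PLAN_B = MitigationPlan({"CM-3": 30_000}, [(T2, 90)])

if __name__ == "__main__":
    for p in rank_by_rosi([PLAN_A, PLAN_B]):
        flag = "" if p.rosi() >= 0 else "  (negative: not financially justified)"
        print(f"{p.plan_id}: cost ${p.mitigation_cost():,.0f}, ROSI {p.rosi():.1f}%{flag}")
```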
This analysis report produces a recommended sequence of mitigation steps that will reduce the system's risk to a given target level in the most cost-effective way. Each step in the plan consists of the countermeasures that should be implemented in order to achieve the step's contribution to risk reduction.
Notes:
1. The optimization mechanism starts from the current status of countermeasure implementation: countermeasures marked as ‘already implemented’ will not be assigned to the proposed risk reduction plan.
2. All countermeasures in a given step should be implemented in order to achieve the step's contribution to risk reduction.
3. The contribution of each step in the plan to risk reduction is accurate only if all steps preceding it are implemented. Therefore, in order to achieve the target risk level, all countermeasures in the resulting sequence should be implemented. In case of partial implementation, the optimization should be run again in order to create an updated sequence that reflects the current system status.
For each of the steps in the optimized sequence the report displays the Remaining Risk that remains after the implementation of the specific step's countermeasures. In addition, it displays the Countermeasure's Implementation Cost of each of the proposed countermeasures.
Information Reports
This report produces a list of all the system's threats, ordered by their Current Risk Level. It shows all assets, vulnerabilities, countermeasures, entry points, attacker types and tags associated with each threat. In addition, it displays the relevant calculated parameters such as maximal, minimal and current risk levels, the threat's probability, the level of damage, and the maximal mitigation level available for the threat.
Shows a detailed list of all assets ordered by their Maximal Risk Level. For each asset the report displays its Weighted Value and its Maximal, Minimal and Current Risk values. In addition, the report displays the threats that threaten each of the assets and their relevant calculated parameters such as Level of Damage and Threat's Probability.
Shows a detailed list of all vulnerabilities ordered by their IDs and the threats associated with each of the vulnerabilities.
Shows a detailed list of all countermeasures ordered by their IDs and the vulnerabilities and threats associated with each of the countermeasures.
This report produces a chart of the top risky threats, ordered by their Current Risk Level. The threats' names and their risk values in $ are displayed above the chart.
Self Diagnosis Reports
This self-diagnosis report is intended to help in assessing the completeness and robustness of the current PTA threat model and in monitoring the maturity of the threat risk assessment process. For each of the model's entity types (Threats, Assets, Vulnerabilities and Countermeasures) it displays a table with a checklist of conditions which the entity should fulfill in order to be part of a 'well behaved' threat model. Entity conditions which are not fulfilled, and hence may weaken the model's usefulness, are marked in red. The following is the list of mandatory conditions for threat model completeness:
Threats: Has Unique Name, Exploits Vulnerabilities, Threatens Assets, Causes Damage, Occurs.
Assets: Has Unique Name, Threatened by Threats, Is Damaged, Has Value.
Vulnerabilities: Has Unique Name, Exploited by Threats, Has Countermeasures.
Countermeasures: Has Unique Name, Mitigates Vulnerabilities, Mitigates Threats, Has Cost.
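The completeness checklist above, applied to a small model as an added example (not the PTA tool's own diagnosis code). The model layout is an assumption: threats record the vulnerabilities they exploit and the damage they cause per asset, countermeasures record the vulnerabilities they mitigate, and a countermeasure is taken to mitigate a threat when it covers a vulnerability that threat exploits.

```python
from collections import Counter

# Constructed sample model (not PTA's own file format): entities keyed by ID.
MODEL = {
    "threats": {
        "T1": {"name": "Credential theft", "vulns": ["V1"], "damage": {"A1": 40000}, "probability": 0.2},
        "T2": {"name": "Credential theft", "vulns": [], "damage": {}, "probability": 0.0},  # duplicate, empty
    },
    "assets": {"A1": {"name": "Customer DB", "value": 100000},
               "A2": {"name": "Old backup", "value": 0}},
    "vulns": {"V1": {"name": "Weak passwords"}, "V2": {"name": "Unpatched server"}},
    "countermeasures": {"C1": {"name": "MFA", "mitigates": ["V1"], "cost": 5000},
                        "C2": {"name": "WAF", "mitigates": [], "cost": 0}},
}

def diagnose(model):
    """Return {entity_type: {id: [names of unfulfilled conditions]}}; an empty list means 'well behaved'."""
    threats, cms = model["threats"], model["countermeasures"]
    # Relationships derived from the threat and countermeasure entries.
    exploited = {v for t in threats.values() for v in t["vulns"]}
    threatened = {a for t in threats.values() for a in t["damage"]}
    damaged = {a for t in threats.values() for a, d in t["damage"].items() if d > 0}
    covered = {v for c in cms.values() for v in c["mitigates"]}
    checklist = {
        "threats": [("Exploits Vulnerabilities", lambda i, e: bool(e["vulns"])),
                    ("Threatens Assets", lambda i, e: bool(e["damage"])),
                    ("Causes Damage", lambda i, e: sum(e["damage"].values()) > 0),
                    ("Occurs", lambda i, e: e["probability"] > 0)],
        "assets": [("Threatened by Threats", lambda i, e: i in threatened),
                   ("Is Damaged", lambda i, e: i in damaged),
                   ("Has Value", lambda i, e: e["value"] > 0)],
        "vulns": [("Exploited by Threats", lambda i, e: i in exploited),
                  ("Has Countermeasures", lambda i, e: i in covered)],
        "countermeasures": [("Mitigates Vulnerabilities", lambda i, e: bool(e["mitigates"])),
                            ("Mitigates Threats", lambda i, e: bool(set(e["mitigates"]) & exploited)),
                            ("Has Cost", lambda i, e: e["cost"] > 0)],
    }
    report = {}
    for kind, conditions in checklist.items():
        names = Counter(e["name"] for e in model[kind].values())  # for "Has Unique Name"
        report[kind] = {}
        for eid, entity in model[kind].items():
            failed = ["Has Unique Name"] if names[entity["name"]] > 1 else []
            failed += [label for label, ok in conditions if not ok(eid, entity)]
            report[kind][eid] = failed
    return report

if __name__ == "__main__":
    for kind, entries in diagnose(MODEL).items():
        for eid, failed in entries.items():
            print(kind, eid, "OK" if not failed else "FAILS: " + ", ".join(failed))
```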
Customized Reports
If you wish to provide threat analysis reports tailored to your clients’ needs, we offer personalized, private professional development programs. For more information please contact Zeev Solomonik or have a look at our Threat Risk Assessment and Risk Management Solutions for Security Consultants and Security Service Providers.