PTA Technologies - Practical Threat Analysis, Threat Modeling and Risk Assessment for Software Systems

<body bgcolor="white"> <h1 align="left"><font face="Verdana" size="1"> <a target="_top" href="http://www.ptatechnologies.com/">Home Page</a></font></h1> <h1 align="center"><font face="Verdana" size="1">Practical Threat Analysis Reports</font></h1> <p align="left"><font face="Verdana" size="1">The following is a list of the reports that are part of the PTA Professional Edition tool. You are invited to download and install the tool at the <a target="content" href="DownloadFrameset.htm">Free Practical Threat Analysis Download</a> page - the PTA Help file that comes with the software provides detailed and updated description of the tool's features and reports. Visit the <a target="content" href="LatestUpdateFrameset.htm">PTA Professional Edition Latest Updates</a> page for more information on latest changes and product versions history.</font></p> <p align="center"><font face="Verdana" size="1">Analysis Reports</font></p> <h3 align="left"><font face="Verdana" size="1">System’s Status</font></h3> <p align="left"><font face="Verdana" size="1">Provides a “<b>bottom lines monitor</b>” of the threat analysis project with an updated view of the <b>Risk Status</b> of the system, as well as indications regarding the progress of the threat analysis process.<br> <br> The <b>Total Value of Assets</b>, <b>Total Cost of Countermeasures</b> and the amount of money that is <b>Already Invested in Mitigation</b> provides bottom line important financial figures. <br> <br> <b>Top Current Risk Threats</b> is a bar chart presentation of the current top 5 risky threats. The risk values are displayed in $. The names of the threats are displayed in the details table below the bar chart.<br> <br> <b>Risk History</b> is a graph which displays the levels of risk in the system along the time axis of the threat analysis process. The levels of various risks are presented in percentage of the total value of system assets.<br> <br> <b>Analysis History</b> is a graph that displays the numbers of threat model entities e.g. vulnerabilities, threats and countermeasures defined in the model along the time axis of the threat analysis process.<br>  </font></p> <h3 align="left"><font face="Verdana" size="1">Countermeasures Cost-Effectiveness</font></h3> <p align="left"><font face="Verdana" size="1">Shows a list of countermeasures sorted according to their <b>Theoretical Cost-Effectiveness</b> that is based on the assumption that all countermeasures will be implemented. Since this assumption is, in most cases, not practical, it is recommended to complement the results of this report with the results of <b>Optimized Risk Reduction Plan </b>analysis report.<br> <br> For each countermeasure, the report displays calculative parameters such as cost-effectiveness, implementation cost and overall mitigation. In addition, each countermeasure is accompanied by a list of the vulnerabilities it mitigates.</font></p> <h3 align="left"><font face="Verdana" size="1">Mitigation Plans by ROSI </font> </h3> <p align="left"><font face="Verdana" size="1">This report produces a list of mitigation plans for threats sorted in a descending order by their ROSI value. <b>ROSI</b> - <b>Return On Security Investment</b> - is a very common quantitative criterion for comparing security solutions. <br> <br> The following calculative values are displayed for each of the mitigation sets in the report: <br> <br> <b>Mitigation Plan ID</b> is a unique ID build by concatenating the Countermeasures IDs of all countermeasures included in the mitigation plan.<br> <br> <b>Mitigation Cost</b> is the cost per year of implementing all countermeasures in the mitigation plan calculated by summing all <b> Countermeasures’ Weighted Cost</b>.<br> <br> ROSI (Return On Security Investment) is defined by the following formula:<br> <br> <br>             (∑Value at Risk * (Mitigation Level/100)) – Mitigation Cost<br> ROSI = ---------------------------------------------------------------- * 100<br>                                         Mitigation Cost<br> <br> <br> <b>∑</b> - summation over all threats mitigated by the specific mitigation plan<br> <br> <b>Value at Risk</b> (AKA Risk Exposure or ALE - Annual Loss Expectancy) is the threat’s damage multiplied by the threat's probability which expresses the number of times the threat will materialize per year (ARO).<br> <br> <b>Mitigation Level</b> is the estimated level (in percents) of mitigation that the threat’s mitigation plan provides. <br> <br> <b>Mitigation Cost</b> is the cost per year of implementing all countermeasures in the mitigation plan. <br> <br> Notes:<br> <br> 1. To determine the return on security investment (ROSI) we simply subtract the annual cost of the security mitigation solution from what we expect to lose in a year and present the result in percents.<br> <br> 2. Negative ROSI values imply that the investment in the countermeasures is not well justified from a financial point of view.<br>  </font></p> <h3 align="left"><font face="Verdana" size="1">Optimized Risk Reduction Plan </font> </h3> <p align="left"><font face="Verdana" size="1">This analysis report produces a recommended sequence of mitigation steps that will reduce the system’s risk to a given target level in the most cost-effective way. Each step in the plan is comprised of countermeasures that should be implemented in order to achieve the step’s contribution to risk reduction. <br> <br> Notes:<br> <br> 1.The optimization mechanism starts from the current status of countermeasures implementation - countermeasures marked as ‘already implemented’ will not be assigned to the proposed risk reduction plan. </font></p> <p align="left"><font face="Verdana" size="1">2.All countermeasures in a given step should be implemented in order to achieve the step’s contribution to risk reduction.<br> <br> 3.The contribution of each step in the plan to risk reduction is accurate only if all steps preceding it are implemented. Therefore, in order to achieve the target risk level, all countermeasures in the outcome sequence should be implemented. In case of partial implementation, the optimization should be run again in order to create an updated sequence that reflects the current system status.<br> <br> For each of the steps in the optimized sequence the report displays the <b>Remaining Risk</b> that remains after the implementation of the specific step’s countermeasures. In addition it displays the <b> Countermeasure’s Implementation Cost</b> of each of the proposed countermeasures.<br>  </font></p> <p align="center"><font face="Verdana" size="1">Information Reports</font></p> <h3 align="left"><font face="Verdana" size="1">Detailed Threats </font> </h3> <p align="left"><font face="Verdana" size="1">This report produces a list of all the system’s threats, ordered by their <b>Current Risk Level</b>. It shows all assets, vulnerabilities, countermeasures, entry points, attacker types and tags associated with each threat. In addition, it displays the relevant calculative parameters such as maximal, minimal and current risk levels, threat’s probability, level of damage, and the maximal mitigation level available for the threat.<br>  </font></p> <h3 align="left"><font face="Verdana" size="1">Detailed Assets</font></h3> <p align="left"><font face="Verdana" size="1">Shows a detailed list of all assets ordered by their <b>Maximal Risk Level</b>. For each asset the report displays its <b>Weighted Value</b> and its Maximal, Minimal and Current Risk values. In addition, the report displays the threats that threaten each of the assets and their relevant calculative parameters such as <b>Level of Damage </b>and <b>Threat’s Probability</b>.<br>  </font></p> <h3 align="left"><font face="Verdana" size="1">Detailed Vulnerabilities </font> </h3> <p align="left"><font face="Verdana" size="1">Shows a detailed list of all vulnerabilities ordered by their IDs and the threats associated with each of the vulnerabilities.</font></p> <h3 align="left"><font face="Verdana" size="1">Detailed Countermeasures </font> </h3> <p align="left"><font face="Verdana" size="1">Shows a detailed list of all countermeasures ordered by their IDs and the vulnerabilities and threats associated with each of the vulnerabilities.</font></p> <h3 align="left"><font face="Verdana" size="1">Top Threats by Current Risk</font></h3> <p align="left"><font face="Verdana" size="1">This report produces a chart of top risky threats, ordered by their <b>Current Risk Level</b>. The threats’ names and their risk values in $ are displayed above the chart.</font></p> <p align="center"> </p> <p align="center"><font face="Verdana" size="1">Customized Reports</font></p> <p align="left"><font face="Verdana" size="1">If you wish to provide threat analysis reports tailored to your clients’ needs, we offer personalized, private professional development programs. For more information please contact <a href="mailto:zeev@ptatechnologies.com?subject=Customize PTA Technology">Zeev Solomonik</a> or have a look at our <a target="content" href="PTAforOEMFrameset.htm"> Solutions for Security Consultants and Service Providers</a>.</font></p> <p align="center"><font face="Verdana" size="1"><br> ***</font></p> <p align="center"> </p> <p align="center"><font face="Verdana" size="1"> <b><a target="content" href="ProductsFrameset.htm">PTA Software Tools for Practical Threat Analysis</a></b><br> <a target="_top" href="http://www.ptatechnologies.com/">Home Page</a></font></p> </body>