Home Page

PTA Professional Edition FAQ and Support Issues

Thanks to your feedback, we've released tens of usability improvements and bug fixes. If there is something about PTA that you think should work better or something you wish it had, drop us a line support@ptatechnologies.com.

Installation and First Time

1. What is the latest PTA Professional Edition version?
2. Should I update my PTA?
3. How do I know the current version of PTA installed on my computer?
4. How to download and install PTA?
5. What are the minimal hardware requirements?
6. What are the supported operating systems?
7. What languages are supported?
8. Problems in invoking PTA for the first time.
9. How to open a PTA project?
10. How to get help on current PTA screen?
11. How to learn more about using PTA features?
12. How to uninstall PTA?

PTA Free Program

13. How to join PTA Free Program?
14. What is the scope of PTA Free Program?

Usability and Methodology

15. How to build your own PTA libraries of security entities checklists?
16. How does PTA relate to security standards and initiatives?
17. How to translate traditional risk assessment fields into PTA terms?
18. How to install a sample PTA project?
19. Is the “monetary value of the assets” the only risk metric that can be entered and tracked in PTA?
20. How PTA saves your data?
21. How to export PTA threat model entities?
22. How to assign assets dollar values, threats probabilities, countermeasures mitigation levels and threats levels of damage to assets where there is little or no historical data?
23. Can I adjust the mitigation effectiveness for individual countermeasures instead of having an aggregate value for the whole mitigation plan?
24. What is the contribution of the Attacker Type entity to the threat model?
25. Two practical tips for building threat models.
26. Can PTA Risk Value exceed system’s Total Assets Value?
27. How does the PTA model connect between mitigating activities and the impact they address?
28. What if a threat has more than one "Threat's Damage to Asset" value?
29. How to assign countermeasures to specific threats?
30. What is the use of the threat model’s history information displayed in the System's Status screen?
31. Using the Risk Mitigation Simulator to refine your overall risk mitigation plan.
32. Assets valuation - setting the value of data assets.
33. Importing threats and vulnerabilities information from spreadsheet.

1. What is the latest PTA Professional Edition version?

Version 1.60 build 1212 - December 07, 2009.

2. Should I update my PTA?

If the PTA Risk Assessment tool is already installed on your computer it is most recommended  to download a free cumulative update for all PTA versions (5 MB size; less than 1 minute download time; 30 seconds installation time). The update, which includes many usability improvements and bug fixes, will not conflict with your existing threat model projects and is fully compatible with all PTA previous releases.

3. How do I know the current version of PTA installed on my computer?

Click the Help | About menu option in PTA main menu. The About dialog displays the current PTA version and build number.

4. How to download and install PTA?

You are invited to visit PTA Professional Edition Risk Assessment Tool download area and download a full trial version of PTA Professional Edition.

We hope the download process is simple - if you received a small notification window asking "Do you want to run or save this file?" then the download is successful and you're ready to install PTA Professional. You may choose the Run option to start installation immediately after downloading (preferred) or the Save option to save the installation file to your disk and install the software later by double clicking the self extracting 'PTAxxxx.exe' file.

Installation is quick and straightforward - just make sure you are a member of the Administrators group on the local machine before you start.

If you choose to run PTA on Windows XP simply locate and double click the self extracting 'PTAxxxx.exe' file. You can set the path of the installation folder according to your preferences. 

If you choose to run PTA on Windows Vista then we advise you run installation process with elevated administrator permissions as follows:

a) Choose the Save option described in the download section above to save the self extracting 'PTAxxxx.exe' file to your disk.
b) Right-click the 'PTAxxxx.exe' file and select the Run as administrator option from the context menu.

5. What are the minimal hardware requirements?

Pentium III or higher with at least 70 Mega free disk space.

6. What are the supported operating systems?

Windows 2000 + SP4 + latest rollout updates.

Windows XP + SP2 or higher.

Windows Server 2003 + SP1 or higher.

Windows Vista Ultimate + SP1 or higher.

PTA is best viewed in 1280 * 1024 screen resolution with large font size (120 DPI) and normal font size (96 DPI). Also supported 1680 * 1050, 1280 * 1024, 1280 * 800 and 1024 * 768 screen resolution with normal font size (96 DPI).  

7. What languages are supported?

Most of the user interface elements such as button titles, menu items etc. are in English. The text fields of the threat model entities e.g. names and descriptions of assets, vulnerabilities etc. can be in any left-to-right language. As of build 1212, PTA enables the display of the local currency symbol in all monetary fields such as countermeasure costs, threat risks and asset values according to the Current format in the Formats tab of the Regional and Language Options dialog (invoked from Window’s Control Panel). 

8. Problems in invoking PTA for the first time.

How to invoke PTA for the first time

Invoke the PTA Risk Assessment tool by clicking the PTA "eye" icon that resides on your computer Desktop or by clicking the Practical Threat Analysis entry in Windows task bar Programs menu (Start | Programs | Practical Threat Analysis).

When you get the first Security Warning message which confirms that the PTA_Runtime.mde file was digitally signed by Eldan Software Systems - check the "Always trust file from this publisher and open them automatically" checkbox before you click the Open button.

If you encounter problems when running PTA for the first time please read the following known issues troubleshooting notes.

Known problems:

8.1) Windows XP is not updated.

If, while running PTA for the first time, you get the following message: "The expression you entered has a function name that Practical Threat Analysis can’t find” it means that your XP version is not updated. In order to run PTA you should upgrade your XP to SP2 with latest security updates. As an "off-the-record rescue" - open the following url and install the latest jet update for Windows XP: http://support.microsoft.com/kb/239114

8.2) Windows Vista administrator rights:

MS Access 2003 is not fully supported on Windows Vista so if you choose to run PTA on Vista then we advise you run PTA with elevated administrator permissions as follows:

a) Be a member of the Administrators group on the local machine
b) Right-click the PTA "eye" icon and select the Run as administrator option from the context menu.

c) You can patch the PTA "eye" shortcut by right clicking it, select Properties and then set the option to always run with elevated administrator Privilege Level by checking the Run this program as administrator option in the Compatibility tab of the shortcut. Using the patched shortcut would be the equivalent of the right-click method described in b).

8.3) Conflict with existing Office 2003 / Office 2007 installations.

PTA Professional is an autonomous Access 2003 application which is not based on Access 2003/2007 being previously installed on your computer. The PTA installation comes with a stand-alone Access 2003 Runtime package which is automatically installed on your machine as part of the standard PTA installation process.

In some rare cases where Microsoft Office 2003 / Office 2007 is already installed on your computer, you may encounter difficulties when trying to invoke PTA for the first time. The most common symptom is getting the following error message: "cannot open ...\PTA_Runtime.mde due to security restrictions"  "Security settings restrict access to the file because it is not digitally signed" .

This is a known issue in which, on several specific MS Office configurations, the existing MS Access security settings blocks the PTA application although it has a valid digital signature certificate issued by VeriSign to Eldan Software Systems. (Probably due to the high level of security, set by default when Access 2003/2007 was installed and disallows the running of macros).

The recommended solution, suggested by Microsoft, is to perform a complete un-install of the Office 2003/2007 package, then install PTA and then reinstall Office.  If you are familiar with the Regedit tool you can save yourself the effort by setting the following registry keys to lower the security level when using Access 2003 Runtime:

ROOT:Local Machine
Key: SOFTWARE\Microsoft\Jet\4.0\Engines
Name:SandBoxMode
Value:#00000002

ROOT:Local Machine
Key: Software\Microsoft\Office\11.0\Access\Security
Name:Level
Value:#00000001

(As always, exercise care when editing the registry.)

Read more:
http://support.microsoft.com/kb/910817
http://geekswithblogs.net/thibbard/archive/2004/08/21/10022.aspx

Read more on MS Access Macro Security issues or contact our support with the description of the problem you encounter and we'll get you through out of this.

Thanks to Verdan Huskic from FER for his contribution on this issue and for David Lee, Enrique and Carlo Tyrberg for their feedback.

8.4) Error 429 - ActiveX component is not properly registered.

If, while running PTA for the first time, you get the following message: "Error Number 429 - ActiveX component can't create object...” it usually means that the appropriate MS Access DAO component is not properly registered. In order to fix it, Microsoft recommends the following:

a) Click Start, and then click Run.
b) Type regsvr32 followed by the path to your DAO file.

Enclose this path in quotation marks. On Vista 32 bit for example:

regsvr32 "C:\Program Files\Common Files\Microsoft Shared\DAO\DAO360.DLL"

or if you are running on Vista 64 bit

regsvr32 “C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\DAO360.DLL"

Read more: http://support.microsoft.com/default.aspx?scid=kb;en-us;319844

Many thanks to Steve Ellis from Grant Thornton for his help in this issue.

8.5) Non-English Windows versions.

If, while running PTA analysis reports for the first time, you get error messages such as "Error 3144: Syntax error in UPDATE or Error 3346..." make sure to set the Regional Options in Control Panel | Regional and Language Options to English.
 

9. How to open a PTA project?

When PTA starts, select a PTA database file (a .thm file) in the file browser dialog box that will open.

If this is your first time using PTA Professional Edition, you are invited to open the CurrencyRates.thm sample database located in the \Samples\CurrencyRates folder.

Concurrent multiuser access to PTA threat model project:

PTA professional edition does not support concurrent multiuser access to database which means that when you open a threat model project located on a network drive, no other instance of PTA can open the same threat model until you close and exit the first instance. The common error displayed in this scenario is "Error 3043: Disk or network error". For more information read the following:

http://support.microsoft.com/kb/114771

In general, multiuser access to the same threat model project may corrupt the threat model database - if you encounter problems of this kind we suggest using your backup :-(.

10. How to get help on current PTA screen?

Clicking the question mark button at the PTA toolbar will open a context sensitive help window with help topics relevant to the currently opened screen.

11. How to learn more about using PTA features?

You can learn more about using PTA Professional Edition Risk Assessment tool by browsing the updated help file that comes with the installation of the tool.

12. How to uninstall PTA?

Use Control Panel Add Remove Programs to remove Practical Threat Analysis. It is recommended to restart the computer after uninstall for a complete removal of the software files.

13. How to join PTA Free Program?   

The trial version you downloaded from our download page is a fully functional version of the PTA Professional Edition Risk Assessment tool which enables you to use the software for your risk assessment missions for 30 days. If you find PTA as productive and indispensable as others have, we hope you'll join the PTA Free Program for Students, Researches and Independent Security Analysts and submit your request to extend the usage period by sending us an email with the following registration details:

1) First and Last Name:
2) Address:
3) Phone:
4) Email:
5) Organization / College / University:
6) Job Title / Position / Academic Level:
7) The area of your profession:

In addition, please email us the “User Code 1” and “User Code 2” numbers as displayed in the “Registration” dialog box that will open when starting the trial version of PTA. (Press the “Yes” button in the "PTA Evaluation" dialog when asked if you would like to purchase registration code).  

As soon as we process your registration details and User Codes, we shall send you an email with the Registration Keys that enable you to extend the usage period of the PTA Professional Edition Risk Assessment tool for a period of 360 days. When you get the email please continue as follows:

1) Enter the Registration Keys you received from us in the appropriate fields of the "Registration" dialog - if everything goes fine you should see a message saying that the "Registration completed successfully!".

2) Continue with the PTA login dialog which says: "PTA evaluation will expire in 360 days. Would you like to extend the usage period now?" - at this stage press the No button to continue evaluation for the next 360 days :-)

Important Note: the PTA 30 days trial version protection is based on capturing the local computer date-time at the moment of installation. DO NOT try to change the system time in order to "extend ;-)" the usage period of PTA since it will disable you to run PTA when you set the system's time back to its correct value. Anyway you don't need to do it - just submit your request to join the PTA Free Program and we'll send you the Registration Keys at the same day. (thanks to Thyago Braga da Silva of Gama Filho University for raising this issue)

14. What is the scope of PTA Free Program?

As a member of the PTA Free Program you may use, free-of-charge, a single instance of PTA Professional Edition for your risk assessment missions. There is no limit to the number of analysis projects you can support. If you wish to install PTA on several workstations in your company and use it as part of your organization / department workload or if you wish to install it at your clients' sites, you are invited to have a look at our PTA Qualified Partner Program for installing PTA Professional Edition on your computers as well as on your clients machines. 

15. How to build your own PTA libraries of security entities checklists?

You can experience with PTA libraries by building a threat model based on the sample ‘MS_Telecom.thl’ library which comes with the standard distribution of PTA Professional Edition as follows - click File | New Project to open a new (blank) PTA project, activate the Tools | Load from Library tool and open the MS_Telecom.thl library (which resides in the Samples\Libraries folder under PTA's installation root). The tool enables you to select the relevant entities from each of the pre-defined security checklists and load them into your threat model by clicking the ‘Load’ button.

The open architecture of PTA enables you to easily build your own Plug-In libraries with your customized security checklists – all you have to do is enter the desired security entities into a PTA threat model and then save it as a library (a thl file). PTA automatically organizes the various entities in standalone lists that can be easily integrated into new or existing analysis projects using the ‘Load from Library’ tool. You have full control on the nature and the contents of the libraries - they can contain entities that reflect your specific best practices and knowledge as well as partial or full editions of industry standards. Get some more practical tips at the PTA Professional Forum where you can read how PTA professionals enhanced their risk assessment approach by building their PTA Plug-In Libraries. 

16. How does PTA relate to security standards and initiatives?

How does PTA relate to ISO 17799, BS 7799, ISO 27001, PCI DSS, SSE-CMM, Octave, FITSAF, FIPS 199, GAISP, COBIT, ITIL, NIST, ISF FIRM, IRAM, SPRINT, SARA, BIA, PCI DSS, NERC, FERC and others?

PTA is intended to serve as a helping tool for a security analyst who wishes to apply his/her favorite methodology and not to dictate a ‘built in’ methodology. The open architecture and the flexibility of the data model are intended to entice the analyst to use the basic concepts of PTA in the way that suits him/her best.

PTA complements existing standards, appraisal and compliance procedures by supplying means for converting the knowledge embedded in the security standards into actual assets and threats, relevant vulnerabilities and effective countermeasures and mitigation actions.

The flexible mechanism of Practical Threat Analysis pre-defined security entity libraries facilitates the preparation of the checklists values that are in compliance with the various methodologies. Qualified security professionals are encouraged to prepare verified and credible libraries for marketplace domains where there is a need for a standardized baseline. A few sample threat models and libraries such as the PTA packages for ISO 27001 and PCI DSS 1.1 are available for free download - feel free to use these packages base line for constructing your own customized threat models. 

 

17. How to translate traditional risk assessment fields into PTA terms?

In a nutshell, the mapping of the traditional risk analysis fields to PTA’s terms is as follows:

Minimal Risk = Residual Risk
Asset Value = Asset Value (annual)
Exposure Factor = Threat’s Level of Damage to a specific Asset
Single Loss Expectancy (SLE) = Threat’s Level of Damage to a specific Asset *
Asset Value
Annual Rate of Occurrence (ARO) = Threat’s Probability
Annual Loss Expectancy (ALE) = Threat’s Risk (in $ or in percents of total assets
value)

For example: You have an asset of a computer that gets infected with a remote control virus. The exposure factor is 100% since the system must be rebuilt from scratch at the cost of 100$. The threat may happen 10 times a year. The capture of that threat in PTA is as follows:

The Asset's Value = 100$
The Threat’s Level of Damage to the specific Asset = 100%
The Threat’s Probability = 10 times a year.
The Threat’s Risk = 100$ * 100% * 10 = 1,000$ per year
 

Several PTA sample projects are available for downloading in the Practical Threat Analysis Documents page. Each sample is packed in a WinZip archive (for example CallAccountingCaseStudy.zip). The archive contains the sample threat model database (.thm or .thl file) and a few document files relevant to the project (.doc, .pdf, .txt, .bmp etc). After downloading the archive, please extract the files to a separate folder according to your convenience and than invoke PTA and open the .thm database using the File | Open PTA Project dialog.

*Note: to view the sample threat model you should have PTA Risk Assessment Tool installed on your computer.

In the early stages of our study we were debating with ourselves on how to represent variables such as business reputation, loss of trust etc. In order to develop a robust quantitative method, we wanted to normalize the value of assets and cost of countermeasures in a common system of units that can be processed in order to produce a non-biased risk assessment and prioritized recommendations for mitigating threats based on cost-effectiveness, importance and efficiency.

Consulting with insurance experts has convinced us that anything can and should be assigned monetary values. So we have decided to ask the analyst to express values of assets and derived losses and damages in monetary values (the system calculates the weighted annual monetary value from the one time fee and the recurring portion).

Since PTA is meant to be a practical tool, therefore it keeps all metrics e.g. assets importance, damage levels, countermeasures implementation and risk values in financial units. This does not put any real methodological constraint since, at the end of the day, it is the seasoned analyst who has to interpret the meaning of the output figures, in a way which is consistent with the meaning attached to the input numbers. PTA dynamic calculative engine immediately reflects changes in the input values in a quantitative way and is well suited for the iterative assessment process suggested by most standards. 

Actually, the analyst has a lot of freedom in interpreting what is the exact meaning of "monetary value of the assets" to him/her. After all, these are just numbers and we should be able, in principle, to express any quantitative risk metric using numbers.

The File | Save As option enables you to save to disk a copy of your threat model database at any time. PTA implements a 'behind the scene' backup mechanism as follows:

The latest threat model version is automatically saved to disk whenever you open a threat model project. The backup file is named as the threat model but with a 'bak' extension. In addition, PTA automatically saves a temporary version of your 'in-work' changes which is kept in a file with the same name as the currently opened threat model but with a '~hm' extension instead of 'thm'.

Hope this information will help you manage your threat models repository safely.

The export option of the PTA Professional Edition is hiding in the product's reporting subsystem. You can invoke it by clicking the "Export Report" button in each of the report viewer toolbar (the button on the right side of the view ratio combo box). This feature enables you to save the report's content in several formats e.g. txt, xls, rtf etc.

A more comprehensive way to extract and export data from PTA threat models is to open the thm/ thl threat model files with MS Access 2003. You will be able to retrieve and export the database content via the Access rich export functionality - you'll need of course to have Access 2003 (which is part of MS Office 2003) installed on your workstation.

As discussed in question 19, measuring the value of assets in monetary values is one of the most important issues in PTA calculative foundation. The probability that a threat will materialize is presented in PTA by the traditional ARO parameter (Annual Rate of Occurrence) – which is actually (when no statistical/history data available) an estimation of how many times the analyst believes that the threat will become a real attack. Estimation also applies to the decision on the mitigation level of a given mitigation plan as well as to the decision on the level of damage a threat may cause to a given asset.

So all in all, assigning dollar values, probabilities, mitigation levels and damage levels where there is little or no historical data is an educated guesswork.

The good news are that monetary values, probabilities, mitigation levels and damage levels can be easily changed and the whole model is updated automatically to reflect the changes in risk levels and prioritized recommendations of mitigation plans. It is recommended that the analyst will first establish the threat model with preliminary values and then refine them. Preliminary threat probabilities and levels of damage and mitigation can be refined according to similar incidents historical data gathered from various resources. Preliminary values of assets can be refined according to client's stake-holders feedback (CFO, legal consultants). Moreover - monetary values of assets may be changed by client's personnel to form a 'what-if' analysis. This may contribute to the degree of confidence a client might have in a particular estimate. Analysts are encouraged to install PTA at their clients’ sites – this enables them to send the threat analysis projects (thm files) to the clients and have their authentic feedback.

The PTA calculative model treats a threat mitigation set as a holistic solution which provides a given mitigation level only when all the countermeasures in the set are implemented. For example: if you mark countermeasures C1, C3 and C5 as the members of a specific threat mitigation plan (by checking the ‘In Mitigation Plan’ for the 3 countermeasures in the Threat Details screen) and then set the ‘Maximal Mitigation’ of the threat to 70%, you will see that the specific threat’s risk is reduced by 70% only when C1, C3 and C5 are marked as ‘Already Implemented’ in the appropriate Countermeasure Details screens.

You may justifiably argue that in some cases the implementation of C1 solely may provide some substantive mitigation to the threat although less than the maximal mitigation. We support this situation in our Enterprise Edition where the analyst is able to define several mitigation plans for each threat and thus benefit from maximal flexibility in aggregating the countermeasures in a practical manner. The PTA Professional Edition enables the definition of one mitigation set for a specific threat so the analyst should be more selective.

Important Update: As of Version 1.60 build 1208, PTA Professional Edition enables the definition of several sub mitigation plans for a given threat where each sub mitigation plan has its own set of countermeasures and its own mitigation level. This is a change from the previous mitigation approach, where all countermeasures have to be implemented before the threat is mitigated. The new update supports situations where a reduction in risk could occur when some of the countermeasures are implemented according to the definitions in the Threat’s Sub Mitigation Plans screen. Have a look at the new CurrencyRatesWithTMSes.thm file in the Sample Risk Assessment Projects section of the PTA Documents page. Many thanks to Greg Duval - from VTechnologies Pty Ltd / State of Queensland for his continuous elaboration of this issue.

 

The Attacker Types as well as the Entry Points entities are not mandatory for the PTA threat model. They were designed to help the analyst in affirming the validity of the threat scenarios and do not impact the calculation. This is also true for the Tags and the Attached Documents entities which add descriptive fields and additional information to the threat entities.
 

1. When initiating a new threat analysis project it may be productive to reuse the last project you did (or one of the sample projects) as a base line.

2. Keep it simple. The following recipe may look a little counter-intuitive but if you follow the data entry order it will save you grief.

First - Define your assets, the ones that when damaged you’ll feel the blow e.g. “the availability of the company’s Web site – if the site is down we lose money”.

Then - Define countermeasures as mitigating activities. Each countermeasure description should contain a verb e.g. “install and configure a firewall”.

Then - Define vulnerabilities – those static weaknesses, limitations or defects in your system that are waiting to be exploited e.g. “the Web server is vulnerable to access from the Internet”.

Then - Assign countermeasures to each vulnerability. The associated countermeasures should be those that reduce the chances that the vulnerability will be exploited.

Then - Define threats as attack scenarios that damage assets and exploit vulnerabilities. It will be nice if the potential attackers and the attack entry points will be part of the threat description e.g. “a hacker damages the company’s Web site pages by exploiting the fact that the Web server is exposed to the Internet”

Repeat the process until you're satisfied with the results

Read more on how to build your first threat model.

 

System risk is calculated by summing the risk to each of the system’s assets. The value, presented in percents relative to the total value of all assets, can exceed 100%. It is clear that the actual damage to the system’s assets cannot exceed 100%; however, the risk level does not express the actual damage. It reflects the amount of effort that has to be invested in order to mitigate the threats to the system, and since neither the number of threats nor their severity is limited, the risk quantities are not limited to 100%.

For the user’s convenience, a marker line indicating the 100% risk level was added to the system risk status history graph.
 

This question arose from a real life risk assessment case description sent to us. The story goes like that: a risk of fire in the computer room and premises leads to a disruption of operation and loss of data. The fire may be caused by a vulnerability of fire hazards such as cardboard boxes and plastics that are not disposed off according to policy. One possible mitigation activity might be to assign a janitor to sweep the room daily and remove hazards - this is an obvious mitigation activity that reduces risk. Another mitigation activity might be to install an automatic fire-extinguisher. While this activity does not directly address a specific vulnerability, it surely has a mitigation value since it limits the impact of a fire in the computer-room. What is the PTA way to represent an activity that limits a possible damage to the asset itself rather then mitigate a specific vulnerability?

The answer: the PTA threat model encourages analysts to breakdown risk entities into their component pieces. This is how the scenario above would work with PTA (we had enhanced the case story a little bit for didactic purposes…)

The threat:

Computer room burns down accidentally due to fire hazards, and 1M Euro of hardware is destroyed.

Asset: (damaged by the threat)

1. Computer room hardware value 1M Euro

Vulnerabilities: (exploited by the threat)

1. Fire hazards such as cardboard boxes and plastics that are not disposed according to policy.
2. There is no automated fire extinguisher system in the data center.
3. Fire drills are not conducted regularly and equipment is not tested.
4. No one is responsible for the fire brigade activities.

Countermeasures: (associated with the vulnerabilities that were found to be productive in mitigating the threat and therefore are included in the threat’s mitigation plan)

1. Instruct janitor to sweep the room daily and remove hazards
2. Install automated fire extinguisher system
3. Conduct fire drills
4. Appoint and train an ERT (Environmental Response Team)

One more tip – use the PTA Threat Builder - click on Tools | Threat Builder - you will find that it's a great and much easier way to build threat models and relieves you of the necessity for keeping a picture of the data model in your mind...

 

As you all know, the basic PTA threat model enables a single threat to threaten more than one asset (actually the number of assets that can be threatened by a single threat is limited to 999 but as far as we know, no one has complained yet).

Moreover – the model enables you to assign a particular level of damage that the threat might cause to each of the threatened assets. The data-entry field in the Threat Details screen is called Threat's Damage to Asset and it defined as follows:

Threat's Damage Level to Asset is the financial value of damage caused by one incident of a specific threat to a specific asset, expressed as percentage of the asset's value - if level is 100% the damage to the asset is maximal.

So where is this question coming from? It has aroused in several cases when the preliminary threats identification process came up with scenarios where it seems that incidents of the same threat cause different damage. For example, an incident of a virus attack can destroy a precious asset such as data stored on disk while another incident of the same virus may have a somewhat less damaging impact like hurting the availability of the system for a short period of time. We were asked if in this case “the threat should be divided into two threats with different damage values or should the threat be assigned with a middle damage value which averages the Threat’s Damage to Asset value.”

All in all, the official answer is:

1. If you are sure that both attack scenarios cannot happen at the same time (e.g. when the virus attacks the precious data it does not affect the system’s availability and vice versa) it is better to divide the threat into two standalone threats, each of which has it own threatened asset (the precious data for one and the availability of the system for the other). In this way you can tune the level of the Threat Damage to Asset value separately for each type of incident.

2. If you believe that both types of attack scenarios go together and that the virus attack will impact both assets, it is better to define one threat which threatens two assets and assign the particular level of damage the attack will cause to each of the assets.

3. If you believe that both option 1 and option 2 may happen (life is quite complicated sometimes) you can define all possibilities (two standalone threats each with its own asset + one threat which threatens both assets) and tune the probabilities of each of the three threats according to you expectations.

The bottom line: a threat is exclusively defined by the vulnerabilities it exploits and by the assets it threatens – so all available combinations are legitimate.
(thanks to Pavel Khizhnyak for his contribution to this discussion).

 

According to the PTA threat model, countermeasures are assigned to vulnerabilities and not directly to threats. The countermeasures which are recommended for the mitigation of a specific threat are dynamically associated to the threat by the PTA calculative engine based on the vulnerabilities which are exploited by the threat.

For assigning countermeasures to a specific vulnerability, use the Vulnerability Details screen. For assigning vulnerabilities for a specific threat, use the Threat Details screen. After associating vulnerabilities to a threat, PTA displays a list of Recommended Countermeasures in the lower part of the Threat Details screen – all left is to decide which of the recommended countermeasures really contribute to the Threat’s Mitigation Plan and mark them by clicking the Include In Mitigation Plan button.

For further information on the PTA's threat model nuances please visit
http://www.ptatechnologies.com/pta3.htm and/or open one of the sample threat models that come with the installation package ( look at the sample folder under the installation root of PTA - the CurrencyRates.thm is a good fit)

 

30. What is the use of the threat model’s history information displayed in the System's Status screen?

The System's Status screen is a "bottom lines monitor" of the threat model project with an updated view of the risk status of the system, as well as indications regarding the progress of the threat analysis process which are displayed in the following graphs:

Risk History is a graph which displays the levels of risk in the system along the time axis of the threat analysis process. Changes in the maximal, minimal and current levels of risks are automatically logged at the end of each PTA session. The aggregated risk values are then presented on the y axis of the Risk History graph in percents of the total value of system assets and are bundled with the date of the change. Examining the Risk History graph can provide you with important information regarding the changes in system realities such as probabilities of threats, threats levels of damages, implementation of countermeasures and all other factors which have influence on the system’s risk level.

Analysis History is a graph which displays the numbers of vulnerabilities, threats and countermeasures defined in the threat model along the time axis of the threat analysis process. The purpose of this graph is to provide indications on the progress of the threat analysis process along the life cycle of the risk assessment project as well as help in assessing if the threat model is up-to-date in an acceptable manner.

Tip: Use the Reset Project's History checkbox in the Set Project Properties dialog to delete all projects’ Risk History and Analysis History records displayed in the System's Status screen. This is a good practice before distributing PTA threat models and security libraries to customers… (Thanks Ira for your note on this issue).

 

31. Using the Risk Mitigation Simulator to refine your overall risk mitigation plan.

The Risk Mitigation Simulator tool enables analysts to simulate the impact of countermeasures implementation on reducing the risk in the system. The outcome of a simulation session is the Mitigation Simulator Results report which displays a list of the countermeasures chosen to be simulated by the user and the value of the system's risk if all countermeasures in the list will be implemented.

To invoke the tool click the Tools | Mitigation Simulator menu option. The Countermeasures pane at the left side of the tool’s screen populates a list of the system's countermeasures - each row in the list displays the basic information of a specific countermeasure. Note that the grayed rows represent countermeasures which are already implemented and therefore cannot take part in the simulation since their contribution to the system's current risk was already taken in account. The number of the countermeasures in the list is displayed in parenthesis on the top left corner of the pane.

For simulating a specific countermeasure as implemented and adding it to the simulated mitigation plan, check the Simulate field in the countermeasure row or select the countermeasure row and click the Mark/Un-Mark button at the bottom right corner of the pane. Whenever a specific countermeasure is checked (or unchecked) as simulated, the following screen feedback will be encountered:

• If the countermeasure was marked as simulated, the color of the row's text will change to blue. If the countermeasure was un-marked as simulated, the color of the row's text will change back to black. The updated number of countermeasures included in the simulated mitigation plan is displayed in parenthesis at the top of the Mitigation Simulator screen.

• The information and figures in the System's Risk pane on the right side of the screen will update to reflect the current Simulated Risk Level and Simulated Mitigation Cost. The Simulated Top Risk Threats will update to reflect changes in threats' risk levels which take into account the simulated countermeasures.

Clicking the Create Report button will generate the Mitigation Simulator Results report which displays the simulation results in the PTA reports viewer and enables printing and distributing the simulation results.

 

32. Assets Valuation - setting the value of data assets.

Question: "...Since data assets have no intrinsic value I am calculating the value by the impact on the business should the asset be lost for a period of time. I am using a simple formula: the annual turnover of the company divided down into an amount per working day. I then use this figure as a fixed amount depending upon the amount of time the asset is unavailable. The problem I am having is putting this into PTA fixed and recurring asset values. The period you have set is for a year when often a system can be recovered within 7 days. How can I implement this method of evaluating data assets in PTA?"

Answer:

• The value of the data asset should be given as a recurring yearly figure (cost per year) which expresses the loss that will be caused to the organization when the asset is not available for the whole year.

• Your estimate of the actual amount of time for which the asset is not available in one threat incident, should be entered in the “Threat’s Damage to Asset” field which appears in the in the Assets tab of the Threat Details screen. The Damage is expressed in percents of the asset’s yearly value so in your example of 7 days loss, it roughly translates to 2%.

When you define a threat, you have to enter the threat’s probability which expresses the excepted number of threat incidents per year. In addition you enter the damage one threat incident causes to a specific asset in terms of percents from the yearly value of the asset. PTA then calculates the damage per incident from the value of the asset per year.

So even if your initial approach is phrased in terms of cost of damage per incident, you should translate it to a yearly figure when you enter the asset’s value and trust PTA to translate it back when needed. For example if you estimate that 7 days of unavailability of a specific data asset worth 10,000 Euro then the yearly value of this asset is the loss that will be caused to the organization if the asset will not be available for the whole year which makes 10,000 * 365 / 7 = ~ 520,000 Euro.

Notes:

In PTA, the value of an asset is kept internally as a value per year no matter whether you entered a yearly recurring figure or a fixed value together with the number of years the asset will last or any combination of these 2 input methods.

You are invited to have a look at what our partners write on how to valuate information assets:

1. How do I assign a dollar value to an assets?…should I use the purchase value of the asset, replacement value or expected damage to the company if the asset were stolen or exploited?
How to valuate information assets

2. A Sarbanes-Oxley IT security assessment was performed for a NASDAQ-traded advanced technology company during the months of October-November 2007. The objectives for the study were to evaluate the internal and external threats that impact the company’s information assets.
The SOX case study

You may consider using the Import Entities from Text to Library tool which enables importing the data of threat model entities into a new blank PTA library.

The data to be imported should be organized in comma-delimited text files so you should first save the Excel sheets you wish to import in a comma separate text format and then adjust the data according to the conventions detailed in the PTA help file ( read more in the PTA Screens | Import Entities from Text to Library section ).

The PTA Professional Edition distribution also includes a full set of empty template import files (in the \ImportTemplates folder under the PTA installation root) and
a set of populated text sample files (located in the \Samples\ImportText folder under the PTA installation root.)

Once the imported entities are organized in a PTA library you can integrate them in any threat model you wish – read more about PTA libraries in the PTA Screens | Load Entities from Library section in the PTA help file.

 

***

Download PTA Professional Edition  -   Practical Threat Modeling Documents
Home Page