There are elements in IriusRisk that hold parameterized security values:
- At system level:
  - Trustzones: trust rating (how secure this trustzone is)
  - Assets: CIA triad (confidentiality, integrity and availability)
  - Risk calculation parameters:
    - Asset Value Weighting
    - Mitigation Factor if Countermeasure Implemented
    - Ease Of Exploitation Weighting
    - Exposure Weighting
    - Business Impact Weighting
    - Mitigation Factor if Countermeasure Test Passed
    - Mitigation Factor if Countermeasure Test not Passed
    - Vulnerability Found Factor
- At content level:
  - Threats: CIA triad (confidentiality, integrity and availability) and ease of exploitation (how easy this threat is to exploit)
  - Weaknesses: impact (how much harm it can cause)
  - Countermeasures: mitigation (how much of a threat's risk is mitigated when it is implemented)
See "How are current and projected risk calculated" for details on how these fields are used.
By default, the security content produced by IriusRisk tries to be as accurate as possible, although in some cases it is difficult to determine the real value of these parameters. Where the official source of a piece of content already provides values, we use those. Otherwise, we set the maximum possible value by default and let users adjust it in their threat models.
We expect that everyone has a different view of these values, and it is perfectly fine if you are not on the same page as us. When performing a threat modelling activity it is important to set the correct values so that IriusRisk can provide a close approximation of business reality.
In summary:
- At system level:
  - Trustzones: we provide five trustzones with the following trust ratings:
    - Internet: 1
    - Public: 1
    - Public Cloud: 60
    - Trusted Partner: 80
    - Private Secured: 100
  - Assets: we provide four assets with the following values:
    - Credit Card Data: C: Very High, I: Very High, A: Medium
    - Customer Data: C: Very High, I: Very High, A: Low
    - Personally Identifiable Information: C: Very High, I: Very High, A: Low
    - Protected Health Information: C: Very High, I: Very High, A: Low
  - Risk calculation parameters:
    - Asset Value Weighting: 1
    - Mitigation Factor if Countermeasure Implemented: 1
    - Ease Of Exploitation Weighting: 1
    - Exposure Weighting: 1
    - Business Impact Weighting: 1
    - Mitigation Factor if Countermeasure Test Passed: 1
    - Mitigation Factor if Countermeasure Test not Passed: 1
    - Vulnerability Found Factor: 0
- At content level:
  - Threats: CIA values and ease of exploitation are set automatically for CAPEC threats and manually in all other cases
  - Weaknesses: impact: 100 by default
  - Countermeasures: mitigation: this value depends on the number of countermeasures in a threat. We try to give each countermeasure a uniform mitigation value so that a threat is fully mitigated once all of its countermeasures have been implemented. It is usually calculated as follows: each countermeasure gets 100 divided by the number of countermeasures in the threat (integer division), and the remainder is added to one of them.
  - The mitigation values in a threat must add up to 100, e.g. 34+33+33 on a threat with three countermeasures or 25+25+25+25 on a threat with four countermeasures.
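The following is an added example (not IriusRisk's own code) that applies the distribution rule above for any number of countermeasures and then checks which share of a threat remains uncovered when only some of them are implemented. It assumes, as the 34+33+33 example suggests, that the remainder is given to the first countermeasure; the page does not state which one receives it.

```python
def distribute_mitigation(n_countermeasures: int, total: int = 100) -> list[int]:
    """Split `total` mitigation points across the countermeasures of one threat.

    Each countermeasure gets total // n; the remainder of the integer division
    goes to the first one (an assumption: the page only shows 34+33+33), so the
    values always add up to `total`.
    """
    if n_countermeasures < 1:
        raise ValueError("a threat needs at least one countermeasure to distribute mitigation")
    base, remainder = divmod(total, n_countermeasures)
    values = [base] * n_countermeasures
    values[0] += remainder  # e.g. 3 countermeasures -> [34, 33, 33]
    return values


def check_mitigation_sum(values: list[int], total: int = 100) -> bool:
    """The rule from the text: the mitigation values in a threat must add up to 100."""
    return sum(values) == total


def unmitigated_share(values: list[int], implemented: list[bool], total: int = 100) -> int:
    """How much of the threat's mitigation is still missing.

    Only implemented countermeasures contribute their mitigation value; the
    result is 0 once every countermeasure is implemented, which is what the
    page means by "fully mitigated".
    """
    if len(values) != len(implemented):
        raise ValueError("one implementation flag is needed per countermeasure")
    covered = sum(v for v, done in zip(values, implemented) if done)
    return total - covered


if __name__ == "__main__":
    # Constructed sample: a threat with three countermeasures, of which the
    # first and the third have been implemented in the project.
    mitigations = distribute_mitigation(3)
    print(mitigations, check_mitigation_sum(mitigations))        # [34, 33, 33] True
    print(unmitigated_share(mitigations, [True, False, True]))   # 33
    print(unmitigated_share(mitigations, [True, True, True]))    # 0
```

Running the script as-is prints the three-countermeasure split and the uncovered share for the constructed implementation state; `distribute_mitigation` can be called with any count (for seven countermeasures it yields 16+14+14+14+14+14+14, which still sums to 100).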
I would like to modify these values myself. How can I do it?
The following list shows where to go to edit these values after logging into IriusRisk:
- At system level:
  - Trustzones: Objects -> Trustzones
  - Assets: Objects -> Assets
  - Risk calculation parameters: Security content -> Risk calculation
- At content level:
  - On libraries: Security content -> Risk pattern libraries -> <Selected library> -> Risk Patterns -> Use cases -> Threats
  - On projects: Projects -> <Selected project> -> Threats
  - From there you can also modify weaknesses and countermeasures
Note: users cannot edit the content of the default libraries, but they can edit it once it has been imported into a project.