Académique Documents
Professionnel Documents
Culture Documents
1 Introduction
Almost every risk assessment methodology (see also comparison provided by ENISA [EN]) comes with at least a short list of example threats. We have not found any prior
analysis work that would explain how-to create, structure and maintain a threat catalog.
The below comparison table contains a sample collection of threat catalogs that are prominent in our environment. The table is by far not exhaustive but serves to illustrate
the differences in extent, scope and structure.
1.5 Mappings
Corporate IT Risk/Security standards can be based on different best practice collections. To support the workflows and governance needs of company the threat catalog
should map the threats against the required controls that mitigate the threat impact. For governance reasons it is also helpful to have a mapping between the threats and
Focus/Origin Operational Risks Operational Risks CIA Risks for information Operational Risks Attacks through internet Application Security Risks
systems
Catalog context -> Base IT security -> Risk Measurement Information Risk Information Risk Assessment Advice for home computer Threat modelling tool
manual -> Basel II Assessment Methodology Methodology security
-> Financial Services and Security Incident
Analysis
Catalog structure 5 chapters: -> Threat categories and Structured list with main Simple list Simple list Structured list with typical
- Force majeur generic risks are a flat list categories: application targets attacks
- Organiz. shortcomings -> covering: - External attack
- Human failure Physical threats - Theft
- Technical failure Legal threats - Service interruption
- Deliberate acts Criminal threats - Internal Misuse
Operational threats - Unforeseen effect of
human error threats change
- Malfuntion
Catalog Size 370 Threats for all 5 -> 70 Threat Categories 49 Threats 37 Threats 12 specific threats (attack 36 detail attacks in 19
chapters -> Over 600 generic risk methods and vulnerability higher level attacks
descriptions sources)
Mapping to ISO NO YES NO No No No
Other mappings To vulnerabilities To mitigation actions To mitigating actions To mitigation actions
To Basel II requirements To asset groups
To mitigating controls
Last updated 2004 2004 Continous Continuous N/A N/A
Table 1: Comparison of existing threat catalogs