The NIST Generic Risk Model


Generic Risk Model with Key Risk Factors (NIST SP 800-30 R1)

Key Risk Factors

Risk

Risk is a function of the likelihood of a threat event's occurrence and the potential adverse impact should the event occur.

Likelihood

In assessing likelihoods, organizations examine vulnerabilities that threat events could exploit and also the mission/business function susceptibility to events for which no security controls or viable implementations of security controls exist (e.g., due to functional dependencies, particularly external dependencies).

Impact

The level of impact from a threat event is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

Risk Model

Risk models differ in the degree of detail and complexity with which threat events are identified. When threat events are identified with great specificity, threat scenarios can be modeled, developed, and analyzed.

Threat

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Threat events are caused by threat sources.

Threat Source

The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with threat agent.

Threat Actor

An individual or a group posing a threat.

Threat Event

An event or situation that has the potential for causing undesirable consequences or impact.

Vulnerability

A bug, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability.

NIST Special Publication 800-39 provides guidance on vulnerabilities at all three tiers in the risk management hierarchy and the potential adverse impact that can occur if threats exploit such vulnerabilities.

Threat Scenario

In general, risks materialize as a result of a series of threat events, each of which takes advantage of one or more vulnerabilities. Organizations define threat scenarios to describe how the events caused by a threat source can contribute to or cause harm. Development of threat scenarios is analytically useful, since some vulnerabilities may not be exposed to exploitation unless and until other vulnerabilities have been exploited.

A threat scenario tells a story, and hence is useful for risk communication as well as for analysis.

Predisposing Condition

A predisposing condition is a condition that exists within an organization, a mission or business process, enterprise architecture, information system, or environment of operation, which affects (i.e., increases or decreases) the likelihood that threat events, once initiated, result in adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation.

The concept of predisposing condition is also related to the terms susceptibility and exposure. Organizations are not susceptible to risk (or exposed to risk) if a threat cannot exploit a vulnerability to cause adverse impact. For example, organizations that do not employ database management systems are not vulnerable to the threat of SQL injection and, therefore, are not susceptible to such risk.



Awards from The ISACA Taiwan Chapter


Top 3 Award

I passed the four ISACA certification exams (CISM, CRISC, CISA, and CGEIT) with 49 days in total or 175 study hours in 2018.

I was happily surprised that the Taiwan chapter gives awards to the Top 3 exam takers by the scaled score in each testing window of the year, and I am the lucky one in the Top 3 for each ISACA certification exam.

It’s my pleasure to be invited to give a brief address and share my experience with the chapter members.

Experience Sharing

This post, 我的ISACA考試經驗分享–吳文智, is my exam prep sharing in Chinese; I hope this helps.



CISSP Practice Questions

You are the development team leader and recently found that your nightly build failed from time to time. Eve was a disgruntled developer on your team who quit last month. She was responsible for part of the solution and was not authorized to integrate it. She installed a program, running under the local system privilege, that deletes at midnight on Mondays some of the source code in the local code repository that is pushed to the central code repository for integration.

1. What is the program installed by Eve called?
A. Encapsulation
B. Maintenance hook
C. Multipartite
D. Logic bomb

2. You decide to conclude that Eve is accountable for the failures of the nightly builds. Which of the following is the least important?
A. Authentication
B. Authorization
C. Auditing
D. Non-repudiation


What is Discovery in a Civil Case?


Discovery is the pre-trial phase in a lawsuit in which each party investigates the facts of a case, through the rules of civil procedure, by obtaining evidence from the opposing party and others by means of discovery devices including requests for answers to interrogatories, requests for production of documents and things, requests for admissions, and depositions.

  1. Requests for answers to interrogatories
  2. Requests for production of documents and things
  3. Requests for admissions
  4. Depositions

Electronic discovery

Electronic discovery or “e-discovery” refers to discovery of information stored in electronic format (often referred to as Electronically Stored Information, or ESI).



CISSP Practice Questions

Your company is procuring computer systems to support its new video streaming services business. You are responsible for ensuring that the computer systems comply with your company's security policies. Which of the following is your greatest concern?
A. Trusted Computing Base
B. System Design Flaws
C. Security Kernel
D. Implicit Covert Channels


Information Security Governance


As a CISO, how do you govern information security? What are governance, risk, and compliance?

The Amicliens InfoSec Conceptual Model is a blueprint for you to prepare for the CISSP exam, while the Information Security Governance blueprint guides you through your CISM journey.

Both blueprints cover the topic of GRC. To nurture your business mindset, think about operations, management, and governance.