Excerpts from NIST SP 800-39 and NIST SP 800-30 R1
Figure titles from the source documents (captions only; the figures themselves are not reproduced in this excerpt):
- Multitiered organization-wide risk management
- Risk management process applied across the tiers
- Information security requirements integration
- Relationship among risk framing components
- Risk assessment process
- Generic risk model with key risk factors
Risk, and its contributing factors, can be assessed in a variety of ways, including quantitatively, qualitatively, or semi-quantitatively.
An analysis approach can be: (i) threat-oriented; (ii) asset/impact-oriented; or (iii) vulnerability-oriented.
- Organizations have great flexibility in choosing a particular analysis approach. The specific approach taken is driven by different organizational considerations.
- However, the starting point of the risk assessment can bias the results, so that some risks are never identified.
- Therefore, identifying risks from a second orientation (e.g., complementing a threat-oriented analysis with an asset/impact-oriented analysis) can improve the rigor and effectiveness of the analysis.
In addition to the orientation of the analysis approach, organizations can apply more rigorous analysis techniques (e.g., graph-based analyses) that account for the many-to-many relationships among the risk factors in the generic risk model (e.g., one threat source can cause multiple threat events, and one threat event can be caused by multiple threat sources).
- For example, graph-based analysis techniques (e.g., functional dependency network analysis, attack tree analysis for adversarial threats, fault tree analysis for other types of threats) provide ways to use specific threat events to generate threat scenarios.
- Graph-based analysis techniques can also provide ways to account for situations in which one event can change the likelihood of occurrence for another event. Attack and fault tree analyses, in particular, can generate multiple threat scenarios that are nearly alike, for purposes of determining the levels of risk.
- With automated modeling and simulation, large numbers of threat scenarios (e.g., attack/fault trees, traversals of functional dependency networks) can be generated. Thus, graph-based analysis techniques include ways to restrict the analysis to define a reasonable subset of all possible threat scenarios.
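The following is an added illustration, not code from NIST SP 800-30 R1: a small attack-tree evaluator that generates threat scenarios from specific threat events (AND/OR nodes), lets one event change the likelihood of another, and restricts the output to a reasonable subset by a likelihood cutoff. The tree, likelihood values, impact value and cutoff are constructed sample data.

```python
# Added example (not from NIST SP 800-30 R1): a minimal attack-tree evaluator
# for semi-quantitative risk assessment. All values below are constructed.
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, FrozenSet, List, Tuple

@dataclass
class Node:
    name: str
    kind: str = "LEAF"                       # "LEAF", "AND" or "OR"
    children: List["Node"] = field(default_factory=list)

def scenarios(node: Node) -> List[FrozenSet[str]]:
    """Enumerate threat scenarios: each is the set of leaf threat events
    that together reach the root (the tree's minimal cut sets)."""
    if node.kind == "LEAF":
        return [frozenset([node.name])]
    parts = [scenarios(c) for c in node.children]
    if node.kind == "OR":                     # any one child suffices
        return [s for p in parts for s in p]
    # AND: every child must occur, so combine one scenario from each child
    return [frozenset().union(*combo) for combo in product(*parts)]

def likelihood(scn: FrozenSet[str], base: Dict[str, float],
               cond: Dict[Tuple[str, str], float]) -> float:
    """Scenario likelihood in [0, 1]. `cond[(a, b)]` is the likelihood of
    event b when event a is also in the scenario, modelling one event
    changing the likelihood of another; otherwise the base value is used."""
    p = 1.0
    for ev in sorted(scn):
        p_ev = base[ev]
        for other in scn:
            if (other, ev) in cond:
                p_ev = cond[(other, ev)]
        p *= p_ev
    return p

def rank(root: Node, base, cond, impact: float, min_likelihood: float = 0.0):
    """Score each scenario as likelihood x impact, dropping scenarios below
    the cutoff to restrict analysis to a reasonable subset."""
    out = []
    for scn in scenarios(root):
        p = likelihood(scn, base, cond)
        if p >= min_likelihood:
            out.append((round(p * impact, 3), round(p, 3), sorted(scn)))
    return sorted(out, reverse=True)

# Constructed sample: three ways a data store could be disclosed.
SAMPLE_TREE = Node("data store disclosed", "OR", [
    Node("", "AND", [Node("stolen credential"), Node("MFA bypass")]),
    Node("unpatched service exploited"),
    Node("", "AND", [Node("insider misuse"), Node("unreviewed bulk export")]),
])
BASE = {"stolen credential": 0.6, "MFA bypass": 0.2,
        "unpatched service exploited": 0.3, "insider misuse": 0.1,
        "unreviewed bulk export": 0.5}
COND = {("stolen credential", "MFA bypass"): 0.3}   # conditional likelihood

if __name__ == "__main__":
    for risk, p, events in rank(SAMPLE_TREE, BASE, COND, impact=10, min_likelihood=0.1):
        print(risk, p, events)
```

Running the block with the sample data keeps two of the three scenarios; lowering `min_likelihood` to 0 shows all three, which is the trade-off between completeness and a tractable scenario set described above.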
- NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
- NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments