
You are the CISO of a direct bank based in Taiwan that relies entirely on internet banking. You are concerned that a hacker can type SQL expressions into the login form to bypass authentication. Which of the following best describes your concern?
A. Risk exposure
B. Threat event
C. Threat scenario
D. Risk profile
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Threat scenario.
Threat Scenario
Any combination of a threat source and a threat event that exploits vulnerabilities forms a threat scenario.
A threat event can be expressed in the form of tactics, techniques, and procedures (TTP for short). It is good practice to describe a threat event starting with a verb so that it can be paired with threat sources to form threat scenarios.
The “hacker” (threat source) can “type in SQL expressions in the login form to bypass the authentication” (threat event).
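As an added illustration of that threat event (example code written for this page, not part of the original post), the login query built by string concatenation is shown next to its parameterized form. The in-memory table, the user record and the attacker payloads are constructed sample data; the function names are assumptions for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data: one user in an in-memory SQLite database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The query is assembled by concatenation, so attacker-controlled text
    # becomes part of the SQL statement instead of staying data.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Placeholders bind the values separately from the statement text;
    # a quote or comment marker in the input cannot change the query.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demonstrate():
    # Two classic bypass payloads (constructed): a tautology in the password
    # field and a comment marker that truncates the password check.
    conn = make_db()
    payloads = [
        ("anyone", "' OR '1'='1"),
        ("alice' --", "wrong-password"),
    ]
    results = {}
    for user, pwd in payloads:
        results[(user, pwd)] = (
            login_vulnerable(conn, user, pwd),
            login_parameterized(conn, user, pwd),
        )
    return results


if __name__ == "__main__":
    for (user, pwd), (vuln, safe) in demonstrate().items():
        print(f"user={user!r} password={pwd!r}: "
              f"concatenated query logs in: {vuln}, parameterized: {safe}")
```

Each payload authenticates against the concatenated query without a valid password and fails against the parameterized one, which is the difference between the threat event being exploitable and not.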
Risk Exposure
- Exposure is the state of not being protected entirely or partially from risks.
- Risk exposure is the “contact of an entity, asset, system, network, or geographic area with a potential hazard.” (DHS Risk Lexicon, 2010)
It’s common for security practitioners to treat “exposure” as “not protected” or “coming into contact with danger.” However, the following definition is generally accepted in the discipline of risk management:
Risk exposure is a measure of risk in case it materializes. It can be measured by monetary value in terms of potential financial loss or a score by scaling the likelihood and consequences.
Risk profile
- A description of the overall (identified) risk to which the enterprise is exposed. (ISACA, 2019)
- A risk profile is a structured and complete description of any set of risks recorded in the risk register.
- A risk profile is a summary that lists estimates for all the risks associated with a strategy, program, project or activity. Risk profiles are documented and visualized using different methods but are typically based on estimates for the probability and impact of a list of identified risks. (Spacey, 2017)
Here we have a threat scenario: the “hacker” (threat source) can “type in SQL expressions in the login form to bypass the authentication” (threat event).
But in the 20191028, “R003 – The attackers might initiate distributed denial of services (DDOS).” is called a threat event in your solution and not a threat scenario.
I can’t see the difference.
A threat scenario as introduced in the NIST Generic Risk Model is not a complete description of a risk. According to ISO 31000, a risk is the effect of uncertainty on objectives. A threat scenario refers to the situation in which a threat source initiates a threat event; it doesn’t describe the effect, a crucial part of a risk.