1.9

# Threat and risk modelling

The core steps in a risk assessment are the creation of threat and risk models. These are essential to understand how the the system may be attacked, how likely that is to occur, and what the cost might be.

## Asset types

A mobile device may contain many different assets that the owner may consider valuable and that are wanted by an attacker. These can be divided into two main categories:

1. Information assets: these include passwords, credit card details, emails, business information etc. and can be subdivided into:

• information assets managed by the device
• information assets managed by applications
2. Function assets: these represent functions or actions that can be performed that may have value like, make calls, send SMS, take photos, record sound etc.

Controlling access to assets is therefore very important. In particular, in the case of BYOD, any attack on the assets controlled by a device could have a high impact, as the device not only contains personal information, but also business information as well.

## What is risk?

The word risk has lots of different meanings in everyday use, but we need to be more precise.

The question we are trying to address when performing a risk assessment is “how much should I spend (time, money, effort) to protect my assets?”.

Or put another way, “how much will it cost me if I am attacked, how likely is that to happen, and so how much should I spend to prevent that happening?”.

The concept of risk therefore relates to probability (of an attack occurring) and impact (the cost to me of the attack).

(Recall the definitions of threats, vulnerabilities, and impact.)

Risk is defined as follows:

Risk = Probability x Impact

The probability of an attack occurring depends upon the threats and the vulnerabilities and therefore the above is often written as:

Risk = (Threats + Vulnerabilities) x Impact

Technically the above equation does not make sense mathematically. What it is meant to convey is that the probability is a function of the threats and vulnerabilities.

Note for Nerds: the correct mathematical definition of risk is as the expected value of the impact (represented as a random variable):

Here $p_{\textrm{attack}}$ is the probability of an attack, and $I_{\textrm{attack}}$ is the impact of that attack.

## How do you evaluate the impact of a threat/risk/attack?

There are range of different schemes that can be used to classify the impact of known threats/attacks/risks:

### STRIDE for threat modelling and DREAD for risk modelling

The Microsoft Threat Modeling Process uses an aggregated model:

• STRIDE helps you to identify and categorise threats from the attacker: Spoofing Identity, Tampering with Data, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

• DREAD helps you to determine the security risk for each threat using a value-based risk model : Damage, Reproducibility, Exploitability, Affected Users, and Discoverability.

### Trike: an open source threat modeling methodology and tool

Trike uses a risk-based approach and has distinct implementation, threat, and risk models, instead of using the STRIDE/DREAD aggregated threat model (attacks, threats, and weaknesses).

### CVSS: Common Vulnerability Scoring System

CVSS provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores.

The NVD CVSS V2 calculator provides vulnerability severity ratings of ‘Low’, ‘Medium’ and ‘High’.

### OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation

OCTAVE is a heavyweight risk methodology approach originating from Carnegie Mellon University’s Software Engineering Institute (SEI) in collaboration with CERT. OCTAVE focuses on organisational risk, not technical risk.