Pragmatic Cyber Risk Assessment
Security is the mitigation of Risk. Risk exists when a Vulnerability can be exploited by an existing Threat; if the Vulnerability actually gets exploited, that is an Attack.
To determine the threat we need to identify the following:
Asset: Which asset is vulnerable?
Actor: Who may try to exploit it? E.g. hacker, company personnel, environment.
Access: How will the Actor access the Asset? E.g. via physical presence, the internal network or an external network.
Motive: What motivates the Actor? E.g. personal gain, human error, environmental disaster.
Outcome: What will happen if the Attack occurs? E.g. financial loss, damage to entities, etc.
ASPIDA uses the ISO 27005 methodology to conduct the risk assessment and combines all of the above to create a threat profile. Next we identify whether exploitable vulnerabilities exist for each of the discovered threats. Where a threat matches a vulnerability, the CVSS score is calculated. In the next step we determine the level of acceptable risk (as an industry standard, any CVSS score less than 4 is ignored), and in the last phase we mitigate the risk for the remaining vulnerabilities.