To ensure more of my colleagues partake in this experience, I’d like to take this opportunity to walk us through the scoping process we teach here at RiskLens as part of our training:
Purpose
We start the scoping process by trying to answer the following question, written in various forms:
Having these answers will let us know how broad or granular our approach should be going forward.
Asset(s)
Once we have solidified the purpose of the analysis, our next move is identifying the asset(s) for the analysis. For a tactical analysis, this answer is relatively straightforward. Yet for a strategic analysis, this may take some additional thought, as multiple scenarios covering multiple assets may be required to sufficiently inform stakeholder decisions. In either case, we need to know:
It also doesn’t hurt to get an understanding of the volume, or amount of information contained therein.
Threat(s)
Now that we've identified the purpose of the analysis and the assets to be included, who from the threat landscape should we be concerned with? Is the asset or assets we identified most susceptible to attacks from malicious external actors (e.g. Cyber Criminals, General Hackers, Nation States, etc.) and/or internal actors (e.g. Privileged Insiders, from either a malicious or an accidental perspective)? It's important to keep in mind that you can scope every threat actor under the sun, but here we want to leverage the concept of possibility vs. probability. If the industry you're in and the asset you're scoping are of no concern or value to Nation States, you end up providing little to no value to your stakeholders by gathering data and providing results that prove just that. Focus on the threat actors that are probable to affect the scenario you're scoping; your stakeholders will thank you.
Loss Type(s)
Now that we have a good understanding of the probable threat landscape that is of most concern to our analysis, how does the loss actually manifest itself? For this purpose, we leverage the C-I-A triad to identify whether the loss type is a release of sensitive information (i.e. Confidentiality), an alteration or information reliability concern (i.e. Integrity), and/or an inability to access or an outage issue (i.e. Availability). Identifying how the loss will manifest itself will often aid in identifying which subject matter experts to leverage when gathering the data for an analysis (e.g. is this a privacy-related concern, or should we reach out to our Disaster Recovery team?).
Loss Event
The last component, identifying how the loss will actually take place, is probably the most critical component of them all. To a novice, this may sound like an obvious or insignificant aspect, but it will and should inform the entire analysis. An example: if conducting a DDoS analysis on a company’s primary retail website, what represents the loss event?
The answer to these questions should dictate a lot, from: