Threats {t}



What Threats are there to the Organisation's Assets?

The next component to consider is the threat to your asset. Threat is measured as a percentage, ranging from zero percent, meaning no threat, to one hundred percent, meaning a constant threat.

There are many different threats to an organisation, for example fire, theft, flood and so on. When it comes to Information Technology the threat we need to be concerned about is a simple one: the loss of, the compromise of, or unauthorised access to, data.

The function of Information Technology is to provide access to data that we can trust, to the correct people at the correct time. Allowing a non-authorised user access to data at any time is a failure of the IT function. Not making the correct data available to authorised users when access is required is also a failure of the IT function. Finally, allowing an authorised user access to compromised data at any time is a failure of the IT function.

This is often referred to as CIA: Confidentiality, Integrity and Availability, the assurance of which is the responsibility of the IT function.

When measuring threat, you can measure the threat to individual items of data, individual servers, individual networks or the entire enterprise. For example, cyber criminals specifically target card holder data, such as credit card numbers and customer names; they are unlikely to be interested in disrupting your network. They would therefore be a high threat to card holder data, a lower threat to the network, and more likely a medium to high threat to the enterprise.

Represented as a percentage, you would say that the threat to your card holder data from cyber criminals is constant, and therefore has a threat ratio equal to one hundred percent:

Threat = 100%

When considering enterprise IT risk management we need to understand whether there is a threat to the organisation as a whole. Most organisations assume that if they do not hold rich target data, such as card holder data, or if they are a smaller organisation that “hackers have not heard of”, then their threat level would be low.

However, that is not the case. If you are connected to the Internet, as pretty much every enterprise concerned with IT risk management is, then you are a target, and the threat is constant.

To understand why you are a target you need to understand how hackers target you. Typically they do not target a specific organisation; they scan the Internet for low-hanging fruit: servers that have not been patched, or servers with default usernames and passwords. It is not personal; it is an automated script or process looking for weaknesses in your countermeasures.

These scripts run twenty-four hours a day, seven days a week, even on Christmas Day, on tens of thousands of machines across the globe. Your network is being probed every day, most likely several times a day. Once they breach your network they will target high value data, but you need to understand that you are a target every day.

We can therefore conclude that the threat to the enterprise is constant, regardless of the type of organisation you are or the type of data you store.

Threat = 100%

If we only had threats to our assets, valued at, say, $10 million, then our risk could be calculated with the following formula:

Risk = Threat {t} x Valuation {VaR}

Risk = 100% {t} x $10,000,000 {VaR}

Risk = $10,000,000
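The calculation above applied to several assets at once, as an added example that is not part of the original page: each asset sits at one of the scopes the text names (data, server, network, enterprise), carries a valuation {VaR} and a list of threat sources, and its risk is Threat {t} x Valuation {VaR} before any countermeasures. The asset names, threat sources and all ratios other than the page's 100% are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ThreatSource:
    """One source of threat to an asset, e.g. cyber criminals or automated scanners."""
    name: str
    threat: float  # ratio 0.0 (no threat) .. 1.0 (constant threat, the page's 100%)

    def __post_init__(self):
        if not 0.0 <= self.threat <= 1.0:
            raise ValueError(f"threat for {self.name!r} must be between 0 and 1, got {self.threat}")


@dataclass
class Asset:
    """An asset at one of the scopes the page names: data, server, network or enterprise."""
    name: str
    scope: str
    valuation: float                 # VaR, in dollars
    threats: list = field(default_factory=list)
    internet_connected: bool = True  # only consulted for the enterprise scope

    def threat_ratio(self) -> float:
        # The page's conclusion: an Internet-connected enterprise faces a constant threat.
        if self.scope == "enterprise" and self.internet_connected:
            return 1.0
        # Otherwise the most active source dominates, so a 100% source stays 100%.
        return max((t.threat for t in self.threats), default=0.0)

    def risk(self) -> float:
        # Risk = Threat {t} x Valuation {VaR}, with no countermeasures applied yet.
        return self.threat_ratio() * self.valuation


def risk_register(assets) -> dict:
    """Risk in dollars, keyed by asset name."""
    return {a.name: a.risk() for a in assets}


# Constructed sample assets; every ratio other than 100% is an illustrative guess.
SAMPLE_ASSETS = [
    Asset("Card holder data", "data", 10_000_000, [ThreatSource("cyber criminals", 1.0)]),
    Asset("Corporate network", "network", 2_000_000,
          [ThreatSource("cyber criminals", 0.3), ThreatSource("disgruntled insider", 0.1)]),
    Asset("Enterprise", "enterprise", 25_000_000, [ThreatSource("cyber criminals", 0.75)]),
]

if __name__ == "__main__":
    for name, risk in risk_register(SAMPLE_ASSETS).items():
        print(f"{name:18s} risk = ${risk:,.0f}")
```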

But of course we are likely to have some countermeasures in place to mitigate the threats.
