Quantifying Risk in the Modern Cyber Landscape: The Role of the Organizational Threat Model

The ever-evolving pace of business has left traditional enterprise risk assessments (ERAs) struggling to keep up. Risk assessments can be time-consuming and resource-intensive, and ERAs can only qualify risk, not quantify it. As a result, they often fail to give organizations the insight they need into potential threats, leaving those organizations vulnerable to cyber-attacks.

VerSprite recognizes the need to evolve the assessment process into a methodology that provides quantified and qualified risk assessment, as well as an actionable threat model. It turned to the Factor Analysis of Information Risk (FAIR) framework, which focuses on detailed aspects of loss frequency, loss magnitude, and threat frequency. These aspects align perfectly with VerSprite’s Organization Threat Model (OTM).

OTM is a seven-stage process inspired by the application threat modeling methodology PASTA (Process for Attack Simulation and Threat Analysis). The idea is to substantiate each risk with several important contexts, such as business impact, likelihood, and the effectiveness of native countermeasures or controls that help reduce inherent risk levels. By unifying three distinct security assessment types (business impact assessments, red teaming, and enterprise risk assessment), OTM aims to better qualify the elements of risk for an organization and to quantify how residual risks translate to impact levels against the organization.

VerSprite’s OTM consists of seven stages.

First, the methodology starts with defining the organization’s objectives and ensuring an appropriate level of security requirements to support the business goals while meeting compliance standards. Next, the technical scope is defined, including categorizing any workflow, architectural, and technology components that provide security controls and features.

The organizational structure and network decomposition and analysis come next as stage three. This stage decomposes the organization’s network into essential elements that can be further analyzed for attack simulation and threat analysis from both the attacker’s and the defender’s perspectives. 

Then, threat analysis begins, enumerating possible threats targeting the organization’s various assets. Probable attack scenarios are identified based on threat agent models, security event monitoring, fraud mapping, and threat intelligence reports.

The vulnerability and weakness analysis stage maps vulnerabilities identified for different assets to threats and attack scenarios. 

The attack modeling and simulation stage analyzes how the organization and its context can be attacked by exploiting vulnerabilities and using various attack libraries and vectors. Finally, residual risk analysis and management conclude the process, analyzing residual risks and business impact, identifying gaps in security controls, calculating residual risk, and providing risk mitigation strategies.

“In the modern evolving cyber landscape, how we assess threats and risks to enterprises must adapt, too,” says Tony UcedaVelez, VerSprite Founder and CEO, co-author of PASTA. “OTM methodology provides an offensive-minded approach to identifying and managing risk. This methodology aims to quantify and qualify business impact, identify gaps in security controls, calculate residual risk, and provide risk mitigation strategies.”

The Organizational Threat Model is a comprehensive cybersecurity approach that considers the latest technological advancements and evolving cyber threats, and it goes beyond standard ERAs to assess and strengthen security posture. By using the OTM methodology, organizations can stay ahead of the curve and protect their assets and reputations from cyber-attacks.