Threat Model

From Open Risk Manual
 
(No difference)

Latest revision as of 10:37, 14 October 2021

Definition

A Threat Model is a formal representation of the risk landscape faced by an individual or organization that explicitly focuses on risks that can be classified as threats.

Classification

  • Attacker centric, focusing on Threat Actor identification and analysis
  • Asset centric, focusing on Asset identification and analysis
  • System centric

Examples

VERIS A4 Threat Model

A cyber incident is viewed as a series of events that adversely affect the information assets of an organization. The VERIS classification employs the A4 threat model[1]: every cyber incident comprises the following elements (the 4 A's):

  • Actors: Whose actions affected the asset?
  • Threat Action: What actions affected the asset?
  • Assets: Which assets were affected?
  • Attributes: How was the asset affected?
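The four A's treated as a record format, as an added example that is not part of the Open Risk Manual page or of VERIS itself: a small Python model that checks an incident record carries all four elements and then builds the attacker-centric and asset-centric views named under Classification. The category values in the sample records (external, malware, server, ...) are constructed for illustration, not the official VERIS enumerations.

```python
from collections import Counter
from dataclasses import dataclass

# The four A's of the VERIS A4 threat model, in the order used below.
A4_FIELDS = ("actor", "action", "asset", "attribute")


@dataclass(frozen=True)
class Incident:
    actor: str       # who acted against the asset
    action: str      # what was done to the asset
    asset: str       # which asset was affected
    attribute: str   # how the asset was affected


def missing_elements(record: dict) -> list:
    """Return the A4 elements absent or empty in a raw incident record."""
    return [f for f in A4_FIELDS if not record.get(f)]


def parse_incident(record: dict) -> Incident:
    """Build an Incident, rejecting records that do not cover all four A's."""
    missing = missing_elements(record)
    if missing:
        raise ValueError("incident missing A4 element(s): " + ", ".join(missing))
    return Incident(*(record[f] for f in A4_FIELDS))


def by_actor(incidents) -> dict:
    """Attacker-centric view: how many incidents each actor category caused."""
    return dict(Counter(i.actor for i in incidents))


def by_asset(incidents) -> dict:
    """Asset-centric view: how many incidents touched each asset category."""
    return dict(Counter(i.asset for i in incidents))


def threats_to_asset(incidents, asset: str) -> list:
    """Distinct (actor, action, attribute) triples recorded against one asset."""
    return sorted({(i.actor, i.action, i.attribute) for i in incidents if i.asset == asset})


# Constructed sample records; category names are illustrative only.
SAMPLE_RECORDS = [
    {"actor": "external", "action": "malware", "asset": "server", "attribute": "confidentiality"},
    {"actor": "external", "action": "hacking", "asset": "server", "attribute": "integrity"},
    {"actor": "internal", "action": "misuse", "asset": "user device", "attribute": "confidentiality"},
    {"actor": "external", "action": "social", "asset": "person", "attribute": "integrity"},
]

if __name__ == "__main__":
    incidents = [parse_incident(r) for r in SAMPLE_RECORDS]
    print(by_actor(incidents), by_asset(incidents), threats_to_asset(incidents, "server"))
```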

References

  1. VERIS Incident Description