IT risk assessment frameworks: real-world experience

Formal risk assessment methodologies try to take guesswork out of evaluating IT risks. Here is real-world feedback on four such frameworks: OCTAVE, FAIR, NIST RMF, and TARA.

Page 2 of 2

By using a predictive framework to prioritize areas of concern, organizations can proactively target the most critical exposures and apply resources efficiently to achieve maximum results.

The TARA methodology identifies which threats pose the greatest risk, what they want to accomplish and the likely methods they will use. The methods are cross-referenced with existing vulnerabilities and controls to determine which areas are most exposed. The security strategy then focuses on these areas to minimize efforts while maximizing effect.

Intel says awareness of the most exposed areas allows the company to make better decisions about how to manage risks, which helps with balancing spending, preventing impacts and managing to an acceptable level of residual risk. The TARA methodology is designed to be readily adapted when a company faces changes in threats, computing environments, behaviors or vulnerabilities.

TARA relies on three main references to reach its predictive conclusions. One is Intel's threat agent library, which defines eight common threat agent attributes and identifies 22 threat agent archetypes. The second is its common exposure library, which enumerates known information security vulnerabilities and exposures at Intel. Several publicly available common exposure libraries are also used to provide additional data. The third is Intel's methods and objectives library, which lists known objectives of threat agents and the methods they are most likely to use to accomplish these goals.
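To show how the cross-referencing described above can work in practice, here is an added illustration (not Intel's code or the actual contents of its libraries): three small constructed tables stand in for the threat agent library, the methods and objectives library and the common exposure library, and a function walks agent likelihood through methods to exposed areas, discounting areas that already have a control. The archetype names, methods, areas, scores and the control discount factor are all assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed stand-in for the threat agent library: archetype -> estimated
# likelihood (0-1) that this agent acts against the organization (assumption).
THREAT_AGENTS = {
    "disgruntled_insider": 0.6,
    "industrial_spy": 0.4,
    "opportunistic_criminal": 0.8,
}

# Constructed stand-in for the methods and objectives library:
# archetype -> (objective, methods the archetype is most likely to use).
METHODS_AND_OBJECTIVES = {
    "disgruntled_insider": ("sabotage", ["privilege_abuse", "data_destruction"]),
    "industrial_spy": ("steal_ip", ["phishing", "privilege_abuse"]),
    "opportunistic_criminal": ("extort", ["phishing", "exploit_unpatched_service"]),
}

# Constructed stand-in for the common exposure library:
# method -> list of (exposed area, whether a control is already in place).
COMMON_EXPOSURES = {
    "privilege_abuse": [("shared_admin_accounts", False), ("hr_database", True)],
    "phishing": [("email_gateway", True), ("engineering_workstations", False)],
    "exploit_unpatched_service": [("legacy_file_server", False)],
    "data_destruction": [("backup_system", True)],
}


def rank_exposed_areas(agents, methods_objectives, exposures, control_factor=0.25):
    """Cross-reference agents -> methods -> exposures to rank the most exposed areas.

    Each area accumulates the likelihood of every agent whose methods reach it;
    an area with an existing control keeps only control_factor of that weight
    (the factor is an assumption for this example). Returns (area, score) pairs,
    highest exposure first.
    """
    scores = defaultdict(float)
    for agent, likelihood in agents.items():
        _objective, methods = methods_objectives.get(agent, (None, []))
        for method in methods:
            for area, controlled in exposures.get(method, []):
                scores[area] += likelihood * (control_factor if controlled else 1.0)
    return sorted(scores.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for area, score in rank_exposed_areas(THREAT_AGENTS, METHODS_AND_OBJECTIVES, COMMON_EXPOSURES):
        print(f"{area:28s} {score:.2f}")
```

The ranking only reflects likelihood and the presence of controls, which is exactly the scope the article's critics discuss; weighting by asset impact would be a separate step.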

"I quite like what [Intel] has done with TARA and believe that it has promise," says Andrew Jaquith, a senior analyst at Forrester Research. "It is well suited for manufacturers, critical infrastructure providers and others who want to evaluate risks from named actors like industrial spies, nation-states and rogue administrators."

Hayes says he's reviewed information about TARA that Intel has released. "What I really like about TARA is the threat agent view of risk," he says. "There are parts of TARA—the threat agent library and the methods and objectives library—that can be easily used within other risk-assessment methodologies, especially if there is a need to standardize on common threat agents and corresponding methods."

TARA "appears to be a good tool for identifying, predicting and prioritizing threats against your infrastructure," Woerner adds. "You can use it to create common libraries that can be shared among different groups."

The framework "focuses on threats rather than assets, [on] what bad things can happen," Woerner says. "This is both good and bad. By focusing on threats rather than asset value, an assessor may miss the mark in identifying true infrastructure risks. It also seems to make the assumption that the only way to view risk is from the perspective of 'What's the worst thing that could happen?'"

When he's conducting a risk assessment, Woerner asks two critical questions: What's the most likely threat against a specific critical asset and what's the biggest impact that could occur with the asset? "TARA only addresses the likelihood of threat events, but doesn't take into account the risk's impact," he says.

Paul says another drawback of the framework is that it's new and untested. "You don't hear a lot about people using" TARA, he says. "TARA also appears to be yet another qualitative methodology rather than one that can be used for quantitative analysis."
