IT risk assessment frameworks: real-world experience

Formal risk assessment methodologies try to take guesswork out of evaluating IT risks. Here is real-world feedback on four such frameworks: OCTAVE, FAIR, NIST RMF, and TARA.


TARA relies on three main references to reach its predictive conclusions. One is Intel's threat agent library, which defines eight common threat agent attributes and identifies 22 threat agent archetypes. The second is its common exposure library, which enumerates known information security vulnerabilities and exposures at Intel. Several publicly available common exposure libraries are also used to provide additional data. The third is Intel's methods and objectives library, which lists known objectives of threat agents and the methods they are most likely to use to accomplish these goals.

"I quite like what [Intel] has done with TARA and believe that it has promise," says Andrew Jaquith, a senior analyst at Forrester Research. "It is well suited for manufacturers, critical infrastructure providers and others who want to evaluate risks from named actors like industrial spies, nation-states and rogue administrators."

Hayes says he's reviewed information about TARA that Intel has released. "What I really like about TARA is the threat agent view of risk," he says. "There are parts of TARA—the threat agent library and the methods and objectives library—that can be easily used within other risk-assessment methodologies, especially if there is a need to standardize on common threat agents and corresponding methods."

TARA "appears to be a good tool for identifying, predicting and prioritizing threats against your infrastructure," Woerner adds. "You can use it to create common libraries that can be shared among different groups."

The framework "focuses on threats rather than assets, [on] what bad things can happen," Woerner says. "This is both good and bad. By focusing on threats rather than asset value, an assessor may miss the mark in identifying true infrastructure risks. It also seems to make the assumption that the only way to view risk is from the perspective of 'What's the worst thing that could happen?'"

When he's conducting a risk assessment, Woerner asks two critical questions: What's the most likely threat against a specific critical asset, and what's the biggest impact that could occur to that asset? "TARA only addresses the likelihood of threat events, but doesn't take into account the risk's impact," he says.
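To make the structure of TARA's three libraries concrete, and to show the gap Woerner describes, here is an added toy model (not Intel's data or scoring). The agent attributes, exposures, methods and the likelihood proxy are all constructed for illustration; the final function adds the impact weighting that, per the article, TARA itself leaves out.

```python
from dataclasses import dataclass

# Constructed sample data standing in for TARA's three libraries.
# Attribute names, scales and entries are illustrative, not Intel's.
@dataclass(frozen=True)
class ThreatAgent:
    """One archetype from the threat agent library (attributes scored 1-3)."""
    name: str
    skill: int
    resources: int
    intent: int

@dataclass(frozen=True)
class MethodEntry:
    """One row of the methods and objectives library."""
    objective: str
    method: str
    agents: frozenset   # archetypes known to pursue this objective this way
    needs: frozenset    # exposures (from the exposure library) the method relies on

AGENTS = {
    "insider-admin": ThreatAgent("insider-admin", skill=3, resources=2, intent=2),
    "opportunist": ThreatAgent("opportunist", skill=1, resources=1, intent=1),
    "industrial-spy": ThreatAgent("industrial-spy", skill=3, resources=3, intent=3),
}
# Common exposure library: weaknesses currently present in this (constructed) environment.
EXPOSURES = frozenset({"shared-admin-password", "unmonitored-file-share"})
METHODS = [
    MethodEntry("steal designs", "copy from file share",
                frozenset({"insider-admin", "industrial-spy"}), frozenset({"unmonitored-file-share"})),
    MethodEntry("disrupt plant", "tamper with control host",
                frozenset({"insider-admin"}), frozenset({"shared-admin-password", "physical-access"})),
    MethodEntry("defacement", "exploit web server",
                frozenset({"opportunist"}), frozenset({"unpatched-web-app"})),
]

def rank_threats(agents, exposures, methods):
    """Rank (agent, objective, method) by a constructed likelihood proxy.
    A method is a live threat only if every exposure it needs is present."""
    ranked = []
    for m in methods:
        if not m.needs <= exposures:
            continue  # missing exposure: the method has no foothold here
        for name in m.agents:
            a = agents[name]
            ranked.append((a.skill * a.resources * a.intent, name, m.objective, m.method))
    return sorted(ranked, reverse=True)

def rank_with_impact(ranked, impact):
    """Weight each live threat by the impact of its objective (the step TARA omits)."""
    return sorted(((lik * impact.get(obj, 1), ag, obj, meth) for lik, ag, obj, meth in ranked), reverse=True)
```

With the sample data only "steal designs" survives the exposure check; the other two methods need exposures the environment does not have, which is the filtering the exposure library provides.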

Paul says another drawback of the framework is that it's new and untested. "You don't hear a lot about people using" TARA, he says. "TARA also appears to be yet another qualitative methodology rather than one that can be used for quantitative analysis."

Copyright © 2010 IDG Communications, Inc.
