Organisation Threats

What are threats and threat types?

Threat types are collections of threats which are interrelated. A threat is a potential risk that has a given likelihood of causing an impact to an organisation. To ensure a consistent approach, threats are considered at an organisation level, and risk assessments that take place must use this list. To view organisational threats, click on “RA Setup” from the main organisation homepage, then select “Organisation Threats”.

Threat Types

Adding new threat types

New threat types can be added by clicking on the “New Threat Type” link in the sidebar. Threat types are placeholders to group together threats and therefore only require a name.

Deleting threat types

Threat types can only be deleted when there are no threats attached to them. Click on a threat type that needs to be deleted and click “Delete Threat Type” from the left hand sidebar.

Adding new threats

New threats can be added by clicking on the “New Threat” link in the sidebar. As well as name, description and threat type, other attributes exist that need to be defined. These threat attributes are described belowbelow.

• Threat Reference - This is an organisation defined reference for the threat, there is not default but it is recommended that a logical naming scheme is used.
• Duration Flag - Some threats could cause an impact more because they affect a resource for a time period that actually has a direct impact. For example, within an office based business, a power cut might cause very little direct impact but would render an office unusable. The impact can then be derived from the impact that was assessed during the BIA.

1.1.3.5       Threat

Threat to resource mapping

Different threats only affect certain types of resources. For each threat that is entered into Abriska, it must be linked to each of the default resource types. This linking is shown within Figure 6 - Threat to resource mapping. To access this list, click on the “Link Threats to Resources” linkfrom asthe highlightedthreat greenlist in Figure 4 - Threat list.sidebar. Figure 6 - Threat to resource mapping For each of the default resource categories (People, Premises etc.), a tick or cross will be shown against each threat. To edit this mapping, click on the category name at the top (Equipment, Information etc)etc.) and a form listing organisation threats will be displayed. Tick the checkboxes next to the required threats and “Submit”.

Resource threat linking hierarchy

To allow an additional level of granularity to be added to this relationship, individual resources or resource sub-categories can have a customised threat linking. From the “Resource Threat Linking” page, click on the “Resource Hierarchy View” (highlighted red in Figure 6 - Threat to resource mapping). The resource hierarchy will be displayed (shown in Figure 7 - Customising the threat to resource mapping hierarchy).View”. Figure 7 - Customising the threat to resource mapping hierarchy If a resource is modified to have a unique threat mapping, any child resource of that resource will inherit the parent’s customised mapping. 1.1.3.7       Threat

Threat to control mapping

If a risk assessment is being used in conjunction with the control maturity assessment,assessment, each threat needs to be linked through to one or more controls. controls. This mapping indicates that the chosen control helps to mitigate a threat by reducing its vulnerability. If no controls are linked to a threat, an error will be highlighted in red. 1.1.3.8       Threat

Threat attributes

If the impact variable is setupset up to calculate risk against then the organisation attributes (i.e. Confidentiality, Integrity and Availability). The default values can be assigned at an organisation level. If values are assigned at this level, these will become default for each entity risk assessment unless specified at a division level.