Understanding and Developing a Threat Assessment Model

The wide development of the mobile Internet technology is creating the opportunity for companies to extensively utilise computer systems for the delivery of services. New business models, which rely on electronic payment systems, are emerging and each one is creating a vulnerability to the Critical National Information Infrastructure (CNII). The opportunity for deploying offensive information warfare tactics against the CNII will be greatly enlarged from the introduction of such systems and the open government policy is greatly affecting the above. Organisations have been forced to allocate considerable resources for protecting their information assets. Unfortunately the opportunity still exists for both protected and unprotected systems to be exploited with catastrophic results. Modern security management methods now acknowledge that most risks cannot be completely eliminated and that they need to be managed in a cost effective manner. This paper will concentrate on the development of a methodology for the assessment and analysis of threat and vulnerabilities within the context of a security risk management. We will discuss a threat and vulnerability assessment method developed with the needs of mobile computer systems in mind. This method consists of four stages: a) Assessment Scope, b) Scenario Construction & Modelling, c) Threat Agent & Vulnerability Analysis, and d) Stakeholder Evaluation. This method actively involves stakeholders and focuses upon a technical, socio-technical and business aspect of the system.