A Formal Methodology for Modeling Threats to Enterprise Assets

Enterprises usually execute business processes with the help of Information Technology (IT) services which, in turn, are realized by IT assets. Enterprise IT assets contain vulnerabilities that can be exploited by threats to cause harm to business processes and breach security of information assets. Hence, detection of threats is crucial for ensuring business continuity and protection of enterprise information security. Existing threat detection mechanisms are limited in scope owing to absence of methodologies for modeling different categories of threats uniformly. This paper presents a formal methodology that can model diverse types of threats to enterprise assets. The methodology provides sufficient flexibility to enterprises for defining threshold values of threat parameters that suit their specific needs and help them to compute probability of occurrence of threats.