- Treat threat and adversary data with the utmost security.
- Ensure that any physical notes/drawings are erased and destroyed once digitally recorded.
- Ensure that any digital recordings of this process are kept secure and encrypted.
- Consider who has physical and visual access to the room where this process takes place, and whether the room can be secured if the activity spans long or overnight breaks.
- Requires the outputs of a process or data mapping exercise.
- Give participants a "cheat sheet" of threats.
Explain the types of threats.
- Confidentiality: If unauthorized individuals find out an asset/process exists.
- Control: If an asset/process can be accessed by unauthorized individuals.
- Integrity: If an asset/process is changed without permission.
- Availability: If an asset/process becomes unavailable.
- Consistency: If an asset/process becomes unreliable. (Some use Identity instead of, or in addition to, Consistency: if an asset/process can be spoofed to appear as owned by or coming from someone else.)
- Auditability: If you cannot verify that an asset/process is secure.
- Identify an "interaction line" from the process map to start with.
- Generate a list of threats that would cause that interaction to fail.
- Mark the back of the post-it with the interaction name or number.
- Write each threat and its impact on post-its and arrange them in an orderly way.
- If multiple risks cause the same consequence, create a new post-it for that consequence near the new risk.
- Continue doing this for all the interactions in the critical processes.
- Discuss and rearrange threats as groupings emerge.
- Label threat clusters that appear.
- If any of the impacts identified in the pre-mortem or other process-mapping exercises are not covered, ask participants where they would go.
- Take photos of the threats once you have finished enumerating them.
- Write risks on one set of post-its and impacts on another color of post-its to make it easy to keep track.
- Look at the "CVSS v3 Base Metrics" for an example of the severity of different threats.
- Give participants a pen and three sticky note pads.
Explain the topic and the categories.
- Staff/People - (which includes families, friends, and beneficiaries): temporary or permanent physical injury, temporary or longer-term psychological damage, death, legal costs, cost of medical treatment, loss of morale or trust in management.
- Organization - loss of or damage to assets, operational inefficiency, loss of program quality or outright suspension; loss of reputation; loss of funding.
- Program - reduced program quality, temporary suspension of the program, forced termination of the program.
- Instruct each person to generate DIRECT impacts based upon the existing threat clustering from Threat Identification.
- Include only one impact per sticky note.
- Have one participant quickly describe an impact, then place it on the board, writing alongside it the threat that causes it.
- Invite others to place similar or identical impacts in proximity and quickly describe how each can occur.
- Repeat the process until all impacts are included.
- Have participants add stickies for any secondary/cascading impacts.
- Discuss and rearrange impacts as groupings emerge.
- Label impact clusters that appear.
- Tell participants to write multiple impacts per color.
- Look for opportunities to create sub-groups.
- Limit the time frame for discussion.
- Take photos of the impact clusters once you have finished enumerating them.
Explain the topic and the categories.
- "History – a past incidence or pattern of attacks on similar organizations."
- "Intent – specific threats, a demonstrated intention or mindset to attack."
- "Capability – the wherewithal to carry out an attack."
- Brainstorm adversaries who have demonstrated a likelihood to impact their work or one of the processes.
- Pick an adversary and write their name on the board.
- Write down the specific instances of adversary history, intent, and capability that the participants announce.
- Repeat the process until all adversaries are completed.
- Limit the time frame for discussion.
- Take photos of the adversary lists.
- Create a post-it for each impact.
- Place two points on the wall. On one side are "Inconvenient" impacts that disrupt the organization in a very small way. On the other side are "Critical" impacts that may pose life-safety risks to employees, partners, or the general public.
- The low end of the scale might include a fire alarm that causes staff to lose half an hour of work time but does not affect any short- or long-term activities.
- The high end of the scale would include events such as a fire that destroys the organization's headquarters and endangers staff lives, or legal issues that cause termination of the program.
- Place each item along the severity line from least to most severe impact.
- Give each item its own place on the scale. No two items can be the same severity.
- Listen carefully to every point of deliberation.
- As risks are placed on the wall, the trainee can use other already-ranked risks to help participants identify the right place: "Is a robbery more or less severe than a fire?"
- Take photos of the impact scale once you have finished it.
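The ranking rules above (place each new impact by comparing it against items already on the wall, and never let two items share a position) can be captured as code so the photographed result can be re-checked later. The following is an added example, not part of the original facilitation notes; the impact-area labels, the `Impact` record, and the sample impacts and scores are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Callable, List

# Impact areas from the workshop cheat sheet (labels assumed as canonical)
IMPACT_AREAS = {"Staff/People", "Organization", "Program"}


@dataclass
class Impact:
    area: str          # one of IMPACT_AREAS
    description: str
    threat: str        # the threat written alongside it on the board


def rank_impacts(impacts: List[Impact],
                 more_severe: Callable[[Impact, Impact], bool]) -> List[Impact]:
    """Place impacts on the Inconvenient..Critical line, least to most severe.

    Each new item is compared only against already-ranked items (binary search,
    so the facilitator asks the fewest questions), and a tie is rejected because
    no two items may share a position on the scale."""
    scale: List[Impact] = []
    for imp in impacts:
        if imp.area not in IMPACT_AREAS:
            raise ValueError(f"unknown impact area: {imp.area!r}")
        lo, hi = 0, len(scale)
        while lo < hi:
            mid = (lo + hi) // 2
            above = more_severe(imp, scale[mid])
            if above == more_severe(scale[mid], imp):   # neither or both: a tie
                raise ValueError(f"tie: {imp.description!r} vs {scale[mid].description!r}")
            lo, hi = (mid + 1, hi) if above else (lo, mid)
        scale.insert(lo, imp)
    return scale


# Constructed sample: the page's fire-alarm and HQ-fire ends of the scale plus a robbery.
SAMPLE_IMPACTS = [
    Impact("Organization", "Half hour of staff time lost", "fire alarm"),
    Impact("Staff/People", "Staff lives endangered, HQ destroyed", "fire at headquarters"),
    Impact("Organization", "Laptops and records stolen", "robbery"),
]
# Stands in for the room's judgment during the demo (constructed scores, 1 = inconvenient).
SAMPLE_SCORE = {"fire alarm": 1, "robbery": 5, "fire at headquarters": 9}


def demo() -> List[str]:
    ranked = rank_impacts(SAMPLE_IMPACTS,
                          lambda a, b: SAMPLE_SCORE[a.threat] > SAMPLE_SCORE[b.threat])
    return [i.threat for i in ranked]   # least to most severe
```

In the workshop the `more_severe` callable is the room's answer to the facilitator's question; here a constructed score table answers it.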
Threat Identification (30 minutes per process):
Impact Identification (30 minutes per process): This exercise has the trainee lead the participants on a brainstorming of hypothetical consequences (impacts) when the threats identified earlier occur.
Adversary Exploration (Likelihood):
Impact Ranking: The goal of this exercise is to have the trainee lead the host organization in classifying the severity of the possible impacts from the threats they have just explored.