The SAFETAG approach to Risk Assessment & Agency Building
Risk Assessment & Analysis
Functionally, SAFETAG is an information security risk assessment framework. Risk assessment is a systematic approach to identifying and analyzing risks associated with potential hazards to organized human activities. SAFETAG focuses this approach on information security risks. A SAFETAG audit will work to collect the types of information listed in sections below in order to assess the risks an organization faces.
Risk is the current assessment of the possibility of harmful events occurring. Risk is assessed by comparing the threats an actor faces with their vulnerabilities, and their capacity to respond to or mitigate emergent threats.
The SAFETAG evaluation revolves around collecting enough information to identify and assess the various risks an organization and its related actors face so that they can take action strategically.
SAFETAG breaks the risk analysis down into three parts: Program Analysis, Vulnerability Analysis, and Threat Analysis.
Program analysis identifies the priority objectives of the organization and determine its capacities. This process helps the auditor identify and describe the activities, actors, and capacities of an organization.
Definition: The practices and interactions that the organization carries out in order to accomplish their goals. This includes any activity that the organization carries out to accomplish its goals and those that allow the organization to function.
Example: Organizing conferences, publishing press releases, sending out newsletters, legal aid clinics, conducting research, making payments, fund-raising, renewing legal registration status.
- What is the main purpose of the organization?
- What are the processes the organization takes part in and executes to carry out their work?
Definition: The staff, volunteers, partners, beneficiaries, donors, and adversaries associated with the organization.
Example: The core organizational staff, the volunteers, maintenance, cleaning, security, or other non-critical staff; the partner organizations; the individuals and groups that the organization provides services to; groups of unorganized individuals who are opposed to organizational aims, governmental and non-governmental high-power agents and organizations that are opposed to the organizations aims.
- What staff does the organization have?
- Are their volunteers, maintenance, cleaning, security, or other non-critical staff who have access to the office?
- Who does the organization serve?
- Does the organization have any partners?
- Who are the organizations beneficiaries?
- Who is threatened by the work of the organization?
- Who has opposed the organization in the past or might do so in the future?
Understand the organisation’s exposure to threats, points of weakness and the ways in which the organisation may be affected.
Definition: An attribute or feature that makes an entity, asset, system, or network susceptible to a given threat.
Example: Poorly built or unmaintained hardware, software, or offices as well as missing, ignored, or poor policies or practices around security.
Threat analysis is the process of identifying possible attackers and gathering background information about the capability of those attackers to threaten the organization. The basis of this information is a potential threat's history of carrying out specific threats, their capability to carry out those threats currently, and proof that the threat has intent to leverage resources against the target.
Definition: A threat is a possible attack or occurrence that has the potential to harm life, information, operations, the environment, and/or property.
Example: Threats can range from fire, or flood, to targeted malware, physical harassment, or phishing attacks.
Definition: The types of threats the attacker has used historically and and the types of actors which have been targeted by those threats.
- What history of attacks does the threat actor have?
- What techniques have they used? Have they targeted vulnerabilities that the organization currently has?
- Have they targeted similar organizations?
- What is known about the types of threats used by a threat actor to attack similar organizations?
Definition: The means that the attacker has to carry out threats against the organization.
Example: This includes, but is not limited to technical skill, financial support, number of staff hours, and legal power.
- Does the threat actor have the means to exploit a vulnerability that the organization currently has?
- Does the threat actor have the means to leverage widespread threats against all similar organizations, or will they have to prioritize their targets?
Definition: The level of desire for the attacker to carry out threats against the organization.
Example: Intent can be goals or outcomes that the adversary seeks; consequences the adversary seeks to avoid; and how strongly the adversary seeks to achieve those outcomes and/or avoid those consequences.
- Does the threat actor currently have the desire to conduct an attack against this type of organization?
- Is the organization a priority threat target for the threat actor?
SAFETAG differs from many risk assessment tools because it aims to build the host's and staff's capacity so that they are able to address the risks that the auditor has identified. SAFETAG is designed to provide in-audit activities and training that increase an organization's agency to seek out and address security challenges within their organization. To do this an auditor must collect information that allows them to identify organizational areas of strength and weakness - for instance staff expertise, financial resources, willingness to learn, and staff time.
A common refrain among auditors, software developers and other specialists in this sector is that digital security is not about technology; it is about people. This is undeniably true, and the SAFETAG modules — despite their more direct fixation on technology — acknowledge this insight by emphasizing the educational and persuasive roles played by your findings report.
Definition: The combination of strengths, attributes and resources available within the organization that can be used to reduce the impact or likelihood of threats.
Example: Technical skill, financial support, staff and management time, internal processes, relationships, and legal clout.
Definition: The combination of weaknesses, assumptions, regulations, social or cultural practices, and obligations that get in the way of an organization effectively managing digital security risk.
Example: Lack of funding, lack of authority within an organization to mandate practices to their staff, resistance to change, high staff turnover, or digital illiteracy.