Don’t print this out! It’s too long.

The German BSI has an extensive list of threats.

Comprehensive? Well, pretty good. It is the kind of thing that could keep a client’s IT staff occupied for weeks, if they had a hard copy to annotate and work with.

However, it is bottom-up rather than top-down: it deals with details (i.e. individual threats) rather than, as FMEA does, with failure modes and their effects on the business.

It’s interesting that classical Business Continuity Planning works more along the lines of an FMEA than a Threat-Risk Analysis (TRA). BCP identifies the business processes that are most essential and hence must be brought back into operation with the most urgency – in other words, which failures would most critically affect the operation of the business.

The TRA approach has many flaws: threats are practically infinite and mostly unknown; vulnerabilities are infinite and unknowable; the two interact in complex ways, so the exercise degenerates into whack-a-mole; and there is not enough data for any meaningful statistical analysis.

FMEA, on the other hand, identifies criticality regardless of the cause: it asks what happens to the business when something fails, not what made it fail.
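To make the cause-agnostic point concrete, here is an added illustration (not from the post, and not BSI's or anyone else's tooling) of a classical FMEA worksheet: each failure mode is scored for severity, occurrence and detectability on the usual 1–10 scales, and the product (the Risk Priority Number, RPN) ranks them. The business processes and all scores are constructed for the example; note that no entry names a threat, yet the ranking still tells you what to restore first.

```python
"""FMEA-style criticality ranking (added illustration, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    process: str      # business process affected
    effect: str       # what the business sees when it fails
    severity: int     # 1 (negligible) .. 10 (catastrophic)
    occurrence: int   # 1 (rare) .. 10 (almost certain)
    detection: int    # 1 (noticed at once) .. 10 (practically undetectable)

    def rpn(self) -> int:
        """Risk Priority Number as used in classical FMEA: S x O x D."""
        for score in (self.severity, self.occurrence, self.detection):
            if not 1 <= score <= 10:
                raise ValueError("FMEA scores are on a 1-10 scale")
        return self.severity * self.occurrence * self.detection


# Constructed worksheet. Deliberately no column for the cause (malware, flood,
# misconfiguration, ...): the ranking depends only on the effect on the business.
WORKSHEET = [
    FailureMode("order intake", "web shop unreachable", 8, 4, 2),
    FailureMode("payroll", "salaries not paid on time", 7, 2, 3),
    FailureMode("customer records", "records silently corrupted", 9, 3, 8),
    FailureMode("intranet wiki", "internal docs unavailable", 3, 5, 1),
]


def rank(worksheet):
    """Return failure modes ordered from most to least critical by RPN."""
    return sorted(worksheet, key=lambda fm: fm.rpn(), reverse=True)


def recovery_order(worksheet):
    """BCP-style view of the same worksheet: which processes to restore first."""
    return [fm.process for fm in rank(worksheet)]


if __name__ == "__main__":
    for fm in rank(WORKSHEET):
        print(f"{fm.rpn():4d}  {fm.process:18s} {fm.effect}")
```

The silent-corruption case comes out on top not because it is the most likely event but because it is the hardest to notice; that is the kind of priority a flat threat list does not surface, and it holds no matter which of the catalogue's hundreds of threats eventually causes it.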


About the author

Security Evangelist
