Information Gathering and Risk Assessment

On the ISO2700 forum one user gave a long description of his information gathering process but expressed frustration over what to do with it all: the assets, the threats and so forth, and how to turn it into a risk assessment.

It was easy for the more experienced of us to see what he was missing.

He was missing something very important — a RISK MODEL.
The model determines what you look for and how it is relevant.

Taxonomies are great.
More years ago than I care to mention, in my first childhood, I encountered a demonstration of a computer running what was called the “Animals” program. I didn’t know at the time, but it was written in BASIC. Later I found the code. It was an interactive binary decision tree backed by a database of past answers.

It started by asking “Are you thinking of an animal?” and then went on to try to determine the animal based on past recorded responses. If it failed it asked you for a differentiating question.

No doubt the originator of the program knew of the phylogenetic tree of life – but the reality was that the kids who had used this didn’t, and their classification was a mixture of Aristotelian nonsense and religious prejudice – see
It began with “has two legs” as the first bifurcation. It later became confused between two-legged creatures that didn’t fly but were birds, and two-legged creatures that weren’t birds but could swim. There was no provision for birds that could both swim and fly.

Why, you may ask, is this relevant?
Well the original poster went on to ask:

 Please share some templates that may assist me in completion of
 Information Gathering and subsequently RA.

What he needs, what anyone in this situation needs, is not so much a ‘template’ as a ‘model’.
The model will tell you what is and isn’t relevant.

At this point I usually point people to the classical models.
Yes, there are other models, but there are damn good reasons for the classical models, and like so many things in life you need to know the basic rules well before you try breaking them. Often it’s not worth the trouble of breaking them.

We can and do argue about that, but unless you understand it and have applied it a few times you won’t understand the arguments against it.

For example:

The whole point of the classical model is that you can do much more than simply build lists or taxonomies. It gives you a reason. If you don’t know what you are protecting against, then talking about controls is meaningless. If you don’t know how serious the risk is, then talking about controls is meaningless. I say RISK, not THREAT. That meteor that flew past yesterday could, if it had hit, have wiped out a major city. But we didn’t institute any controls, because there was no RISK.

So, sadly, we end up with questions like this:

Controls exist to address the threats?

No, controls exist to address RISK. They *may* do that by addressing the threat in some manner, or perhaps you are one of those people who will argue the point that if you squint hard enough and fiddle with the definitions the right way then all controls are “addressing” threats, for some meaning of “addressing”. Of course that ignores many opportunities for mitigating the risk by addressing the vulnerability or applying ‘The Three As’.
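To make the meteor point and the risk-versus-threat point concrete, here is a small worked example. It is added here and is not code from the original post; it assumes the common form of the classical equation, risk as likelihood × vulnerability × impact (the post does not spell the equation out), and all scenario names, probabilities and loss figures are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pairing from the information-gathering phase (constructed data)."""
    asset: str
    threat: str
    in_scope: bool        # SCOPE decides whether the pairing is even assessed
    likelihood: float     # annual probability that the threat materialises, 0..1
    vulnerability: float  # probability the asset succumbs given the threat occurs, 0..1
    impact: float         # loss if the threat succeeds, in currency units


def risk(s: Scenario) -> float:
    """Assumed classical equation: annualised expected loss = likelihood x vulnerability x impact."""
    return s.likelihood * s.vulnerability * s.impact


def assess(scenarios, appetite: float):
    """Rank in-scope scenarios by risk and flag those above the organisation's appetite.

    Returns a list of (scenario, risk_value, exceeds_appetite), highest risk first.
    Out-of-scope pairings are dropped: the model, not the list, decides what is relevant.
    """
    scored = [(s, risk(s), risk(s) > appetite) for s in scenarios if s.in_scope]
    return sorted(scored, key=lambda row: row[1], reverse=True)


def apply_control(s: Scenario, *, likelihood_factor=1.0, vulnerability_factor=1.0,
                  impact_factor=1.0) -> Scenario:
    """Model a control as a multiplier on whichever term it actually changes.

    A control can act on the threat (likelihood), on the vulnerability, or on the
    impact; it addresses the RISK whichever term it touches.
    """
    return replace(
        s,
        likelihood=s.likelihood * likelihood_factor,
        vulnerability=s.vulnerability * vulnerability_factor,
        impact=s.impact * impact_factor,
    )


# Constructed sample register: the meteor is a real threat with a huge impact but
# negligible likelihood, so its RISK is negligible and warrants no control.
SCENARIOS = [
    Scenario("city data centre", "meteor strike", True, 1e-9, 1.0, 1_000_000_000),
    Scenario("customer web portal", "credential stuffing", True, 0.9, 0.5, 200_000),
    Scenario("field laptop", "theft of unencrypted device", True, 0.25, 0.8, 40_000),
    Scenario("company share portfolio", "market crash", False, 0.2, 1.0, 5_000_000),
]

RISK_APPETITE = 10_000  # constructed: the largest annualised loss the business will accept


if __name__ == "__main__":
    for s, r, over in assess(SCENARIOS, RISK_APPETITE):
        print(f"{s.asset:24} {s.threat:28} risk={r:>12,.2f} {'TREAT' if over else 'accept'}")

    # Two different ways of treating the portal risk: one acts on the vulnerability
    # (e.g. strong authentication), the other on the threat likelihood (e.g. rate limiting).
    portal = SCENARIOS[1]
    print("after vulnerability control:", risk(apply_control(portal, vulnerability_factor=0.1)))
    print("after likelihood control:   ", risk(apply_control(portal, likelihood_factor=0.5)))
```

Running it ranks the portal first and the meteor last, and shows that only the portal exceeds the constructed appetite; the two control calls make the same reduction in risk by touching different terms, which is the point about controls addressing risk rather than threats as such.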

But before all else you need to define SCOPE.
If you don’t, then you are in the ‘how long is a piece of string’ situation as far as assets and threats are concerned.

SCOPE will let you define your SOA.
Your SOA lets you define your OBJECTIVES.

But what you describe isn’t a Risk Analysis.

There are many methods of RA available to use that are applicable to ISO27K (we don’t do RA on stock investing!).

If you really want ‘templates’ look at

Any further and I’d refer you to google and NIST; they might refer you to Octave, Mehari or similar METHODS.

But you still need to have a MODEL, and that’s why I refer you to the Classical Equation.
