Step 3: Threat profiling

This phase helps to identify and prioritize threats and understand how they can manifest. Threat profiling starts with the identification of potentially relevant threats through discussion with key stakeholders and analyzing available sources of threat intelligence (e.g., an internal threat intelligence team or external commercial feeds).

Once the threat landscape is built, each threat it contains should be profiled. Threats can be profiled based on two key risk factors: likelihood of initiation — the likelihood that a particular threat will initiate one or more threat events — and threat strength, or how effectively a particular threat can initiate or execute threat events.

Threats can also be further profiled by separating them into an overarching group: adversarial, accidental, or environmental.

Step 4: Vulnerability Assessment

Once threat profiling is completed, the next phase is to identify the degree to which information assets are vulnerable against each identified threat. A vulnerability assessment is used to examine the extent of the relevance of each key control as well as the performance and quality of its implementation.

Each vulnerability must be assessed and expressed in terms of its relative strength of controls. The strength of controls can be calculated based on the stakeholder rating for that control, along with supporting information such as control characteristics, performance, deficiencies, and documentation.

At the end of the assessment, the practitioner will have gained a solid understanding of which information assets are vulnerable against which threat event.