The Capability of a person or entity to cause harm depends on the following factors:

  1. Motivation - Identify the root cause of why a person would act to harm the organization, because removing the motivation reduces the level of risk. For example, an employee may be motivated to steal from his or her employer by the need to support a drug habit. The prevalence of this motivation can be reduced through drug testing and by training managers to watch employee behaviour for signs of drug abuse.
  2. Experience - How much experience or training does the person have in the methods available to exploit a control weakness? An employee of a credit card processing company may already know every step needed to process payments and how effective each control is. Compare this with an outside criminal who decides to steal customer information from the same company and must first learn its systems and processes before he or she can identify the deficient controls.
  3. Resources - How much time, money, personnel and technology does the Threat have available to exploit the Vulnerability?
  4. Prevalence - How many people or entities are potential Threats? The more potential Threats there are, the greater the likelihood that someone will exploit the Vulnerability.
People Risk

Note that the Experience and Resource levels of the Threat should be weighed against the Complexity of the Control: the more complex the Control, the greater the Experience and Resources needed to exploit it. In the example above, a control that is trivial for an insider who knows the payment process may still be a real barrier to an outsider who must first learn it.