Control Limitations & Complexity of Exploit


In discussing Vulnerabilities, we have so far examined the type of Control (Preventative, Corrective and Detective), how well the Control performs (Effectiveness and Efficiency) and its Scope (whether the Control limits the loss of Confidentiality, Integrity or Availability). We also need to consider the challenges, or limitations, that the Control presents to a Threat:

  1. Complexity - How difficult is it to exploit the Control? Does the exploit require significant resources (e.g. experience, training, money, technology, planning, etc.), which would create a disincentive for most Threats? In effect, the greater the complexity involved in breaking the Control, the less likely it is that the Control will be exploited.
  2. Access - What level of access to the Control is required for an exploit to be successful? Is the Control freely accessible on the Internet, or is it protected within a guarded data center? How many people (potential Threats) could reach the Control with the resources reasonably available to them?
  3. Privilege - Assuming the Threat can overcome the challenges of Complexity and Access, what level of Privilege will the Threat receive? For example, a hacker (the Threat) may be able to run a script (an exploit) to gain access to an Internet site. The severity of the exploit would vary greatly based on the level of authority or privilege that the hacker would gain. If the exploit only allows the hacker to run reports on the system, it would have a lower severity than if the exploit gave the hacker system administrator access, with the power to change or delete code, monitor user activity, etc.
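The following is an added worked example, not code from the original post, showing one way to turn the three factors above into a comparable score. The 1..5 ordinal scale, the rule that Complexity lowers likelihood while Access raises it, and the use of Privilege as the sole driver of severity are this example's own assumptions; the post gives no formula. The sample Controls are constructed to mirror the post's own contrast: the same script against the same Internet site, differing only in the Privilege gained, alongside a Control that is only reachable inside a guarded data center.

```python
from dataclasses import dataclass

# Ordinal scale assumed for every factor: 1 (low) .. 5 (high).
SCALE_MAX = 5


@dataclass(frozen=True)
class Control:
    name: str
    complexity: int  # resources needed to defeat the Control (5 = very hard)
    access: int      # how reachable the Control is (5 = open to the whole Internet)
    privilege: int   # authority the Threat gains on success (5 = full administrator)

    def __post_init__(self) -> None:
        for factor in ("complexity", "access", "privilege"):
            value = getattr(self, factor)
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{factor} must be 1..{SCALE_MAX}, got {value}")


def likelihood(control: Control) -> float:
    """Chance the Control is exploited, 0..1 (assumed combination rule).

    Complexity is inverted: the harder the exploit, the fewer Threats can
    afford it. Access scales it up: an Internet-facing Control is reachable
    by far more potential Threats than one inside a guarded data center.
    """
    ease = (SCALE_MAX + 1 - control.complexity) / SCALE_MAX  # 5 -> 0.2, 1 -> 1.0
    reach = control.access / SCALE_MAX                        # 1 -> 0.2, 5 -> 1.0
    return round(ease * reach, 3)


def severity(control: Control) -> float:
    """Impact if the exploit succeeds, 0..1: driven by Privilege alone (assumed)."""
    return round(control.privilege / SCALE_MAX, 3)


def risk(control: Control) -> float:
    """Likelihood x Severity, 0..1."""
    return round(likelihood(control) * severity(control), 3)


def rank(controls) -> list:
    """Control names ordered from highest to lowest risk."""
    return [c.name for c in sorted(controls, key=risk, reverse=True)]


# Constructed sample data (not from the post): same exploit against the same
# Internet site with different Privilege outcomes, plus a guarded console.
SAMPLE_CONTROLS = [
    Control("web login (exploit yields report access only)", complexity=1, access=5, privilege=2),
    Control("web login (exploit yields sysadmin access)", complexity=1, access=5, privilege=5),
    Control("data-center console (guarded, badge required)", complexity=2, access=1, privilege=5),
]

if __name__ == "__main__":
    for c in sorted(SAMPLE_CONTROLS, key=risk, reverse=True):
        print(f"risk={risk(c):.2f}  L={likelihood(c):.2f}  S={severity(c):.2f}  {c.name}")
```

Run as a script, it lists the sample Controls from highest to lowest risk: the two web-login cases share the same likelihood, so Privilege alone separates them, while the data-center console keeps a low score despite granting full administrator rights because so few potential Threats can reach it.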