Threat Scoring and Risk Management

Threat Intelligence teams and Information Security teams often struggle to communicate to leadership why a specific vulnerability should be taken seriously or given more precedence, especially when the CVSS score is low.

This post is a brief explanation of how to use a threat scoring matrix to consistently evaluate threat actors, then combine that score with a CVSS score to communicate the true risk posed to your organisation. It provides a measurable score that can easily be integrated with CVSS scoring systems, thereby also facilitating risk scoring automation. It also allows leadership to make a well-informed decision, because the vulnerability is considered within the context of a comprehensive profile of the threat actor seeking to exploit it. We discuss the example matrix metrics below, and you may download the Threat Actor Impact Scoring Matrix PDF from here [1]. It uses a five-point scale to score a threat actor based on nine criteria: determination, motivation, technical resources, financial resources, intelligence resources, skills/expertise, time they went undetected, team size, and time available to dedicate to malicious activities. It then scores the target (presumably you) on three criteria: probability of a successful attack, stage of any technical exploit, and the attacker's focus.
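As an added worked example (not code from the post or from the matrix PDF), the script below turns the matrix described above into something a risk-scoring pipeline could run: the nine actor criteria, the three target criteria and the 1-5 scale are taken from the post, while the equal weighting of criteria, the blending of the threat score into the CVSS base score and the sample actor profiles are assumptions made here for illustration. The severity bands are the CVSS v3.x qualitative ratings.

```python
"""Worked example of a threat-actor scoring matrix combined with CVSS.

Criteria names and the five-point scale follow the post. The weighting
(equal-weight means) and the blend with CVSS are ASSUMED for illustration;
they are not the post's own formula, so tune them to your programme.
"""
from statistics import mean

# Nine threat-actor criteria from the post, each scored 1 (low) to 5 (high).
ACTOR_CRITERIA = (
    "determination", "motivation", "technical_resources",
    "financial_resources", "intelligence_resources", "skills_expertise",
    "time_undetected", "team_size", "time_available",
)
# Three target-side criteria from the post, same scale.
TARGET_CRITERIA = ("probability_of_success", "exploit_stage", "attacker_focus")


def _check_scores(scores: dict, criteria: tuple) -> None:
    """Reject missing/unknown criteria and out-of-range values so that a
    half-filled matrix cannot silently produce a low score."""
    missing = set(criteria) - scores.keys()
    extra = scores.keys() - set(criteria)
    if missing or extra:
        raise ValueError(f"missing={sorted(missing)} unexpected={sorted(extra)}")
    for name, value in scores.items():
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name}: scores are integers 1..5, got {value!r}")


def threat_score(actor: dict, target: dict) -> float:
    """Combined threat score on the post's 1-5 scale.

    Assumption: the actor criteria are averaged, the target criteria are
    averaged, and the two means are averaged together (equal weight)."""
    _check_scores(actor, ACTOR_CRITERIA)
    _check_scores(target, TARGET_CRITERIA)
    return round((mean(actor.values()) + mean(target.values())) / 2, 2)


def combined_risk(cvss: float, threat: float, threat_weight: float = 0.5) -> float:
    """Blend a CVSS base score (0-10) with the threat score (1-5, rescaled to 0-10).

    Assumption: a weighted average, so a low-CVSS issue targeted by a
    capable, focused actor is raised rather than left at its CVSS value."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score must be 0..10, got {cvss}")
    if not 1.0 <= threat <= 5.0:
        raise ValueError(f"threat score must be 1..5, got {threat}")
    if not 0.0 <= threat_weight <= 1.0:
        raise ValueError("threat_weight must be between 0 and 1")
    threat_on_ten = threat / 5 * 10
    return round((1 - threat_weight) * cvss + threat_weight * threat_on_ten, 1)


def severity_band(score: float) -> str:
    """CVSS v3.x qualitative severity rating for a 0-10 score."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Constructed sample profiles (not real actors): a well-resourced, persistent
# group that has weaponised the bug and is focused on this target, versus an
# opportunistic actor with nothing in place.
CAPABLE_ACTOR = {
    "determination": 5, "motivation": 5, "technical_resources": 4,
    "financial_resources": 5, "intelligence_resources": 4, "skills_expertise": 5,
    "time_undetected": 4, "team_size": 4, "time_available": 5,
}
CAPABLE_TARGET = {"probability_of_success": 4, "exploit_stage": 4, "attacker_focus": 5}
OPPORTUNIST_ACTOR = {name: 1 for name in ACTOR_CRITERIA}
OPPORTUNIST_TARGET = {name: 1 for name in TARGET_CRITERIA}


def assess(cvss: float, actor: dict, target: dict) -> dict:
    """One record per vulnerability/actor pair, ready for a ticket or dashboard."""
    threat = threat_score(actor, target)
    risk = combined_risk(cvss, threat)
    return {"cvss": cvss, "threat": threat, "risk": risk,
            "cvss_band": severity_band(cvss), "risk_band": severity_band(risk)}


if __name__ == "__main__":
    # Same low-CVSS vulnerability (constructed base score 3.2) seen through
    # two different actor profiles.
    for label, actor, target in (("capable", CAPABLE_ACTOR, CAPABLE_TARGET),
                                 ("opportunist", OPPORTUNIST_ACTOR, OPPORTUNIST_TARGET)):
        print(label, assess(3.2, actor, target))
```

With these assumptions the same CVSS 3.2 finding stays Low against the opportunistic profile but is lifted to Medium against the capable one, which is the kind of contextual movement the post wants leadership to see; the `_check_scores` guard is there so an incomplete matrix fails loudly instead of quietly lowering the score.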

