A threat is defined as \u201ca person or thing likely to cause damage or danger.\u201d \u00a0Threats are all around us, but we shouldn\u2019t treat all threats as equal.\u00a0 Too often we fail to identify threats because they aren\u2019t readily apparent or we consider them to be too small.<\/p>\n
Threats and vulnerabilities are both part of the overall risk equation.\u00a0 While organizations are getting better at identifying and fixing weaknesses, many still don’t understand the potential threat landscape.\u00a0 We’ve all heard, “Oh no one would ever want to attack us. We’re so small and our systems have no value.”\u00a0 I can hear Target saying that about their HVAC systems. Malicious hackers can use anything connected to a production network in order to gain access. \u00a0It shouldn\u2019t be assumed that a small target means it can\u2019t be hit.<\/p>\n
All organizations should conduct assessments to understand the multitude of threats they face both in and out of their cybersystems. Threat modeling is still a new arena in security, but it’s gaining in prevalence.\u00a0 In CSOOnline (http:\/\/www.csoonline.com\/<\/a>), George V. Hulme has an article, “Can threat modeling keep security a step ahead of the risks<\/a>?” where he makes a case for more effective threat modeling.\u00a0He references how a CISO uses threat modeling to understand the organization\u2019s risks, prioritize security spending, and focus security efforts.<\/p>\n