Know Thy Enemy:
Cataloguing Agents of Threat for Improved Risk Assessments

Speakers: Timothy Casey and Steve Mancini

When risk managers assess threats to information assets, they have to understand the potential human threat agents: the categories of people who can harm those information assets. Historically, however, this has been challenging. A key problem is the lack of industry standards or reference definitions of agents. Assessors often have different concepts of even the most common agents, and interpret a seemingly simple term such as “spy” very differently, making it difficult to share information or apply it consistently.

As a result, risk management projects often experience threat creep: threat definitions are repeatedly renegotiated as the project progresses, causing many delays. Even if a team agrees on the definitions, information about threats is often fragmented and sensationalized, making it difficult to understand the real threat and how to prioritize it. Additionally, some agents attract considerable publicity, so the most-publicized agents appear to be the biggest threat and receive a disproportionately large share of limited mitigation resources.

A cross-organizational team of senior Intel information security specialists decided to create a standardized set of threat agent archetypes, with the goal of improving the accuracy and efficiency of risk assessments. Unable to find a suitable set already in use, they developed their own Threat Agent Library of 23 agent archetypes, each uniquely defined. The library includes both the “usual suspects” and characters that are easily overlooked if not explicitly listed.

The standardized threat agent approach was only recently deployed internally but is already making an impact. It was incorporated into Intel’s main business security and acquisitions risk assessment tools, where it has dramatically streamlined the process. A key manufacturing group reported a 60% improvement in total threat assessment time, reducing the negotiation period from months to days. The agent archetypes also enable focused data collection and accurate threat ranking, allowing Intel IT architecture and mitigation groups to better prioritize resources. Externally, the US DHS has incorporated the library as a cornerstone methodology of its IT Sector Baseline Risk Assessment.

This presentation will describe these elements in further detail, so that the audience can understand the problem we addressed, the basics of the library itself and where to access it, and how to apply the concepts to common risk assessment situations.