Practical Threat Analysis and Risk Management

Threat analysis won't make you sleep any better at night, but it will help ensure that the right things keep you awake.

The last piece of the threat puzzle we'll discuss before plunging into threat analysis is the attacker. Attackers, also sometimes called “actors”, can range from the predictable (disgruntled ex-employees, mischievous youths) to the strange-but-true (drug cartels, government agencies, industrial spies). When you consider possible attackers, almost any type is possible; the challenge is to gauge which attackers are the most likely.

A good rule of thumb in identifying probable attackers is to consider the same suspects your physical security controls are designed to keep out, minus geographical limitations. This is a useful parallel: if you install an expensive lock on the door to your computer room, nobody will ask, “Do you really think the maintenance staff will steal these machines when we go home?”

Computer security is no different. While it's often tempting to say “my data isn't interesting; nobody would want to hack me”, you have no choice but to assume that if you're vulnerable to a certain kind of attack, some attacker eventually will probe for and exploit it, regardless of whether you're imaginative enough to understand why. It's considerably less important to understand attackers than it is to identify and mitigate the vulnerabilities that can feasibly be attacked.

Simple Risk Analysis: ALEs

Once you've compiled lists of assets and vulnerabilities (and considered likely attackers), the next step is to correlate and quantify them. One simple way to quantify risk is by calculating annualized loss expectancies (ALEs).

For each vulnerability associated with each asset, you estimate first the cost of replacing or restoring that asset (its single loss expectancy) and then the vulnerability's expected annual rate of occurrence. You then multiply these to obtain the vulnerability's annualized loss expectancy.

In other words, for each vulnerability we calculate: single loss expectancy (cost per incident) × expected annual rate of occurrence (incidents per year) = annualized loss expectancy (cost per year).

For example, suppose Mommenpop, Inc., a small business, wishes to calculate the ALE for denial-of-service (DOS) attacks against their SMTP gateway. Suppose further that e-mail is a critical application for their business; their ten employees use e-mail to bill clients, provide work estimates to prospective customers and facilitate other critical business communications. However, networking is not their core business, so they depend on a local consulting firm for e-mail-server support.

Past outages, averaging one day in length, have tended to reduce productivity by about one-fourth, which translates to two hours per day per employee. Their fallback mechanism is a fax machine, but since they're located in a small town, this entails long-distance telephone calls and is expensive.

All this probably sounds more complicated than it is; it's much less imposing expressed in spreadsheet form (Figure 1).

Figure 1. Itemized Single Loss Expectancy

The next thing to estimate is this type of incident's expected annual occurrence (EAO). This is expressed as a number or fraction of incidents per year. Continuing our example, suppose Mommenpop, Inc. hasn't been the target of espionage or other attacks by its competitors yet, and as far as you can tell, the most likely sources of DOS attacks on their mailserver are vandals, hoodlums, deranged people and other random strangers.

It seems reasonable to guess that such an attack is unlikely to occur more than once every two or three years; let's say two to be conservative. One incident every two years is an average of 0.5 incidents per year, for an EAO of 0.5. Let's plug this into our ALE formula:

950 ($/incident) × 0.5 (incidents/yr) = 475 ($/yr).

The ALE for DOS attacks on Mommenpop's SMTP gateway is thus $475 per year.

Now suppose some vendors are trying to talk the company into replacing their homegrown Linux firewall with a commercial firewall; this product has a built-in SMTP proxy that will help minimize but not eliminate the SMTP gateway's exposure to DOS attacks. If that commercial product costs $5,000, even if its cost can be spread out over three years (to $2,166 per year after 10% annual interest), such a firewall upgrade would not appear to be justified by this single risk.

Figure 2 shows a more complete threat analysis for our hypothetical business' SMTP gateway, including not only the ALE we just calculated but also a number of others that address related assets, plus a variety of security goals.

Figure 2. Sample ALE-Based Threat Model

In this example analysis, customer data in the form of confidential e-mail is the most valuable asset at risk; if this is eavesdropped or tampered with, customers could be lost (due to losing confidence in Mommenpop), resulting in lost revenue. Different perceived potentials in these losses are reflected in the single loss expectancy figures for different vulnerabilities. Similarly, the different estimated annual rates of occurrence reflect the relative likelihood of each vulnerability actually being exploited.

Since the sample analysis in Figure 2 is in the form of a spreadsheet, it's easy to sort the rows arbitrarily. Figure 3 shows the same analysis sorted by vulnerability.

Figure 3. Same Analysis Sorted by Vulnerability

This is useful for adding up ALEs associated with the same vulnerability. For example, there are two ALEs associated with in-transit alteration of e-mail while it traverses the Internet or ISPs, at $2,500 and $750, for a combined ALE of $3,250. If a training consultant will, for $2,400, deliver three half-day seminars for the company's workers on how to use free GnuPG software to sign and encrypt documents, the trainer's fee will be justified by this vulnerability alone.

We also see some relationships between ALEs for different vulnerabilities. In Figure 3 we see that the bottom three ALEs all involve losses caused by the SMTP gateway's being compromised. In other words, not only will an SMTP gateway compromise result in lost productivity and expensive recovery time from consultants ($1,200 in either ALE, at the top of Figure 3), it will expose the business to an additional $31,500 risk of e-mail data compromises, for a total ALE of $32,700.

Clearly, the ALE for e-mail eavesdropping or tampering caused by system compromise is high. Mommenpop, Inc. would be well-advised to call that $2,400 trainer immediately.
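The ALE arithmetic above (SLE × annual rate, summing rows that share a vulnerability as in Figure 3, and weighing a countermeasure's yearly cost against the ALE it addresses) as a small spreadsheet-in-code. This is an added example, not code from the article; the DoS row uses the article's own $950 and 0.5, while the SLE/ARO splits of the other rows are constructed so their ALEs match the dollar figures quoted in the text, and the amortization uses simple interest as an assumption because that reproduces the $2,166/yr figure.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of the ALE spreadsheet: an asset/vulnerability pair."""
    asset: str
    vulnerability: str
    sle: float  # single loss expectancy, $ per incident
    aro: float  # expected annual rate of occurrence, incidents per year

    @property
    def ale(self) -> float:
        # annualized loss expectancy = SLE x ARO
        return self.sle * self.aro


def ale_by_vulnerability(risks):
    """Sum the ALEs that share a vulnerability (the Figure 3 view)."""
    totals = defaultdict(float)
    for r in risks:
        totals[r.vulnerability] += r.ale
    return dict(totals)


def annualized_cost(price, years, annual_interest):
    """Spread a one-time purchase over `years` with simple annual interest
    (assumption: this reproduces the article's $5,000 -> ~$2,166/yr)."""
    return price * (1 + annual_interest * years) / years


def is_justified(annual_cost, risks, vulnerability):
    """A countermeasure pays for itself if its yearly cost does not exceed
    the combined ALE of the vulnerability it addresses."""
    return annual_cost <= ale_by_vulnerability(risks).get(vulnerability, 0.0)


# Constructed rows: DoS is the article's figures; the other SLE/ARO pairs are
# invented so the ALEs come out to $2,500 + $750 and $1,200 + $31,500.
MOMMENPOP = [
    Risk("SMTP gateway", "denial of service", 950, 0.5),
    Risk("customer e-mail", "in-transit alteration", 5_000, 0.5),
    Risk("billing e-mail", "in-transit alteration", 1_500, 0.5),
    Risk("SMTP gateway", "system compromise", 2_400, 0.5),
    Risk("customer e-mail", "system compromise", 63_000, 0.5),
]

if __name__ == "__main__":
    for vuln, total in sorted(ale_by_vulnerability(MOMMENPOP).items(), key=lambda kv: -kv[1]):
        print(f"{vuln:<25} ${total:>9,.0f}/yr")
    print("GnuPG training justified:", is_justified(2_400, MOMMENPOP, "in-transit alteration"))
    print("Firewall upgrade justified:", is_justified(annualized_cost(5_000, 3, 0.10), MOMMENPOP, "denial of service"))
```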

Problems with relying on the ALE as an analytical tool include its subjectivity (note how often in the example I used words like “unlikely” and “reasonable”) and, therefore, the fact that the experience and knowledge of whoever's calculating, rather than empirical data, ultimately determine its significance. Also, this method doesn't lend itself too well to correlating ALEs with each other (except in short lists as shown in Figures 2 and 3).

The ALE method's strengths, though, are its simplicity and its flexibility. Anyone sufficiently familiar with their own system architecture and operating costs, and possessing even a general sense of current trends in IS security (e.g., from reading CERT advisories and incident reports now and then), can create lengthy lists of itemized ALEs for their environment with little effort. If such a list takes the form of a spreadsheet, ongoing tweaking of its various cost and frequency estimates is especially easy.

Even given this method's inherent subjectivity (not completely avoidable in practical threat-analysis techniques), it's extremely useful as a tool for enumerating, quantifying and weighing risks. A well-constructed list of annualized loss expectancies can help you optimally focus your IT security expenditures on the threats likeliest to affect you in ways that matter.


Practical Threat Analysis Latest Version - Jan 2008


I would like to inform you that in January 2008 we released an updated version of the Practical Threat Analysis (PTA) Professional Edition tool (1.54 - build 1204). The latest version includes usability enhancements which we hope will increase productivity when building large threat models via the data entry screens. In addition, as of build 1202, PTA Professional can run on Windows Vista Ultimate 32 and 64 bit versions.

PTA Professional Edition is available for free download - I invite you to review the latest version's new features and download the updated software from the following link:

You are also invited to have a look at the updated versions of the PTA for PCI DSS and ISO 27001 freeware security libraries that can be downloaded from the following url:

This month we are celebrating the third year of the PTA Free Program initiative, which enables students, academic researchers and independent security consultants to use PTA free-of-charge for their professional missions. Let me take this opportunity to wish you success in your ongoing threat analysis projects and a continuing fruitful use of PTA. We are happy that the Practical Threat Analysis methodology and tool have been found productive by many thousands of professionals world-wide and have become the de-facto standard for calculative risk assessment projects.

Feel free to introduce PTA to your professional colleagues and do not hesitate to contact us when the usage period is about to end - we will be happy to send you renewal keys!

Yours Sincerely,

Zeev Solomonik

R&D - PTA Technologies

PTA - Practical Threat Analysis quantitative method


Dear colleagues,

I would like to inform you that on November 19, 2005 we released an updated version of PTA Professional (1.51 - build 1190) with major usability improvements. The latest version supports the popular ROSI (Return On Security Investment) quantitative criterion for comparing security solutions.

You are invited to review the latest version's new features and download a free copy of the software from the following link:

PTA – Practical Threat Analysis - is a quantitative method and a software tool that enables you to model the security perimeter, identify threats on an asset-by-asset basis and evaluate the overall risk to the system. The risk level, potential damage and countermeasures required are all presented in real financial values. PTA calculates the level of risk and the available mitigation. It advises on the most cost-effective way to mitigate threats and reduce the risk.

PTA is free-of-charge for students, researchers, software developers and independent security consultants. Feel free to introduce PTA to your professional colleagues - it is our contribution to the security community.

I'll be happy to have your comments and answer your questions on any issue.


Zeev Solomonik
Chief Technology Officer
PTA Technologies

Practical threat analysis tool for software systems


I ran into and downloaded a version of PTA (Practical Threat Analysis) tool that implements a calculative threat modeling methodology. They have a free program for students and independent software developers.

The tool enhances Mick Bauer’s ideas. It calculates threats and countermeasures priorities and produces the most effective risk reduction policy which reflects changes in system assets and vulnerabilities. Countermeasures’ priorities are expressed as a function of the system’s assets values, degrees of damage, threats probabilities and degrees of mitigation provided by countermeasures to the threats.

I have found it very productive to explicitly define the contribution of each countermeasure to the mitigation of a threat. They also have a very productive feature that lets me mark those countermeasures that are already implemented and see their quantitative effect on reducing the system risk.

I hope this may help someone.

Adi Amir