threat_modelling

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
threat_modelling [2019/08/09 19:18] – neil
threat_modelling [2021/10/15 10:25] (current) – neil
Line 5: Line 5:
  
 You’ll sometimes see this described as “threat modelling” or understanding your "risk scenario". You’ll sometimes see this described as “threat modelling” or understanding your "risk scenario".
 +
 +If you are still no wiser about where you should start, try the UK National Cyber Security Centre's [[https://www.ncsc.gov.uk/cyberaware/actionplan|Cyber Security Self-Assessment Tool]].
  
 ====Key points ==== ====Key points ====
-  * [[threat_modelling#What are trying to protect?|What are trying to protect?]]+  * [[threat_modelling#What are you trying to protect?|What are you trying to protect?]]
   * [[threat_modelling#Create an information asset register|Create an information asset register]]   * [[threat_modelling#Create an information asset register|Create an information asset register]]
   * [[threat_modelling#Who is your threat?|Who is your threat?]]   * [[threat_modelling#Who is your threat?|Who is your threat?]]
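Review bot: the corrected key-point link `[[threat_modelling#What are you trying to protect?|What are you trying to protect?]]` only resolves if the section heading carries exactly the same text, so this edit and the heading rename in the next hunk must land together; in this diff they match. For the new NCSC line, the link label ("Cyber Security Self-Assessment Tool") does not match the URL path (`/cyberaware/actionplan`), so it is worth confirming that the URL still resolves to that tool and, since this is a page readers return to, recording the date the link was last checked next to it.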
Line 15: Line 17:
   * [[threat_modelling#Make this a regular thing|Make this a regular thing]]   * [[threat_modelling#Make this a regular thing|Make this a regular thing]]
  
-====What are trying to protect?====+====What are you trying to protect?====
 The reason you do this is that, without knowing the threats against which you’re trying to protect, you don’t know what mitigations you need to have in place. And, since you probably can’t do everything at once, you’ll need to understand the greatest threats you face, and so which are deserving of the greatest attention, and what measures are “nice to haves”, which could be done at some point in the future. The reason you do this is that, without knowing the threats against which you’re trying to protect, you don’t know what mitigations you need to have in place. And, since you probably can’t do everything at once, you’ll need to understand the greatest threats you face, and so which are deserving of the greatest attention, and what measures are “nice to haves”, which could be done at some point in the future.
  
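Review bot: renaming the heading from "What are trying to protect?" to "What are you trying to protect?" also changes the section anchor generated from it; the key-points link on this page was updated in the same edit, but any other page that linked to the old anchor will now land at the top of the page rather than the section, so a search of the wiki for links to the old heading text is advisable. Separately, the paragraph under this heading opens by talking about the threats you are protecting against rather than what you are protecting; a one-line lead-in naming the assets (the information asset register that the next key point introduces) would make the heading and the body agree.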
Line 67: Line 69:
  
 Something which is likely to be exploited, and which would cause a high level of harm, is a greater priority than something either unlikely to happen, or which is unlikely to cause much harm if it did happen. Something which is likely to be exploited, and which would cause a high level of harm, is a greater priority than something either unlikely to happen, or which is unlikely to cause much harm if it did happen.
 +
 +Bear in mind that some security controls are appropriate for highly confidential information, but some are less appropriate for less confidential information — the likelihood of harm, or the severity of the harm, does not justify the intrusion or inconvenience. There comes a point at which providing security makes it more difficult for the client to work with you, contrary to their best interests.
 +
  
  
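Review bot: the first sentence of the added paragraph reads awkwardly ("some security controls are appropriate for highly confidential information, but some are less appropriate for less confidential information") and the clause after the dash is left hanging without saying what it refers to. Suggested rewording: "Controls that are appropriate for highly confidential information may be disproportionate for less sensitive information, where neither the likelihood nor the severity of harm justifies the intrusion or inconvenience they cause." That phrasing also ties the paragraph back to the likelihood-and-harm prioritisation in the sentence immediately above it, which is the point being made: the cost of a control, including the friction it creates for the client, is part of the risk decision, not separate from it.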
threat_modelling.1565378327.txt.gz · Last modified: 2021/07/06 09:26 (external edit)