
Security Content

6 min | Last updated September 6, 2024

Contents

- Risk pattern libraries
- Risk Calculation
- Security Classifications
- Standards

Under the first menu item, Security Content, you will see four options:

  1. Risk pattern libraries
  2. Risk calculations
  3. Security classifications
  4. Standards

Risk pattern libraries

Here you can view all the risk patterns predefined within the tool. The layout is similar to the Threats & countermeasures view: the risk patterns are listed on the left, and expanding one shows more information on the right-hand side.

To create a new risk pattern library, click the plus sign, then name it, give it a description and save it. The example below is a fictitious library for an automotive use case.

This creates your library, but now you need to add your bespoke risk patterns. Expand your new library, select the dots next to the name, and choose +New > Risk pattern.

The next step is creating a risk pattern within the overarching library:

Then you will need to create a use case:

Next you need to associate threats with this use case. For the built-in content this is automated by the IriusRisk rules engine, but for bespoke risk patterns and use cases you add this information yourself. You can choose from existing threats or add your own.

If you create a new threat, follow the structure of the threat detail: select the impact in terms of Confidentiality, Integrity and Availability (CIA) and the ease of exploitation. You can also record its relevance within STRIDE-LM and MITRE.

To choose an existing threat, you will be presented with a list where you can search and filter to identify what you need.

These threats will then continue as a thread up to your Custom Library, and can be expanded and edited accordingly:

Adding countermeasures and/or weaknesses follows the same process as threats: select a new or existing item, then either enter its details or search for it. If you selected threats that already existed, some of their countermeasures will be pulled through automatically.

Once you are satisfied with your library and its risk patterns, you can take further steps such as applying it to existing Projects, making further updates, exporting it, or deleting it if necessary.

Risk Calculation

A default calculation is provided in this section, but you can tailor the three areas below to your own context, industry and bespoke considerations. Use the scores or sliders to change these parameters.

Weightings: Weightings provide the necessary inputs to determine the inherent risk a given threat scenario or threat actor will pose against an asset assigned to a component within a trust zone.

Mitigation factor when: Mitigation factors provide the input values used when inherent risk is reduced to current risk and then further to projected risk. These values determine the reduction in risk when countermeasures are marked "implemented" and when their tests move into the "passed" status.

Aggravating factor: This parameter modifies the risk value based on the failed weakness with the greatest impact. If there are no failed weaknesses it will use the maximum impact value (100).
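To make the three parameter classes concrete, here is an added, illustrative model (not IriusRisk's own calculation; the formulas, weighting keys and default values are assumptions) showing how a threat's risk moves from inherent to current to projected, and how the aggravating factor falls back to 100 when no weakness test has failed.

```python
from dataclasses import dataclass, field

MAX_IMPACT = 100  # page: used when there are no failed weaknesses
# Assumed defaults: weightings (the tool exposes them as sliders) and the
# share of risk removed at each mitigation state change.
WEIGHTINGS = {"confidentiality": 1.0, "integrity": 1.0, "availability": 1.0, "ease_of_exploitation": 1.0}
MITIGATION = {"implemented": 0.6, "test_passed": 0.3}

@dataclass
class Countermeasure:
    implemented: bool = False
    test_passed: bool = False

@dataclass
class Weakness:
    impact: int        # 0..100
    test_failed: bool  # a failed test means the weakness is present

@dataclass
class Threat:
    name: str
    scores: dict               # CIA impact and ease of exploitation, 0..100
    countermeasures: list = field(default_factory=list)
    weaknesses: list = field(default_factory=list)

def inherent_risk(t: Threat, w=WEIGHTINGS) -> float:
    """Weighted mean of the threat's scores (assumed formula), 0..100."""
    return sum(t.scores[k] * w[k] for k in w) / sum(w.values())

def aggravating_factor(t: Threat) -> float:
    """Impact of the failed weakness with the greatest impact, else 100."""
    failed = [wk.impact for wk in t.weaknesses if wk.test_failed]
    return (max(failed) if failed else MAX_IMPACT) / MAX_IMPACT

def risk_levels(t: Threat, m=MITIGATION) -> dict:
    """Inherent -> current (countermeasure implemented) -> projected (test passed)."""
    inherent = inherent_risk(t) * aggravating_factor(t)
    current = projected = inherent
    for cm in t.countermeasures:
        if cm.implemented:
            current *= 1 - m["implemented"]
            projected *= 1 - m["implemented"]
            if cm.test_passed:
                projected *= 1 - m["test_passed"]
    return {"inherent": round(inherent, 1), "current": round(current, 1),
            "projected": round(projected, 1)}

# Constructed sample (automotive, to match the page's fictitious library).
SAMPLE = Threat("Tampering with vehicle telemetry",
                {"confidentiality": 40, "integrity": 90, "availability": 60, "ease_of_exploitation": 50},
                [Countermeasure(implemented=True, test_passed=True)], [Weakness(impact=80, test_failed=True)])
```

Changing the countermeasure's `implemented` or `test_passed` flags, or the weakness's `test_failed` flag, shows which of the three risk values each state change affects.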

Security Classifications

These are aligned to CIA, and let you change the level of risk associated with items such as personally identifiable information (PII), public data, and/or cardholder data.

Click on any item to edit the classifications accordingly to reduce or increase the ratings.

Standards

These can be viewed in a list and sorted alphabetically by clicking 'Name'. You can also create your own standards in this area: click the blue 'New standard' button. To reach this view from your Projects view, go to Security Content in the top menu and choose Standards from the drop-down.

The standards currently provided are:

Regulatory & Compliance

- CCPA
- EU-GDPR
- FedRAMP
- HIPAA
- IEC/ANSI 62443
- ISO/IEC 27002:2013
- ISO/IEC 27002:2022
- ISO/SAE 21434
- NIST Cybersecurity Framework
- PCI-DSS v3.2.1
- PCI-DSS v4.0
- PCI Software Security Standard
- SAMM
- UNECE WP.29 Cybersecurity Regulation (CSMS)

Industry Standards

- CWE Top 25
- MITRE ATT&CK Enterprise & ICS
- MITRE D3FEND Framework
- NIST Cybersecurity Framework
- NIST SSDF
- NIST 800-190
- NIST 800-204
- NIST 800-53
- NIST 800-63
- OpenCRE
- OWASP API Security Top 10
- OWASP ASVS v4
- OWASP CSVS
- OWASP Docker Top 10 2018
- OWASP Kubernetes Top 10 2022
- OWASP MASVS
- OWASP Mobile Top Ten 2016
- OWASP Top Ten 2017
- OWASP Top 10 2021
- OWASP Web Security Testing Guide (WSTG)
- SWIFT Cyber Security Controls Framework (CSCF)

Industrial Automation

- IEC/ANSI 62443 3-3 and 4-2
- ICSA-500
- UNECE WP.29 Cybersecurity Regulation (CSMS)

Operational

- AWS Foundations Benchmark
- AWS Three-Tier Web Architecture Benchmark
- Azure Security Benchmark
- Docker Community Edition Benchmark
- Google Cloud Platform Foundations Benchmark
- Kubernetes Benchmark
- Microsoft Azure Foundations Benchmark
- Oracle Cloud Infrastructure Foundations
- OWASP Docker Top 10 2018

Internet of Things (IoT)

- IoT Security Foundation
- Machine Learning and Artificial Intelligence
