Contents
Under the first menu item, Security Content, you will see four options:
Here you can view all the risk patterns predefined within the tool. The column widths in the Threats & Countermeasures tab are already dynamic. Now, when you go to Risk Patterns under Security Content, you can expand accordingly to see more information on either side to expand your area of focus.
To create a new risk pattern, click the plus sign, you can then name it, give a description and save it. The below is a fictitious library for an automotive use case.
This creates your library, but now you need to add your bespoke risk patterns. Expand your new library, select the dots next to the name, and choose +New > Risk pattern.
Next step is creating a risk pattern for the overarching library:
Then you will need to create a use case:
Next you need to associate the threats to this use case. Although we automate this with the IriusRisk rules engine, for bespoke risk patterns and use cases, this information needs to be added by you. However, you can choose from existing threats, or add your own.
If creating a new threat, you can follow the structure of the threat detail including selecting the impact in terms of Confidentiality, Integrity, Availability (CIA) and ease of exploitation. You can also add the relevancies within STRIDE-LM and MITRE.
To choose an existing threat, you will be presented with a list where you can search and filter to identify what you need.
These threats will then continue as a thread up to your Custom Library, and can be expanded and edited accordingly:
Adding countermeasures and/ or weaknesses is the same process as threats. You can select from new or existing. And enter the details or search accordingly. If you selected threats that already existed, then some countermeasures will pull through.
To conclude, once you are satisfied with your library and associated risk patterns, you can take further steps such as applying it to existing Projects, make further updates, export it and delete if necessary.
A default calculation is provided in this section, however you can tailor the three areas accordingly based upon your own context, industry and bespoke considerations. Use the scoring or sliders to change these parameters.
Weightings: Weightings provide the necessary inputs to determine the inherent risk a given threat scenario or threat actor will pose against an asset assigned to a component within a trust zone.
Mitigation factor when: Mitigation factors provide the necessary input values for when inherent risk is being reduced to current risk and then further to projected risk. These values assist in determining the reduction in risk when countermeasures are "implemented" and when tests pass into a "passed' status."
Aggravating factor: This parameter modifies the risk value based on the failed weakness with the greatest impact. If there are no failed weaknesses it will use the maximum impact value (100).
These are aligned to CIA, whereby you can change the level of risk associated with items such as personally identifiable information (PII), public data, and/ or cardholder data.
Click on any item to edit the classifications accordingly to reduce or increase the ratings.
These can be viewed in a list, and can be sorted alphabetically if you click on ‘Name’. You can easily create your own standards in this area too. Click the blue button which says ‘New standard. When you are in your Projects view, go to Security Content at the top menu and then choose Standards from the drop down.
The list of Standards we currently have are:
Regulatory & Compliance
- CCPA
- EU-GDPR
- FedRAMP
- HIPAA
- IEC/ANSI 62443
- ISO/ IEC 27002: 2013
- ISO/IEC 27002:2022
- ISO/ SAE 21434
- NIST Cybersecurity Framework
- PCI-DSS v3.2.1
- PCI-DSS v4.0
- PCI Software Security Standard
- SAMM
- UNECE WP.29 Cybersecurity Regulation (CSMS)
Industry Standards
- CWE Top 25
- MITRE ATT&CK Enterprise & ICS
- Mitre D3FEND Framework
- NIST Cybersecurity Framework
- NIST SSDF
- NIST 800-190
- NIST 800-204
- NIST 800-53
- NIST 800-63
- OpenCRE
- OWASP API Security Top 10
- OWASP ASVS v4
- OWASP CSVS
- OWASP Docker Top 10 2018
- OWASP Kubernetes Top 10 2022
- OWASP MASVS
- OWASP Mobile Top Ten 2016
- OWASP Top Ten 2017
- OWASP Top 10 2021
- OWASP Web Security Testing Guide (WSTG)
- SWIFT Cyber Security Controls Framework (CSCF)
Industrial Automation
- IEC/ ANSI 62443 3-3 and 4-2
- ICSA-500
- UNECE WP.29 Cybersecurity Regulation (CSMS)
Operational
- AWS Foundations Benchmark
- AWS Three-Tier Web Architecture Benchmark
- Azure Security Benchmark
- Docker Community Edition Benchmark
- Google Cloud Platform Foundations Benchmark
- Kubernetes Benchmark
- Microsoft Azure Foundations Benchmark
- Oracle Cloud Infrastructure Foundations
- OWASP Docker Top 10 2018
Internet of Things (IoT)
- IoT Security Foundation
- Machine Learning and Artificial Intelligence