Concept | Documentation |
Asset | Asset Definition in ISO 27005, Chapter „Identifying and describing information security risks“ [§7.2.1] (Page 17): „An asset is anything that has value to the organization and therefore requires protection.“ Asset Definition NIST SP 800-160v1r1 „The Concept of Assets“ [§3.4] Page 16: „An asset is an item of value. There are many different types of assets. Assets are broadly categorized as either tangible or intangible. Tangible assets include physical items, such as hardware, computing platforms, other technology components, and humans. Intangible assets include humans, firmware, software, capabilities, functions, services, trademarks, intellectual property, data, copyrights, patents, image, or reputation.“ |
Security Objective | The Security Objectives are defined as the CIA-Triad (Confidentiality, Integrity, Availability) (Synonym: Security Attribute, Security Propaty) FIPS PUB 199 - Standards for Security Categorization of Federal Information and Information Systems: "The FISMA defines three security objectives for information and information systems: CONFIDENTIALITY “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542 ] A loss of confidentiality is the unauthorized disclosure of information. INTEGRITY “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [ 44 U.S.C., Sec. 3542] A loss of integrity is the unauthorized modification or destruction of information. AVAILABILITY “Ensuring timely and reliable access to and use of information…” [44 U.S.C., S EC. 3542 ] A loss of availability is the disruption of access to or use of information or an information system." |
Adversary | Adversary definition from NIST Special Publication 800-30, Glossary [APPENDIX B]: “Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.” |
Target Misuse Case | |
Threat Scenario | |
Likelyhood Parameter | |
ADV use Attack Path to attack SO | The Aversary uses an Attack Vector to attack a Security Objective of an Asset. |
Vulnerability | |
Attack Action | |