Understand the key steps in the cyber risk analysis for your development project and the TARA procedure in detail. With this knowledge, you gain the ability to make informed decisions about risk management and the efficiency-oriented implementation of cybersecurity measures.
Assets
Assumptions
Impact Assessment
Thread Analysis
Controls
Attack Path Analysis
Risk Assessment
In the cybersecurity risk analysis and in the Threat Analysis and Risk Assessment methodology process, the assets represent the starting point for any subsequent protection requirements analysis and are therefore far more than just an arbitrary list of technical components.
Understood in depth, this means that not only a system to be developed, such as a physical control unit or data objects, is considered, but also the functional context, interactions within the system and their operational environment are taken into account.
It is therefore critical to precisely identify assets in terms of their relevance for the functional relationships in the system and their significance for safety-critical operations.
Incomplete, unclean or unstructured asset identification without targeted categorization and illumination of interactions leads to imprecise risk assessment. This becomes especially critical in view of the product lifecycle and the need for constant updating.
Assets
Assumptions
Impact Assessment
Thread Analysis
Controls
Attack Path Analysis
Risk Assessment
Assumptions are the cornerstone of any systematic cyberrisk analysis.
Systematically developed assumptions serve as a basis for argumentation in decision-making when the reality is still unknown or simply cannot (yet) be known and a decision must nevertheless be made in the course of a comprehensive analysis.
Nevertheless, they are often not specifically modelled.
System or impact assumptions (e.g. about technical system requirements, software states or network segmentation) must be systematically documented, tracked, and validated.
Especially in agile and distributed development environments, in which framework conditions and system-relevant circumstances change, outdated or implicit assumptions act as "silent weak points" for the effective risk analysis.
Assets
Assumptions
Impact Assessment
Threat Analysis
Controls
Attack Path Analysis
Risk Assessment
The Impact assessment involves developing the damage scenario of threats in a structured manner along the CIA characteristics of an asset.
This involves systematically evaluating the cybersecurity-relevant effects (safety, financial, operational and privacy) for different stakeholders.
Cybersecurity analysts and engineers are faced with the responsible task of evaluating damage scenarios using meaningful evaluation criteria: For example, safety and finance are two completely different domains with different importance to the respective stakeholders. However, the analysis should not be biased. Impact assessments need to be rigorous, objective and properly recorded.
Assets
Assumptions
Impact Assessment
Threat Analysis
Controls
Attack Path Analysis
Risk Assessment
The systematic identification of potential threats ("THREAT ANALYSIS") is at the heart of the cyber risk analysis process.
It is far more than just looking at a threat database.
The aim is to systematically link identified assets with damage scenarios and associated attack possibilities.
The aim is to compile a complete list that takes into account a dynamic threat landscape with up-to-date threat catalogues (HEAVENS (2.0), STRIDE, AutoISAC ATM etc.) as well as the increasingly complex context of the given architecture, operating modes and system behavior.
Assets
Assumptions
Impact Assessment
Threat Analysis
Controls
Attack Path Analysis
Risk Assessment
In the context of a conscientiously conducted cyber risk analysis/TARA, cybersecurity measures ("security controls") are not just a bouquet of protection options, but must always be precisely tailored to the risk contextualization that has been developed.
The challenge here is to be able to anchor controls in the system architecture in line with the security-by-design concept.
In addition to technical effectiveness, conformity with (regulatory) cybersecurity requirements and complex interactions with compatibility and functionality must also be properly considered when selecting controls.
Assets
Assumptions
Impact Assessment
Threat Analysis
Controls
Attack Path Analysis
Risk Assessment
Attack path analysis is a central knowledge process within cyber risk analysis/TARA: The systematic investigation of how an attacker can cause which threat scenario from which entry point via which steps.
This involves a well-founded analysis of what an attack path might look like and modeling this sequence in a comprehensible way and evaluating it consistently along the given parameters - despite the rapidly increasing complexity of more sophisticated development projects.
In the course of attack path analysis, certain neuralgic nodes or critical attack chains can be identified based on metrics - a fundamentally important contribution to cyber risk analysis.
Assets
Assumptions
Impact Assessment
Threat Analysis
Controls
Attack Path Analysis
Risk Assessment
The final and decisive step in cyber risk analysis is the RISK ASSESSMENT, in which the previously identified threats and their attack paths are combined with their potential impact and attackability in order to assess the risks.
This assessment is usually carried out using a combination of "impact" (extent of damage) and "feasibility" (feasibility of the attack), either qualitatively (e.g. high/medium/low) or quantitatively (e.g. with risk values or scoring models).
The aim is not to eliminate all risks, but to reduce them to an acceptable level - taking into account regulatory requirements, technical feasibility and economic viability.
Meet our experts who will discuss the TARA methodology with you in terms of methodology and application and present the CYMETRIS approach to you.
At CYMETRIS, innovative concepts in the implementation of cybersecurity meet state-of-the-art software-based solutions in combination with modern AI technology.
