To help you understand how the Heuristic Security assessment approach differs from traditional risk assessment, let’s take a look at a bank, and how the bank’s management would likely deal with the threat of being robbed (simplified, of course).
To start at the top, who are the threat actor(s)?
– Criminals, either external or working for the company as malicious insiders
What is their motive?
– To steal money
How will they attempt to do so?
– By armed robbery
– By break-in after hours
– By stealing cash as part of normal operations
What can be done about it?
– By posting armed guards in the lobby
– By installing alarms in the bank
– By storing the cash in the safe at the end of the day
– By instituting procedures to balance the cash drawer daily
The information security equivalent of this process is to start with the “What can be done about it?” step, as defined by a security framework such as NIST CSF, and jump on the treadmill of implementing all of the controls specified. What I am attempting to do with Heuristic Security is to look at the problem from the top down: always keeping in mind who your biggest threats are and how those threats can attack your business, and only from there discussing what should be done about them.
Equally important to taking the right action is taking it in phases, where simpler approaches and technologies are deployed first, followed by increasing sophistication as the budget and needs of the business dictate. In the world of security, seeking perfection is most certainly the enemy of the “good enough for now”.
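As an added illustration (my own code, not from the post), here is the bank scenario encoded as a small threat/means/control matrix, with a helper that orders controls into phases by how many means each one covers and reports any means left without a control. The dataclass shapes, control names and the greedy phasing rule are my assumptions, not part of the Heuristic Security method.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Means:
    name: str
    controls: frozenset  # names of controls that mitigate this means


@dataclass(frozen=True)
class Threat:
    actor: str
    motive: str
    means: tuple  # tuple of Means


# Constructed sample: the bank scenario from the post, one threat actor,
# one motive, three means, and the four controls mapped onto the means.
BANK = Threat(
    actor="criminals (external, or malicious insiders)",
    motive="steal money",
    means=(
        Means("armed robbery", frozenset({"armed guards", "alarms"})),
        Means("break-in after hours", frozenset({"alarms", "cash in safe overnight"})),
        Means("stealing cash during normal operations", frozenset({"daily drawer balancing"})),
    ),
)


def control_coverage(threat):
    """Map each control name to the set of means it mitigates."""
    coverage = {}
    for m in threat.means:
        for c in m.controls:
            coverage.setdefault(c, set()).add(m.name)
    return coverage


def uncovered_means(threat, deployed):
    """Means with no deployed control; `deployed` is the set of controls rolled out so far."""
    return [m.name for m in threat.means if not (m.controls & deployed)]


def phased_rollout(threat):
    """Greedy phasing: each phase adds the control that mitigates the most still-uncovered
    means (ties broken alphabetically). Stops when every means has at least one control,
    or when the remaining means have no known control at all (a gap to record)."""
    coverage = control_coverage(threat)
    deployed, plan = set(), []
    while True:
        remaining = set(uncovered_means(threat, deployed))
        if not remaining:
            break
        best = max(sorted(coverage), key=lambda c: len(coverage[c] & remaining), default=None)
        if best is None or not coverage[best] & remaining:
            break
        deployed.add(best)
        plan.append(best)
    return plan
```

Controls that the greedy plan leaves out (here, armed guards and the overnight safe) are the "increasing sophistication" of later phases: defence in depth once the first control per means is in place.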
I have a first draft of the Threats/Means matrix ready and will be posting it shortly to help illustrate the likely motives and means for the breaches in the news.