Threat Susceptibility: Achieving Cyber Resiliency Goals

Cyber resiliency goals (i.e., anticipate, withstand, recover, and adapt) support the linkage between the risk management decisions at the mission or business process and system levels and the organization’s risk management strategy. To address cyber resiliency, an organization’s risk management strategy needs to include its threat-framing with respect to cyber threats, its strategies for achieving […]

Threat Susceptibility: From Risk Management To Active Defense

In our previous blog post in this series, Threat Susceptibility: Countermeasures and Risk Remediation Options, we continued our MITRE ATT&CK example and focused on identifying mitigations and security controls that were mapped to the TTPs the organization was susceptible to. In this post, we’ll discuss those mitigations and security controls in the context of Risk […]

Threat Susceptibility: Countermeasures and Risk Remediation Options

In the blog post ‘The Art of Attack vs The Science of Resilience,’ Omri wrote, “Cyber risk analysis and management is completely dependent on an understanding of how attackers attack in general, and specifically how attack techniques and methods can be used to threaten your organization. That understanding then needs to be translated into an […]

Threat Susceptibility Assessments: Challenges & Opportunities

What are some of the challenges in assessing cyber threat susceptibility? Penetration testing is probably the best-known and most widely used method for assessing threat susceptibility. These human-driven assessments can be very effective, but the results are a snapshot in time. The organization’s attack surface and the cyber threat landscape are constantly changing and evolving. […]

Assessing Risk using Threat Susceptibility

What are the targets of cyber threats? In the NIST cybersecurity framework core function of ‘Identify,’ organizations are tasked with ‘Asset Management,’ where they need to discover and maintain an inventory of assets that are resources to the business. These resources need to be prioritized based on their classification, criticality, and business value. […]