8. Analysis Approaches
Analysis approaches differ in terms of the orientation or starting point of the risk assessment, the level of detail, and how risks related to similar threat scenarios are treated. An analysis approach can be:
- Threat-oriented,
- Asset/impact-oriented,
- Vulnerability-oriented.
Threat-oriented approach
A threat-oriented approach starts by identifying threat sources and threat events, focusing on the development of threat scenarios. Vulnerabilities are identified in the context of threats, and for adversarial threats, impacts are assessed based on adversary intent.
Asset/impact-oriented approach
An asset/impact-oriented approach begins by identifying impacts or consequences of concern and critical assets. This may involve using the results of mission or business impact analyses and identifying threat events that could lead to, or threat sources that could target, these impacts or consequences.
Vulnerability-oriented approach
A vulnerability-oriented approach starts by identifying predisposing conditions or exploitable weaknesses in organizational information systems or their environments, then identifies threat events that could exploit these vulnerabilities, along with the possible consequences.
Each analysis approach takes into consideration the same risk factors and involves the same set of risk assessment activities, albeit in a different order. Differences in the starting point of the risk assessment can potentially bias the results, causing some risks to be overlooked.
(Source: NIST SP 800-30)
Therefore, incorporating risks from an additional orientation (e.g., complementing a threat-oriented approach with an asset/impact-oriented approach) can improve the rigor and effectiveness of the analysis.
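The bias described above can be made concrete with a small model. The following is an added example, not code from NIST SP 800-30 or from CSFaaS: a constructed table of threat scenarios plus three constructed starting catalogs (a threat-intel feed, scanner findings, and impacts of concern from a business impact analysis). Each orientation only develops the scenarios whose starting element is in its own catalog, and the union of two orientations covers scenarios that either one alone overlooks.

```python
# Toy model of the three NIST SP 800-30 analysis orientations. Constructed
# example: the scenario table and catalogs are invented for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """One threat scenario: source -> event -> exploited vulnerability -> impact on asset."""
    source: str
    event: str
    vulnerability: str
    asset: str
    impact: str

# Ground truth for the hypothetical environment. No single starting catalog
# below sees all of it, which is the bias the text describes.
SCENARIOS = frozenset({
    Scenario("external criminal", "credential phishing", "no MFA on webmail", "mailbox", "data disclosure"),
    Scenario("external criminal", "exploit VPN appliance", "unpatched VPN", "VPN gateway", "network intrusion"),
    Scenario("privileged insider", "bulk record export", "no egress monitoring", "customer DB", "data disclosure"),
    Scenario("ransomware operator", "encrypt file shares", "no offline backups", "file server", "loss of availability"),
    Scenario("hardware failure", "disk array fault", "single storage controller", "ERP system", "loss of availability"),
})

# What each orientation starts from: the catalog its analysts actually hold (constructed).
STARTING_POINTS = {
    "threat": ("source", {"external criminal", "ransomware operator"}),  # threat intel feed
    "vulnerability": ("vulnerability", {"no MFA on webmail", "unpatched VPN", "single storage controller"}),  # scan
    "impact": ("impact", {"data disclosure", "loss of availability"}),  # business impact analysis
}

def assess(orientation: str) -> frozenset:
    """Scenarios developed when anchored on one orientation: a scenario is reached
    only if its starting element appears in that orientation's catalog."""
    field, catalog = STARTING_POINTS[orientation]
    return frozenset(s for s in SCENARIOS if getattr(s, field) in catalog)

def overlooked(orientation: str) -> frozenset:
    """Scenarios a single-orientation assessment never surfaces."""
    return SCENARIOS - assess(orientation)

def combine(*orientations: str) -> frozenset:
    """Union of several orientations, the complementing step SP 800-30 recommends."""
    return frozenset().union(*(assess(o) for o in orientations))

if __name__ == "__main__":
    for o in STARTING_POINTS:
        print(f"{o:>13}: finds {len(assess(o))}/{len(SCENARIOS)}, misses "
              f"{sorted(s.event for s in overlooked(o))}")
    print("threat + impact covers everything:", combine("threat", "impact") == SCENARIOS)
```

In this constructed data the threat-oriented pass never reaches the insider export or the storage fault, because neither has a source in the threat catalog, while the impact-oriented pass never reaches the VPN scenario, whose impact is not in the business impact analysis.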
CSFaaS embodies all three approaches (threat-oriented, asset/impact-oriented, and vulnerability-oriented), ensuring a comprehensive risk assessment that holistically covers threats, impacts, and vulnerabilities, thereby enhancing the rigor and effectiveness of the analysis.