In the previous two posts we discussed Threat Modeling with Open FAIR™ and Threat Modeling using ArchiMate™. The natural next step is to consider how to integrate all three methods. The FAIR risk analysis example used in this section is constructed using ArchiMate; use the ArchiMate Specification Reference Cards to understand the symbology. The risk analysis example itself is found in Section 2.2 of the Open FAIR Risk Analysis Example Guide. The following image depicts the FAIR Taxonomy with the relevant narrative from the Example Guide:
A member of the cleaning crew uses the authentication credentials written on the sticky note to log into the HR executive's computer, gaining unauthorized access to the information they are intended to protect.
Each of the following images shows a portion of the FAIR Taxonomy depicted in ArchiMate. The Distribution notes display Properties contained in the Assessment (a Motivation element, which the ArchiMate specification describes as representing an external or internal condition that motivates an organization to define its goals and implement the changes necessary to achieve them). The Distribution values are the Minimum, Most Likely, and Maximum values, recorded as percent values.
This example shows how a FAIR model can be constructed using ArchiMate. The benefit of this approach is that the FAIR model can be added to views of existing ArchiMate models already developed by enterprise architects within an organization. In this way, proposed control improvements can be related directly to the components of the architecture that are being adjusted. The benefits therefore apply to the entire enterprise architecture, not just to one application, as is the case with current threat modeling approaches. For example, consider the possible views:
- Multiple application systems
- Shared infrastructure components
- Mapping all systems related to each enterprise risk
- Relating components to infrastructure security control requirements
Of course, this benefit cannot be fully realized until ArchiMate tooling gains the capability to perform the math associated with FAIR.
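As an added illustration (not the author's code and not a feature of any ArchiMate tool), the following Python sketch shows what that math looks like once the Minimum / Most Likely / Maximum properties have been read off the Assessment elements: a Beta-PERT Monte Carlo over Threat Event Frequency, Vulnerability and Loss Magnitude, combined along the FAIR taxonomy (LEF = TEF × Vulnerability, Risk = LEF × Loss Magnitude). The ASSESSMENTS dictionary and its numbers are constructed placeholders standing in for the model's properties, not the Example Guide's figures.

```python
"""Monte Carlo FAIR math over Distribution properties taken from ArchiMate Assessment elements."""
import random
import statistics

# Constructed stand-in for the properties an export would yield from the Assessment
# elements: each carries the Minimum / Most Likely / Maximum shown in the Distribution
# notes. Values are hypothetical and do not come from the Example Guide.
ASSESSMENTS = {
    "Threat Event Frequency": {"Minimum": 1, "Most Likely": 4, "Maximum": 12, "Unit": "per year"},
    "Vulnerability": {"Minimum": 20, "Most Likely": 50, "Maximum": 80, "Unit": "percent"},
    "Loss Magnitude": {"Minimum": 5000, "Most Likely": 25000, "Maximum": 200000, "Unit": "USD"},
}


def pert_sample(rng, lo, ml, hi, lam=4.0):
    """Draw one value from a Beta-PERT(lo, ml, hi) distribution (lambda = 4 is the usual shape)."""
    if hi == lo:  # degenerate distribution: the analyst gave a single point estimate
        return float(lo)
    a = 1 + lam * (ml - lo) / (hi - lo)
    b = 1 + lam * (hi - ml) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)


def sample_assessment(rng, assessment):
    """Sample an Assessment's distribution; percent-valued properties become probabilities."""
    lo, ml, hi = (assessment[k] for k in ("Minimum", "Most Likely", "Maximum"))
    value = pert_sample(rng, lo, ml, hi)
    return value / 100.0 if assessment.get("Unit") == "percent" else value


def simulate_risk(assessments, iterations=10000, seed=1):
    """Return summary statistics of annualized loss (primary loss only, as in the taxonomy slice)."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible for review
    annual_loss = []
    for _ in range(iterations):
        tef = sample_assessment(rng, assessments["Threat Event Frequency"])
        vuln = sample_assessment(rng, assessments["Vulnerability"])
        loss = sample_assessment(rng, assessments["Loss Magnitude"])
        lef = tef * vuln            # Loss Event Frequency = TEF x Vulnerability
        annual_loss.append(lef * loss)  # Risk = LEF x Loss Magnitude
    annual_loss.sort()
    return {
        "mean": statistics.fmean(annual_loss),
        "p10": annual_loss[int(0.10 * iterations)],
        "p90": annual_loss[int(0.90 * iterations)],
        "max": annual_loss[-1],
    }


if __name__ == "__main__":
    for name, value in simulate_risk(ASSESSMENTS).items():
        print(f"{name:>5}: {value:,.0f} USD/year")
```

Running it prints the mean, 10th and 90th percentile, and worst-case annualized loss for the constructed inputs; swapping in a control improvement (say, a lower Vulnerability Most Likely value) and re-running is the comparison the post is after.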
This series aimed to build understanding by providing definitions (architecture, FAIR, and threat modeling terms) and by demonstrating a threat model example using ArchiMate: diagram views, and control analysis with FAIR.