Threat Risk Assessment (TRA)

 What is Threat Risk Assessment?

A TRA is assessing, from a technology security perspective, people, processes, and infrastructure, applying industry standard assessment methodologies.
The resulting report would include all identified risks, their ratings, and recommendations for remediation

In terms of a Cybersecurity TRA, it generally comprises at least the following:

  • Asset identification and valuation

    • Assets

    • Employees who rely upon these assets

    • Services provided by or through the assets

    • Injuries that may arise due to loss or compromise of the asset

  • Threat Assessment

    • Description of serious threats (activity or agent category level of detail)

    • Indication of assets affected and risk level of compromise

    • Determination of likelihood of an incident

    • Assessment of the damage a threat could cause

  • Vulnerability Assessment

    • Description of serious vulnerabilities (typically grouped)

    • Indication of assets affected and threats facilitated

  • Risk Assessment

    • Description of all assessed residual risks that are unacceptable

    • Concentration of more serious risks and consolidation of as many as possible into remediation groups

    • Identification of controls that are in place

  • Recommendations

    • Summary of each control recommended, with associated costs (if estimated and available)

    • Presentation of residual risks

 Examples of Methodology

In Canada, a common Threat Risk Assessment that is used is the Harmonized Threat and Risk Assessment (HTRA) Methodology developed by the Royal Canadian Mounted Police (RCMP) and the Communications Security Establishment (CSE)

"The Harmonized Threat and Risk Assessment Methodology is designed to address all employees, assets and services at risk. Furthermore, it is easily integrated with project management methodologies and system development life cycles. Analysis may be performed at any level of granularity, from broadly based departmental risk profiles to more tightly focused examinations of specific issues, to meet management needs for responsive solutions at both strategic and operational levels. Use of common tools can promote interoperability when managing risks across shared facilities and interconnected information technology systems, an increasingly important consideration when service delivery responsibilities transcend organizational boundaries. Finally, in the spirit of Modern Comptrollership, objective metrics and analytical reports support the Management Accountability Framework to assess results and performance, especially with respect to risk management, stewardship and accountability"

The HTRA is used by Government of Canada Departments, some Provincial and Territorial Governments and some Private industries as well.  It can be found here.

In the United States, and other jurisdictions, the NIST 800-30, Guide for Conducting Risk Assessments is commonly used. It can be found here. It is similar in layout and includes the following:

NIST TRA Steps

 The Importance of Preparation

A step often forgot by many organizations and even some Auditors is Preparing for a Risk Assessment.  This is important. Doing a TRA for no reason is time and money consuming with resources and budgets already stretched to the limits.  As outlined in the NIST 800-30, the following should be completed prior to beginning a TRA:

  • Identify the purpose of the assessment;

  • Identify the scope of the assessment;

  • Identify the assumptions and constraints associated with the assessment;

  • Identify the sources of information to be used as inputs to the assessment; and

  • Identify the risk model and analytic approaches (i.e., assessment and analysis approaches) to be employed during the assessment.

Interested in performing a TRA, or any of our other services?

Your company or organization may or may not yet require a TRA. Maybe a simple Cybersecurity Gap analysis may work for your needs instead. 

Let us help you answer that question!