Categorizing threat: building and using a generic threat matrix.

The key piece of knowledge necessary for building defenses capable of withstanding or surviving cyber and kinetic attacks is an understanding of the capabilities posed by threats to a government, function, or system. With the number of threats continuing to increase, it is no longer feasible to enumerate the capabilities of all known threats and then build defenses based on those threats that are considered, at the time, to be the most relevant. Exacerbating the problem for critical infrastructure entities is the fact that the majority of detailed threat information for higher-level threats is held in classified status and is not available for general use, such as the design of defenses and the development of mitigation strategies. To reduce the complexity of analyzing threat, the threat space must first be reduced. This is achieved by taking the continuous nature of the threat space and creating an abstraction that allows the entire space to be grouped, based on measurable attributes, into a small number of distinctly different levels. The work documented in this report is an effort to create such an abstraction.
