Every organization should build a threat matrix as a way to identify, prepare for, and manage security risks. It can be simple or complex, but just having it and using it as a preparation device will help immensely should a serious problem occur. A standard model might look like this:
| Threat Category | Source of Threat | Response Time | Impact Value |
|---|---|---|---|
| External | Hacker | Immediate | High |
| Internal | Employee | Immediate | High |
| Unknown | Terrorist | Immediate | High |
| Financial Fraud | Customer | Immediate | Low to High |
| Access Denial | Multiple | Immediate | High |
| Sabotage | Multiple | Depends on type | Low to High |
Senior management must participate in these discussions and decisions to help balance the cost and risk trade-offs that are often made by technical staff who may not have the big-picture organizational perspective in mind. Often, cost trade-offs are made that protect the group paying for the improvements but leave other groups open to a slower recovery, or in some cases more exposed than before, because protection they thought they had no longer exists.
Each plan must be adapted to the specific needs of the IT organization, its shareholders, customers and suppliers. A hospital would have a very different plan than a newspaper, for example. A chemical factory would have a different plan than a city government.
A superior threat matrix plan comes from identifying as many vulnerabilities as possible so they can be addressed and their risk reduced. Threat countermeasures containing technical, policy and process elements are also a critical part of the matrix and require executive participation and support. Decisions about how much risk to absorb and how much to mitigate through investment are often difficult to make. In either case, the organization may incur a very costly bill with little advantage to customers or shareholders other than business continuity at the previous pace. While remaining in business is not entirely negative, not being able to produce a profit may be too large an obstacle to overcome, should the impact exceed estimates.
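To make the matrix and the absorb-versus-mitigate decision concrete, here is an added Python illustration that is not part of the original article. It loads the rows of the table above, ranks them by a simple priority derived from impact and response time, flags which of the technical, policy and process countermeasure kinds are still missing for each row, and compares a countermeasure's annual cost against the expected loss it avoids. The ordinal scoring scheme, the `Countermeasure` fields and the dollar figures are assumptions chosen for the example; the text itself prescribes no particular scale or numbers.

```python
"""Toy threat-matrix model: rank rows, find countermeasure gaps, and decide
whether to absorb a risk or pay to mitigate it.

Added illustration. The scoring scales and the sample figures are assumptions,
not something the article specifies.
"""
from dataclasses import dataclass, field

# Assumed ordinal scores for the qualitative values used in the table.
IMPACT_SCORE = {"Low": 1, "Medium": 2, "High": 3}
RESPONSE_SCORE = {"Immediate": 3, "Depends on type": 2}


@dataclass
class Countermeasure:
    name: str
    kind: str            # "technical", "policy" or "process" (the three kinds the text names)
    annual_cost: float   # assumed: what the control costs per year
    reduction: float     # assumed: fraction of expected loss the control removes (0..1)


@dataclass
class Threat:
    category: str
    source: str
    response_time: str
    impact: str          # "High" or a range such as "Low to High"
    countermeasures: list = field(default_factory=list)

    def worst_case_impact(self) -> str:
        # A range like "Low to High" is planned against its worst end.
        return self.impact.split()[-1]

    def priority(self) -> int:
        # Higher impact and faster required response both raise the priority.
        return IMPACT_SCORE[self.worst_case_impact()] * RESPONSE_SCORE[self.response_time]

    def missing_kinds(self) -> set:
        # The text asks for technical, policy and process elements per threat.
        return {"technical", "policy", "process"} - {c.kind for c in self.countermeasures}


def build_matrix(rows):
    """Turn (category, source, response_time, impact) tuples into Threat rows."""
    return [Threat(*r) for r in rows]


def rank(matrix):
    """Highest priority first; ties broken alphabetically by category."""
    return sorted(matrix, key=lambda t: (-t.priority(), t.category))


def evaluate_investment(expected_annual_loss, cm):
    """Absorb the risk, or buy the countermeasure?

    Mitigate when the loss avoided per year exceeds the control's annual cost;
    otherwise the cheaper choice is to absorb the residual risk.
    """
    avoided = expected_annual_loss * cm.reduction
    residual = expected_annual_loss - avoided
    net = avoided - cm.annual_cost
    return {
        "avoided": avoided,
        "residual": residual,
        "net_benefit": net,
        "decision": "mitigate" if net > 0 else "absorb",
    }


# Constructed sample: the rows of the table in the article.
ROWS = [
    ("External", "Hacker", "Immediate", "High"),
    ("Internal", "Employee", "Immediate", "High"),
    ("Unknown", "Terrorist", "Immediate", "High"),
    ("Financial Fraud", "Customer", "Immediate", "Low to High"),
    ("Access Denial", "Multiple", "Immediate", "High"),
    ("Sabotage", "Multiple", "Depends on type", "Low to High"),
]

if __name__ == "__main__":
    matrix = build_matrix(ROWS)
    for t in rank(matrix):
        print(f"{t.priority():2d}  {t.category:16s} {t.source:10s} gaps={sorted(t.missing_kinds())}")
    # Hypothetical figures: $200k/yr expected loss, a $60k/yr control removing 70% of it.
    print(evaluate_investment(200_000, Countermeasure("MFA + monitoring", "technical", 60_000, 0.7)))
    # Hypothetical figures where absorbing is cheaper: $50k/yr loss, a $40k/yr control removing half.
    print(evaluate_investment(50_000, Countermeasure("Manual review", "process", 40_000, 0.5)))
```

The point of ranking is only to force the ordering conversation the article asks senior management to join; every "Immediate / High" row ties here, which is exactly where executives rather than the paying technical group should decide which one gets funded first. The `missing_kinds` check surfaces rows that have a technical control but no policy or process element, the kind of gap the article warns leaves other groups exposed.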