- What am I concerned about?
Select a digital asset. Digital assets include systems, processes, data, and technology.
- What could go wrong?
Identify attack scenarios: attackers and their tactics, techniques, and procedures. Identify available detection methods.
- What can protect it from attacks?
Check existing controls: Preventive, detective & administrative controls. Check adequacy & effectiveness.
- Is protection sufficient?
Estimate residual risk: cumulative risk for business interruption, regulatory fines, data loss & brand impact.
- How do I justify the cost of action?
Build business case: Add new controls, improve effectiveness, replace with better controls. Cost of doing vs cost of not doing?