Simplified Total Risk Management (STORM) Independent Ancillary Processes (IAP) allow you to transform simple qualitative values into meaningful, quantitative risk management metrics.

STORM Independent Ancillary Processes

The Simplified Total Risk Management (STORM) Enterprise Risk Management (ERM) toolkit includes independent ancillary processes (IAPs) for asset valuation, threat assessment, vulnerability assessment, and control evaluation.

STORM IAPs transform qualitative information into quantitative risk factors: asset valuations, threat assessments, vulnerability exposures, and control evaluations. They are used in support of STORM risk management programs, but each may also be used independently to feed other risk management programs.

STORM Threat Assessment Process (STAP)

The STORM Threat Assessment Process (STAP) transforms information about threats into a single quantitative threat assessment value. The most common STAP transform is the History, Access, Means (HAM) transform. HAM provides threat probability and impact information.

The following HAM533 calculator demonstrates a simple application of the HAM transform to assess threat probability and impact. The full HAM transform provides methods for non-linear selection weighting and variable value ranges.

[Interactive HAM533 calculator: inputs History, Access, Means; outputs Threat Probability, Threat Impact]

STORM Asset Valuation Process (SAVP)

The STORM Asset Valuation Process (SAVP) transforms information about assets into a single quantitative asset valuation. There are multiple SAVP transforms, of which the most common are Basic Criticality (BC) and Container-Content-Process (CCP).

Basic Criticality (SAVP/BC)

Using SAVP/BC, you assign each asset a single discrete criticality on a scale you define (for simple environments the most common scale is 1-10). SAVP/BC is easy to use and produces actionable risk assessment results quickly, at the expense of precision.

Container-Content-Process (SAVP/CCP)

SAVP/CCP assesses three dimensions of asset value: the value of the container, the value of the content (usually intellectual property or business value), and the value of the processes associated with the asset. SAVP/CCP includes a discrete maturity index from 0 to 5. At maturity 0, each dimension is scored as a discrete value (e.g. 1-10) and the scores are combined using the STORM composite measurement algorithm. At maturity 5, each dimension is expressed as an actual monetary value, and the asset value is the simple sum of the three dimension values.

STORM Vulnerability Assessment Process (SVAP)

The STORM Vulnerability Assessment Process (SVAP) transforms information about vulnerabilities into a single quantitative exposure percentage. A common SVAP transform for technical vulnerabilities is the CVSS Adaptation (CVSSA). SVAP transforms for general vulnerabilities include the Simple Exposure Model (SEM) and the Capability-Resource-Visibility-Effects (CRVE) transform.

CVSS Adaptation (CVSSA)

SVAP/CVSSA converts Common Vulnerability Scoring System (CVSS) scores (any version) associated with technical vulnerabilities into exposure values between 0 and 1 by dividing the 0-10 score by 10. For example, a CVSS score of 9.3 is transformed to an SVAP/CVSSA value of .93.

Simple Exposure Model (SEM)

SVAP/SEM may be used to assess arbitrary vulnerabilities, including non-technical vulnerabilities: the assessor directly estimates the exposure percentage that the vulnerability creates for the affected assets, and that estimate is the SVAP value.

Capability-Resource-Visibility-Effects (CRVE)

SVAP/CRVE may be used to assess arbitrary vulnerabilities, including non-technical vulnerabilities, by rating the skills required to exploit the vulnerability (capability), the resources required to exploit it (resource), the ease of access to it (visibility), and its effects on confidentiality, integrity, and availability (effects).

STORM Control Evaluation Process (SCEP)

The STORM Control Evaluation Process (SCEP) transforms information about controls into a single quantitative control assessment value. This value may be used independently to assess the value of controls, or it may be used in a STORM or other risk management program to offset the exposure associated with one or more vulnerabilities.

For example, suppose you have an asset A with an SAVP valuation of .4, a threat T with an STAP probability evaluation of .5, and a vulnerability V with an SVAP exposure of .5. The risk associated with this triple is:

R = A • V • T = .4 • .5 • .5 = .1

Now introduce a control C with an SCEP value of .75, which means the exposure associated with vulnerability V is reduced by 75%:

R = A • V • T • (1 - C) = .4 • .5 • .5 • (1 - .75) = .025

SCEP transformations support multiple controls and different relationships between controls, including control dependencies.
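The following Python is an added worked example, written for this page rather than taken from the STORM toolkit, of the SVAP/CVSSA transform and the A • V • T • (1 - C) composition above. It extends the single-control case on the page to several controls on the same vulnerability by multiplying the (1 - C) terms, which is an assumption that treats the controls as independent; the toolkit's own handling of control relationships and dependencies is not described on this page. The function names, the Triple record, and the sample register entries are all hypothetical.

```python
"""Added worked example of the SVAP/CVSSA transform and the STORM-style
A * V * T * (1 - C) risk composition described on this page. This is
illustration code written for this page, not code from the STORM toolkit;
function names, the Triple record and the way several controls are combined
are assumptions, not part of the published processes."""
from dataclasses import dataclass
from typing import Sequence


def _check_unit(name: str, value: float) -> float:
    """Every STORM factor used here is a fraction in [0, 1]; reject anything
    else instead of clamping so a bad input cannot hide as 0% or 100%."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must lie in [0, 1], got {value}")
    return value


def cvssa(score: float) -> float:
    """SVAP/CVSSA: convert a CVSS base score (0.0-10.0, any version) to an
    exposure between 0 and 1 by dividing by 10, e.g. 9.3 -> 0.93."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS scores lie in [0, 10], got {score}")
    return round(score / 10.0, 4)


def control_factor(controls: Sequence[float]) -> float:
    """Residual-exposure multiplier for a set of SCEP control values.
    One control gives the page's (1 - C). For several controls this example
    ASSUMES they are independent and multiplies the (1 - C_i) terms; the
    toolkit's own handling of dependent controls is not described here."""
    factor = 1.0
    for i, c in enumerate(controls):
        factor *= 1.0 - _check_unit(f"control[{i}]", c)
    return factor


def risk(asset_value: float, exposure: float, probability: float,
         controls: Sequence[float] = ()) -> float:
    """R = A * V * T * (1 - C), with A from SAVP, V from SVAP, T from STAP
    and C from SCEP. Rounded so float noise does not disturb comparisons."""
    a = _check_unit("asset_value", asset_value)
    v = _check_unit("exposure", exposure)
    t = _check_unit("probability", probability)
    return round(a * v * t * control_factor(controls), 6)


@dataclass(frozen=True)
class Triple:
    """One asset/threat/vulnerability combination with its STORM factors
    (hypothetical record type, not a STORM data structure)."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: float            # SAVP valuation
    probability: float            # STAP threat probability
    exposure: float               # SVAP exposure (CVSSA, SEM or CRVE)
    controls: tuple = ()          # SCEP values applied to this vulnerability

    def label(self) -> str:
        return f"{self.asset} / {self.threat} / {self.vulnerability}"


def rank_register(triples: Sequence[Triple]) -> list:
    """Rank triples by residual risk (controls applied), highest first.
    Returns (label, inherent_risk, residual_risk) rows so the effect of
    the controls on the ordering is visible."""
    rows = []
    for tr in triples:
        inherent = risk(tr.asset_value, tr.exposure, tr.probability)
        residual = risk(tr.asset_value, tr.exposure, tr.probability, tr.controls)
        rows.append((tr.label(), inherent, residual))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register (hypothetical assets, not real assessment data).
SAMPLE_REGISTER = (
    Triple("customer DB", "external attacker", "unpatched RCE",
           asset_value=0.9, probability=0.6, exposure=cvssa(9.8), controls=(0.8,)),
    # The page's own worked example: A=.4, T=.5, V=.5, C=.75
    Triple("public web", "opportunist", "weak admin password",
           asset_value=0.4, probability=0.5, exposure=0.5, controls=(0.75,)),
    Triple("office printer", "insider", "default SNMP community",
           asset_value=0.1, probability=0.8, exposure=cvssa(7.5)),
)


if __name__ == "__main__":
    for label, inherent, residual in rank_register(SAMPLE_REGISTER):
        print(f"{label:55s} inherent={inherent:.4f} residual={residual:.4f}")
```

Running the block reproduces the page's .1 and .025 for the "public web" entry and shows why residual rather than inherent risk should drive prioritisation: the uncontrolled printer vulnerability outranks the controlled web one once the .75 control is applied, even though its inherent risk is lower.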

Simplified Total Risk Management, STORM & StrongCOR are trademarks of RESCOR; RAPID & RSK are trademarks of Andrew T. Robinson.