Threat and Risk Control Effectiveness Criteria
Threat criteria can be configured as a 3×3, 4×4 or 5×5 matrix, which accommodates the bulk of applications in the market today. Threat criteria are associated with ‘Capability’ and ‘Intent’, and users can adjust all aspects of the tables (including labels/ratings, colouring, etc.).
Threat Criteria also includes a ‘Threat Tolerance’ setting that lets users define which Threat Acts are automatically populated into the Risk Register. For example, if Threat Tolerance is set to MEDIUM, only those Threat Acts rated at or above MEDIUM will appear in the Risk Register (each Threat Act causes a new risk to be created).
The purpose of this is to keep the risk assessment focused on the threats regarded as most relevant or significant, while retaining the others for future review.
Setting the Threat Tolerance at the lowest level will result in all Threat Acts appearing within the Risk Register.
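As an added illustration (not code from the product described on this page), the Capability × Intent lookup and the Threat Tolerance filter in Python; the 3×3 matrix, rating labels and sample Threat Acts are constructed assumptions, and the tool's own labels and colouring are user-editable:

```python
from dataclasses import dataclass

# Constructed 3x3 threat matrix, indexed [capability-1][intent-1]. Ratings are
# listed low -> high so "at or above tolerance" becomes a rank comparison.
RATING_ORDER = ["LOW", "MEDIUM", "HIGH"]
MATRIX_3X3 = [
    ["LOW",    "LOW",    "MEDIUM"],
    ["LOW",    "MEDIUM", "HIGH"],
    ["MEDIUM", "HIGH",   "HIGH"],
]

@dataclass(frozen=True)
class ThreatAct:
    name: str
    capability: int  # 1..N on the matrix axis
    intent: int      # 1..N on the matrix axis

class ThreatCriteria:
    def __init__(self, matrix, rating_order, tolerance):
        n = len(matrix)
        if n not in (3, 4, 5) or any(len(row) != n for row in matrix):
            raise ValueError("matrix must be 3x3, 4x4 or 5x5")
        self.rank = {label: i for i, label in enumerate(rating_order)}
        unknown = {cell for row in matrix for cell in row} - set(self.rank)
        if unknown or tolerance not in self.rank:
            raise ValueError(f"label outside rating order: {unknown or tolerance}")
        self.matrix, self.size, self.tolerance = matrix, n, tolerance

    def rate(self, act):
        """Look up a Threat Act's rating from its Capability and Intent."""
        if not (1 <= act.capability <= self.size and 1 <= act.intent <= self.size):
            raise ValueError(f"{act.name}: axes must be in 1..{self.size}")
        return self.matrix[act.capability - 1][act.intent - 1]

    def populate_risk_register(self, acts):
        """One risk per Threat Act rated at or above the Threat Tolerance."""
        floor = self.rank[self.tolerance]
        return [
            {"risk": f"Risk from {act.name}", "threat_act": act.name, "rating": self.rate(act)}
            for act in acts
            if self.rank[self.rate(act)] >= floor
        ]

# Constructed sample Threat Acts (hypothetical names).
SAMPLE_ACTS = [
    ThreatAct("Opportunistic scanning", capability=1, intent=1),  # LOW
    ThreatAct("Credential stuffing", capability=2, intent=2),     # MEDIUM
    ThreatAct("Targeted intrusion", capability=3, intent=3),      # HIGH
]

def register_for(tolerance):
    return ThreatCriteria(MATRIX_3X3, RATING_ORDER, tolerance).populate_risk_register(SAMPLE_ACTS)
```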
Risk Control Effectiveness Criteria
Risk Control Effectiveness (RCE) criteria are used to assess, in general terms, the design, implementation, operation and continual improvement of the security controls that protect assets from threats. The criteria themselves are reasonably simple: an escalating series of values and statements that describe the effectiveness of individual controls.