Threat and Risk Control Effectiveness Criteria
Threat criteria exist in 3×3, 4×4 and 5×5 matrix configurations, which accommodate the bulk of applications. Threat criteria are associated with the human-derived attributes of ‘Capability’ and ‘Intent’, and users can adjust all aspects of the tables (including labels/ratings, colouring, etc.).
Threat Criteria also include a ‘Threat Tolerance’ setting that allows users to define which Threat Acts are automatically populated within the Risk Register. For example, if Threat Tolerance is set to MEDIUM, only those Threat Acts rated at or above MEDIUM will cause a risk to be created within the Risk Register (ordinarily, with tolerance set at its lowest rating, each Threat Act causes a new risk to be created).
The purpose of this is to enable assessors to maintain the risk assessment focus on threats that are regarded as most relevant/significant, while maintaining others (in the Threat/Hazard Assessment stage) for future review.
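The matrix lookup and tolerance filter described above, as an added illustration that is not the tool's own code: the rating scale, the 3×3 matrix contents, the `ThreatAct`/`Risk` names and the sample Threat Acts are all constructed assumptions, and the example assumes the same ordered scale is used for the Capability and Intent axes and for the matrix cells.

```python
from dataclasses import dataclass

# Ordered rating scale, lowest first. Labels are assumed; the page says users
# can relabel the tables. A 4x4 or 5x5 configuration uses a longer list.
RATINGS = ["LOW", "MEDIUM", "HIGH"]

# Constructed 3x3 threat matrix: row = Capability, column = Intent,
# index 0 = lowest rating on each axis.
THREAT_MATRIX = [
    ["LOW",    "LOW",    "MEDIUM"],  # Capability = LOW
    ["LOW",    "MEDIUM", "HIGH"],    # Capability = MEDIUM
    ["MEDIUM", "HIGH",   "HIGH"],    # Capability = HIGH
]

@dataclass(frozen=True)
class ThreatAct:          # assumed name
    name: str
    capability: str
    intent: str

@dataclass(frozen=True)
class Risk:               # assumed name: one Risk Register entry
    threat_act: str
    threat_rating: str

def rate_threat(act, matrix=THREAT_MATRIX, ratings=RATINGS):
    """Return the matrix cell for the act's Capability x Intent."""
    n = len(ratings)
    if len(matrix) != n or any(len(row) != n for row in matrix):
        raise ValueError("matrix must be NxN with N == len(ratings)")
    return matrix[ratings.index(act.capability)][ratings.index(act.intent)]

def populate_risk_register(acts, tolerance, matrix=THREAT_MATRIX, ratings=RATINGS):
    """Create a Risk only for acts rated at or above the Threat Tolerance.
    Acts below tolerance are left in the threat assessment for later review."""
    threshold = ratings.index(tolerance)  # ValueError if the label is unknown
    register = []
    for act in acts:
        rating = rate_threat(act, matrix, ratings)
        if ratings.index(rating) >= threshold:
            register.append(Risk(act.name, rating))
    return register

# Constructed sample Threat Acts for a small site assessment.
SAMPLE_ACTS = [
    ThreatAct("Opportunistic theft", "LOW", "MEDIUM"),        # -> LOW
    ThreatAct("Vandalism", "MEDIUM", "MEDIUM"),               # -> MEDIUM
    ThreatAct("Insider misuse of access", "HIGH", "MEDIUM"),  # -> HIGH
    ThreatAct("Targeted intrusion", "MEDIUM", "HIGH"),        # -> HIGH
]

if __name__ == "__main__":
    for tol in RATINGS:
        names = [r.threat_act for r in populate_risk_register(SAMPLE_ACTS, tol)]
        print(f"tolerance={tol}: {len(names)} risk(s) created: {names}")
```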
Risk Control Effectiveness Criteria
Risk Control Effectiveness (RCE) criteria are used to assess, in general terms, the design, implementation, operation and continual improvement of the controls that protect assets from threats/hazards. The set of criteria itself is reasonably simple and consists of an escalating series of values and statements that describe the effectiveness of individual controls.