Layer 1
Vectors & Guidance
The lowest level of the model provides high-level information pertaining to cybersecurity. These data points fall into two categories: Vectors and Guidance.
Whether a sensitive activity is in the design, development, or deployment phase, it benefits the organization to understand the failure modes introduced by the activity. Once the failure modes of a process, such as an information technology system, are understood, the defensive work can begin.
Vectors are (1) opportunities for an attacker to exploit a vulnerability in the system, or (2) paths by which neglect could result in unintentional negative outcomes. When documenting a Vector, it is not necessary to understand the technological intricacies, such as the technologies involved at every step. Instead, the focus is on the opportunity for mistake or malice. Vectors can be documented independently or within a catalog, and may similarly be published as standalone artifacts or alongside mitigation guidance. Examples of vectors can be found within the MITRE ATT&CK framework.
Guidance is a concerted documentation effort to help bring about an optimal future without foreknowledge of the implementation details. The constituent parts of guidance, called guidelines, do not typically stand on their own, and are most often published as part of a long-standing guidance catalog. Each guideline often includes explanatory context and recommendations for designing optimal outcomes.
Guidance may be written internally for unique circumstances, but it is often developed by industry groups, government agencies, or international standards bodies. Examples include the OWASP Top 10, NIST Cybersecurity Framework, HIPAA, GDPR, CRA, or any of the PCI and ISO standards.
Vector artifacts can be referenced by both Guidance and Threats to accelerate authoring and increase fidelity. Similarly, Guidance artifacts can be referenced by Controls to demonstrate how a particular control applies the respective guidance statement.