Layer 1
Vectors & Guidance
The need for generic, high-level Risk Assessment is typically surfaced by factors or requirements far removed from the scope of the activity that is being assessed. Sometimes the need is made clear due to a Rule such as legislation. Other times, this type of activity is demanded as a precursor for Controls in a new technology category that has yet to be fully assessed — such as we have seen with the emergence of artificial intelligence.
When documenting a Vector, it is not necessary to understand the technological intricacies, such as the exact technologies involved at every step. Instead, the focus is on the opportunity for mistake or malice. Vectors can be documented independently or within a catalog, and may similarly be published as standalone artifacts or alongside related Guidance. The techniques in the MITRE ATT&CK framework are one example of Vectors.
The constituent parts of a Guidance, referred to as Guidelines, do not typically stand on their own, and are most often published as a longstanding Guidance Catalog. Each Guideline often includes explanatory context and recommendations for designing optimal outcomes without foreknowledge of implementation details.
Guidance may be written internally for unique circumstances, but it is often developed by industry groups, government agencies, or international standards bodies. Examples include the OWASP Top 10, NIST Cybersecurity Framework, HIPAA, GDPR, CRA, or any of the PCI and ISO standards.
As noted in Figure 5.1, Vector artifacts can be referenced by both Guidance and Threats to accelerate authoring and increase fidelity. Similarly, Guidance artifacts can be referenced by Controls to demonstrate how a particular Control applies the respective Guideline.
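The relationships described above (Guidelines citing Vectors, Controls citing Guidelines) form a small cross-reference graph, and the practical maintenance problem with such a graph is dangling or missing references. The following is an added example, not code from the page or from the framework it describes: it models the Layer 1 artifacts as plain Python dataclasses and runs an integrity check over the references. The identifier scheme (`V-001`, `G1:GL-1`) and the sample catalog contents are constructed for illustration.

```python
"""Added example: a minimal model of Layer 1 artifacts (Vectors, Guidelines
grouped into a Guidance catalog), the later-layer Controls that cite them, and
an integrity check over those cross-references. Identifiers and sample data
are constructed for this example and are not from any real catalog."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Vector:
    """An opportunity for mistake or malice, documented without technology detail."""
    id: str
    name: str
    external_ref: Optional[str] = None  # e.g. an ATT&CK technique id, if one applies


@dataclass(frozen=True)
class Guideline:
    """One entry in a Guidance catalog; may cite the Vectors it addresses."""
    id: str
    text: str
    vectors: tuple = ()  # Vector ids this Guideline references


@dataclass
class Guidance:
    """A catalog of Guidelines, whether from a standards body or written internally."""
    id: str
    source: str
    guidelines: dict = field(default_factory=dict)  # guideline id -> Guideline


@dataclass(frozen=True)
class Control:
    """A Control cites the Guideline(s) it applies, as '<guidance_id>:<guideline_id>'."""
    id: str
    applies: tuple = ()


def check_references(vectors, guidances, controls):
    """Return integrity findings: dangling references and Vectors nothing cites.

    Findings are plain strings so they can be fed to a linter or CI step.
    Order: Guideline->Vector problems, then Control->Guideline problems,
    then uncited Vectors (sorted by id).
    """
    findings = []
    vec_ids = {v.id for v in vectors}
    gl_keys = {f"{g.id}:{gl.id}" for g in guidances for gl in g.guidelines.values()}
    cited_vectors = set()

    for g in guidances:
        for gl in g.guidelines.values():
            for v in gl.vectors:
                if v not in vec_ids:
                    findings.append(f"{g.id}:{gl.id} cites unknown Vector {v}")
                cited_vectors.add(v)

    for c in controls:
        if not c.applies:
            findings.append(f"Control {c.id} cites no Guideline")
        for ref in c.applies:
            if ref not in gl_keys:
                findings.append(f"Control {c.id} cites unknown Guideline {ref}")

    for v in sorted(vec_ids - cited_vectors):
        findings.append(f"Vector {v} is not cited by any Guideline")
    return findings


def demo():
    """Constructed sample catalog with one problem of each kind; returns the findings."""
    vectors = [
        Vector("V-001", "Reuse of valid credentials", external_ref="T1078"),
        Vector("V-002", "Untrusted input reaching an interpreter"),  # nothing cites this
    ]
    g1 = Guidance("G1", "constructed example catalog")
    g1.guidelines["GL-1"] = Guideline(
        "GL-1", "Require strong, unique authentication for every account.",
        vectors=("V-001", "V-999"),  # V-999 does not exist: dangling reference
    )
    controls = [
        Control("C-1", applies=("G1:GL-1",)),   # valid
        Control("C-2", applies=("G1:GL-9",)),   # GL-9 does not exist: dangling reference
    ]
    return check_references(vectors, [g1], controls)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The check is deliberately independent of what the Vectors or Guidelines say; it only enforces that every reference resolves and that no Vector sits in the catalog unused, which is the kind of drift that appears when Guidance catalogs and Vector catalogs are revised on different schedules.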