Analyze threats and vulnerabilities in information systems.

Analysis should include concepts such as

• threat – a circumstance or event that has or indicates the potential to exploit vulnerabilities and to adversely affect organizational operations, organizational assets, individuals, other organizations, or society
• vulnerability – a characteristic or specific weakness that renders an organization or asset open to exploitation by a given threat or susceptible to a given hazard
• asset (as it relates to a secure environment) – persons, structures, facilities, information and records, information technology systems and resources, materials, processes, relationships, or reputation that has value
• exploit – a technique to breach the security of a network or information system
• attack vector – a path or route used by the adversary to gain access to the target (i.e., asset)
• threat agents – an individual, group, organization, or government that conducts or has the intent to conduct detrimental activities
• safeguards – a practice, procedure, or mechanism that reduces risk.

Process/Skill Questions:

Thinking

• What is an asset in a secure environment?
• What is an attack vector?

Communication

• What information should be communicated to stakeholders when a cyber threat has been identified?
• What are communication consequences if individuals do not understand cybersecurity threat and vulnerability issues?

Leadership

• How can leaders guide others to identify and analyze threat actors?
• How can leaders support others in learning more about threat actors?

Management

• What consequences may result if a person is not alert to the presence of cyber threats?

Teacher Resources:

• National Initiative for Cybersecurity Careers and Studies (NICCS) Links to an external site.
• Information System and Audit Control Association (ISACA) Links to an external site.
• Cybersecurity and Infrastructure Security Agency Links to an external site.