You3 next level
Feb 23rd, 2012 by Jesper Kråkhede
You have probably heard of the You3 analysis model before. It used to be just a nice graphical tool for presenting risks, but over the last two weeks I have spent some time actually creating an analysis model whose outcome is very similar to the presentation model.
Using it as a way of describing risks is all well and good, but using it to analyse risks and to map security mechanisms and impact is something completely new. A common flaw in security is a lack of understanding of when a security mechanism is actually active and when it is not. A simple example is hard drive encryption, which is active only when the computer is turned off. So if you run a 24/7 business, why would you invest in such a mechanism?
It all falls back on the risk analysis and the understanding of who the culprits are (internal or external). Mapping the actors to You3 helps you have a sound discussion with any type of security vendor and make sure that your money is spent on effective tools rather than on something you have already paid for twice.