Threat Scenarios - Methodology
Threat Scenario Construction
Each threat scenario file (S-00X.md) must contain the following elements:
| Field | Description |
|---|---|
| Scenario ID | Unique identifier (S-001, S-002…) |
| Target Asset | Asset impacted, link to asset catalogue (mandatory) |
| Threat Source | External attacker, insider, natural event, etc. |
| Attack Vector | Means to exploit a weakness (phishing, exposed service, mis-configuration) |
| Potential Impact | Business or operational consequences |
| Likelihood | Probability of occurrence (qualitative or quantitative) |
| Impact Rating | Severity of consequences if realized |
| Risk Rating | Combined assessment of Likelihood and Impact |
| Mitigation | Measures to reduce exposure |
| Owners | Responsible teams (Ops/Sec/Dev) |
| References | ISO/NIST/GDPR or internal guidance |
| Response Actions | Steps if scenario occurs (containment, eradication, recovery, post-incident) |
- Risk Rating Calculation: See the Risk Matrix in Risk Modeling Methodology. Likelihood and Impact assessments for each scenario are combined according to the EBIOS RM scoring rules.
- File Format: Markdown with YAML front-matter including `title`, `version`, `last_updated`, `owner`, `review_frequency`.
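A minimal conformance check for a scenario file, suitable for a pre-merge gate. This is an added example, not tooling from this methodology. It assumes the fields are recorded as rows of a two-column Markdown table and that the front-matter is flat `key: value` pairs; `lint_scenario` and the sample file are hypothetical.

```python
import re

# Required names are the page's; the layout (flat "key: value" front matter,
# fields as "| Field | Value |" table rows) is an assumption of this example.
FRONT_MATTER_KEYS = ["title", "version", "last_updated", "owner", "review_frequency"]
REQUIRED_FIELDS = ["Scenario ID", "Target Asset", "Threat Source", "Attack Vector",
                   "Potential Impact", "Likelihood", "Impact Rating", "Risk Rating",
                   "Mitigation", "Owners", "References", "Response Actions"]
LINK = re.compile(r"\[[^\]]+\]\([^)\s]+\)")  # markdown link: [text](target)

def lint_scenario(filename, text):
    """Return a list of findings; an empty list means the file conforms."""
    findings = []
    name = re.fullmatch(r"(S-\d{3})\.md", filename)
    if not name:
        findings.append("filename does not match S-00X.md")
    # Front matter: opened by '---' on line 1, closed by the next '---' line.
    lines = [l.strip() for l in text.strip().splitlines()]
    meta, body = {}, lines
    if lines and lines[0] == "---" and "---" in lines[1:]:
        end = lines.index("---", 1)
        meta = {k.strip(): v.strip() for k, sep, v in
                (l.partition(":") for l in lines[1:end]) if sep}
        body = lines[end + 1:]
    else:
        findings.append("missing YAML front-matter block")
    findings += [f"front-matter key missing or empty: {k}"
                 for k in FRONT_MATTER_KEYS if not meta.get(k)]
    # Body: collect two-column table rows into {field: value}.
    fields = {}
    for line in body:
        cells = [c.strip() for c in line.strip("|").split("|")]
        if line.startswith("|") and len(cells) == 2:
            fields[cells[0]] = cells[1]
    findings += [f"field missing or empty: {f}"
                 for f in REQUIRED_FIELDS if not fields.get(f)]
    if name and fields.get("Scenario ID") and fields["Scenario ID"] != name.group(1):
        findings.append("Scenario ID does not match filename")
    if fields.get("Target Asset") and not LINK.search(fields["Target Asset"]):
        findings.append("Target Asset has no link to the asset catalogue")
    return findings

# Constructed sample file (not from the page): the asset is named but not linked.
SAMPLE = "---\ntitle: Phishing\nversion: 1.0\nlast_updated: 2024-01-01\nowner: Sec\n---\n" + \
    "".join(f"| {f} | {'S-002' if f == 'Scenario ID' else 'mail gateway'} |\n"
            for f in REQUIRED_FIELDS)
print(lint_scenario("S-001.md", SAMPLE))
```

The sample trips three checks: the missing `review_frequency` key, a Scenario ID that disagrees with the filename, and a Target Asset with no catalogue link.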
Methodological References:
- ISO 27001 - Clause 6.1.2 Risk assessment and treatment; Control 5.1 Policies for information security; Control 8.2 Privileged access rights.
- NIST CSF - ID.AM, PR.AC, DE.CM.
- GDPR - Art. 32-35 Security of processing, breach notification, DPIA.
- EBIOS RM - Threat scenario definition, risk scoring.