Issue prioritization, security control types, and functions
A threat-modeling exercise often surfaces more issues than you expected. Without prioritization, engineers can be overwhelmed and unsure of which issues to tackle first.
How to start
First, determine how critical each issue is to your system. Second, select the security controls that provide the most protection at the lowest possible cost.
Determine priority of security issues
Security issues are prioritized by the severity of the risk they pose: how much damage an attacker could do by exploiting the threat, and how likely that exploitation is. The labels vary from organization to organization, but they tend to follow a scale from low risk to critical.
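The following script is an added example, not part of this module, showing one common way to turn a list of threat-model findings into a prioritized queue. It assumes a 1-to-5 likelihood scale, a 1-to-5 impact scale, and label thresholds that are placeholders for whatever your organization uses; the finding titles are constructed sample data.

```python
from dataclasses import dataclass

# Labels run from low risk to critical. The names and thresholds below are
# assumed for this example; organizations use their own.
LABELS = ("Low", "Medium", "High", "Critical")


@dataclass(frozen=True)
class Finding:
    title: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) .. 5 (severe); assumed scale


def risk_score(finding: Finding) -> int:
    """Likelihood x impact, giving 1..25 on the assumed scales."""
    for rating in (finding.likelihood, finding.impact):
        if not 1 <= rating <= 5:
            raise ValueError(f"rating out of range 1..5: {rating}")
    return finding.likelihood * finding.impact


def risk_label(score: int) -> str:
    """Map a score to a label. Thresholds are assumed; tune to your risk appetite."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def prioritize(findings):
    """Return (title, score, label) tuples from most to least severe.

    Ties are broken by impact first, so a severe-but-unlikely issue is not
    buried beneath a likely-but-trivial one with the same product.
    """
    ranked = sorted(findings, key=lambda f: (-risk_score(f), -f.impact, f.title))
    return [(f.title, risk_score(f), risk_label(risk_score(f))) for f in ranked]


# Constructed sample findings from a hypothetical threat-model review.
SAMPLE_FINDINGS = [
    Finding("Verbose error pages leak stack traces", likelihood=4, impact=1),
    Finding("Admin API reachable without authentication", likelihood=4, impact=5),
    Finding("Backups stored unencrypted in shared bucket", likelihood=2, impact=5),
    Finding("Session tokens logged in plaintext", likelihood=3, impact=3),
]

if __name__ == "__main__":
    for title, score, label in prioritize(SAMPLE_FINDINGS):
        print(f"{label:<9} {score:>2}  {title}")
```

The point of keeping the thresholds in one place is that the label scheme changes between organizations while the ranking logic does not; when you adopt a different scale, only `risk_label` needs to move.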
Types and functions
Security controls are classified by type (what form the control takes) and by function (which phase of a threat the control addresses).
There are three main types of security controls, each covering a different form of security.
Examples include:
- Physical: Cameras, badges, and fences
- Technical: Encryption, virtual firewalls, and antivirus
- Administrative: Policies, regulations, and written requirements
Functions describe how a control protects your system at each phase of a potential threat.
Examples include:
- Preventive: Locks that stop a break-in from happening.
- Detective: Cameras that detect a break-in in progress.
- Corrective: A response plan that contains and corrects the break-in.
- Recovery: Repairs to the damage caused by the break-in.
- Deterrent: Signs and added security controls that discourage future break-ins.
In the next few units, we look at priorities, types, and functions.