Top 10 Questions for the Threat Agent Risk Assessment (TARA) methodology

I have compiled a collection of the most common questions asked regarding the Threat Agent Risk Assessment (TARA) methodology.

  1. What is the purpose of TARA?
    TARA is a method to distill the immense number of possible threats into a manageable picture of the most likely attacks to occur, based upon the objectives and methods of those who possess the capability and desire to do harm.  It is a way of conducting risk assessments to produce a more understandable and realistic picture, so effective security decisions can be made.
  2. Why should my organization incorporate TARA?
    TARA can help if your organization is challenged with building a practical, accurate, and comprehensive security risk analysis that scales and adapts to a changing risk landscape.  This has been a major challenge in the industry, where vulnerability assessments are the norm and the resulting outputs, the value of controls, and the recommendations are nebulous.
  3. What are the primary benefits of TARA?
    I have seen 3 primary areas of benefit.
    1. Greatly distilling the cloud of potential attacks, down to a manageable list of likely attacks
    2. Improving the quality of risk and control evaluations, to better understand the value of security investments
    3. Communicating risks and recommendations to management and non-security audiences
    TARA is highly customizable by the user and can help provide relevant information necessary for management to make good security decisions.
  4. Does TARA replace all other methods of risk assessment?
    No.  TARA is a methodology.  It is a way of looking at and assessing the threat landscape.  It complements and integrates with an organization’s existing tools, methods, and processes.  It can improve results, reduce overall risk analysis effort, and contribute to better decision making.
  5. Is TARA a tool, application, device, or checklist?
    TARA is a way of analyzing risks (risk of loss) based upon the relationship between an attacker’s capability and desire to cause loss, the applicable vulnerabilities and controls, and the residual exposures that remain.  The method can be incorporated into risk analysis tools, applications, and processes.
  6. Is TARA relevant for a whole enterprise and applicable to small projects?
    The methodology applies well across the risk assessment spectrum.  It works when determining the overall risk posture of large enterprises and scales to highlight discrete risks for small projects.
  7. Where did TARA come from, is it free to use?
    TARA was created within Intel in response to the need to evaluate the security risks of a very complex, rapidly changing threat landscape for a large, extremely valuable, and diverse environment.  As the saying goes, ‘necessity is the mother of invention’.  Available risk tools and methods were insufficient for the need.  TARA was created and used very successfully to evaluate and communicate risks and recommendations.  Intel has shared this success with the industry, and TARA is free for anyone to adopt and use.
  8. How can I use TARA to communicate risks to non-security audiences?
    TARA results in an easily understandable story of risk.  Even non-security audiences have readily embraced the outputs of TARA as it helps them to understand the sometimes vast and complex world of security risks.
  9. What industries have embraced TARA?
    Over the past few years I have consulted to a number of different industries including: manufacturing, insurance, healthcare, technology, education, financial, government, and security/risk consultancy firms.
  10. Where can I get more information, resources, or help on TARA?
    A number of whitepapers, blogs, presentations, and interviews are available.  As each adoption of TARA is different, by design, there is no mandated template or standard playbook.  TARA is customized to meet the specific needs of its users as a way of embedding threat agent analysis into risk assessments.

Intel’s original Threat Agent Risk Assessment whitepaper: http://communities.intel.com/community/openportit/blog/2010/01/05/whitepaper-prioritizing-information-security-risks-with-threat-agent-risk-assessment

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.