IntermediateThreat Assessments

15 min

Threat Assessment Models

Because 'seems dangerous' Is Not a Methodology

There's more than one way to measure danger. Pick the right ruler.

🦔

Bristles(Hedgehog)

"Ah, models. I have opinions. Some models are like Swiss Army knives -- versatile, but you will cut yourself if you use the wrong tool. Pick wisely, and stop trying to use OCTAVE when all you need is CARVER."

Mission Briefing

In the previous lesson, you learned what threat assessment is. Now it is time to get specific. A threat assessment model is a structured framework that ensures consistency, rigour, and reproducibility in your analysis. Without a model, every assessment is a snowflake -- unique, drifting, and likely to melt under scrutiny.

This lesson covers why structured models matter, surveys three widely used frameworks, examines the qualitative-versus-quantitative debate, and introduces the 4 Ds mitigation framework. By the end, you will know which tool to reach for and when.

The human brain is excellent at spotting patterns. It is also excellent at spotting patterns that do not exist. Models help with that.

Field Exercise

Scenario: The Regional Data Centre

You are the threat assessment lead for a regional bank with a data centre that processes all transactions for 14 branches across three states. The security team has reported unusual network reconnaissance traffic originating from an IP address linked to a known cybercrime forum. The data centre has physical access controls, standard antivirus, and a perimeter fence. There is no dedicated security operations centre. Incident response is handled by the IT team during business hours.

Your task: Apply two models to this scenario.

Using CARVER: Score the data centre on all six factors (1-5 scale) and identify the top priority vulnerability.
Using the 4 Ds: Evaluate the bank's current posture across deter, detect, delay, and defend. Which D needs the most attention?

Hint: The lack of a SOC and after-hours incident response means one of the Ds is essentially missing. Which one, and what would you recommend as the first fix?

Debrief — Key Takeaways

›Unstructured threat assessment is vulnerable to cognitive biases like availability, anchoring, confirmation bias, and overconfidence.
›NTAS is for public communication; CARVER is for asset prioritisation; OCTAVE is for organisational cybersecurity risk reviews.
›Qualitative methods are flexible but inconsistent; quantitative methods are precise but prone to false precision. Use a hybrid approach.
›CARVER scores six factors (Criticality, Accessibility, Recuperability, Vulnerability, Effect, Recognisability) to rank targets or assets.
›The 4 Ds framework (Deter, Detect, Delay, Defend) provides a layered mitigation strategy. Let your threat assessment guide resource allocation.
›No single model fits every situation. Build a toolkit of models and choose based on time, audience, and threat type.

TL;DR: Models are training wheels for your brain. Eventually you ride without them. But keep them nearby for steep hills.

Next Mission

Intelligence Failures

Learn from past intelligence failures and how structured analysis could have prevented them.