NIST SP 800-66r2 ipd INITIAL PUBLIC DRAFT
IMPLEMENTING THE HIPAA SECURITY RULE: A CYBERSECURITY RESOURCE GUIDE
4. Determine the Likelihood of a Threat Exploiting a Vulnerability. In this step, the regulated entity determines the likelihood of a threat successfully exploiting a vulnerability. For each threat event/threat source identified in step 2, consider:
• The likelihood that the threat will occur
• The likelihood that an occurred threat would exploit a vulnerability identified in step 3 to result in an adverse impact
A regulated entity might consider assigning a likelihood value (e.g., very low, low, moderate, high, or very high) to each threat/vulnerability pairing, as shown in Table 3. Regulated entities should feel free to use a different likelihood scale based on organizational needs.
For example, a regulated entity may determine that the likelihood of a tornado occurring is “Low” (located along the leftmost column of Table 3) but that if it did occur, the tornado would have a “Moderate” likelihood (located along the top of Table 3) of exploiting a weakness in the facility’s physical structure and result in adverse impact. Using Table 3, the regulated entity locates the intersection of the two individual likelihood values to assign an overall likelihood of “Low” to this threat/vulnerability pairing. As another example, the regulated entity may determine that the likelihood of a phishing attack occurring is “Very High” and that the likelihood of the event exploiting a human vulnerability is “Moderate,” resulting in an overall likelihood rating of “High.”
Table 3 – Assessment Scale for Overall Likelihood

Rows give the Likelihood of Threat Event Initiation or Occurrence; columns give the Likelihood that Threat Events Result in Adverse Impacts. The cell at their intersection is the overall likelihood.

| Likelihood of Threat Event Initiation or Occurrence | Very Low | Low | Moderate | High | Very High |
| --- | --- | --- | --- | --- | --- |
| Very High | Low | Moderate | High | Very High | Very High |
| High | Low | Moderate | Moderate | High | Very High |
| Moderate | Low | Low | Moderate | Moderate | High |
| Low | Very Low | Low | Low | Moderate | Moderate |
| Very Low | Very Low | Very Low | Very Low | Low | Low |
The regulated entity could perform this likelihood assessment for each threat/vulnerability pairing. Consider that some threat events, regardless of their likelihood of occurrence, may have no vulnerability to exploit, resulting in a likelihood rating of “Very Low” or even “N/A.” Conversely, some identified vulnerabilities may have no identified threat event that could exploit the vulnerability, also possibly resulting in a likelihood rating of “N/A.”
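The step 4 procedure above (rate each threat/vulnerability pairing by locating the intersection of its two individual likelihoods in Table 3, and rate unpaired threats or vulnerabilities "N/A") carried through as an added Python example. This is illustration written for this page, not code from NIST SP 800-66r2; the `Pairing` structure, the `assess` and `table_is_monotone` helpers and the sample register are constructed here. The monotonicity check goes slightly beyond the text: it is a sanity test a regulated entity can run if it substitutes its own likelihood scale, as the guide permits.

```python
"""Step 4 worked example: assign an overall likelihood to each threat/vulnerability
pairing using the Table 3 scale. Added illustration, not NIST's own code; the
sample pairings below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The five-point scale used on both axes of Table 3, ordered lowest to highest.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Table 3 transcribed: key = likelihood of threat event initiation/occurrence (row),
# value = overall likelihood per column, in LEVELS order of the likelihood that the
# threat event results in an adverse impact.
TABLE3 = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass
class Pairing:
    """One threat/vulnerability pairing from steps 2 and 3 (hypothetical structure)."""
    threat: Optional[str]          # None: a vulnerability with no identified threat event
    vulnerability: Optional[str]   # None: a threat event with no vulnerability to exploit
    occurrence: Optional[str]      # likelihood the threat event occurs, or None
    adverse_impact: Optional[str]  # likelihood an occurred event exploits the weakness, or None


def overall_likelihood(occurrence: Optional[str], adverse_impact: Optional[str]) -> str:
    """Look up the intersection of the two individual likelihoods in Table 3.

    Either side being None means there is nothing to pair (no threat for the
    vulnerability, or no vulnerability for the threat), which the guide treats
    as a rating of "N/A".
    """
    if occurrence is None or adverse_impact is None:
        return "N/A"
    if occurrence not in TABLE3 or adverse_impact not in LEVELS:
        raise ValueError(f"unknown likelihood level: {occurrence!r}/{adverse_impact!r}")
    return TABLE3[occurrence][LEVELS.index(adverse_impact)]


def assess(pairings: List[Pairing]) -> List[Tuple[Optional[str], Optional[str], str]]:
    """Rate every pairing and return (threat, vulnerability, overall) sorted
    highest likelihood first, with N/A entries last (sort is stable, so ties
    keep register order)."""
    rated = [(p.threat, p.vulnerability, overall_likelihood(p.occurrence, p.adverse_impact))
             for p in pairings]
    rank = {level: i for i, level in enumerate(LEVELS)}   # N/A falls below Very Low
    return sorted(rated, key=lambda r: rank.get(r[2], -1), reverse=True)


def table_is_monotone(table=TABLE3) -> bool:
    """Sanity check for an entity that substitutes its own scale: the overall
    likelihood must never decrease as either input likelihood increases."""
    rank = {level: i for i, level in enumerate(LEVELS)}
    rows = [table[level] for level in LEVELS]            # lowest occurrence row first
    for row in rows:                                     # across each row
        if any(rank[row[i]] > rank[row[i + 1]] for i in range(len(row) - 1)):
            return False
    for col in range(len(LEVELS)):                       # up each column
        if any(rank[rows[i][col]] > rank[rows[i + 1][col]] for i in range(len(rows) - 1)):
            return False
    return True


# Constructed sample register: the two examples from the text plus the two
# "nothing to pair" cases described at the end of the step.
SAMPLE_PAIRINGS = [
    Pairing("Tornado", "Facility structure not rated for high winds", "Low", "Moderate"),
    Pairing("Phishing email", "Workforce members open links in unsolicited email",
            "Very High", "Moderate"),
    Pairing("Geomagnetic storm", None, "Moderate", None),                # threat, no vulnerability
    Pairing(None, "Unused modem still attached to a lab system", None, None),  # vulnerability, no threat
]

if __name__ == "__main__":
    for threat, vuln, overall in assess(SAMPLE_PAIRINGS):
        print(f"{overall:>9}  {threat or '-'} / {vuln or '-'}")
    print("Table 3 monotone:", table_is_monotone())
```

Running the block reproduces the two ratings given in the text (tornado: Low; phishing: High) and places the two unpaired entries at the bottom of the register as "N/A". Because `overall_likelihood` raises on any level outside the five-point scale, an entity that adopts a different scale must also replace `LEVELS` and `TABLE3` together, and `table_is_monotone` will flag a replacement table whose ratings go the wrong way.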