5 THREAT AND VULNERABILITY ASSESSMENT
In 2002, US Secretary of State Donald Rumsfeld said the following during a briefing:
“There are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don’t know we don’t know.”
This is partly true of threats, but very true of vulnerabilities.
CONDUCTING THREAT ASSESSMENTS
Some experts believe that the threat and vulnerability assessments should be carried out ahead of the impact assessments; others disagree and opt for the reverse arrangement.
The author believes that, in practice, either method will suffice as long as the information assets have been clearly ...