Threat Agents


A threat agent is an active entity motivated to attack our mobile devices and activities. We may identify threat agents as specific organizations or individuals, like Anonymous, or we may classify them by goals or methods of operation (MOs). For example, shoplifters are a class of threat agent that attacks retail stores.

[This post is another piece of text I’m writing as part of a mobile security writing project. It was originally part of another post, but it can stand on its own.]

A threat agent has the following properties:

  • A set of goals – these may be political, financial, religious, or reflect other personal or community values.
  • A level of motivation – this indicates the types of risks the agent is willing to take and the levels of damage it is willing to cause in pursuing the goals. The levels are discussed below.
  • Assets and resources – these indicate the types and amount of effort the agent may expend. Effort may be spent on training or collecting data for an attack as well as the costs of the attack itself.
  • Method of operation/MO – these are the typical features of the agent’s attacks.

The levels of motivation contain two scales. The lower three levels reflect risks in typical social environments, like households or small businesses. The higher three levels represent risks faced in the world at large.

  • Unmotivated – Potential threat agents are not at all motivated to attack.
  • Scant motivation – Threat agents may take advantage of unprotected assets if the risk of detection is small. Attacks won’t occur unless they can succeed with little or no effort or sophistication.
  • Stealth motivation – Threat agents may be motivated to invest in and use established techniques to attack assets, as long as the risk of detection is small.
  • Low motivation – willing to cause detectable damage of limited scope.
  • Moderate motivation – willing to cause damage, though not to cause significant damage or serious injury to people.
  • High motivation – willing to cause significant damage, including death or serious injury of people.

The higher three risks match those in the Risk Management Framework (RMF) developed by the U.S. National Institute of Standards and Technology (NIST) for assessing risk in U.S. government systems.