How does the PTA model connect mitigating activities with the impact they address?
This question arose from a real-life risk assessment case description sent to us. The story goes like this: a risk of fire in the computer room and premises leads to a disruption of operation and loss of data. The fire may be caused by a vulnerability: fire hazards such as cardboard boxes and plastics that are not disposed of according to policy. One possible mitigation activity might be to assign a janitor to sweep the room daily and remove hazards; this is an obvious mitigation activity that reduces risk. Another mitigation activity might be to install an automatic fire-extinguisher. While this activity does not directly address a specific vulnerability, it surely has a mitigation value since it limits the impact of a fire in the computer room. What is the PTA way to represent an activity that limits possible damage to the asset itself rather than mitigating a specific vulnerability? The answer: the PTA threat model encourages analysts to break down risk entities into their compon