Threat Analysis

Page #47 of Chapter: Crypto-for-the-rest-of-us


Defensive cryptography must be preceded by a thorough Threat Analysis. Too often one throws in expensive crypto devices that stop no attack, and only burden the legitimate users. The threat is the only justification for any defensive cryptographic measure.

One should distinguish between a 'vulnerability analysis', which many security vendors offer and use as a means to justify their own crypto tools, and a Threat Analysis. The former identifies areas where a hacker can penetrate with relative ease. Threat analysis, by contrast, encompasses:

  • vulnerability
  • benefit to the hacker (motivation)
  • available resources (time, money, talent)

A vulnerability in a situation that is not profitable to the hacker is of less concern than a lesser vulnerability that offers the hacker greater profit. Similarly, a vulnerability that can be exploited only by a well-motivated hacker, but one who lacks the needed resources, is also of lesser interest.

Version CE-H6703 (SERVER) Crypto Academy