Hi, folks. Edd here. Now, in the previous video, we went through and introduced the concept of thread asset matrix. And I just want to spend a few minutes here as kind of a bridge to doing some examples with you, to just remind you that as we do a thread asset matrix, each of the individual cells in the matrix corresponds to a risk assessment. Does that make sense? So as we look at a cell, as I look at a pairing between an asset, like your hardware and a threat like confidentiality, and I come to some determination that perhaps the cross product is low risk, well, where did that come from? How did I determine that something is low risk? Now, we've talked earlier about a couple of different techniques. One of them being thread trees. So a possibility might be taking that cross-product hardware, confidentiality, and taking that down looking at insiders, outsiders, and combined. Whether it involves an automated attack or a manual attack or combined, and you take that, then it may be that you decide as the engineer that you want to do a thread tree for each of the cells in a threat asset matrix. Ain't that interesting? Each cell is itself a risk management activity. That's pretty profound because the way I want you to think about these things, the way I want you to think about security engineering in general is that as we identify different types or categories of issues that we're going to be working through, each of those categories, each cell in a threat asset matrix is itself a little mini project. Okay? That's something that I think is hard for engineers, developers, hackers to understand. A lot of times you think, "What does a manager do?" Managers. It just seems like all they do is sit there and watch us work. But the essence of management is providing structure around work activity so that the way to think about a threat asset matrix is that it organizes the work activity that allows us to characterize both quantitatively and qualitatively the risk associated with some threat asset pair that resides as a cell in our matrix. And that's all big mouth full of words but what it comes down to is that in a thread asset matrix, it's a mapping of work. So you can see we've shown a chart here that shows a low risk for hardware and confidentiality, makes good sense. But what about software and integrity? Right? If we did the math, we did the analysis, did the risk management activity, we'd come to the conclusion that in most scenarios, the idea that the software in your infrastructure might have malware, might have bot software embedded, might have Trojan horses, could have trapdoors, different types of integrity problems, that's usually really serious. That's something that in most environments. Think about a bank, for example, it's the last thing that you could possibly tolerate. There cannot be that problem. So you can see how confidentiality of your hardware. Pretty important but they're like, "So you know that I'm running this type of processor with this type of OS." I understand that hackers want to know that. I get that. I'm not saying anything is zero risk, but that risk versus malware embedded in the system software, you can see the difference. Does that make sense? It's important because as we get deeper into all of this and as I sort of step away from the management issues as we get further along and dig into some technology, I want you to keep that in mind. I think it's been a technique that I've used for many years. I've been teaching cybersecurity now for almost 30 years. And I find that a lot of my students over the years always want to dive immediately into cryptography, immediately into the fun technical detail. And I always slow them down. Time out. And try and force a thought process where you're understanding that foundation is all about risk management. And you might decide, for example, that the difference between putting cryptography in a system or taping a sign on top of a server and saying, Do not touch this, may be minimal. You may remember from an earlier video, we talked about a soda machine that we were breaking into and came to the conclusion that maybe taping a sign on the soda machine was just as effective as putting some functional mechanism or hanging a camera. So it's an interesting sort of discipline, that cybersecurity is something that requires a little bit of management skill, a little bit of technical skill, but in the context of threat asset matrices, I want you to think of each cell as a risk management activity. Now, what we're going to do, we're going jump into another video. I hope you'll go right on to the next one because we're going to start into a case study where we go through a real network, through a real analysis, and come up with some practical recommendations for what they may do. So I'll see you in the next video.
