Threat assessment, vulnerability analysis, or risk assessment: What do you need before you can do any or all of these?
Obviously, this is a trick question. It is intended to remind you of what you need to ask first, before addressing these other issues. Before threat assessment, vulnerability analysis, or risk assessment is meaningful, you have to know what you need to protect.
A good way to start this analysis is by asking what could put you out of business. There may be many things that could put you out of business: fire, flood, natural disaster, loss of trade secrets, excessive latitude allowed to individual traders. The list seems endless but is, in fact, rather finite, as many of our clients discover in going through this process with us. The one sure thing is that if you do not ask this one question, you will never know the answer and never have appropriate defenses in place.
While the issue of how to protect is the more interesting part of the problem, in truth this is something that should fall naturally out of the cost/benefit analysis. Once you have determined what needs to be protected, you can go through all the other steps to assess how vulnerable you are and where. You can figure out from whom or what you need to be protecting yourself, the probability of facing any particular threat, and the cost of an incident if it happens. With this in place, you can make rational decisions as to what to protect and how. The bottom line is that without knowing what to protect, you won’t be able to protect it at all.