Published 2026-03-29
Simplifying Threat Assessments with HAM533
HAM533 is a simple threat assessment transform that estimates threat probability and impact using three variables: history, access, and means.
Introduction to HAM533
HAM533 allows more granular threat assessment than low-medium-high models with very little information cost. You select from a limited number of choices for each of three factors (history, access, and means) to generate numeric values for threat probability and impact. The HAM533 model is a good compromise between accuracy and information costs.
History
The first factor is history — the approximate frequency with which the threat occurs. Values range from "improbable" to "continuous." A meteor impact is improbable; a hurricane in Florida might be occasional; Internet script kiddies would be rated continuous.
Access
The second factor is access — the level of access the threat agent has to your assets, ranging from "outsider access" to "privileged access." For natural threats, a rain shower has outsider access while a tornado has privileged access.
Means
The third factor is means — the resources available to the threat agent: "individual," "corporation," or "nation state." A script kiddie has individual means; an advanced persistent threat (APT) has nation state means. For natural threats, this refers to the energy available: a gentle rain is individual, a hurricane is nation state.
Probability & Impact
Every HAM533 threat has two calculated values. Probability is the likelihood that the threat will occur. Impact is the effect if it does occur, calculated by holding history at its maximum value of 5. A script kiddie (probability 11%, impact 11%) has many daily occurrences, so its history is already at the maximum and its probability and impact are the same. A pandemic (probability 9%, impact 44%) occurs rarely but with very high impact.
HAM533 Calculator
The calculator is loaded with pre-defined threats. You can:
- Add new threats by clicking "New Threat"
- Edit a threat by double-clicking its entry in the table
- Delete threats by selecting them and clicking "Delete Threat(s)"
- Download your assessment by clicking "Export"
The predefined threats do not represent categorical values — human, natural, and technological threats vary by region and organization.
Threats Versus Promises
HAM533 can also perform a promise assessment. A promise is the upside risk equivalent of a threat. Buying a lottery ticket carries the threat of losing the ticket price, but the promise of a huge return. The threat can be expressed as {H, A, M} = {5, 1, 1}, while the promise of winning is {1, 1, 2}.
Accuracy & Precision
HAM533 does not generate actual probabilities, but it increases the granularity of threat assessments from 3 (low, medium, high) to 45 (5 × 3 × 3) with very little information cost. The HAM metamodel converges on a true probability as you increase the number of choices for each variable, but increasing choices also increases the effect of subjectivity. HAM533 is a good compromise.
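The probability and impact figures quoted above can be reproduced with a short scorer. This is an added example, not the HAM533 calculator's own code: the page does not state the formula, so the normalized product H × A × M / 45 is an assumption, chosen because it matches the 11%/11% and 9%/44% figures. The integer encoding (1 = lowest) and the script kiddie and pandemic vectors are likewise inferred; only the lottery vectors come from the page.

```python
from itertools import product

# Assumed ordinal scales: the page gives the 5 x 3 x 3 sizes and the
# {H, A, M} notation; treating 1 as the lowest choice is an inference.
H_MAX, A_MAX, M_MAX = 5, 3, 3
SCALE = H_MAX * A_MAX * M_MAX  # 45 input combinations


def _check(name, value, top):
    if not isinstance(value, int) or not 1 <= value <= top:
        raise ValueError(f"{name} must be an integer in 1..{top}, got {value!r}")


def ham533(history, access, means):
    """Return (probability, impact) as fractions, using the assumed product rule."""
    _check("history", history, H_MAX)
    _check("access", access, A_MAX)
    _check("means", means, M_MAX)
    probability = history * access * means / SCALE
    impact = H_MAX * access * means / SCALE  # history held at its maximum of 5
    return probability, impact


def percent(fraction):
    return round(fraction * 100)


def distinct_scores():
    """Distinct raw products reachable across all 45 input combinations."""
    grid = product(range(1, H_MAX + 1), range(1, A_MAX + 1), range(1, M_MAX + 1))
    return sorted({h * a * m for h, a, m in grid})


# Lottery vectors are from the page; the other two are constructed to
# match the percentages the page quotes.
THREATS = {
    "script kiddie (constructed)": (5, 1, 1),
    "pandemic (constructed)": (1, 2, 2),
    "lottery: losing ticket price": (5, 1, 1),
    "lottery: promise of winning": (1, 1, 2),
}

if __name__ == "__main__":
    ranked = sorted(THREATS.items(), key=lambda kv: -ham533(*kv[1])[0])
    for name, ham in ranked:
        p, i = ham533(*ham)
        print(f"{name:30} HAM={ham} probability={percent(p)}% impact={percent(i)}%")
    print(len(distinct_scores()), "distinct scores from", SCALE, "combinations")
```

Under this assumed product rule several input combinations share a score, so when two threats tie, compare their individual H, A, and M choices rather than the percentage alone.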
Conclusion
HAM533 provides a simple way to assess threats with more granularity than low-medium-high assessments. You can easily convert HAM533 values to qualitative labels. The cell coloring in the threat table uses a continuous gradient from green (low) to red (high).
Remember that a threat assessment is not a risk assessment. Risk is asset value multiplied by threat level multiplied by vulnerability exposure. Even a high-probability threat requires a corresponding asset at risk and a vulnerability through which the threat can act to result in actual risk.