Intel's next challenge is understanding the risks and threats it faces. The methodology shown in
Figure 3 outlines the basic components of Intel's security and risk model.

Figure 3: Security and risk model
In the assessment component of Figure 3, risk assessments are conducted as part of Intel's site
selection process whenever a new facility is being considered. The site selection process evaluates
political stability, terrorism, IP vulnerability, corruption, crime, and the security services
available at the site. Each category is rated on a five-level scale ranging from unacceptable to
exceeds expectations.
Additional risk assessments dive deeper into the business to identify its risks and threats.
Security professionals work closely with internal customers to understand the business environment
and to identify major or minor gaps that could compromise Intel's IP. Security audits determine
overall compliance with security standards and uncover any new security risks. All risk and
security assessment teams use an in-house developed tool as the common baseline for their
assessments. Both domestically and internationally, assessments and audits are conducted annually
as well as at random.
In the risk assessment component of Figure 3, we evaluate regulatory compliance, ethical and
business practices, business issues, espionage, safety, personnel, information technology (IT), IP
protection, and physical security. A common risk and threat equation used within Intel expresses
total risk as:
Threat x Vulnerability x Asset value = Total risk
This assessment gives Intel security the baseline risks and threats without any additional
mitigation controls in place. It provides a general overview of the issues Intel needs to address
and shows where to focus resources.
Factoring in the mitigation controls gives a clear picture of the residual risk, from which Intel
can determine whether risks and threats have been reduced to an acceptable level:
(Threat x Vulnerability x Asset value) x Mitigation controls = Residual risk
Here the mitigation controls term expresses the fraction of the total risk that remains once the
controls are applied, so a factor of 1 means the controls reduce nothing. Together, the two
equations yield the likelihood of each risk, its potential impact, and a final ranking of each risk
by category (e.g., business, regulatory, ethical, and security).
The analysis component of Figure 3 is an ongoing process carried out by a team of security
professionals drawn from multiple security groups.
Quarterly cyber threat reports evaluate current and future cyber threats so that security groups
understand the implications for the business environment and the mitigation strategies available.
The Threat Agent Group (TAG) provides analysis across an extensive list of "characteristics" that
represent the human factor in Intel's threat model. Its standardized approach lets security
professionals speak a common language about the various threat agents and provides a means to
measure the threats relative to one another.
The threat agent matrix considers non-hostile threats (e.g., employee recklessness or untrained
employees) and hostile threats (e.g., terrorists, vandals, data miners, internal spies, disgruntled
employees, and corrupt suppliers or government officials). For each agent the process attempts to
determine the desired outcome, skill level, and resources available, among other criteria.
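The two risk equations above and the threat agent matrix, carried through as an added example in Python. This is illustration code written for this page, not Intel's in-house assessment tool or anything from the paper. Everything numeric is an assumption: the 1..5 scales for skill, resources, intent and asset value, the mapping of the five-level site-selection rating to a vulnerability score, the ceiling-of-the-mean rule that collapses matrix attributes to a threat level, the mitigation factor expressed as the fraction of risk remaining (0..1), the acceptable-risk threshold of 20, and the sample agents and risks, which are constructed.

```python
"""Added example (not Intel's tool): a small risk register applying
    Threat x Vulnerability x Asset value = Total risk
    Total risk x Mitigation controls   = Residual risk
on top of a simplified threat agent matrix. All scales and samples are assumed."""
import math
from dataclasses import dataclass

# Assumed mapping of the five-level site-selection rating to a
# vulnerability score: "unacceptable" is the most vulnerable (5).
RATING_SCALE = {
    "unacceptable": 5,
    "below expectations": 4,
    "meets expectations": 3,
    "above expectations": 2,
    "exceeds expectations": 1,
}


@dataclass(frozen=True)
class ThreatAgent:
    """One row of a simplified, assumed threat agent matrix."""
    name: str
    hostile: bool
    skill: int      # 1 = none .. 5 = expert
    resources: int  # 1 = lone individual .. 5 = state-level
    intent: int     # 1 = accidental .. 5 = deliberate and targeted

    def threat_level(self) -> int:
        """Collapse the attributes to a 1..5 score (assumed rule: ceiling of
        the mean, so one strong attribute pulls the score upward)."""
        for value in (self.skill, self.resources, self.intent):
            if not 1 <= value <= 5:
                raise ValueError("matrix attributes must be on a 1..5 scale")
        return math.ceil((self.skill + self.resources + self.intent) / 3)


@dataclass(frozen=True)
class Risk:
    name: str
    category: str       # business, regulatory, ethical, security, ...
    agent: ThreatAgent
    site_rating: str    # one of the RATING_SCALE keys
    asset_value: int    # 1 = low .. 5 = crown jewels (assumed scale)
    mitigation: float   # fraction of risk remaining after controls, 0..1


def likelihood(risk: Risk) -> int:
    """Threat x Vulnerability: how likely the scenario is before controls."""
    return risk.agent.threat_level() * RATING_SCALE[risk.site_rating]


def total_risk(risk: Risk) -> int:
    """Threat x Vulnerability x Asset value, with no mitigation applied."""
    return likelihood(risk) * risk.asset_value


def residual_risk(risk: Risk) -> float:
    """Total risk x Mitigation controls. A factor of 1.0 means the controls
    remove nothing; a value outside 0..1 is a data-entry error, since a
    control cannot create risk in this model."""
    if not 0.0 <= risk.mitigation <= 1.0:
        raise ValueError(f"{risk.name}: mitigation factor must be within 0..1")
    return total_risk(risk) * risk.mitigation


def rank_risks(risks, acceptable: float = 20.0):
    """Rank by residual risk, highest first, and flag what is still above
    the acceptable level so limited resources go to the top of the list."""
    ranked = sorted(risks, key=residual_risk, reverse=True)
    return [
        {
            "name": r.name,
            "category": r.category,
            "likelihood": likelihood(r),
            "impact": r.asset_value,
            "total": total_risk(r),
            "residual": residual_risk(r),
            "acceptable": residual_risk(r) <= acceptable,
        }
        for r in ranked
    ]


# Constructed sample agents and risks for a hypothetical new site.
INSIDER_SPY = ThreatAgent("internal spy", True, skill=4, resources=3, intent=5)
UNTRAINED = ThreatAgent("untrained employee", False, skill=1, resources=1, intent=1)
CORRUPT_OFFICIAL = ThreatAgent("corrupt official", True, skill=3, resources=5, intent=4)
DATA_MINER = ThreatAgent("data miner", True, skill=3, resources=2, intent=3)

SAMPLE_RISKS = [
    Risk("IP theft from design center", "security", INSIDER_SPY,
         "below expectations", asset_value=5, mitigation=0.4),
    Risk("Accidental disclosure of schematics", "security", UNTRAINED,
         "meets expectations", asset_value=5, mitigation=0.5),
    Risk("Extortion over export licence", "ethical", CORRUPT_OFFICIAL,
         "unacceptable", asset_value=3, mitigation=0.25),
    Risk("Scraping of public product data", "business", DATA_MINER,
         "exceeds expectations", asset_value=2, mitigation=1.0),
]

if __name__ == "__main__":
    for row in rank_risks(SAMPLE_RISKS):
        flag = "" if row["acceptable"] else "  <-- above acceptable level"
        print(f"{row['residual']:6.1f} (total {row['total']:3d}) "
              f"{row['category']:9s} {row['name']}{flag}")
```

With the sample data only the insider IP theft scenario stays above the assumed threshold (residual 32 of a total 80), while the extortion scenario starts with a high total risk of 60 but drops to 15 once its controls are counted. The range check in `residual_risk` is the practitioner caveat on the second equation: as written in the text, the mitigation multiplier only ever reduces risk if it is kept between 0 and 1.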
Additional assessments are also considered. For example, the Office of the US Trade Representative
[2] publishes an IP report on how well each country manages IP protection, which helps companies
like Intel drive policy changes within restricted countries. Transparency International [3] is
another organization consulted by Intel security professionals; it publishes indicators of the
overall level of corruption in a given country.
Having the right data (e.g., corruption indicators, IP protection issues) allows Intel's security
groups to conduct the best analysis possible, which in turn yields a more accurate assessment of
the risks and threats.
Business and security groups within Intel need to know who is after Intel's IP and what resources
are being brought to bear against that threat. Resources and finances are limited, so having the
correct data in a timely fashion allows Intel to focus its resources on the countries that pose the
greatest risks to Intel. This lets us establish the best and widest possible parameters to protect
our assets.