
Threat and Risk Assessment

What is a Threat and Risk Assessment?

The central role of information technology in a company requires a comprehensive identification and assessment of the associated security risks. Threat and risk analyses are therefore a core component of IT risk management. Building on many years of practical experience, we support you in carrying out such analyses tailored to your requirements. In general, a Threat and Risk Assessment follows ISO/IEC 27005. If the assessment scope lies in the automotive domain (e.g. the risk assessment of an ECU), our approach follows the Threat Analysis and Risk Assessment (TARA) process as defined by ISO/SAE 21434.


Objective

Assessment of the risk for IT environments or individual components based on defined and developed threat scenarios


Question

What security risks exist for an IT environment or individual components based on given threat scenarios?


Scope

IT environments or individual components

Threat Analysis: Structured Identification of IT Threats

The threat analysis is a structured approach for identifying and evaluating possible IT- and OT-based threats to an IT environment, an IT system or an application. As part of an IT security assessment, it enables an auditor to identify the threat and attack scenarios that are relevant for subsequent audits. It is also the basis for a well-founded risk analysis.

The established threat-analysis approach thus forms the basis for further (technical) assessments and analyses and achieves a high level of coverage of the actual threat landscape.

Typical threat and attack scenarios we examine in a threat analysis range, depending on the assessment scope, from data theft by privileged insiders, through compromised supplier and service-provider accounts, ransomware-driven business disruption and the bypassing of authentication mechanisms, to the manipulation of embedded control units (e.g. in automotive or OT environments). Which scenarios are relevant follows from the context, the assets requiring protection and the specific threat landscape.

A threat analysis consists of the following components:

  • Workshop, interviews and/or analysis of provided documents
    • Capturing the context
    • Identification of assets (such as information or processes requiring protection)
  • Identification and analysis of specific threat and attack scenarios
  • Definition of next steps
  • Documentation and presentation of results

The threat analysis is based on different methods and standards:

  • IT risk management according to ISO/IEC 27005
  • TARA according to ISO/SAE 21434
  • STRIDE Threat Model
  • OWASP Threat Modeling

The results are the basis for the subsequent risk analysis and offer a basic set of relevant threat and attack scenarios for performing security assessments (e.g. penetration tests).

Risk Analysis: Evaluation & Treatment of IT Security Risks

As part of the risk analysis, specific risks for an IT environment, an IT system or an application are assessed on the basis of the previously defined threat scenarios. The ISO/IEC 27005 standard, as part of the ISO/IEC 27000 family, provides guidance for the corresponding information security risk management process.

A risk analysis consists of the following components:

  • Workshop, interviews and/or analysis of provided documents
    • Capturing existing security controls
    • Capturing basic information of the IT risk management and the information security management system (ISMS) of the customer
  • Identification and assessment of risks regarding:
    • Impact rating
    • Attack path analysis
    • Attack feasibility rating
    • Risk value determination
  • Risk treatment and prioritization
    • Description and mapping of concrete measures
  • Documentation and presentation of results

As a result, you will receive a list of the identified security risks together with a well-founded risk assessment and recommendation of possible technical or organizational measures.

Methods at a Glance: ISO 27005, TARA, STRIDE and OWASP

The methodology used in a threat and risk assessment depends on the assessment scope, the industry and the regulatory context. The established approaches at a glance:

Method | Focus | When applicable
ISO/IEC 27005 | General IT risk management, integral part of the ISO/IEC 27000 family | Enterprise-wide security evaluations, ISMS conformance, cross-industry application
TARA per ISO/SAE 21434 | Threat Analysis and Risk Assessment for vehicle cybersecurity engineering | Vehicles, E/E systems and components in scope of ISO/SAE 21434, UNECE R155 or corresponding customer requirements; TARA-style approaches can be adapted for product-level CRA risk assessments
STRIDE | Threat classification along Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege | Architecture and design phase, structured threat modeling of technical systems
OWASP Threat Modeling | Web, API and application security, driven by typical attack patterns | Web applications, APIs, mobile apps, application-level security assessments

In practice, we combine methods: for instance a TARA per ISO/SAE 21434 with STRIDE modeling for embedded control units, or an ISO/IEC 27005-based threat analysis followed by an OWASP-driven web application penetration test. What matters is that the chosen methodology covers the specific requirements of your assessment scope.
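The following worked example ties together the two passages above: the STRIDE-based threat enumeration for an embedded control unit and the risk-analysis steps listed earlier (impact rating, attack path analysis, attack feasibility rating, risk value determination). It is an added illustration, not SCHUTZWERK's tooling and not a reproduction of ISO/SAE 21434 tables: the ECU data-flow model, the STRIDE applicability map, the attack-potential point values and the 4x4 risk matrix are assumptions chosen for this example, so for a real TARA the factor values and the matrix must be taken from the standard and the customer's rating scheme.

```python
"""STRIDE-per-element threat enumeration feeding a TARA-style risk rating.

Constructed illustration (not SCHUTZWERK's tooling, not ISO/SAE 21434 tables).
The ECU model, the STRIDE applicability map, the attack-potential point values
and the 4x4 risk matrix are assumptions for this example only.
"""
from dataclasses import dataclass
from typing import Dict, List

# 1. Threat analysis: STRIDE per element (assumed applicability map).
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information Disclosure", "D": "Denial of Service",
                "E": "Elevation of Privilege"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # key of STRIDE_PER_ELEMENT


@dataclass(frozen=True)
class ThreatScenario:
    element: str
    category: str  # single STRIDE letter


def enumerate_threats(elements: List[Element]) -> List[ThreatScenario]:
    """One candidate threat scenario per (element, applicable STRIDE category)."""
    return [ThreatScenario(e.name, c)
            for e in elements for c in STRIDE_PER_ELEMENT[e.kind]]


# 2. Risk analysis: attack feasibility from attack potential (assumed points),
#    then impact x feasibility -> risk value (assumed 4x4 matrix, values 1..5).
ATTACK_POTENTIAL: Dict[str, Dict[str, int]] = {
    "elapsed_time": {"<=1d": 0, "<=1w": 1, "<=1m": 4, "<=6m": 17, ">6m": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple_experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "confidential": 7, "strictly_confidential": 11},
    "window": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialised": 4, "bespoke": 7, "multiple_bespoke": 9},
}
FEASIBILITY_BANDS = [(13, "high"), (19, "medium"), (24, "low")]  # above: very_low
RISK_MATRIX: Dict[str, Dict[str, int]] = {
    "severe":     {"very_low": 2, "low": 3, "medium": 4, "high": 5},
    "major":      {"very_low": 1, "low": 2, "medium": 3, "high": 4},
    "moderate":   {"very_low": 1, "low": 2, "medium": 2, "high": 3},
    "negligible": {"very_low": 1, "low": 1, "medium": 1, "high": 1},
}


def attack_potential_points(path: Dict[str, str]) -> int:
    """Sum the factor points of one attack path; every factor must be rated."""
    missing = set(ATTACK_POTENTIAL) - set(path)
    if missing:
        raise ValueError(f"attack path lacks factor(s): {sorted(missing)}")
    return sum(ATTACK_POTENTIAL[factor][level] for factor, level in path.items())


def attack_feasibility(path: Dict[str, str]) -> str:
    """Map summed attack potential to a feasibility rating (lower points = easier)."""
    points = attack_potential_points(path)
    for upper, rating in FEASIBILITY_BANDS:
        if points <= upper:
            return rating
    return "very_low"


def risk_value(impact: str, feasibility: str) -> int:
    return RISK_MATRIX[impact][feasibility]


def ecu_example() -> Dict[str, object]:
    """Constructed model of an ECU diagnostic interface, rated end to end."""
    elements = [
        Element("Diagnostic tester", "external_entity"),
        Element("UDS service handler", "process"),
        Element("Calibration parameters", "data_store"),
        Element("Tester -> ECU (CAN)", "data_flow"),
    ]
    candidates = enumerate_threats(elements)  # 2 + 6 + 4 + 3 = 15 scenarios
    # Two candidates carried into attack-path analysis: damage-scenario impact
    # plus one realistic attack path each (assumed ratings).
    analysed = {
        ThreatScenario("Tester -> ECU (CAN)", "T"): ("major", {
            "elapsed_time": "<=1w", "expertise": "proficient", "knowledge": "public",
            "window": "easy", "equipment": "standard"}),         # 5 points -> high
        ThreatScenario("Calibration parameters", "T"): ("severe", {
            "elapsed_time": "<=1m", "expertise": "expert", "knowledge": "restricted",
            "window": "moderate", "equipment": "specialised"}),  # 21 points -> low
    }
    rated = []
    for scenario, (impact, path) in analysed.items():
        if scenario not in candidates:
            raise ValueError(f"{scenario} was not produced by the threat analysis")
        feas = attack_feasibility(path)
        rated.append({"element": scenario.element, "threat": STRIDE_NAMES[scenario.category],
                      "impact": impact, "feasibility": feas, "risk": risk_value(impact, feas)})
    rated.sort(key=lambda r: r["risk"], reverse=True)  # treatment priority
    return {"candidate_count": len(candidates), "rated": rated}


if __name__ == "__main__":
    for row in ecu_example()["rated"]:
        print(row)
```

The point the example makes is the hand-off between the two phases: STRIDE per element produces the full candidate list (15 scenarios for four elements), and only scenarios that come out of that list are allowed into attack-path analysis, where the feasibility rating is derived from the attack-potential factors rather than guessed. Note that a cheap bus-level tampering attack with "major" impact ends up with a higher risk value (4) than the more damaging but much harder calibration tampering (3), which is exactly the ordering the treatment step needs.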

Frequently Asked Questions About Threat and Risk Assessment

A threat analysis is a structured process that systematically identifies and evaluates possible IT- and OT-based threats to an IT environment, system or application. It describes which threat and attack scenarios are relevant to the assessment scope and forms the basis for a subsequent risk analysis as well as technical security assessments such as penetration tests. SCHUTZWERK aligns threat analyses with ISO/IEC 27005 and uses TARA according to ISO/SAE 21434 in the automotive domain.

Established reference frameworks and methods include IT risk management per ISO/IEC 27005 (guidance for managing information security risks), TARA (Threat Analysis and Risk Assessment) per ISO/SAE 21434 (automotive cybersecurity engineering), STRIDE (Microsoft methodology with the categories Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) and OWASP Threat Modeling (web and application focus). A TARA is not automatically mandatory for every automotive topic; it becomes relevant in particular for vehicles, E/E systems, components or interfaces in the scope of ISO/SAE 21434, UNECE R155 or corresponding customer and homologation requirements. The choice of method depends on the assessment scope, industry and regulatory context; multiple approaches are frequently combined.

The threat analysis identifies which threats and attack scenarios are relevant to an assessment scope, such as data theft by a privileged insider, a compromised supplier account or manipulation of an embedded device. The risk analysis then evaluates which risks result from those scenarios and how they should be treated. Depending on the method, this includes business impact, likelihood or attack feasibility, existing security controls and possible measures.

A TARA (Threat Analysis and Risk Assessment per ISO/SAE 21434) is needed when the assessment scope falls into the automotive context of ISO/SAE 21434 or UNECE R155, for example new or modified E/E systems, ECUs, communication modules, vehicle functions or vehicle-related backend interfaces. The legal obligation in type approval primarily concerns vehicle manufacturers and the evidence for their Cyber Security Management System; suppliers are typically involved through customer requirements and development processes. A TARA is therefore not automatically mandatory for every automotive topic, but can still be useful outside immediate homologation obligations when safety- or security-relevant risks need to be assessed systematically and traceably. SCHUTZWERK supports OEMs and suppliers with the execution and documentation of such TARAs, often combined with STRIDE-based threat modeling at the component level.

The Cyber Resilience Act (Regulation (EU) 2024/2847) does not prescribe a TARA in the ISO/SAE 21434 sense. It requires manufacturers of products with digital elements to perform a documented cybersecurity risk assessment, take its outcome into account during planning, design, development, production, delivery and maintenance, and update it as appropriate during the support period. The risk assessment forms part of the technical documentation for conformity assessment. The main manufacturer obligations apply from 11 December 2027; certain reporting obligations already apply from 11 September 2026. In practice, the CRA risk assessment can combine product-level threat modeling, such as STRIDE or a TARA-style methodology, with risk evaluation along ISO/IEC 27005 principles.

How can we help you?

Call us or schedule an appointment directly

Free Consultation