This section translates the incident narrative of “who did what to what (or whom) with what result” into a form more suitable for trending and analysis. To accomplish this, VERIS employs the A4 threat model developed by Verizon’s RISK Team. In the A4 model, an incident is viewed as a series of events that adversely affects the information assets of an organization. Every event is comprised of the following elements (the 4 A’s), which provide the top-level structure for metrics in this section.
Actors: Whose actions affected the asset?
Actions: What actions affected the asset?
Assets: Which assets were affected?
Attributes: How the asset was affected?
Describing the incident is a process of classifying all elements (and sub-elements) for all significant events. It is our position that the 4 A’s represent the minimum information necessary to adequately describe any incident or threat scenario. Furthermore, this structure provides an optimal framework within which to measure frequency, associate controls, link impact, and many other concepts required for risk management.