VECTOR MATRIX ® is a freely distributed cyber-physical risk assessment methodology developed by Cyber Threat Institute to help small and large enterprises manage organizational risks.  VECTOR MATRIX is based on the following formula:  RISK = V+E+C+T+O+R.  Where VECTOR is a mnemonic derived from V = Vulnerability, E = Ease of Execution, C = Consequence, T = Threat-Probability, O = Operational-Importance, R = Resiliency-Gap. 

Step 1:  Vulnerability (V)  -  Assess the vulnerability of asset.  V = attributes, characteristics, design flaws, or components of an asset, business process or function, that make it susceptible or exposed to exploitation or damage from a cyber attack, kinetic attack, or natural disaster. Soft targets (i.e., unprotected systems or assets with widely known flaws) increases an asset's vulnerability whereas hard targets (i.e., robustly constructed systems or assets with added counter-measures) decrease an asset's vulnerability.

Step 2:  Ease-of-Execution (E)  -   Assess ease-of-execution of asset.  E = level of expertise, advanced training, special tools and equipment required to successfully accomplish a cyber or kinetic attack.  A high Ease-of-Execution implies that an adversary or disaster event requires little effort or minimal force to defeat the asset (e.g., non-configured devices with default passwords).  Whereas a low Ease-of-Execution implies that an adversary requires a high level of skill and advanced knowledge of system/network architecture to defeat the asset's design characteristics and existing security measures (e.g., a sophisticated cyber attack utilizing multiple zero-day exploits).   

Step 3:  Consequence (C) -  Assess consequence of asset.  C = injuries, loss of life, loss of production, loss of economic value or brand reputation as a result of a successful cyber attack, kinetic attack, or natural disaster.

Step 4:  Threat-Probability (T) -  Assess threat-probability of asset.  T =  activities or events with the potential to disrupt systems and are caused by nation-states, mercenary hackers, terrorists, hacktivists, blackhats, or natural disasters. To determine the Threat-Probability of an adversarial group, study their capabilities and history of attack methods to determine credibility of threat along with potential threat/attack scenarios. For threats from natural disasters, examine historical hurricane, flood and seismic data for frequency and trends. The Threat-Probability score is the likelihood that an adversary or disaster event will succeed for each given threat/attack scenario.   As detailed within the “instructions” below, the assessment team can choose multiple threat/attack scenarios for each asset, or can decide on the most likely threat/attack scenario that will occur.  See “instructions” at the end for additional guidance.

Step 5:  Operational-Importance (O) -
Assess operational-importance of asset.  O = the degree to which the mission or an organization is impaired by a successful cyber attack, kinetic attack, or natural disaster. Critical assets or key business processes may halt enterprise-wide operations whereas less essential assets may only have a localized impact. Redundant, duplicate, and back-up systems all reduce Operational-Importance.  The top 5% to 20% of total assets that score high for Operation-Importance should be recognized by management as the organization's most critical assets and should be afforded special protections and counter-measures to guarantee the asset's continued availability, integrity, and confidentiality during an attack or natural disaster.  A raw rank order using only Operational-Importance can be used by management to identify and prioritize the organization‘s most ”critical" assets and processes.

Step 6:  Resiliency-Gap (R)  -    Assess resiliency-gap of asset.  R = is the lack of resiliency, the lack of fault-tolerant systems (e.g., RAID and SAN), and the lack of planning/preparedness by an organization that would allow it to recover, reorganize and reconstitute itself to continue operations after a significant cyber attack or natural disaster.  Resiliency-Gap increases an organization's overall risk.  When an asset is considered to have a low degree of resilience it is inherently at risk and yields a high Resiliency-Gap score.  Likewise, when an asset is considered to have a high degree of resilience it yields a low Resiliency-Gap score.

Risk Management Options:   All judgments resulting from this VECTOR MATRIX should be safeguarded by management and shared only on a need-to-know basis. Assessment results should be reviewed periodically and reassessments should occur prior to and after major system upgrades to identify unmitigated or residual risks within the system. Once the total VECTOR MATRIX is complete, management can assess each asset using one or a combination of the following risk management strategies: 1) control risks with counter-measures using technology, devices, new policies and/or training; 2) accept risk if the probability of occurrence or potential impact is relatively low and within the organization's risk tolerance level; 3) transfer risk to other regions of an organization with less risk or transfer risk to third parties, such as insurance companies or contractors with special capabilities; 4) avoid risk by minimizing or closing certain operations or tasks where risks or security implementation costs are too great to justify operations. Finally, when making risk mitigation decisions, management should conduct cost-benefit and trade-off analysis while keeping in mind the following simple advice: “Do not risk more than you can afford to lose,” and “Do not risk a lot to save a little

Instructions:  Using a blank VECTOR MATRIX sheet below, list all organizational assets (router, firewall, mail server, HVAC, etc) under the RISK column, then evaluate each asset using Steps 1 - 6 above to determine how each VECTOR element contributes to overall risk.  Score each VECTOR element on a scale of 1-10 (i.e., 1-2 very low, 3-4 low, 5-6 medium, 7-8 high, 9-10 very high). Initially, it is recommended to use the most likely threat/attack scenario for each asset (include scenario after asset name).  However as the learning curve of the assessment team matures multiple threat/attack scenarios (e.g., 3 to 5+ scenarios) can be listed for each asset (e.g., Asset-1 scenario 1, Asset-1 scenario 2, Asset-1 scenario 3..., Asset-2.1, Asset-2.2, Asset-2.3..., Asset-3.1, Asset-3.2, Asset-3.3, Asset-3.4, Asset-3.5..., etc.).  See "Threat-Probability" above for more detail on how to score each scenario.  The assessment team should be composed of a mixture of knowledgeable IT and non-IT members from various departments to include engineering, physical security, IT, accounting, etc.