Consequence-Based Analysis 

Shamrock Cyber’s Consequence-Based Analysis is used to assess risk to mission or business operations. There are three categories of consequence-based analysis: a system function, a negative outcome, and a technical capability that, through the system function, enables the negative outcome. When present and combined in a system, these components have the potential to harm the system.

The Shamrock Cyber team partners with cyber defenders, sponsors, and operators to understand system operations and better plan for cyberattacks. The team gathers mission-focused information to understand the unacceptable outcomes and conditions set by sponsors. Assessments for threats and vulnerabilities are gathered or performed and used to build the various cases.

Cases include:

• Abuse Case – damage caused by intentional acts of an adversary 
• Misuse Case – damage caused by unintentional acts and human error
• Hazard Case – damage caused by non-human events in the system’s operating environment

Outcomes

• Consequence Profiles, such as adversary dossiers, explain the risks and consequences those risks can have on operations. Each case is linked to one or more technical elements that directs system security and defense personnel in the identification, design, and implementation of security controls, vulnerability remediations, or risk mitigations.
• Visual Consequence Profiles encapsulate the consequence profiles in a dashboard-like view that is easily understood and referenced by non-cyber stakeholders and mission owners.