Update: 28-11-2008 - Microsoft have released an update - v3 of the SDL Threat Modelling Tool - which is DFD based as opposed to use case driven. Check it out at The Microsoft SDL Threat Modeling Tool v3.

Original post:

In my first year on the MSc programme at RHUL ISG, I completed a course on security management, and while that hardly makes me an expert (since I'm still new to the world of information security), the course was excellent, and I learned a lot about the fundamentals of building an information security management system. At its most basic level, information security management is about attempting to estimate the probability and impact of unwanted events that may affect the confidentiality, availability or integrity of information assets. Estimates of the risks associated with these events can then be used to make decisions about what measures (if any) an organisation will choose to implement as part of its overall information security management strategy. The process of estimating and assessing risk should be guided by an information security policy that, among other things, states the aims, values and objectives of an organisation with regard to risk. The policy, when combined with legal, business and moral responsibilities, will (or at least should) influence the choices that are made in managing risk within an organisation (the ISO 27000 series of documents is the place to start if you'd like to know more about building an information security management system (ISMS)).

The process of producing risk estimates is called risk assessment, and while there are different techniques for performing a risk assessment, the common goal of each is to produce a metric that allows risks to be weighed. Weighting risks allows an organisation to make appropriate decisions about how to prioritise and manage risk.

One formula that is often used to describe the calculation of risk is risk = threat x vulnerability x impact, which translates to: what is the level of an identified threat (how common is it, and how relevant is it to the industry or asset in question), how vulnerable is the asset or system to that threat, and what is the impact if the vulnerability to a specific threat for a specific asset is realised? If any of the factors is zero, then the risk is also zero. Acceptable choices in managing risk include: 1) accept the risk, 2) mitigate the risk, 3) transfer the risk or 4) avoid the risk. The first task, then, is to work out what the threats are, creating an applicable threat model (well, actually the first task is to work out what your assets are - how much they're worth to you, and what a total loss of that asset would cost you in both tangible and intangible terms - but let's assume we're at the threat identification stage).

So how are threats identified? Well, I think for the most part they come from a body of knowledge and experience that exists for a given industry and its assets.
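To make the risk = threat x vulnerability x impact formula and the four treatment choices concrete, here is an added example of my own (not code from the original post or from Microsoft). It scores a small, constructed risk register, shows that a zero factor gives zero risk, ranks the entries so they can be prioritised, and maps each one to accept, mitigate, transfer or avoid. The 0-5 ordinal scales, the sample assets and threats, and the treatment thresholds are all assumptions made for the illustration; a real organisation would take them from its own policy.

```python
"""Score and rank a constructed risk register with risk = threat x vulnerability x impact.

Added illustration, not from the original post. The 0-5 scales, the sample
entries and the treatment thresholds are assumptions for this example.
"""
from dataclasses import dataclass

SCALE_MAX = 5  # assumed ordinal scale: 0 (none) .. 5 (highest)


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    threat_level: int   # how common and how relevant the threat is (0-5)
    vulnerability: int  # how exposed the asset is to that threat (0-5)
    impact: int         # tangible plus intangible cost if it is realised (0-5)

    def __post_init__(self) -> None:
        # Reject values outside the assumed scale so a typo cannot inflate a score.
        for name in ("threat_level", "vulnerability", "impact"):
            value = getattr(self, name)
            if not 0 <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be between 0 and {SCALE_MAX}, got {value}")

    def risk(self) -> int:
        # A zero factor makes the product zero: a threat the asset is not
        # exposed to, or an asset with no impact, carries no risk.
        return self.threat_level * self.vulnerability * self.impact


def treatment(entry: RiskEntry, accept_below: int = 6, avoid_at: int = 100) -> str:
    """Map a scored entry to one of accept / mitigate / transfer / avoid.

    Assumed policy for this example, not a standard:
    - below accept_below: accept (a control would cost more than it saves)
    - at or above avoid_at: avoid (stop the activity that creates the exposure)
    - rare but severe (threat_level <= 1 and impact >= 4): transfer (e.g. insurance)
    - otherwise: mitigate (add a control that reduces vulnerability)
    """
    score = entry.risk()
    if score < accept_below:
        return "accept"
    if score >= avoid_at:
        return "avoid"
    if entry.threat_level <= 1 and entry.impact >= 4:
        return "transfer"
    return "mitigate"


def rank_register(register: list[RiskEntry]) -> list[tuple[str, str, int, str]]:
    """Return (asset, threat, risk, treatment) tuples, highest risk first."""
    ranked = sorted(register, key=lambda e: e.risk(), reverse=True)
    return [(e.asset, e.threat, e.risk(), treatment(e)) for e in ranked]


# Constructed sample register; every value here is made up for illustration.
SAMPLE_REGISTER = [
    RiskEntry("customer database", "SQL injection through the web front end", 4, 3, 5),
    RiskEntry("customer database", "flooding of the on-site server room", 1, 4, 5),
    RiskEntry("public brochure site", "defacement", 4, 2, 1),
    RiskEntry("offline backup tapes", "remote malware infection", 5, 0, 5),
    RiskEntry("legacy server that cannot be patched", "exploitation of known flaws", 5, 5, 5),
]

if __name__ == "__main__":
    for asset, threat, score, action in rank_register(SAMPLE_REGISTER):
        print(f"{score:4d}  {action:9s} {asset}: {threat}")
```

Run as a script it prints the register ordered by score, with the unpatchable legacy server at the top (avoid), the flood entry routed to transfer because the threat is rare but the impact is severe, and the offline tapes scoring zero because their vulnerability to remote infection is zero. The interesting design point is that the ranking and the treatment decision are separate functions: the formula produces the metric, and the policy (here, a few assumed thresholds) decides what to do with it.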