Thursday, August 16, 2007

What is PTA?

Software technology and tools for performing Practical Threat Analysis

PTA (Practical Threat Analysis) is a software technology and a suite of tools that enable users to find the most beneficial and cost-effective way to secure computerized systems and applications according to their specific functionality and environment.

How does it work?

The threat analysis process begins by describing the specific threats and vulnerabilities of the system. The threats are then associated with the assets that might be damaged. The process continues by finding the exact countermeasures that fit the different threats. The risk level, potential damage and countermeasures required are all presented in real $ values. PTA automatically calculates the level of risk and the maximum available mitigation, and advises on the most cost-effective way to mitigate threats and reduce overall system risk.
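The process described above, sketched as an added Python example that is not PTA's own code or algorithm. The risk formula (annual probability times damaged asset value), the multiplicative combination of mitigations, and every name and dollar figure are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # assumed input: expected occurrences per year
    damage: dict               # asset name -> fraction of its value lost per occurrence

@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float         # $ per year
    mitigation: dict           # threat name -> fraction of that threat's risk removed

def threat_risk(threat, assets):
    """Annualized loss in $ for one threat (assumed formula: probability x damage)."""
    loss = sum(assets[a] * frac for a, frac in threat.damage.items())
    return threat.annual_probability * loss

def residual_risk(threats, assets, applied):
    """System risk in $ left after the applied countermeasures."""
    total = 0.0
    for t in threats:
        remaining = math.prod(1.0 - c.mitigation.get(t.name, 0.0) for c in applied)
        total += threat_risk(t, assets) * remaining
    return total

def rank_countermeasures(threats, assets, candidates):
    """Rank each candidate on its own by $ of risk removed per $ spent."""
    base = residual_risk(threats, assets, [])
    gains = [(c, base - residual_risk(threats, assets, [c])) for c in candidates]
    rows = [(c.name, gain, gain / c.annual_cost) for c, gain in gains]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample model: asset values in $, all figures hypothetical.
ASSETS = {"customer_db": 500_000.0, "web_frontend": 100_000.0}
THREATS = [
    Threat("sql_injection", 0.2, {"customer_db": 0.5}),
    Threat("defacement", 0.5, {"web_frontend": 0.1}),
]
COUNTERMEASURES = [
    Countermeasure("input_validation", 10_000.0, {"sql_injection": 0.8}),
    Countermeasure("waf", 20_000.0, {"sql_injection": 0.5, "defacement": 0.5}),
]

if __name__ == "__main__":
    for name, gain, ratio in rank_countermeasures(THREATS, ASSETS, COUNTERMEASURES):
        print(f"{name}: removes ${gain:,.0f}/yr, {ratio:.2f} $ of risk per $ spent")
```

Changing any probability, asset value or mitigation figure and re-running the ranking is the kind of recalculation the article asks of a dynamic threat model.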

Who should use PTA?

PTA was designed to assist the work of security consultants, software security engineers and information security officers.

When should Practical Threat Analysis be done?

The best time to use PTA is during the system design phase. Potential losses and security countermeasures may be defined at the start and prevent future problems. For systems already in operation, PTA can identify areas for corrective action. Since threats, vulnerabilities and countermeasures vary throughout a system’s life cycle, threat analysis should be a continuous task.

What are the common problems arising during system threat analysis?

  1. Analyzing only a particular ‘environment’, for example networking, makes it difficult to thoroughly explore threats. This is especially true in complex applications with many interfaces.
  2. Analyzing a system only once during its life cycle.
  3. There is no quantitative valuation of the severity of threats in real $ value.
  4. The outcome of the analysis does not include clear recommendations on the most efficient and cost-effective countermeasures required.
  5. Threat analysis models are not dynamic; changes in any parameter of the model will not be immediately reflected in the countermeasures recommended.

Quickly build threat models, analyze risks and manage risk mitigation policies

Using PTA, analysts can quickly build threat models, analyze risks and manage risk mitigation policies relevant to the application's domain. Inputs may be obtained from a variety of external sources, e.g. vulnerability scanners, real-time network analyzers, security event repositories and security standards databases. The information can be entered manually as well as automatically.

PTA will save you time and money. In addition to recommending the most cost-effective countermeasures, PTA presents the current level of security of the monitored system. Once in use, PTA allows dynamic changes to the parameters of each defined threat, vulnerability, asset and countermeasure. This allows effective and continuous security management throughout the application's life cycle, without duplicating effort and at minimal cost.

Threat Analysis Methodology in-depth - Calculative Threat Analysis Software Tools
Home Page

1 comment:

Anonymous said...

Dear colleagues,

I would like to inform you that in September 2007 we released an updated version of PTA Professional Edition (1.54 - build 1201) with major usability improvements.

PTA – Practical Threat Analysis - is a quantitative method and a software tool that enables you to model the security perimeter of your business, identify threats on an asset-by-asset basis and evaluate the overall risk to the system. The risk level, potential damage and countermeasures required are all presented in real financial values. PTA calculates the level of risk and the available mitigation. It advises on the most cost-effective way to mitigate threats and reduce the risk.

PTA is free-of-charge for students, researchers, software developers and independent security consultants. You are invited to review the latest version's new features and download a free copy of the software from our site:

PTA fully supports the PCI DSS 1.1 standard as well as the ISO27001 and other popular standards. Download a free copy of PTA for PCI DSS and ISO27001 security libraries from the following url:

Feel free to introduce PTA to your professional colleagues - it is our contribution to the security community. I'll be happy to have your comments and answer your questions on any issue.


Zeev Solomonik
R&D - PTA Technologies