Which phase in threat modeling involves quantifying the impact of an attack?

Prepare for the Information Systems and Controls (ISC) CPA Exam. Study with flashcards and multiple-choice questions, each with hints and explanations. Get ready to excel!

The phase in threat modeling that focuses specifically on quantifying the impact of an attack is the analysis of the impact. This stage critically assesses the potential consequences that could arise from various attack scenarios. It involves determining what assets could be affected, the severity of the impact, the likelihood of the attack occurring, and the overall risk it poses to the organization.

By thoroughly evaluating the potential damage, both in terms of financial loss and operational disruption, practitioners can better understand the urgency and priority needed in addressing specific threats. This analysis helps in making informed decisions regarding risk management and the allocation of resources to mitigate these threats effectively.

In contrast, identifying assets is about recognizing and cataloging valuable components that need protection. Developing controls involves creating security measures to prevent or reduce the impact of identified threats. Reviewing and evaluating occurs after controls have been implemented, ensuring that they are functioning effectively and adapting to any changes in the threat landscape. Thus, quantifying impact is a distinct and critical part of understanding how threats can specifically affect the organization.
