Skip to main content

Understanding the criticality of your assets is the essential first step to working out how best to manage and secure them. It’s based around a simple question: “What would happen if the asset failed to meet its functional requirements?” The answer is the level of identified consequences. The consequences may range from nominal impact to failure or collapse of the system. 

An accurate understanding of the asset’s criticality enables a business to do two things. Most importantly, they can design an appropriate security strategy for the asset– the right balance of security controls, design complexity (High Availability), and monitoring of risks associated with the asset – without drawing in too many resources. The second benefit is that the IT operation teams can prioritise their efforts for building and revising strategies. 

Assets might include servers, client contact information, sensitive partner documents, trade secrets and so on. Remember, what you as a technician think is valuable might not be what is most valuable for the business. Therefore, you need to work with business users and management to create a list of all valuable assets. For each asset, gather the following information, as applicable:

  • Software
  • Hardware
  • Data
  • Interfaces
  • Users
  • Support personnel
  • Mission or purpose
  • Criticality
  • Functional requirements
  • IT security policies
  • IT security architecture
  • Network topology
  • Information storage protection
  • Information flow
  • Technical security controls
  • Physical security environment
  • Environmental security

Because most organizations have a limited budget for risk assessment, you will likely have to limit the scope of the remaining steps to mission-critical assets. Accordingly, you need to define a standard for determining the importance of each asset. Common criteria include the asset’s monetary value, legal standing and importance to the organization. Once the standard has been approved by management and formally incorporated into the risk assessment security policy, use it to classify each asset as :

  • Low
  • Medium
  • High
  • Critical
  • Catastrophic  

Mitre has published a methodology for identifying cyber critical assets. It is called Crown Jewels Analysis (CJA)Crown Jewels Analysis (CJA) is a process for identifying those cyber assets that are most critical to the accomplishment of an organization’s mission. CJA is also an informal name for Mission-Based Critical Information Technology (IT) Asset Identification. It is a subset of broader analyses that identify all types of mission-critical assets.

Mitre emphasise to identify asset in terms of financial and operational impacts if the asset is compromised.

Rabbon has developed a Critical Asset Assessment service which is inherited from Mitre’s Crown Jewel Analysis.

There are  two main stages of Critical Asset Assessment(CAA) are:

First Stage:

Identify the attributes of an asset like the owner, custodian, information type of an asset. It is critical to set up a layered dependency map, which can help to demonstrate all of the dependencies from cyber assets to organizational missions.

  • Leadership defines and prioritizes organizational mission objectives.
  • Management defines the operational tasks that support the mission objectives and dependencies. Which mission objective depends on which operational task.
  • Operators define the operational tasks’ supporter system functions and dependencies.
  • Tech or IT defines the cyber assets (and dependencies), which supports the system functions.


Second Stage:

We have to carry out the Mission Impact Analysis, which is a bit like the well-known Business Impact Analysis. Risk-to-Mission Assessment Process can help to quantify the impacts. When the Mission Impact Analysis is carried out, we can identify your Critical Assets, the most important cyber assets to an organization’s mission.

The typical process for this stage is:

  • Assign Probability of Failure(PoF) to each asset based on knowledge of consumed life along with survivor curve.


Source –

  • Assign Consequence of Failure (CoF) ranking to each asset based on knowledge of the significance of the failure effect.
  • Assign the Criticality Index to reflect the owner operating standard
  • Map the criticality of an asset to the Criticality Matrix.

This assessment will provide a reasonable picture of the current reliability of your assets and provides you with a good starting point from which to set goals and to identify important elements of your new program. This may seem to be a daunting task at first, so only include the most critical assets (such as the top 20%). You can decide where your cut-off is, though it is best to add less critical assets only after the most critical have been done.

Rabbon has identified that businesses make three major mistakes with asset criticality assessment. Firstly, the methodology they use is too complex, employing far too many criteria which, in the end, doesn’t affect the result. Alternatively, they use a methodology that’s not granular enough. Typically, we see this when a business uses a consequence-likelihood approach based on a risk matrix. Great for working out criticality, but what do you do when you have 300 assets with the same risk rating? The third mistake is not starting from the top of your asset hierarchy. Finding low-criticality systems lets a business identify and screen out hundreds of assets from the lengthy assessment process, enabling them to identify and get to the critical assets much faster. In order to avoid these mistakes, we highly recommend using our GRC tool SIMPLE

We, at Rabbon, consider critical asset assessment as the first step towards the cyber security journey. This assessment is important for your business goals. Rabbon can provide a comprehensive critical asset assessment and corresponding cyber security strategy. 

Our service helps you prioritise your security controls and plans leading to secure management of your critical assets.

Cybersecurity is what we do

Rabbon is a Cybersecurity company based with offices in Sydney and Melbourne. We lead a team of Cyber Security Consultants and GRC Consultants, who help organisations become cyber resilient by providing access to effective and affordable cybersecurity services. We believe that “Cybersecurity is for everyone

You can contact our Cyber Security Consultants for an obligation free consultation.

Phone : +61 2 80513207

Email: [email protected]