1. What is the expected level of Attacker for the organization?
The first step in determining your suggested SecCon level is to consider the skill of the attacker likely for an environment. The attacker type determines the baseline SecCon level, which helps identify the controls necessary to prevent, restrict, or detect the attacker.
3. What is the organization’s tolerance to Risk?
Understanding the culture of an organization is important to determining the extent of the mitigation strategy. Similar to a low vs. high deductible on car insurance, the lower the tolerance, the more significant the investment in security.