MARS - 4 Simple Steps to Get Started With Cyber Security MARS - 4 Simple Steps to Get Started With Cyber Security

By Henry Haverinen


Advanced software solutions are essential for product companies who want to maintain a competitive edge. But how to apply new technology without exposing the business or customers to security risks?

Threat analysis is a standard tool in the toolbox of every mature software organization. But before diving into architectural topics, it’s a good idea to take a business-driven look at the security needs.

Intopalo’s security assessments start with a MARS workshop for making sure that we address the right questions for the business. It is a manuscript that condenses the essential starting points for business-driven security assessment, so work can start without wasting any time or money. MARS is a mnemonic that stands for Motivation, Assets, Raiders and Setbacks. Here’s an abridged recipe for using MARS as the first four steps to get started with cyber security.

Step 1 — Motivation

As security is hardly ever the actual goal but a means to an end, it makes sense to keep the business goals clearly in mind. The Motivation step goes through the business objectives of the system that is being analyzed as well as the business objectives for doing a security assessment.

The business case for security can be based on mitigating risks that are often directed towards the brand, customer loyalty or business continuity. You may also identify new opportunities that become possible if certain security concerns can be pushed off the table.

You can also consider the security objectives of your system. For example, objectives could be defined for the privacy of personal information, the accountability and auditability of certain user actions, and the availability and dependability of the service.

Step 2 — Assets

Step 2 identifies the digital or physical assets that need protection against security threats. The assets can be services, information, equipment or the environment. Draw a diagram of the system and its environment and identify the most business-critical components. Pay special attention to where data flows and where it is stored, as this will be essential information for the actual threat analysis. An initial look at data flows and data storage will help you prioritize and focus the threat analysis on the right areas.

Take into account the technology selections that have been made and any planned or likely changes in the environment. It’s also important to look at all life-cycle phases: development, deployment, maintenance and end of life.

In many industrial applications, availability and dependability are the most important security objectives. In these cases, you can design a dependability model of the system, which includes the classification of data flows for additional dependability related attributes such as real-time requirements and alarm management. The PICARD extension is a framework for creating a dependability model. You can read more about PICARD in “Cyber Security: Analytics, Technology and Automation”, ISBN 978-3-319-18302-2. See the chapter “Towards Dependable Automation” by Jari Seppälä and Mikko Salmenperä on pages 229-249.

Step 3 — Raiders

In the Raiders step, potential attackers of other kinds of threat agents are identified. For instance, there are targeted and untargeted attacks, friendly and unfriendly threat agents, attackers with different amounts of resources. The motivation to attack may be monetary gain, protest, show-off or industrial espionage.

Different attack channels can be used, and it’s good to list and prioritize them.

Legitimate users, such as developers, administrators, partners or customers may pose risks to the system, often by accident.

Step 4 — Setbacks

What is the worst thing that could happen to your system? What are other cost and damage scenarios that could take place? You can find checklists and examples from standards such as NIST SP 800-82, Chapter 4.1.2


After the MARS analysis, you have written down the business objectives and the security objectives of the system, built an overview of the system and its environment, and you have the first version of attack models and identified threat agents available. This will give you an excellent basis for effective and prioritized threat modeling.