Compensating controls are cyber security mechanisms put in place to satisfy specific security compliance standards for regulatory purposes[1] or to meet a manufacturer’s guidelines.[2] Such controls are not intended to be less stringent. Rather, the controls must – at a minimum – satisfy the rigor of the original security requirement.[3] The purpose of compensating controls is to give organizations an alternative means by which they can achieve the required security and defensive levels when the prescribed method are impractical or infeasible due to business or technological constraints. However, regardless of the reason for implementation, quantifying compensating controls must be done on a regular basis to ensure the requisite security standard(s) are met or exceeded even as the threat environment evolves.

Traditionally, the only way to assess the strength of an organization’s compensating controls within its IT system was through pen testing – a costly, slow, and resource-intensive proposition. The ability to conduct dynamic what-if analysis using different compensating controls or different control configurations has, of course, been technologically and financially infeasible.

Recently, though, ThreatModeler™ has changed that. Quantifying compensating controls of an IT system with ThreatModeler™ can be done in minutes; against the list of unique, relevant threats and their associated risk levels; either as a what-if analysis or to assess the strength of deployed components; and is as easy as “dragging-and-dropping” an icon onto an on-screen canvas.

Including Compensating Controls

ThreatModeler™ provides users with an easy-to-use graphical interface that allows threat models to be created in much the same way an application or system architect might whiteboard a new project in an Agile production environment. It only takes minutes to create or update a threat model. Once the visual diagram is completed the ThreatModeler™ Intelligent Threat Engine will enumerate all the relevant threats, their risk rating, their source within the threat model, and their status.

With threat model completed, quantifying compensating controls only requires adding the control component to the visual diagram and clicking the Mitigate button. Immediately the status of the specific threats which the compensating control addresses are changed from “open” to “mitigated.” Reversing the operation only requires deleting the control from the diagramming canvas.

Users can add as many or as few compensating controls to their threat models, in any configuration, and select which threats a particular control mitigates. Analysis of the compensating controls can be done for a single application or the organization’s comprehensive attack surface.

Why Quantifying Compensating Controls Matters

Every InfoSec professional knows – and C-level executives and Directors are increasingly understanding – an organization’s cyber assets are both valuable and critical for continuing operations. Wall Street analysts estimate that enterprises spend as much as 54% more on acquiring cyber assets than they do on traditional assets. Furthermore, analysts argue that the difference between a company’s book value and their market capitalization serves as a proxy for the organization’s troves of consumer information; vendor details; digitized internal communique, plans, and other documents; and the software, algorithms, and IT systems used to gather, maintain, and manage it all.[4] Facebook, for example, had a 2015 closing book value of $44.2 billion. However, their market cap at that same time was approximately $320 billion, meaning the value of their cyber assets was in the ballpark of $275.8 billion – more than six times the value of all their other assets combined.

Compensating controls are all about protecting the organization’s cyber assets – feasibly and cost-effectively – against the existing relevant threats and a plethora of new potential threats emerging daily. Quantifying compensating controls provides objective assurance that the requisite levels of security are met without needing to patch every application for each new threat retroactively.

By quantifying compensating controls with ThreatModeler™, organizations can

  • Satisfy assessors that the PCI DSS or other regulatory defensive and security standards are met or exceeded in relation to specific threats;
  • Provide objective assurance to device manufacturers that the organization’s IT environment will allow the 3rd party device to function within its security operating parameters;
  • Demonstrate to cyber insurance underwriters that the organization’s security standards are within ideal guidelines; and
  • Assure customers, vendors, and the board of directors that the organization’s deployed controls are effectively managing current and emerging threats.

ThreatModeler™ is the only threat modeling platform that provides organization’s enterprise threat modeling capacity – including the ability to quantify the strength of their existing compensating controls or to perform what-if analysis on proposed controls.

Click here to schedule a demo and see for yourself how ThreatModeler™ makes quantifying compensating controls easy and effective.


[1] Rouse, Margaret. “Compensating Control (alternative control).” WhatIs.com. TechTarget: Newton. November 2016.

[2] “Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff.” Food and Drug Administration: Silver Spring. December 28, 2016.

[3] Tagle, Pierre. “Compensating Controls: Risky Business or Risk-Based Approach?” Secure Works: Atlanta. April 25, 2016.

[4] Monga, Vipal. “Accounting’s 21st Century Challenge: How to Value Intangible Assets.” The Wall Street Journal. Dow Jones & Company: New York. March 21, 2016.