A threat is the potential for a person or a thing to exercise (accidentally trigger or intentionally exploit) a flaw or weakness (vulnerability) within an organization. Several types of threats may occur within an information system or operating environment. Threats are usually grouped into general categories such as natural, human, and environmental, for example:
- Storm damage (e.g., flood)
- Fire
- Lightning strikes
- Tornado
- Computer abuse
- Unauthorized access to Privacy Act and proprietary information
- Terrorism
- Sabotage or vandalism
- System tampering
- Spoofing
- Fraud
- Impersonation and social engineering
- Hacking
- Negligence or human error
- Theft
- Falsified data
- Long-term power failure
- Chemical leakage
- Pollution
The desired outcome of identifying and reviewing (assessing) threats and vulnerabilities is determining the potential and actual risks to the organization. Risk is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization. Risk is established by considering the potential impact and the likelihood of a vulnerability being exploited by a threat. Risk only exists when a threat has the capability of triggering or exploiting a vulnerability. The following formula is used to determine a risk score:
For this assessment, numeric rating scales are used to establish impact potential (0-6) and likelihood probability (0-5).
| IMPACT SCALE | LIKELIHOOD SCALE |
|---|---|
| 1. Impact is negligible | 0. Unlikely to occur |
| 2. Effect is minor; major agency operations are not affected | 1. Likely to occur less than once per year |
| 3. Organization operations are unavailable for a certain amount of time and costs are incurred; public/customer confidence is minimally affected | 2. Likely to occur once per year |
| 4. Significant loss of operations; significant impact on public/customer confidence | 3. Likely to occur once per month |
| 5. Effect is disastrous; systems are down for an extended period of time, need to be rebuilt, and data must be replaced | 4. Likely to occur once per week |
| 6. Effect is catastrophic; critical systems are offline for an extended period, data are lost or irreparably corrupted, and public health and safety are affected | 5. Likely to occur daily |
When determining impact, consider the value of the resources at risk, both in terms of inherent (replacement) value and the importance of the resources (criticality) to the organization’s successful operation.
Factors influencing likelihood include threat capability, frequency of threat occurrence, and effectiveness of current countermeasures (security controls). Threats caused by humans are capable of significantly impairing an organization's ability to operate effectively. Human threat sources include:
- Insiders: employees, owners, stockholders, etc.
- General contractors and subcontractors: cleaning crew, developers, technical support personnel, and computer and telephone service repair crew
- Former employees: employees who have retired, resigned, or were terminated
- Unauthorized users: computer criminals, terrorists, and intruders (hackers and crackers) who attempt to access agency/enterprise resources
Finally, use the following table to determine and understand the potential criticality (risk level) of each threat/vulnerability based on the calculated risk value.
| SCORE | RISK LEVEL | RISK OCCURRENCE RESULT |
|---|---|---|
| 21-30 | High Risk | Occurrence may result in significant loss of major tangible assets, information, or information resources. May significantly disrupt the organization’s operations or seriously harm its reputation. |
| 11-20 | Medium Risk | Occurrence may result in some loss of tangible assets, information, or information resources. May disrupt or harm the organization’s operation or reputation. For example, authorized users aren’t able to access supportive data for several days. |
| 1-10 | Low Risk | Occurrence may result in minimal loss of tangible assets, information, or information resources. May adversely affect the organization’s operation or reputation. For example, authorized users aren’t granted access to supportive data for an hour. |
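To show the whole procedure end to end (rate impact, rate likelihood, combine them, map the score to a risk level), here is an added worked example in Python; it is an illustration written for this page, not the assessment's own tooling. The page does not reproduce the scoring formula, so the example assumes risk = impact × likelihood, which is consistent with the 1-30 score range (6 × 5); the register entries and their ratings are constructed sample data.

```python
from dataclasses import dataclass

IMPACT_RANGE = range(0, 7)       # impact potential rated 0-6
LIKELIHOOD_RANGE = range(0, 6)   # likelihood probability rated 0-5

@dataclass(frozen=True)
class ThreatVulnPair:
    threat: str
    vulnerability: str
    impact: int
    likelihood: int

def risk_score(impact: int, likelihood: int) -> int:
    """Combine the two ratings. ASSUMPTION: the source omits its formula; the
    1-30 score range matches impact (max 6) x likelihood (max 5), so the
    product is used here."""
    if impact not in IMPACT_RANGE or likelihood not in LIKELIHOOD_RANGE:
        raise ValueError(f"rating off scale: impact={impact}, likelihood={likelihood}")
    return impact * likelihood

def risk_level(score: int) -> str:
    """Map a score onto the criticality bands from the table above."""
    if score >= 21:
        return "High Risk"
    if score >= 11:
        return "Medium Risk"
    if score >= 1:
        return "Low Risk"
    # A 0 rating on either scale gives 0, below the lowest band: the threat
    # currently cannot trigger or exploit the vulnerability, so no risk exists.
    return "No Risk"

# Constructed sample register; the ratings are illustrative, not real assessment data.
REGISTER = [
    ThreatVulnPair("Unauthorized access", "default admin credentials on a public portal", 6, 4),
    ThreatVulnPair("Negligence or human error", "backups are never test-restored", 4, 3),
    ThreatVulnPair("Lightning strike", "no surge protection in the server room", 3, 1),
    ThreatVulnPair("Tornado", "no storm shelter for the facility", 6, 0),
]

def prioritise(register):
    """Score every pair and return (score, level, pair) tuples, highest risk first."""
    rows = [(risk_score(p.impact, p.likelihood), p) for p in register]
    return sorted(((s, risk_level(s), p) for s, p in rows), key=lambda r: r[0], reverse=True)

if __name__ == "__main__":
    for score, level, pair in prioritise(REGISTER):
        print(f"{score:2d}  {level:<11}  {pair.threat}: {pair.vulnerability}")
```

Note that the last register entry scores 0 because its likelihood rating is 0; the page's bands start at 1, and the example treats such a pair as carrying no current risk rather than forcing it into the Low band.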