List the Threats

Step 4 in the recommended risk assessment process is "List the threats" This page expands on that step.

During this step, list all possible threat sources such as an exploitation of a vulnerability. Some examples include denial of service attacks which exploit software vulnerabilities, worms which exploit operating system vulnerabilities, and sniffing network traffic for confidential data.

Organizational Threats

Threat Types - This lists a few threats related to the business which are not specifically computer security threats. See Organizational Threats in the Disaster Recovery section for more information about non-computer related threats.

  • Environmental - Flood, freezing, landslide, lightning, earthquake, snow, ice, tornado, hurricane, tidal wave, windstorm, hail, volcano, wildland fire, and windstorm
  • Local failure - Water utility failure, electric utility failure, gas utility failure, transportation system failure, waste disposal failure, communications system failure, business supplier failure, epidemic, emergency services failure.
  • Equipment failure - Climate control failure, fire, system errors.
  • Accidents - Any accident causing harm to persons or equipment including exposure to toxic material.
  • Vandalism, theft

Computer Related Threats

Computer related threats include different types of threats from intentional threats to unintentional threats. Threats may be due to the fact that someone accidentally mis-configures some computer software settings. Someone may leave a connection active when it should be de-activated at a time when the active connection creates a vulnerability. Equipment or software malfunction can also cause threats that usually are a denial of service but these malfunctions may create a security vulnerability. The page called Computer Security Threat Sources provides a more comprehensive list of intentional and unintentional computer security related threats.

Aspects of the Threats

Aspects of the threats that should be listed include:

  • Scenerios - The type of exploit and attack being used that would be a threat and what the target of the attack would be including intermediate targets.
  • Causes - Normally a vulnerability and a willingness by someone to exploit the vulnerability but could be errors.
  • Consequences - Includes damage including monitary, personal injury or loss of life and also remediating actions required.
  • Interrelationships - Relationships to the network, organization, and other systems which may allow the scenario to put them in danger.