List the Threats
Step 4 in the recommended risk assessment process is "List the threats". This page expands on that step.
During this step, list all possible threat sources, such as an exploitation of a vulnerability. Some examples include denial of service attacks that exploit software vulnerabilities, worms that exploit operating system vulnerabilities, and sniffing of network traffic for confidential data.
Threat Types - This lists a few threats related to the business which are not specifically computer security threats. See Organizational Threats in the Disaster Recovery section for more information about non-computer related threats.
- Environmental - Flood, freezing, landslide, lightning, earthquake, snow, ice, tornado, hurricane, tidal wave, windstorm, hail, volcano, and wildland fire.
- Local failure - Water utility failure, electric utility failure, gas utility failure, transportation system failure, waste disposal failure, communications system failure, business supplier failure, epidemic, emergency services failure.
- Equipment failure - Climate control failure, fire, system errors.
- Accidents - Any accident causing harm to persons or equipment including exposure to toxic material.
- Vandalism, theft
Computer Related Threats
Computer-related threats range from intentional to unintentional. A threat may arise because someone accidentally misconfigures computer software settings. Someone may leave a connection active when it should be deactivated, at a time when the active connection creates a vulnerability. Equipment or software malfunctions can also cause threats; these usually result in a denial of service, but they may also create a security vulnerability. The page called Computer Security Threat Sources provides a more comprehensive list of intentional and unintentional computer security related threats.
Aspects of the Threats
Aspects of the threats that should be listed include:
- Scenarios - The type of exploit and attack that would be a threat, and what the target of the attack would be, including intermediate targets.
- Causes - Normally a vulnerability and someone's willingness to exploit it, but the cause could also be errors.
- Consequences - The damage, including monetary loss, personal injury or loss of life, and also the remediating actions required.
- Interrelationships - Relationships to the network, organization, and other systems which may allow the scenario to put them in danger.