Beruflich Dokumente
Kultur Dokumente
LIKELIHOOD
VERY
UNLIKELY
UNLIKELY
MODERATE
VERY
LIKELY
LIKELY
IMPACT
NEGLIGIBLE
MINOR
MODERATE
SIGNIFICANT
SEVERE
The following matrix demonstrates how risk is calculated based on the impact
and likelihood scores
We can convert this into a numerical value, where the higher the score the
higher the risk:
Terrorism
Network Access
The above diagram was created to help explain the relationship between the various
components of an information risk assessment using the basic formula for risk.
Audiences that are new to Information Security and/or Risk Management may need to
have some of the basic terms explained.
LIKELIH
OOD
that
Threats
will
Exploit
Vulnerabili
ties
to attack
Targets
and
Compromis
e
Informati
on
causing
IMPACT
=
RISK
Accepted by Executive
Reduce Impact
RISK
Transferred to an
can be
External body
http://www.tru.ca/its/infosecurity/
Reduce
Reduce Vulnerability
Reduce Likelihood
Reduce Vulnerability
Reduce Likelihood
RISK
This diagram is shared here for non-commercial use under Creative Commons AttributionNoncommercial-Share Alike 2.5 Canada (http://creativecommons.org/licenses/by-nc-sa/2.5/ca/).
1 Minor
2 Moderate
3 Major
4 Severe
5 Catastrophic
Worst Case
THREAT SOURCES
A threat is any circumstance or event with the potential to adversely impact
organizational operations and assets, individuals, other organizations, or the Nation
through an information system via unauthorized access, destruction, disclosure, or
modification of information, and/or denial of service. There are two aspects to threat
considered in this publication: (i) threat sources; and (ii) threat events.
A threat source is an actor (causal agent) with the intent and method targeted at the
exploitation of a vulnerability or a situation and method that may accidentally exploit a
vulnerability. In general, types of threat sources include: (i) hostile cyber/physical
attacks; (ii) human errors of omission or commission; (iii) structural failures of
organization-controlled resources (e.g., hardware, software, environmental controls); and
(iv) natural and man-made disasters, accidents, and failures beyond the control of the
organization.
ADVERSARIAL
Individual
Outsider
Insider
Trusted Insider]
Privileged Insider
Group
Ad hoc
Established
Organisation
Nation-State
ACCIDENTAL
Ordinary User
Privileged User/Administrator
STRUCTURAL
IT Equipment
Storage
Processing
Communications
Display
Sensor
Controller
Environmental Controls
Temperature/Humidity Controls
Description
Characterist
ics
Capability,
Intent,
Targeting
Range of
effects
Range of
effects
Power Supply
Software
Operating System
Networking
General-Purpose Application
- Mission-Specific Application
ENVIRONMENTAL
Fire
Flood/tsunami
Windstorm/Tornado
Hurricane
Earthquake
Bombing
Overrun
Infrastructure Failure/Outage
Telecommunications
Electrical Power
Range of
effects
Threat Events
Description
Cause
deterioration/destruction of
critical information system
components and functions.
Compromise critical
information systems via
physical access by outsiders.
Compromise information
systems or devices used
externally and reintroduce into
the enterprise.
Compromise design,
manufacture, and/or
distribution of information
system components (including
hardware, software, and
firmware) organizations are
known to use.
Conduct reconnaissance,
surveillance, and target
acquisition of targeted
organizations.
Exploiting vulnerabilities in
information systems timed
with organizational
mission/business operations
tempo.
Exploit vulnerabilities on
internal organizational
information systems.
Installing general-purpose
sniffers on organizationcontrolled information systems
or networks.
Leverage traffic/data
movement allowed across
perimeter (e.g., email
communications, removable
storage) to compromise
internal information systems
(e.g., using open ports to
exfiltrate information).
Insider-based session
hijacking.
Intercept/decrypt weak or
unencrypted communication
traffic and protocols.
Jamming wireless
communications.
Opportunistically stealing or
scavenging information
systems/components.
Perimeter network
reconnaissance/scanning.
Poorly configured or
unauthorized information
systems exposed to the
Internet.
Social engineering by
outsiders to convince insiders
to take armful actions.
Adversary employs phishing attacks targeted at highvalue targets (e.g., senior leaders/executives).
Successfully compromise
software of critical information
systems within organizations.
Unauthorized internal
information system access by
insiders.
Threat Event
Spill sensitive information
Mishandling of critical
and/or sensitive information
by authorized users
Earthquake
Earthquake at primary
facility
Fire
Fire
Flood
Flood
Hurricane
Hurricane
Processing
Resource depletion
Communications Contention
Unreadable display
Description
Authorized user erroneously
contaminates a device, information
system, or network by placing on it or
sending to it information of a
classification/sensitivity which it has not
been authorized to handle. The
information is exposed to access by
unauthorized individuals, and as a
result, the device, system, or network is
unavailable while the spill is
investigated and mitigated.
Authorized privileged user inadvertently
exposes critical/sensitive information.
Storage
Storage
Disk error
Pervasive disk error
Windstorm or
Tornado
Windstorm/tornado at
primary facility
Windstorm or
Tornado
Windstorm/tornado at
backup facility
to resource depletion.
Corrupted storage due to a disk error.
Multiple disk errors due to aging of a set
of devices all acquired at the same time,
from the same supplier.
Windstorm/tornado of organizationdefined strength at primary facility
makes facility inoperable.
Windstorm/tornado of organizationdefined strength at backup facility
makes facility inoperable or destroys
backups of software, configurations,
data, and/or logs.
Vulnerability
Terminated employees'
accounts are not removed
from the system or made
inactive
Threat-Source
Adversarial insiders (continuing
employees with ill intent and
knowledge of terminated
employee user IDs and
passwords) and/or adversarial
outsiders (unauthorized external
individuals)
Adversarial outsiders:
unauthorized users (e.g.,
hackers, terminated employees,
computer criminals, terrorists)
Adversarial outsiders:
unauthorized users (e.g.,
hackers, disgruntled employees,
computer criminals, terrorists)
Environmental - Fire
Threat Action
Accessing the company's network
(whether remotely or through
having an otherwise valid reason
for being physically present within
the organization), logging into an
application as a terminated
employee, and accessing
company proprietary data or
protected health information.
Using telnet to XYZ server and
browsing files with guest ID.
of:
1) The likelihood of a given threat-sources attempting to exercise a given
vulnerability
2) The magnitude of the impact should a threat-source successfully exercise the
vulnerability
3) The adequacy of planned or existing security controls for reducing or eliminating
risk
Likelihood
Likelihood is an indication of the probability that a potential vulnerability may be
exercised given the threat environment.
Consider the following factors:
1) Threat-source motivation and capability
2) Nature of the vulnerability
3) Existence and effectiveness of current or planned controls
Likelihood
Level
Likelihood Definition
Anticipated frequency of occurrence is:
Very
High
Error, accident, or act of nature is almost certain to occur; or occurs > 100
times a year.
Error, accident, or act of nature is highly likely to occur; or occurs between
10-100 times p.a
Error, accident, or act of nature is somewhat likely to occur; or occurs
between 1-10 times p.a.
Error, accident, or act of nature is unlikely to occur; or occurs less than once
a year, but more than once every 10 years.
Error, accident, or act of nature is highly unlikely to occur; or occurs < once
every 10 years.
High
Medium
Low
Negligibl
e
Impact
The level of impact from a threat event is the magnitude of harm that can be expected
to result from the unauthorized disclosure, modification, disruption, destruction, or loss
of information and/or denial of service. Such adverse impact, and hence harm, can be
experienced by a variety of organizational and non-organizational stakeholders
including, for example, heads of agencies, mission and business owners, information
owners/stewards, mission/business process owners, information system owners, or
individuals/groups in the public or private sectors relying on the organizationin
essence, anyone with a vested interest in the organizations operations, assets, or
individuals, including other organizations in partnership with the organization, or the
Nation (for critical infrastructure-related considerations)
The following are adverse impacts that should be considered when scoring:
Type of Impact
Impact
Harm to
Inability to perform current missions/business functions.
o In a sufficiently timely manner.
Operations
o With sufficient confidence and/or correctness.
o Within planned resource constraints.
Inability, or limited ability, to perform missions/business functions in the
future.
o Inability to restore missions/business functions.
o In a sufficiently timely manner.
o With sufficient confidence and/or correctness.
o Within planned resource constraints.
Harms (e.g., financial costs, sanctions) due to noncompliance.
o With applicable laws or regulations.
o With contractual requirements or other requirements in other binding
agreements.
Direct financial costs.
Relational harms.
o Damage to trust relationships.
o Damage to image or reputation (and hence future or potential trust
relationships).
Harm to
Damage to or loss of physical facilities.
Damage to or loss of information systems or networks.
Assets
Damage to or loss of information technology or equipment.
Damage to or loss of component parts or supplies.
Damage to or of loss of information assets.
Loss of intellectual property.
Harm to
Identity theft.
Individuals Loss of Personally Identifiable Information [or Protected Health
Information].
Injury or loss of life.
Damage to image or reputation.
Physical or psychological mistreatment.
Harm to
Harms (e.g., financial costs, sanctions) due to noncompliance.
o With applicable laws or regulations.
Other
o With contractual requirements or other requirements in other binding
Organizati
agreements.
ons
Direct financial costs.
Harm to
the nation
Magnitude
of Impact
Very
High
High
Medium
Low
Negligi
ble
Relational harms.
o Damage to trust relationships.
o Damage to reputation (and hence future or potential trust
relationships).
Damage to or incapacitation of a critical infrastructure sector.
Loss of government continuity of operations.
Relational harms.
o Damage to trust relationships with other governments or with
nongovernmental entities.
o Damage to national reputation (and hence future or potential trust
relationships).
Damage to current or future ability to achieve national objectives.
Impact Definition