Risk Management: Threats: What threats have been identified, what are their characteristics and relevant history?
Options:Identify the relevant threats from the table and/or alter as necessary. Identify known examples for the enterprise, other similar enterprises, and the general public.
Basis:insiders: Employees, board members, and other internal team members who have legitimate access to information and/or information technology.
Complexity: Insiders typically have special knowledge of internal controls that are unavailable to outsiders, and they have some amount of access. In some cases, they perform only authorized actions - as far as the information systems have been told. They are typically trusted and those in control often trust them to the point where placing internal controls against their attacks are considered offensive.
People who enjoy using computers and exploring the information
infrastructure and systems connected to it.
Complexity: While not generally malicious, these people tend to gather and exploit tools that open holes to other attackers. They also sometimes make mistakes or become afraid and feel they have to cover their tracks, thus causing incidental harm.
People who maliciously break into information systems and
intentionally cause harm in doing so.
Complexity: These people have tools similar to those of hackers, but they use these tools for malicious purposes and can sometimes cause a great deal of harm. They are often bold, and often exploit indirect links to make it hard to trace them back to their source.
People who break into information systems as part of a ceremony
to become members of clubs.
Complexity: Club initiates commonly use copy-cat attacks with minor modifications. A typical example includes writing minor variants on viruses that bypass a known virus detector.
Groups who roam the information infrastructure breaking into systems
and doing harm for fun and profit.
Complexity: These groups are generally willing to exploit commonly known attacks as well as an occasional novel attack. Perception management and dumpster diving are some of their favorite tools. They are often emboldened by group dynamics.
People hired to demonstrate vulnerabilities in systems by
exploiting those vulnerabilities.
Complexity: These people are usually honest, but sometimes they are not. In addition, they often fail to properly repair the systems they try to break into, thus leaving residual vulnerabilities. Their skills vary widely, from rank amateur using off-the-shelf software - to true experts with a high degree of sophistication. It is often hard to tell which is which unless you are an expert.
People who typically have access to physical locations in order
to do routine maintenance tasks.
Complexity: Maintenance people commonly introduce viruses by accident. They often have far more physical access than even highly trusted employees, they are often allowed in sensitive areas alone and at off-hours, they are usually poorly paid and assumed to have little knowledge, and they are often trusted with items of high value.
People who make their living from stealing things.
Complexity: Professional thieves typically use the best tools they can find, practice ahead of time for major thefts, and use highly coordinated efforts to achieve their goals. They have historically tended toward physical means, but this may be changing.
People who hurt other people in order to get what they want.
Complexity: They often extract information in a brutish way, exploiting human frailty and family relationships rather than technical means.
People who damage things for the fun of it.
Complexity: Vandals typically use the path of least resistance, fear being caught, and rapidly flee the scene of the crime.
People who believe in a cause to the point where they take
action in order to forward their ends.
Complexity: These people can be extremely zealous - even when they are misdirected. They often consider one viewpoint to the exclusion of all others, try to maximize harm to their victim without regard to competitive issues or personal gains, and typically use physical means - sometimes with the additional element of publicity as part of their motive.
Private individuals or corporate entities that investigate on a
Complexity: Investigators are willing to do a substantial amount of targeted work toward accomplishing their goals, in some cases they may be willing to violate the law, they often have contacts in government and elsewhere that provide information not commonly available, and they commonly use bribes of one form or another to advance their ends.
crackers for hire:
Crackers who get paid to break into systems and do harm.
Complexity: These people combine technical skills, tools, and money, and can be quite successful, hard to trace, and difficult to defend against.
People who are not as in control over their mental faculties as
most other people.
Complexity: The sky is the limit with a person who doesn't act rationally. The danger is heightened when combined with other threat elements.
Organized groups of professional criminals.
Complexity: These people tend to have money (but usually don't want to spend it on information system attacks), use physical threats to get what they want, and exploit human weaknesses.
Groups that combine forces in order to manufacture and sell
Complexity: These groups typically have a lot of money and are willing to spend it in order to get what they want. They typically want to launder money, eliminate competition, retain control over their dealer networks, and keep law enforcement away. They use violence and physical coercion easily.
terrorists: People who attempt to induce terror in others in order to forward their cause.
industrial espionage experts:
People who specialize in harming companies to the benefit of
Complexity: These people tend to be highly skilled, well paid, and stealthy. They tend to use subtle techniques rather than brute force.
foreign agents and spies:
People who professionally gather information and commit
sabotage for governments.
Complexity: These people are highly trained, highly funded, backed by substantial scientific capabilities, directed toward specific goals, and skillful at avoiding detection. They can be very dangerous to life and property.
People tasked with enforcing laws.
Complexity: These people often have powers of search and seizure, are usually poorly paid, wield guns, have powers of arrest, and in much of the world are easily corrupted. They tend to use physical means.
Groups that work as parts of government.
Complexity: These groups are highly funded, often made up largely of professionals, they commonly have indirect powers of search and seizure, sometimes wield guns, have indirect powers of arrest, and in much of the world are easily corrupted. They often use highly sophisticated means.
People who specialize in destroying enemy infrastructure.
Complexity: These groups typically have access to accurate weapons and high explosives, they are oriented toward causing serious physical harm, often have the goal of causing permanent harm, do not hesitate to kill people, and act at the behest of governments, and with their full and open support.
People who work for newspapers, news magazines, television,
radio, or other media elements.
Complexity: Reporters often gain access that others do not have, often use misleading cover stories or false pretenses, commonly try to become friendly with insiders in order to get information, and have extraordinary power to publicly punish what they perceive to be or can construe as misdeeds.
Companies, groups, and governments that compete on a large
scale with your companies, groups, and governments.
Complexity: While economic rivals are usually merely competitive, sometimes they become rather extreme in their desire for technical information and attack in order to gain technical expertise. They tend to be well funded, have a lot of expertise, and typically operate from locations which provide legal cover for their actions.
National governments - countries.
Complexity: When countries decide to attack other countries in the information arena, they often use stealth to try to provide for plausible deniability, however this is not always the case, and they often fail to achieve true anonymity. Responses may lead to escalation - and in some cases - escalation can lead to full-scale war.
Global groups that work together toward common goals.
Complexity: Global coalitions - of corporations, groups, countries, cartels, and other bodies - combine their forces to increase their impact and make it harder to fight them off.
Government-sponsored armed and organized groups.
Complexity: Militaries tend to blow things up, however, in the more advanced military organizations, information is exploited to maximize their advantage and neutralize opponent capabilities. Physical destruction is often avoided in order to preserve infrastructure used after the conflict has ended. They tend to have and use exotic as well as every-day capabilities.
Privately-sponsored armed and organized groups.
Complexity: Paramilitary groups, malicious, and similar organizations tend to be poorly funded and oriented toward physical destruction.
People who specialize in attacking information systems as
part of government-sponsored military operations.
Complexity: Information warriors may use any or all of the known techniques as well as techniques developed especially for their use and kept secret in order to attain military advantage. They tend not to kill people unnecessarily.
People who extort money or goods by threatening harm if not
Complexity: Extortion is commonly used to get money in exchange for not causing harm. It is closely related to kidnaping.
Things fall apart. Stuff happens. Nature calls. People die.
Complexity: Most natural phenomena can be characterized by statistics and dealt with using probabilistic techniques.
People who work under their own control to provide contract
services to others.
Complexity: Consultants often have insider access but are not controlled as are insiders. Technical consultants who use client information technology present a technical threat, while management consultants who often have access to more of the more sensitive information in a company presents a human threat.
People who sell things to you.
Complexity: Vendors are often in competition with each other over sales and with you over pricing and terms. They tend to be in long-term relationships and often work closely with your people. Their economic motives are often not aligned with yours and in some cases, they take advantage of information in order to gain economic advantage in negotiations.
People who you buy things from.
Complexity: Customers are often in competition with you over pricing and terms. Their economic motives are often not aligned with yours and in some cases, they take advantage of information in order to gain economic advantage in negotiations. In some cases, customers have worked their way into companies, extracted information, taken over their suppliers' businesses by taking advantage of the knowledge gained through their interactions.
People who defraud others.
Complexity: Throughout the centuries, people have perpetrated frauds of all sorts in order to gain through taking advantage of others.
Other individuals or companies in the same or similar businesses
and who stand to gain from your loss or who can gain economic advantage by
taking advantage of you.
Complexity: Competitors are commonly perceived as an economic threat, but in large businesses, they are often collaborators on some projects and competitors on others. As a result, information technology is often used to provide access for some purposes. It can be quite tempting to exploit this access and these relationships in competitive areas.
People who believe that crimes are being committed and that they
have a duty to report them to the proper authorities.
Complexity: Whistle blowers are often sincere in their beliefs, have insider access, and sometimes have legitimate cases.