One of the first steps of an information security risk assessment is to identify the threats that could pose a risk to your business.
According to the risk assessment process of ISO27005, threat identification is part of the risk identification process.
Threats come in various guises, such as natural disasters, a data leak, computer malfunction or even more severe scenarios, such as a bomb or terrorist attack.
How do you identify threats?
It can take quite some time for the risk assessor to come up with every possible threat scenario. A more detailed assessment of the likelihood and impact of each risk is undertaken at a later stage of the risk assessment process, but the likelihood of a threat occurring still needs to be considered at this point. The reason I mention likelihood here is that some threats are so unlikely to occur that risk assessors tend to ignore them – for instance, an earthquake causing destruction in an area where earthquakes have never been recorded.
Once you have identified the threats, the next step is to identify the corresponding weaknesses (or vulnerabilities) in your organisational systems, resources, processes or policies that could be exploited by the threat. It is always useful to start off with a list of known threats to information security, as we have listed below. Of course, ISO27005 provides quite a detailed list of threats and vulnerabilities. These have conveniently been built into vsRisk, enabling the risk assessor to select threats from a predefined list. Additional risks or threats can be added, too.
If you are following an asset-based risk assessment, you may want to first identify the assets, and then choose the specific vulnerabilities that apply to them. ISO27001 no longer specifies that an asset-based risk assessment is important, of course, so you could go straight into identifying threats or risk scenarios.
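The asset-based route just described (identify assets, then the vulnerabilities that apply to them, then the threats that could exploit those vulnerabilities) is easy to model as a small risk register. The following is an added example, not code from the original article or from vsRisk: the threat names are taken from the list further down the page, while the vulnerabilities, assets and the site's event history are constructed for illustration. It builds risk scenarios as asset/threat/vulnerability triples, drops environmental threats with no recorded occurrence at the site (the earthquake point made above), and reports threats left unpaired with any vulnerability, which usually signals a gap in the vulnerability list rather than a genuine absence of risk.

```python
"""Risk-identification register in the ISO 27005 style described above.

Added example (not from the original article or from vsRisk). Threat names
come from the article's list; vulnerabilities, assets and the occurrence
history are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    category: str  # "deliberate", "accidental" or "environmental"


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exploited_by: frozenset  # names of threats that can exploit this weakness


@dataclass(frozen=True)
class Asset:
    name: str
    vulnerabilities: tuple  # names of vulnerabilities present on the asset


@dataclass(frozen=True)
class RiskScenario:
    asset: str
    threat: str
    vulnerability: str


# Threat catalogue: a handful of entries taken from the article's list.
THREATS = [
    Threat("Disclosure of passwords", "deliberate"),
    Threat("Malicious code", "deliberate"),
    Threat("Social engineering", "deliberate"),
    Threat("Loss of electricity", "environmental"),
    Threat("Natural disaster (earthquake)", "environmental"),
    Threat("User error", "accidental"),
]

# Constructed vulnerabilities, each linked to the threats that could exploit it.
VULNERABILITIES = {
    "No multi-factor authentication": Vulnerability(
        "No multi-factor authentication", frozenset({"Disclosure of passwords"})),
    "Unpatched operating system": Vulnerability(
        "Unpatched operating system", frozenset({"Malicious code"})),
    "No uninterruptible power supply": Vulnerability(
        "No uninterruptible power supply", frozenset({"Loss of electricity"})),
    "No off-site backups": Vulnerability(
        "No off-site backups", frozenset({"Natural disaster (earthquake)"})),
    "No input validation on data entry": Vulnerability(
        "No input validation on data entry", frozenset({"User error"})),
}

# Constructed assets with the vulnerabilities found on each.
ASSETS = [
    Asset("Customer database server",
          ("No multi-factor authentication", "Unpatched operating system",
           "No off-site backups")),
    Asset("Finance workstation",
          ("Unpatched operating system", "No input validation on data entry",
           "No uninterruptible power supply")),
]

# Constructed history of environmental events recorded at the site (years).
RECORDED_EVENTS = {"Loss of electricity": [2016, 2021]}


def negligible_likelihood(threat: Threat, recorded_events: dict) -> bool:
    """Environmental threats never recorded at the site are treated as negligible."""
    return threat.category == "environmental" and threat.name not in recorded_events


def identify_risks(assets, threats, vulnerabilities, recorded_events) -> list:
    """Pair every asset's vulnerabilities with the threats able to exploit them."""
    scenarios = []
    for threat in threats:
        if negligible_likelihood(threat, recorded_events):
            continue
        for asset in assets:
            for vuln_name in asset.vulnerabilities:
                if threat.name in vulnerabilities[vuln_name].exploited_by:
                    scenarios.append(RiskScenario(asset.name, threat.name, vuln_name))
    return scenarios


def unpaired_threats(threats, vulnerabilities) -> list:
    """Catalogue threats that no vulnerability is linked to: a gap to review."""
    linked = set().union(*(v.exploited_by for v in vulnerabilities.values()))
    return [t.name for t in threats if t.name not in linked]


if __name__ == "__main__":
    for scenario in identify_risks(ASSETS, THREATS, VULNERABILITIES, RECORDED_EVENTS):
        print(f"{scenario.asset}: {scenario.threat} via {scenario.vulnerability}")
    print("Threats with no linked vulnerability:",
          unpaired_threats(THREATS, VULNERABILITIES))
```

Note that the earthquake threat is linked to a real weakness (no off-site backups) but produces no scenario because nothing of the kind has been recorded at the site; changing the recorded history brings it back, which is the right place for that judgement to live rather than in the catalogue itself. "Social engineering" is reported separately because no vulnerability on the page's constructed list points at it, so the assessor knows the vulnerability list, not the threat list, needs attention.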
Below is a list of common threats* to information security.
- Access to the network by unauthorised persons
- Bomb attack
- Bomb threat
- Breach of contractual relations
- Breach of legislation
- Compromising confidential information
- Concealing user identity
- Damage caused by a third party
- Damages resulting from penetration testing
- Destruction of records
- Human disaster (man-made, e.g. sabotage, vandalism, tampering)
- Natural disaster (e.g. earthquake, landslide, volcano, storm, flood, solar flare, transportation accidents)
- Disclosure of information
- Disclosure of passwords
- Errors in maintenance
- Failure of communication links
- Falsification of records
- Industrial espionage
- Information leakage
- Interruption of business processes
- Loss of electricity
- Loss of support services
- Malfunction of equipment
- Malicious code
- Misuse of information systems
- Misuse of audit tools
- Social engineering
- Software errors
- Terrorist attacks
- Lightning strike
- Unintentional change of data in an information system
- Unauthorised access to the information system
- Unauthorised changes of records
- Unauthorised installation of software
- Unauthorised physical access
- Unauthorised use of copyright material
- Unauthorised use of software
- User error