The information security risk assessment: identifying threats

One of the first steps of an information security risk assessment is to identify the threats that could pose a risk to your business.

According to the risk assessment process of ISO27005, threat identification is part of the risk identification process.

Threats come in various guises, such as natural disasters, a data leak, computer malfunction or even more severe scenarios, such as a bomb or terrorist attack.

How do you identify threats?

It can take quite some time for the risk assessor to try to come up with every possible threat scenario.  A more detailed assessment of the likelihood and impact of risks must be undertaken during a later stage in the risk assessment process. At the same time, the likelihood of such a threat occurring also needs to be considered. The reason I mention likelihood here because some threats are so unlikely to occur that risk assessors tend to ignore them – for instance, an earthquake causing destruction in an area where earthquakes have never been recorded.

Once you have identified the threats, the next step is to identify the corresponding weaknesses (or vulnerabilities) in your organisational systems, resources, processes or policies that could be exploited by the threat. It is always useful to start off with a list of known threats to information security, as we have listed below. Of course, ISO27005 provides quite a detailed list of threats and vulnerabilities. These have conveniently been built into vsRisk, enabling the risk assessor to select threats from a predefined list. Additional risks or threats can be added, too.

If you are following an asset-based risk assessment, you may want to first identify the assets, and then choose the specific vulnerabilities that apply to them.  ISO27001 no longer specifies that an asset-based risk assessment is important, of course, so you could go straight into identifying threats or risk scenarios.

The below is an example of common threats* to information security.

1. Access to the network by unauthorised persons
2. Bomb attack
3. Bomb threat
4. Breach of contractual relations
5. Breach of legislation
6. Compromising confidential information
7. Concealing user identity
8. Damage caused by a third party
9. Damages resulting from penetration testing
10. Destruction of records
11. Human disaster (man-made, e.g. sabotage, vandalism, tampering)
12. Natural disaster (e.g. earthquake, landslide, volcano, storm, flood, solar flare, transportation accidents)
13. Disclosure of information
14. Disclosure of passwords
15. Eavesdropping
16. Embezzlement
17. Errors in maintenance
18. Failure of communication links
19. Falsification of records
20. Fire
21. Fraud
22. Industrial espionage
23. Information leakage
24. Interruption of business processes
25. Loss of electricity
26. Loss of support services
27. Malfunction of equipment
28. Malicious code
29. Misuse of information systems
30. Misuse of audit tools
31. Pollution
32. Social engineering
33. Software errors
34. Strike
35. Terrorist attacks
36. Theft
37. Lightning strike
38. Unintentional change of data in an information system
39. Unauthorised access to the information system
40. Unauthorised changes of records
41. Unauthorised installation of software
42. Unauthorised physical access
43. Unauthorised use of copyright material
44. Unauthorised use of software
45. User error
46. Vandalism

*Source: Infopedia.info