In order to protect your information system from attack and implement cost-effective, risk-commensurate security measures, you need to know and understand the vulnerabilities of your system along with the threat sources that could exploit those vulnerabilities.
Vulnerabilities leave your systems open to a number of activities that can result in losses to your organization, clients, and business partners. Vulnerabilities can be anything from a single damaged file on a laptop, to a weak access control in your facilities, to poor password policies. With the right tools and knowledge, a threat source can exploit system vulnerabilities and gain access to the information stored on them.
A threat source is any person or event with the potential to cause harm to your organization’s operations, assets, individuals, or other organizations. Threat sources can lead to threat events. A threat event is an incident or situation that has the potential to negatively impact your organization. This could be a hacker installing a keystroke monitor on a computer. A threat source can be either adversarial or non-adversarial.
Adversarial threat sources are individuals or groups that seek to exploit your organization’s dependency on cyber resources. Employees, privileged users, and trusted users can all be adversarial threat sources, seeking to defraud your IT systems.
Adversarial Threat Sources and Events
- Fraud and Theft
- Insider Threat – Employees can represent an insider threat to your organization given their familiarity with and access to you systems and applications. Employee sabotage is a critical issue for organizations. Insiders can cause harm in a number of ways including destroying hardware or facilities, planting logic bombs that destroy programs or data, deleting data, entering data incorrectly, or crashing systems.
- A Malicious Hacker – This includes attackers, bot-net operators, criminal groups, insiders, spammers, phishers, spyware, malware, ransomware authors, terrorists, and industrial spies.
- Malicious Code – A virus, Trojan horse, worm, logic bomb, and ransomware.
- Foreign Government or Corporate Espionage
Non-Adversarial Threat Sources and Events
Non-adversarial threat sources don’t intend to cause harm, but have the potential to do so. Non-adversarial threat sources are things like natural disasters, fire, flood, civil unrest, social media, strikes, or errors committed by individuals in the course of performing their everyday job duties. Some examples of non-adversarial threat sources and events include:
- Errors and Omissions
- Loss of Physical and Infrastructure Support
- Loss of Personal Privacy through Information Sharing