Annex C (informative)

Examples of typical threats

The following table gives examples of typical threats. The list can be used during the threat assessment process. Threats may be deliberate, accidental
or environmental (natural) and may result, for example, in damage or loss of essential services. The following list indicates for each threat type where D
(deliberate), A (accidental), E (environmental) is relevant. D is used for all deliberate actions aimed at information assets, A is used for all human
actions that can accidentally damage information assets, and E is used for all incidents that are not based on human actions. The groups of threats are
not in priority order.

Type Threats Origin

Fire A, D, E
Physical damage
Water damage A, D, E

Pollution A, D, E

Major accident A, D, E

Destruction of equipment or media A, D, E

Dust, corrosion, freezing A, D, E

Climatic phenomenon E
Natural events
Seismic phenomenon E

Volcanic phenomenon E

Meteorological phenomenon E

Flood E

Failure of air-conditioning or water supply system A, D

Loss of essential
services Loss of power supply A, D, E

Failure of telecommunication equipment A, D

Electromagnetic radiation A, D, E
Disturbance due to
radiation Thermal radiation A, D, E

Electromagnetic pulses A, D, E

Interception of compromising interference signals D

Compromise of
information Remote spying D

Eavesdropping D

Theft of media or documents D

Theft of equipment D

Retrieval of recycled or discarded media D

Disclosure A, D

Data from untrustworthy sources A, D

Tampering with hardware D

Tampering with software A, D

Position detection D

Equipment failure A
Technical failures
Equipment malfunction A

Saturation of the information system A, D

Software malfunction A

Breach of information system maintainability A, D

Unauthorised use of equipment D

Unauthorised
actions Fraudulent copying of software D

Use of counterfeit or copied software A, D

Corruption of data D

Illegal processing of data D

Error in use A
Compromise of
functions Abuse of rights A, D

Forging of rights D

Denial of actions D

Breach of personnel availability A, D, E

Par$cular  a)en$on  should  be  paid  to  human  threat  sources.  These  are  specifically  itemized  in  the  following  table:  

Origin of threat Motivation Possible consequences

Challeng • Hacking
Hacker, cracker e Ego • Social engineering
Rebellion
• System intrusion, break-ins
Status
Money • Unauthorized system access

Destruction of information Illegal • Computer crime (e.g. cyber stalking)

Computer criminal information disclosure Monetary • Fraudulent act (e.g. replay,
gain impersonation, interception)
Unauthorized data alteration • Information bribery
• Spoofing
• System intrusion

Blackmail • Bomb/Terrorism
Terrorist
Destruction • Information warfare
Exploitation
• System attack (e.g. distributed denial of service)
Revenge
Political Gain • System penetration
Media Coverage • System tampering

Competitive advantage • Defence advantage

Industrial espionage
(Intelligence, companies, Economic espionage • Political advantage
foreign governments,
other government • Economic exploitation
interests)
• Information theft
• Intrusion on personal privacy
• Social engineering
• System penetration
• Unauthorized system access (access to
classified, proprietary, and/or technology-related
Curiosity Ego • Assault on an employee
Insiders (poorly trained, Intelligence
disgruntled, malicious, • Blackmail
negligent, dishonest, or Monetary gain
terminated employees) • Browsing of proprietary information
Revenge
Unintentional errors and omissions • Computer abuse
(e.g. data entry error, programming error) • Fraud and theft
• Information bribery
• Input of falsified, corrupted data
• Interception
 Annex D (informative)

Vulnerabilities and methods for vulnerability assessment

D.1 Examples of vulnerabilities

The following table gives examples for vulnerabilities in various security areas, including examples of threats that might exploit these
vulnerabilities. The lists can provide help during the assessment of threats and vulnerabilities, to determine relevant incident scenarios. It is
emphasized that in some cases other threats may exploit these vulnerabilities as well.

Types Examples of vulnerabilities Examples of threats

Insufficient maintenance/faulty installation of storage Breach of information system maintainability

Hardware media

Lack of periodic replacement schemes Destruction of equipment or media

Susceptibility to humidity, dust, soiling Dust, corrosion, freezing

Sensitivity to electromagnetic radiation Electromagnetic radiation

Lack of efficient configuration change control

Error in use

Susceptibility to voltage variations Loss of power supply

Susceptibility to temperature variations Meteorological phenomenon

Unprotected storage Theft of media or documents

Lack of care at disposal Theft of media or documents

Uncontrolled copying Theft of media or documents

No or insufficient software testing Abuse of rights

Software
Well-known flaws in the software Abuse of rights

No 'logout' when leaving the workstation Abuse of rights

Disposal or reuse of storage media without proper erasure

Abuse of rights

Lack of audit trail Abuse of rights

Wrong allocation of access rights Abuse of rights

Widely-distributed software Corruption of data

Applying application programs to the wrong data in

Corruption of data
terms of time

Complicated user interface Error in use

Lack of documentation Error in use

Incorrect parameter set up Error in use

Incorrect dates Error in use

Lack of identification and authentication mechanisms

like user authentication Forging of rights

Unprotected password tables Forging of rights

Poor password management Forging of rights

Unnecessary services enabled Illegal processing of data

Immature or new software Software malfunction

Unclear or incomplete specifications for developers

Software malfunction

Lack of effective change control Software malfunction

Uncontrolled downloading and use of software

Tampering with software

Lack of back-up copies Tampering with software

 Lack of physical protection of the building, doors and
windows Theft of media or documents

Failure to produce management reports Unauthorised use of equipment

Lack of proof of sending or receiving a message

Network Denial of actions

Unprotected communication lines Eavesdropping

Unprotected sensitive traffic Eavesdropping

Poor joint cabling Failure of telecommunication equipment

Single point of failure Failure of telecommunication equipment

Lack of identification and authentication of sender and

Forging of rights
receiver

Insecure network architecture Remote spying

Transfer of passwords in clear Remote spying

Inadequate network management

(resilience of routing) Saturation of the information system

Unprotected public network connections Unauthorised use of equipment

Inadequate or careless use of physical access control

Site to buildings and rooms Destruction of equipment or media
Organization

Location in an area susceptible to flood Flood

Unstable power grid Loss of power supply

Lack of physical protection of the building, doors and

windows Theft of equipment

Lack of formal procedure for user registration and

de-registration Abuse of rights

Lack of formal process for access right review

(supervision) Abuse of rights

Lack or insufficient provisions (concerning security) in

contracts with customers and/or third parties Abuse of rights

Lack of procedure of monitoring of information

processing facilities Abuse of rights

Lack of regular audits (supervision) Abuse of rights

Lack of procedures of risk identification and

assessment Abuse of rights

Lack of fault reports recorded in administrator

and operator logs Abuse of rights

Breach of information system maintainability

Inadequate service maintenance response

Lack or insufficient Service Level Breach of information system maintainability

Agreement

Breach of information system maintainability

Lack of change control procedure

Lack of formal procedure for ISMS

documentation control Corruption of data

Lack of formal procedure for ISMS record supervision

Corruption of data

Lack of formal process for authorization of public available

information Data from untrustworthy sources

Lack of proper allocation of information security

Denial of actions
responsibilities

Lack of continuity plans Equipment failure

Lack of e-mail usage policy Error in use

 Lack of procedures for introducing software into
operational systems Error in use

Lack of records in administrator and operator logs

Error in use

Lack of procedures for classified information

handling Error in use

Lack of information security responsibilities in job

descriptions Error in use

Absence of personnel Breach of personnel availability

Personnel
Inadequate recruitment procedures Destruction of equipment or media

Insufficient security training Error in use

Incorrect use of software and hardware Error in use

Lack of security awareness Error in use

Lack of monitoring mechanisms Illegal processing of data

Unsupervised work by outside or cleaning staff

Theft of media or documents

Lack of policies for the correct use of

telecommunications media and messaging Unauthorised use of equipment

Lack or insufficient provisions (concerning information

security) in contracts with employees
Illegal processing of data

Lack of defined disciplinary process in case of

information security incident Theft of equipment

Lack of formal policy on mobile computer usage

Theft of equipment

Lack of control of off-premise assets Theft of equipment

Lack or insufficient 'clear desk and clear screen' policy

Theft of media or documents

Lack of information processing facilities authorization

Theft of media or documents

Lack of established monitoring mechanisms

for security breaches Theft of media or documents

Lack of regular management reviews Unauthorised use of equipment

Lack of procedures for reporting security weaknesses

Unauthorised use of equipment

Lack of procedures of provisions compliance with

intellectual rights Use of counterfeit or copied software