The information security risk assessment: identifying threats

One of the first steps of an information security risk assessment is to identify the threats that could pose a risk to your business.

According to the risk assessment process of ISO27005, threat identification is part of the risk identification process.

Threats come in many guises: natural disasters, data leaks and equipment malfunction at one end, through to more severe scenarios such as a bomb or terrorist attack at the other.

How do you identify threats?

Trying to enumerate every possible threat scenario can take the risk assessor a long time. A detailed assessment of the likelihood and impact of each risk belongs to a later stage of the risk assessment process, but the likelihood of a threat occurring still needs some consideration while threats are being identified. The reason I mention likelihood here is that some threats are so unlikely that risk assessors tend to ignore them altogether (for instance, an earthquake causing destruction in an area where earthquakes have never been recorded). Where a threat is left out on likelihood grounds, record that decision and its rationale so that it can be revisited if circumstances change.

Once you have identified the threats, the next step is to identify the corresponding weaknesses (or vulnerabilities) in your organisation's systems, resources, processes or policies that each threat could exploit. It is always useful to start from a list of known threats to information security, such as the one below. ISO27005 itself provides a detailed list of threats and vulnerabilities in its annexes. These have been built into vsRisk, so the risk assessor can select threats from a predefined list, and additional risks or threats can be added as required.

If you are following an asset-based risk assessment, you may want to identify the assets first, then the threats to each asset and the specific vulnerabilities those threats could exploit. Since the 2013 revision, ISO27001 no longer requires an asset-based approach, so you could instead go straight to identifying threats or risk scenarios.

Below is a list of common threats* to information security.

  1. Access to the network by unauthorised persons
  2. Bomb attack
  3. Bomb threat
  4. Breach of contractual relations
  5. Breach of legislation
  6. Compromising confidential information
  7. Concealing user identity
  8. Damage caused by a third party
  9. Damages resulting from penetration testing
  10. Destruction of records
  11. Human disaster (man-made, e.g. sabotage, vandalism, tampering)
  12. Natural disaster (e.g. earthquake, landslide, volcano, storm, flood, solar flare, transportation accidents)
  13. Disclosure of information
  14. Disclosure of passwords
  15. Eavesdropping
  16. Embezzlement
  17. Errors in maintenance
  18. Failure of communication links
  19. Falsification of records
  20. Fire
  21. Fraud
  22. Industrial espionage
  23. Information leakage
  24. Interruption of business processes
  25. Loss of electricity
  26. Loss of support services
  27. Malfunction of equipment
  28. Malicious code
  29. Misuse of information systems
  30. Misuse of audit tools
  31. Pollution
  32. Social engineering
  33. Software errors
  34. Strike
  35. Terrorist attacks
  36. Theft
  37. Lightning strike
  38. Unintentional change of data in an information system
  39. Unauthorised access to the information system
  40. Unauthorised changes of records
  41. Unauthorised installation of software
  42. Unauthorised physical access
  43. Unauthorised use of copyright material
  44. Unauthorised use of software
  45. User error
  46. Vandalism

