by The Open University
Available in 39 free installments
Owner:
For the purposes of this unit, we define a threat to an information asset as a possible way in which the asset can have its security requirements breached, and we define the outcome of a threat as the way in which the asset's security requirements would be breached if the threatened action were to occur. Recall from Section 4 that the security requirements are confidentiality, integrity and availability.
A complete picture of the relationship between an information asset, the threats to it and their outcomes is set out in Figure 4. Figure 4 is adapted from Figure 5-4 of Alberts and Dorofee (2003).
View larger imageFigure 4 The relationship between an information asset, the threats to it and their outcomesLong descriptionFigure 4 classifies the threats into four types, as follows.
Deliberate actions by people, which can come from two groups of persons: those inside an organisation and those outside it. Examples include a malcontent employee shredding important documents and a hacker attacking a password file. The threats from deliberate actions by people can be further classified into malicious and non-malicious threats.
Accidental actions by people, which again can come from the same two groups: those inside and those outside an organisation. Examples might be an employee accidentally deleting an important file and a family member spilling coffee on the keyboard of a computer.
System problems, which include: hardware problems (for example, a server crash making the files on a hard disk unrecoverable); software problems (such as bugs, or the system clock being incorrect and causing a backup program to function incorrectly); and malicious code (maybe a virus or Trojan horse).
Other events include power cuts, telecommunications failures, fire, rodents, meteorites, earthquakes, volcanic eruptions, cosmic rays, and so on. Even severe weather conditions can be a threat to some equipment.
The figure also identifies four possible outcomes for each threat, as follows.
Disclosure of the asset, such as when a hacker releases an online trader's customers' credit card details. In this case, the outcome of the threat is a breach of an information asset's confidentiality requirements.
Modification of the asset, such as a fraudulent increase in the balance of a bank account. Here, the outcome is a breach of an information asset's integrity requirements.
Destruction or loss of the asset, the hardware it resides upon, or the software that interacts with it, such as the loss of an important file due to scratched optical backup media. In this case the outcome is a breach of an information asset's long-term availability requirements.
Interruption of access to the asset, such as a web-server upgrade interrupting online access to an organisation's web services. Here the outcome is a breach of an information asset's short-term availability requirements.
Related to the concept of threat is that of attack: a threat is a way of breaching the security requirements of an information asset; an attack is an attempt to breach them. Any threat could turn into an attack, which could be successful or unsuccessful. An unsuccessful attack has no impact.
The impact on an organisation of a successful attack on an information asset will depend on how, and to what degree, the organisation's operations are disrupted. For instance, the impact could be measured in terms of: the embarrassment caused to the organisation, or its loss of reputation; the harm caused by its being unable to fulfil its mission; lost revenue, wasted investment, or other financial loss; or legal or regulatory liabilities incurred.
The relationship between threat and impact is a simple one: a threat has the potential to have an impact on an organisation.
(a) Define ‘threat? and ‘attack? in relation to an information asset.
(b) Distinguish between the ‘outcome? of a threat and the ‘impact? of an attack.
(c) Describe, with examples, the possible types of threat to an information asset.
(d) Describe the possible outcomes of a threat to an information asset, in each case stating which of the asset's security requirements has been breached.
(e) Read the Reuters report entitled ‘Top secret military plans found on city dump?. Identify the information asset, the threat to it and the outcome of the threat. What do you think was the impact of the security breach?
(a) A threat is a possible way in which an information asset can have its security requirements breached. An attack is an attempt to breach the security requirements of an asset.
(b) The outcome of a threat is the way in which the security requirements of an information asset would be breached if the threatened action were to occur. The impact of an attack is the cost to the organisation, in terms of financial loss, loss of reputation, etc. of the breach of an information asset's security requirements.
(c) The types of threat are:
deliberate actions by people: examples include writing and distributing a virus and pasting your password on your computer screen;
accidental actions by people: a common example of this is dropping a portable computer;
system problems: an example is a word processor crashing and corrupting an important document;
other events: examples include a fire or flood in a server room.
(d) The possible outcomes are:
the disclosure of the asset, leading to a breach of confidentiality;
the modification of the asset, giving rise to a breach of integrity;
the destruction or loss of the asset, the hardware it resides upon, or the software that interacts with it, leading to a breach of availability;
the interruption of access to the asset, giving rise to a breach of availability.
(e) The information asset consisted of secret ground plans to military installations in Cyprus. The threat is the disposal of these plans as ordinary rubbish, which is probably a deliberate action by someone inside the military. The outcome is the disclosure of the physical documents, presumably in breach of their confidentiality requirements. The impact is difficult to assess, but certainly included embarrassment and loss of reputation, and may even have had much more serious effects, such as making critical information available to hostile groups.
Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).
