When conducting a qualitative risk assessment, the first thing you will do is develop a list of threats that your organization is likely to encounter. You will want to develop a list that at a minimum includes the following:
- Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service
- Threat source: The intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally exploit a vulnerability
- Description: A short narrative that defines the threat / threat source pairing, helping to ensure a uniform application of this information throughout the risk management process:
| Threat | Threat source | Threat description |
|---|---|---|
| Storage failure | Structural | Storage critical to your organization's operations ceases to function, causing a disruption in your organization's operations. |
| Internet outage | Structural | An internet outage occurs, causing a disruption in communication between customers, business partners, and critical applications. |
| Insider threat | Human | A trusted user within your organization uses their knowledge of the organization to circumvent technical security controls and organizational policy in order to harm the organization. |
| Insider threat | Human | Similar to the preceding example; however, in this case the user has elevated privileges on the information system, allowing them to have a greater negative impact on the organization. |
| External hacking | Human | An external user or organization targets your organization in order to exfiltrate sensitive information or to cause a disruption in your organization's operations. |
| Flood | Natural disaster | A flood event occurs that disrupts your organization's operations. |
| Fire | Natural disaster | A fire event occurs that disrupts your organization's operations. |
| Hurricane | Natural disaster | A hurricane event occurs that disrupts your organization's operations. |
Now that we have gone through the exercise of identifying threats, we need to conduct further analysis to determine whether an active threat source exists that is able to carry out each threat against our organization.
A valid threat source is characterized as follows:
- A source that targets your organization to exploit a vulnerability
- A situation where a vulnerability may be accidentally exploited
Considering this, you would now analyze your list of threats and determine whether each of them meets these criteria. For the purposes of our example, we will determine that floods and hurricanes are not threats to our environment because of our geographic location. Our remaining threats are still valid in our example, since we have determined that each of them could be specifically targeted or accidentally exploited.