Taxonomy of Threat Sources
Type of Threat Source |
Description |
Characteristics |
|---|---|---|
| ADVERSARIAL
Individual (outsider, insider, trusted insider, privileged insider) Group (ad hoc, established) Organization (competitor, supplier, partner, customer) Nation-State |
Individuals, groups, organizations, or states that seek to exploit the organization’s dependence on cyber resources (i.e., information in electronic form, information and communications technologies, and the communications and information-handling capabilities provided by those technologies). | Capability, Intent, Targeting |
| ACCIDENTAL
User Privileged User/Administrator |
Erroneous actions taken by individuals in the course of executing their everyday responsibilities. | Range of effects |
| STRUCTURAL
Information Technology (IT) Equipment (storage, processing, communications, display, sensor, controller) Environmental Controls (temperature/Humidity controls, power supply) Software (operating system, networking, general-purpose application, mission-specific application) |
Failures of equipment, environmental controls, or software due to aging, resource depletion, or other circumstances which exceed expected operating parameters. | Range of effects |
| ENVIRONMENTAL
Natural or man-made disaster (fire, flood/tsunami, windstorm/tornado, hurricane, earthquake, bombing, overrun) Unusual Natural Event (e.g., sunspots) Infrastructure Failure/Outage (telecommunications, electrical power) |
Natural disasters 3and failures of critical infrastructures on which the
organization depends, but which are outside the control of the organization.
Note: Natural and man-made disasters can also be characterized in terms of their severity and/or duration. However, because the threat source and the threat event are strongly identified, severity and duration can be included in the description of the threat event (e.g., Category 5 hurricane causes extensive damage to the facilities housing mission-critical systems, making those systems unavailable for three weeks). |
Range of effects |
Risk Determination Matrix
|
|
Likelihood | ||||
| Rare | Unlikely | Possible | Likely | Almost Certain | |
| Catastrophic | Moderate | Moderate | High | Very High | Very High |
| Major | Low | Moderate | Moderate | High |
Very High
|
| Moderate | Low |
Moderate
|
Moderate
|
Moderate
|
High |
| Minor |
Very Low
|
Low
|
Moderate
|
Moderate
|
Moderate
|
| Insignificant |
Very Low
|
Very Low
|
Low
|
Low
|
Moderate
|