Classifying Threats

Read this section, which describes threat agent, the actions a threat agent can take, and how to classify threat agents as non-target specific, employees, criminals, corporations, human-unintentional, human-intentional, or natural.

System Fundamentals For Cyber Security/Cyber Threats and Defenses

In computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm. A threat can be either intentional (i.e., intelligent; e.g., an individual cracker or a criminal organization) or accidental (e.g., the possibility of a computer malfunctioning, or the possibility of a disaster such as an earthquake, a fire, or a tornado) or otherwise a circumstance, capability, action, or event.

Threat Classification

Threats can be classified according to their type and origin:

Types of Threats

  • Physical Damage - due to fire, water, climate, seismic activity, vandalism, etc.
  • Loss of Essential Services - electrical power, air conditioning, telecommunications, theft, hardware / software failures, etc.
  • Compromise of Functions - user error, abuse of rights, denial of actions, etc.

Origin of Threats

A single threat may have multiple origins:

  • Spying
  • Illegal processing of data
  • Accidental
  • Equipment failure
  • Software failure
  • Environmental

Threat Model

People can be interested in studying all possible threats that can:

  • affect an asset,
  • affect a software system
  • are brought by a threat agent

Threat Agents

Threat Agents

Individuals within a threat population; Practically anyone and anything can, under the right circumstances, be a threat agent – the well-intentioned, but inept, computer operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a data cable.

Threat agents can take one or more of the following actions against an asset:

  • Access – simple unauthorized access
  • Misuse – unauthorized use of assets (e.g., identity theft, setting up a porn distribution service on a compromised server, etc.)
  • Disclose – the threat agent illicitly discloses sensitive information
  • Modify – unauthorized changes to an asset
  • Deny access – includes destruction, theft of a non-data asset, etc.

It’s important to recognize that each of these actions affects different assets differently, which drives the degree and nature of loss. For example, the potential for productivity loss resulting from a destroyed or stolen asset depends upon how critical that asset is to the organization’s productivity. If a critical asset is simply illicitly accessed, there is no direct productivity loss. Similarly, the destruction of a highly sensitive asset that doesn’t play a critical role in productivity won’t directly result in a significant productivity loss. Yet that same asset, if disclosed, can result in significant loss of competitive advantage or reputation, and generate legal costs. The point is that it’s the combination of the asset and type of action against the asset that determines the fundamental nature and degree of loss. Which action(s) a threat agent takes will be driven primarily by that agent’s motive (e.g., financial gain, revenge, recreation, etc.) and the nature of the asset. For example, a threat agent bent on financial gain is less likely to destroy a critical server than they are to steal an easily pawned asset like a laptop.

It is important to separate the concept of the event that a threat agent get in contact with the asset (even virtually, i.e. through the network) and the event that a threat agent act against the asset.

OWASP collects a list of potential threat agents in order to prevent system designers and programmers insert vulnerabilities in the software.

The term Threat Agent is used to indicate an individual or group that can manifest a threat. It is fundamental to identify who would want to exploit the assets of a company, and how they might use them against the company.

Threat Agent = Capabilities + Intentions + Past Activities

These individuals and groups can be classified as follows:

  • Non-Target Specific: Non-Target Specific Threat Agents are computer viruses, worms, trojans and logic bombs.
  • Employees: Staff, contractors, operational/maintenance personnel, or security guards who are annoyed with the company.
  • Organized Crime and Criminals: Criminals target information that is of value to them, such as bank accounts, credit cards or intellectual property that can be converted into money. Criminals will often make use of insiders to help them.
  • Corporations: Corporations are engaged in offensive information warfare or competitive intelligence. Partners and competitors come under this category.
  • Human, Unintentional: Accidents, carelessness.
  • Human, Intentional: Insider, outsider.
  • Natural: Flood, fire, lightning, meteor, earthquakes.

Threat Analysis

Threat analysis is the analysis of the probability of occurrences and consequences of damaging actions to a system. It is the basis of risk analysis.

Threat Consequence

Threat consequence is a security violation that results from a threat action. (Includes disclosure, deception, disruption, and usurpation.) 

Creative Commons License This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

Last modified: Tuesday, November 17, 2020, 10:34 PM