Information gathering is a vital function of the risk assessment process and
is used throughout all subprocesses. Information gathering can be conducted
through a number of methods including document reviews, interviewing,
questionnaires, and the use of automated scanning tools.
Document reviews include the review of IT policies and procedures,
systems documentation, user guides, administrator guides, and previ-
ous audit reports. Another set of significant documents are the
initial systems requirements documentation for an in-house devel-
oped application or an RFP for a purchased system. It is also impor-
tant to review any business continuity/disaster recovery plans if they
exist.
Interviews with the business owner, systems support personnel, system
users, and management offer a great deal of information if questions
are asked appropriately. They also offer the interviewee the opportu-
nity to perform a walk-through of the systems operation, mainte-
nance, and development.
Questionnaires are typically used during an interview but can be used
independently. Questions must be worded clearly and tailored to
specific audiences—for example, business owners, systems support
personnel, system users, and management.
Automated scanning tools provide a level of detail that is typically used
to help design controls and gain deep understanding of a systems
architecture.
Threat Assessment
As previously discussed, a threat is any circumstance or event with the
potential to cause harm to an information technology system, and a vulnera-
bility characterizes the absence or weakness of a control or safeguard that could
be exploited. A threat does not present a risk when there is no vulnerability
that can be exploited. Common threats include:
Human threats—acts that are either enabled or caused by human
beings, such as unintentional acts (e.g., accidental data changes)
or deliberate actions (e.g., installation of a worm on a network,
changing data with malicious intent, or destruction of critical
resources).
Environmental threats—power failure, liquid damage, fire, and smoke
damage.
Natural threats—hurricanes, flooding, earthquakes, electrical storms,
and avalanches.
Information Technology Risk Management 141
When assessing threats, it is important to consider all potential threats that
could cause harm to an IT system and its environment. All critical IT systems
should be protected from the following threats:
Fire
Water (both flooding and dry/wet-pipe sprinkler systems)
Te m p e r a t u r e
Humidity
Power failure
Unauthorized physical access
142 Strategic Security Management
Table 7-1
Human Threat Motivation Matrix
Threat Motivation Actions
Hacker Challenge Social engineering
Ego System intrusion, break-ins
Unauthorized system access
Computer criminal Destruction of information Cyber stalking
Monetary gain Fraud (e.g., replay,
Blackmail impersonation, interception)
Spoofing
System penetration
Terrorist Destruction Information warfare
Exploitation System attack (e.g., distributed
Revenge denial of service)
System penetration
Data tampering
Industrial espionage Competitive advantage Economic exploitation
Economic espionage Information theft
Social engineering
Unauthorized system access
(access to classified or
proprietary information)
Insiders (poorly trained, Curiosity Blackmail
disgruntled, malicious, Ego Browsing of proprietary
or terminated Intelligence information
employees) Monetary gain Computer abuse
Revenge Fraud and theft
Unintentional errors and Information bribery
omissions Input of falsified,
corrupted data
Malicious code (e.g., virus,
logic bomb, Trojan horse)
Sale of personal information
System sabotage
Unauthorized system access

Get Strategic Security Management now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.