Information gathering is a vital function of the risk assessment process and
is used throughout all subprocesses. Information gathering can be conducted
through a number of methods including document reviews, interviewing,
questionnaires, and the use of automated scanning tools.
Document reviews include the review of IT policies and procedures,
systems documentation, user guides, administrator guides, and previ-
ous audit reports. Another set of significant documents are the
initial systems requirements documentation for an in-house devel-
oped application or an RFP for a purchased system. It is also impor-
tant to review any business continuity/disaster recovery plans if they
exist.
Interviews with the business owner, systems support personnel, system
users, and management offer a great deal of information if questions
are asked appropriately. They also offer the interviewee the opportu-
nity to perform a walk-through of the systems operation, mainte-
nance, and development.
Questionnaires are typically used during an interview but can be used
independently. Questions must be worded clearly and tailored to
specific audiences—for example, business owners, systems support
personnel, system users, and management.
Automated scanning tools provide a level of detail that is typically used
to help design controls and gain deep understanding of a system’s
architecture.
Threat Assessment
As previously discussed, a threat is any circumstance or event with the
potential to cause harm to an information technology system, and a vulnera-
bility characterizes the absence or weakness of a control or safeguard that could
be exploited. A threat does not present a risk when there is no vulnerability
that can be exploited. Common threats include:
Human threats—acts that are either enabled or caused by human
beings, such as unintentional acts (e.g., accidental data changes)
or deliberate actions (e.g., installation of a worm on a network,
changing data with malicious intent, or destruction of critical
resources).
Environmental threats—power failure, liquid damage, fire, and smoke
damage.
Natural threats—hurricanes, flooding, earthquakes, electrical storms,
and avalanches.
Information Technology Risk Management 141
When assessing threats, it is important to consider all potential threats that
could cause harm to an IT system and its environment. All critical IT systems
should be protected from the following threats:
Fire
Water (both flooding and dry/wet-pipe sprinkler systems)
Te m p e r a t u r e
Humidity
Power failure
Unauthorized physical access
142 Strategic Security Management
Table 7-1
Human Threat Motivation Matrix
Threat Motivation Actions
Hacker • Challenge • Social engineering
• Ego • System intrusion, break-ins
• Unauthorized system access
Computer criminal • Destruction of information • Cyber stalking
• Monetary gain • Fraud (e.g., replay,
• Blackmail impersonation, interception)
• Spoofing
• System penetration
Terrorist • Destruction • Information warfare
• Exploitation • System attack (e.g., distributed
• Revenge denial of service)
• System penetration
• Data tampering
Industrial espionage • Competitive advantage • Economic exploitation
• Economic espionage • Information theft
• Social engineering
• Unauthorized system access
(access to classified or
proprietary information)
Insiders (poorly trained, • Curiosity • Blackmail
disgruntled, malicious, • Ego • Browsing of proprietary
or terminated • Intelligence information
employees) • Monetary gain • Computer abuse
• Revenge • Fraud and theft
• Unintentional errors and • Information bribery
omissions • Input of falsified,
corrupted data
• Malicious code (e.g., virus,
logic bomb, Trojan horse)
• Sale of personal information
• System sabotage
• Unauthorized system access
Get Strategic Security Management now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
