Evaluation of threats

Threats can be described as the possible actions that can be taken for example against a

system. Types of threats can be accidental or non-validated changes. Unfortunately, we have to realise that no protection against attacks, failures, mistakes, or natural disasters can ever be

completely absolute.

Threat agents can be defined as one of the following:

1. A malicious person who is deliberately attacking systems for financial reward, power, revenge, or other gain:

• Insider – An insider is a “trusted” person, employee, contractor, or supplier who has information that is not generally known to the public. An insider can present a threat even if there is no intent to do harm. For example, the threat can arise as a result of an insider bypassing security controls “to get the job done.”
• Outsider – An outsider is a person or group not “trusted” with inside access, which can be known, or not, to the targeted organization. Outsiders can have been insiders, or not, at one time.

1. Inadvertent mistake (error) caused by a person who either failed to pay attention or did not recognize the consequences of their action. Computer applications can also have “bugs” or other flaws that cause them to mis-operate. Poorly designed systems and inadequate operating procedures also fall in this category.
2. Equipment failure (failure) that was not any person’s fault, but reflects the fact that electronic and mechanical devices fail in preventing the threat from having success.