...
Vulnerability | Threat-source | Threat Action | Category of Harm | Likelihood of Occurrence | Impact of Harm |
---|---|---|---|---|---|
System unavailability | Error, component failure, or act of God | Power failure, network failure, computer component failure, operator error, software failure, capacity constraint, etc. | Inconvenience, distress or damage to standing or reputation | Moderate: failures will happen, but competently managed systems typically have availability records of 99% or better | Low: for fishery management decision support typical availability is adequate. Even in the event of a systemic failure fishery management decision-making would continue and unavailability would be a short-term inconvenience. Smaller scale failures, for instance a failure that prevents reporting from one vessel, would be a minor inconvenience. |
System unavailability | Vandalism | Internet security exploit such as denial-of-service attack | Inconvenience, distress or damage to standing or reputation | Low: this is not an online Internet-exposed system and should have very low vulnerability to network-based exploits. | Low: even in the event of a systemic failure fishery management decision-making would continue and unavailability would be a short-term inconvenience |
System misuse | System administrator, operator, or other agency user | Abuse of insider knowledge and access for unauthorized use or release of information | Unauthorized release of sensitive information | Low: agency staff have significant incentives to behave appropriately and periodic training in ethics and computer security | Moderate: at worst, a release of personal or commercially sensitive information to unauthorized parties resulting in loss of confidentiality with an expected serious adverse effect on organizational operations. |
Impersonation in registration and/or transactions | Common criminal/identity thief | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Low: common criminals are unlikely to have subject-area expertise to discover a fraud opportunity and there are probably much more attractive targets | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" | " | " | Unauthorized release of sensitive information | Low: successful identity theft could result in compromise of sensitive information from the victim's permit records | Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions | Disgruntled industry employee | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Moderate: an employee might have the means, motive, and opportunity, but risk exposure is not significantly different in electronic transactions than it is in paper transactions | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" | " | " | Unauthorized release of sensitive information | Low: the employee with the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in permit data | Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions | Competitor | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Low: a competitor might have a motive, but an electronic system does not make them more likely to have means or opportunity. Risk exposure is not significantly different in electronic transactions than it is in paper transactions. | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" | " | " | Unauthorized release of sensitive information | Low: release of sensitive information would increase the perpetrator's risk of exposure, which would only make sense if the motive were to cause harm, and not for gain. | Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Repudiation to escape accountability | Customer (fisher or processor) | Signer claims "I didn't sign that" | Inconvenience, distress or damage to standing or reputation | Low: in most cases a customer who repudiated an e-signed document submission could then be prosecuted for fishing or processing without proper permits. There will generally be independent evidence of the fishing or processing activity (follow the fish). | Low: agency might expend effort to resolve, but the distress would be limited and short-term |
...