...
Vulnerability | Threat-source | Threat Action | Category of Harm | Likelihood | Impact |
|---|---|---|---|---|---|
Impersonation in registration and/or transactions | Common Criminal, Identity Thief criminal/identity thief | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Low: general criminals won't have subject area expertise to discover a fraud opportunity and there are probably much more attractive targets | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
Impersonation in registration and/or transactions | Disgruntled industry employee | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Moderate: an employee would might have the means, motive, and opportunity, but risk exposure is not significantly different in electronic transactions than it is in paper transactions | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
Impersonation in registration and/or transactions | Competitor | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Low: a competitor might have a motive, but an opportunity to profit from fraud, but risk electronic system does not make them more likely to have means or opportunity. Risk exposure is not significantly different in electronic transactions than it is in paper transactions. | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
Repudiation to escape accountability | Customer (fisher or processor) | Signer claims "I didn't sign that" | Inconvenience, distress or damage to standing or reputation | Low: in most cases a customer who repudiated an e-signed document submission could then be prosecuted for failure to file the repudiated document fishing or processing without proper permits. There will generally be independent evidence of the fishing or processing activity (follow the fish.) | Low: agency might expend effort to resolve, but the distress would be limited and short-term |
|
|
| Financial loss or agency liability |
|
|
|
|
| Harm to agency programs or public interest |
|
|
|
|
| Unauthorized release of sensitive information |
|
|
|
|
| Civil or criminal violations |
|
|
|
|
| Inconvenience, distress or damage to standing or reputation |
|
|
|
|
| Financial loss or agency liability |
|
|
|
|
| Harm to agency programs or public interest |
|
|
|
|
| Unauthorized release of sensitive information |
|
|
|
|
| Civil or criminal violations |
|
|
|
|
| Inconvenience, distress or damage to standing or reputation |
|
|
|
|
| Financial loss or agency liability |
|
|
|
|
| Harm to agency programs or public interest |
|
|
|
|
| Unauthorized release of sensitive information |
|
|
|
|
| Civil or criminal violations |
|
|
|
|
| Inconvenience, distress or damage to standing or reputation |
|
|
|
|
| Financial loss or agency liability |
|
|
|
|
| Harm to agency programs or public interest |
|
|
|
|
| Unauthorized release of sensitive information |
|
|
|
|
| Civil or criminal violations |
|
|