...
Vulnerability | Threat-source | Threat Action | Category of Harm | Likelihood | Impact |
---|---|---|---|---|---|
Impersonation in registration and/or transactions | Common criminal/identity thief | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Low: general criminals won't have subject area expertise to discover a fraud opportunity and there are probably much more attractive targets | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
Impersonation in registration and/or transactions | Disgruntled industry employee | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Moderate: an employee might have the means, motive, and opportunity, but risk exposure is not significantly different in electronic transactions than it is in paper transactions | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
Impersonation in registration and/or transactions | Competitor | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Low: a competitor might have a motive, but an electronic system does not make them more likely to have means or opportunity. Risk exposure is not significantly different in electronic transactions than it is in paper transactions. | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
Repudiation to escape accountability | Customer (fisher or processor) | Signer claims "I didn't sign that" | Inconvenience, distress or damage to standing or reputation | Low: in most cases a customer who repudiated an e-signed document submission could then be prosecuted for fishing or processing without proper permits. There will generally be independent evidence of the fishing or processing activity (follow the fish). | Low: agency might expend effort to resolve, but the distress would be limited and short-term |
| | | | Financial loss or agency liability | | |
| | | | Harm to agency programs or public interest | | |
| | | | Unauthorized release of sensitive information | | |
| | | | Civil or criminal violations | | |
| | | | Inconvenience, distress or damage to standing or reputation | | |
| | | | Financial loss or agency liability | | |
| | | | Harm to agency programs or public interest | | |
| | | | Unauthorized release of sensitive information | | |
| | | | Civil or criminal violations | | |
| | | | Inconvenience, distress or damage to standing or reputation | | |
| | | | Financial loss or agency liability | | |
| | | | Harm to agency programs or public interest | | |
| | | | Unauthorized release of sensitive information | | |
| | | | Civil or criminal violations | | |
| | | | Inconvenience, distress or damage to standing or reputation | | |
| | | | Financial loss or agency liability | | |
| | | | Harm to agency programs or public interest | | |
| | | | Unauthorized release of sensitive information | | |
| | | | Civil or criminal violations | | |