...
Vulnerability | Threat-source | Threat Action | Category of Harm | Likelihood of Harm Occurrence | Impact of Harm |
---|---|---|---|---|---|
Impersonation in registration and/or transactions | Common criminal/identity thief | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Low: common criminals are unlikely to have subject-area expertise to discover a fraud opportunity and there are probably much more attractive targets | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" | " | " | Unauthorized release of sensitive information | Low: successful identity theft could result in compromise of sensitive information from the victim's permit records | Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions | Disgruntled industry employee | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Moderate: an employee might have the means, motive, and opportunity, but risk exposure is not significantly different in electronic transactions than it is in paper transactions | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" | " | " | Unauthorized release of sensitive information | Low: the employee with the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in permit data | Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions | Competitor | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Low: a competitor might have a motive, but an electronic system does not make them more likely to have means or opportunity. Risk exposure is not significantly different in electronic transactions than it is in paper transactions. | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" | " | " | Unauthorized release of sensitive information | Low: release of sensitive information would increase the perpetrator's risk of exposure, which would only make sense if the motive were to cause harm, and not for gain. | Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Repudiation to escape accountability | Customer (fisher or processor) | Signer claims "I didn't sign that" | Inconvenience, distress or damage to standing or reputation | Low: in most cases a customer who repudiated an e-signed document submission could then be prosecuted for fishing or processing without proper permits. There will generally be independent evidence of the fishing or processing activity (follow the fish). | Low: agency might expend effort to resolve, but the distress would be limited and short-term |
...