...
Vulnerability | Threat-source | Threat Action | Category of Harm | Likelihood of Harm | Impact of Harm |
---|---|---|---|---|---|
Impersonation in registration and/or transactions | Common criminal/identity thief | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Low: common criminals are unlikely to have subject-area expertise to discover a fraud opportunity and there are probably much more attractive targets | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" | " | " | Unauthorized release of sensitive information | Low: successful identity theft could result in compromise of sensitive information from the victim's permit records | Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions | Disgruntled industry employee | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Moderate: an employee might have the means, motive, and opportunity, but risk exposure is not significantly different in electronic transactions than it is in paper transactions | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" | " | " | Unauthorized release of sensitive information | Low: the employee with the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in permit data | Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions | Competitor | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Low: a competitor might have a motive, but an electronic system does not make them more likely to have means or opportunity. Risk exposure is not significantly different in electronic transactions than it is in paper transactions. | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" | " | " | Unauthorized release of sensitive information | Low: release of sensitive information would increase the perpetrator's risk of exposure, which would only make sense if the motive were to cause harm, and not for gain. | Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Repudiation to escape accountability | Customer (fisher or processor) | Signer claims "I didn't sign that" | Inconvenience, distress or damage to standing or reputation | Low: in most cases a customer who repudiated an e-signed document submission could then be prosecuted for fishing or processing without proper permits. There will generally be independent evidence of the fishing or processing activity (follow the fish.) | Low: agency might expend effort to resolve, but the distress would be limited and short-term |

OMB Categories of Harm and Impact Definitions for reference

HARM | LOW IMPACT | MODERATE IMPACT | HIGH IMPACT |
---|---|---|---|
Inconvenience, distress, or damage to standing or reputation | at worst, limited, short-term inconvenience, distress or embarrassment to any party | at worst, serious short term or limited long-term inconvenience, distress or damage to the standing or reputation of any party | severe or serious long-term inconvenience, distress or damage to the standing or reputation of any party (ordinarily reserved for situations with particularly severe effects or which affect many individuals) |
Financial loss or agency liability | at worst, an insignificant or inconsequential unrecoverable financial loss to any party | at worst, a serious unrecoverable financial loss to any party | severe or catastrophic unrecoverable financial loss to any party |
Harm to agency programs or public interest | at worst, an insignificant or inconsequential agency liability | at worst, a serious agency liability | severe or catastrophic agency liability |
Harm to agency programs or public interests | at worst, a limited adverse effect on organizational operations or assets, or public interests. Examples of limited adverse effects are: (1) mission capability degradation to the extent and duration that the organization is able to perform its primary functions with noticeably reduced effectiveness, or (2) minor damage to organizational assets or public interests | at worst, a serious adverse effect on organizational operations or assets, or public interests. Examples of serious adverse effects are: (1) significant mission capability degradation to the extent and duration that the organization is able to perform its primary functions with significantly reduced effectiveness; or (2) significant damage to organizational assets or public interests | a severe or catastrophic adverse effect on organizational operations or assets, or public interests. Examples of severe or catastrophic effects are: (1) severe mission capability degradation or loss of to the extent and duration that the organization is unable to perform one or more of its primary functions; or (2) major damage to organizational assets or public interests |
Unauthorized release of sensitive information | at worst, a limited unauthorized release of personal, U.S. government sensitive, or commercially sensitive information to unauthorized parties resulting in a loss of confidentiality with an expected limited adverse effect on organizational operations, organizational assets, or individuals | at worst, a release of personal, U.S. government sensitive, or commercially sensitive information to unauthorized parties resulting in loss of confidentiality with an expected serious adverse effect on organizational operations, organizational assets, or individuals. | a release of personal, U.S. government sensitive, or commercially sensitive information to unauthorized parties resulting in loss of confidentiality with an expected severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals |
Harm to personal safety | at worst, minor injury not requiring medical treatment | at worst, moderate risk of minor injury or limited risk of injury requiring medical treatment | a risk of serious injury or death |
Civil or criminal violations | at worst, a risk of civil or criminal violations of a nature that would not ordinarily be subject to enforcement efforts | at worst, a risk of civil or criminal violations that may be subject to enforcement efforts | a risk of civil or criminal violations that are of special importance to enforcement programs |