...
NIST 800-30: Risk Management Guide for Information Technology Systems defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.
Users and functionality
Transactions-data sensitivity and volume
...
| Vulnerability | Threat-source | Intent/Situation | Method | Threat Action | Category of Harm | Likelihood | Impact |
|---|---|---|---|---|---|---|---|
| Impersonation | Perpetrator | Intentional misrepresentation | Common Criminal, Identity Thief | Impersonation with intent to defraud | Inconvenience, distress or damage to standing or reputation | | |
| | | | | | Financial loss or agency liability | | |
| | | | | | Harm to agency programs or public interest | | |
| | | | | | Unauthorized release of sensitive information | | |
| | | | | | Civil or criminal violations | | |
| Repudiation | Perpetrator | Repudiation to escape accountability | Customer (fisher or processor) | Signer claims "I didn't sign that" | Inconvenience, distress or damage to standing or reputation | | |
| | | | | | Financial loss or agency liability | | |
| | | | | | Harm to agency programs or public interest | | |
| | | | | | Unauthorized release of sensitive information | | |
| | | | | | Civil or criminal violations | | |
| | | | | | Inconvenience, distress or damage to standing or reputation | | |
| | | | | | Financial loss or agency liability | | |
| | | | | | Harm to agency programs or public interest | | |
| | | | | | Unauthorized release of sensitive information | | |
| | | | | | Civil or criminal violations | | |
| | | | | | Inconvenience, distress or damage to standing or reputation | | |
| | | | | | Financial loss or agency liability | | |
| | | | | | Harm to agency programs or public interest | | |
| | | | | | Unauthorized release of sensitive information | | |
| | | | | | Civil or criminal violations | | |
| | | | | | Inconvenience, distress or damage to standing or reputation | | |
| | | | | | Financial loss or agency liability | | |
| | | | | | Harm to agency programs or public interest | | |
| | | | | | Unauthorized release of sensitive information | | |
| | | | | | Civil or criminal violations | | |
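The Likelihood and Impact columns of the table above are what turn each threat/vulnerability pair into a risk rating. NIST SP 800-30 (2002 edition, Table 3-6) does this with a risk-level matrix: likelihood is weighted High = 1.0, Medium = 0.5, Low = 0.1; impact is valued High = 100, Medium = 50, Low = 10; the product is mapped onto a scale of High (above 50), Medium (above 10 up to 50) and Low (1 to 10). The script below is an added example, not part of this assessment, that implements that matrix and applies it to rows shaped like the table's Impersonation and Repudiation entries. The likelihood and impact ratings in `SAMPLE_ENTRIES` are constructed placeholders, not the assessment's findings, and the per-vulnerability roll-up that takes the maximum across harm categories is a design choice of the example.

```python
"""Risk-level calculation following the NIST SP 800-30 (2002) risk-level matrix.

Added example, not the assessment's own code. The ratings in SAMPLE_ENTRIES are
constructed placeholders so that the script runs stand-alone.
"""
from dataclasses import dataclass

# NIST SP 800-30 Table 3-6: likelihood weights and impact values.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_VALUE = {"High": 100, "Medium": 50, "Low": 10}
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Category-of-harm labels exactly as used in the table above.
HARM_CATEGORIES = (
    "Inconvenience, distress or damage to standing or reputation",
    "Financial loss or agency liability",
    "Harm to agency programs or public interest",
    "Unauthorized release of sensitive information",
    "Civil or criminal violations",
)


@dataclass(frozen=True)
class ThreatEntry:
    """One row of the threat/vulnerability table with its two ratings filled in."""
    vulnerability: str
    threat_source: str
    threat_action: str
    harm_category: str
    likelihood: str  # "High", "Medium" or "Low"
    impact: str      # "High", "Medium" or "Low"

    def __post_init__(self):
        # Reject ratings outside the three-level scale so a typo cannot silently
        # drop a row to the wrong risk level.
        if self.likelihood not in LIKELIHOOD_WEIGHT:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")
        if self.impact not in IMPACT_VALUE:
            raise ValueError(f"unknown impact rating: {self.impact!r}")
        if self.harm_category not in HARM_CATEGORIES:
            raise ValueError(f"unknown category of harm: {self.harm_category!r}")


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood weight times impact value, as in the 800-30 matrix."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_VALUE[impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Map the score onto the 800-30 scale: High (>50), Medium (>10 to 50), Low (1 to 10)."""
    score = risk_score(likelihood, impact)
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def build_risk_register(entries):
    """Return one (entry, score, level) record per table row."""
    return [
        (e, risk_score(e.likelihood, e.impact), risk_level(e.likelihood, e.impact))
        for e in entries
    ]


def worst_case_by_vulnerability(entries):
    """Highest risk level per vulnerability across its categories of harm.

    Taking the maximum is the example's roll-up rule: one High harm category is
    enough to rate the whole vulnerability High.
    """
    worst = {}
    for entry, _score, level in build_risk_register(entries):
        current = worst.get(entry.vulnerability)
        if current is None or LEVEL_RANK[level] > LEVEL_RANK[current]:
            worst[entry.vulnerability] = level
    return worst


# Constructed sample rows (ratings are placeholders, not the assessment's values).
SAMPLE_ENTRIES = [
    ThreatEntry("Impersonation", "Common Criminal, Identity Thief",
                "Impersonation with intent to defraud", HARM_CATEGORIES[0], "Medium", "Low"),
    ThreatEntry("Impersonation", "Common Criminal, Identity Thief",
                "Impersonation with intent to defraud", HARM_CATEGORIES[1], "Medium", "High"),
    ThreatEntry("Impersonation", "Common Criminal, Identity Thief",
                "Impersonation with intent to defraud", HARM_CATEGORIES[3], "Low", "High"),
    ThreatEntry("Repudiation", "Customer (fisher or processor)",
                'Signer claims "I didn\'t sign that"', HARM_CATEGORIES[1], "High", "Medium"),
    ThreatEntry("Repudiation", "Customer (fisher or processor)",
                'Signer claims "I didn\'t sign that"', HARM_CATEGORIES[2], "High", "High"),
]


if __name__ == "__main__":
    for entry, score, level in build_risk_register(SAMPLE_ENTRIES):
        print(f"{entry.vulnerability:14} {entry.harm_category[:40]:40} "
              f"L={entry.likelihood:6} I={entry.impact:6} score={score:5.1f} -> {level}")
    print(worst_case_by_vulnerability(SAMPLE_ENTRIES))
```

Note the two boundary cases the sample rows exercise: Medium likelihood against High impact scores exactly 50 and stays Medium, and Low likelihood against High impact scores exactly 10 and stays Low, because the 800-30 scale puts its cut-offs at "greater than" 50 and 10.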