...
Vulnerability | Threat-source | Threat Action | Category of Harm | Likelihood of Harm | Impact of Harm |
|---|---|---|---|---|---|
Impersonation in e-logbook transactions | Common criminal/identity thief | Impersonation using stolen identity credentials, with fraudulent reporting of false data to incriminate or defame victim | Inconvenience, distress or damage to standing or reputation | Low: common criminals are unlikely to have subject-area expertise to discover an incrimination or defamation opportunity and there are probably easier attacks | Low: impersonated parties or agency staff would be likely to notice during dockside interview process and/or subsequent data review, and when detected, the impact could be effectively mitigated |
" | " | Impersonation using stolen identity credentials, for access to sensitive information | Unauthorized release of sensitive information | Low: successful identity theft could result in compromise of sensitive information from the victim's logbook records but an uninformed criminal would be unlikely to find or identify sensitive information | Low: probably the only information of value that is credibly at risk is catch location, timing, and gear, and the people with the means to take advantage of that unique information are already well placed to have that same knowledge or to acquire it by closely observing the victim's fishing activity. Also, the impact would be limited to the party whose identity has been stolen |
Impersonation in e-logbook transactions | Disgruntled industry employee | Impersonation using stolen identity credentials, with fraudulent reporting of false data to incriminate or defame victim | Inconvenience, distress or damage to standing or reputation | Moderate: an employee might have the means, motive, and opportunity, but risk exposure is not significantly different in electronic transactions than it is in paper transactions | Low: impersonated parties or agency staff would be likely to notice during dockside interview process and/or subsequent data review, and when detected, the impact could be effectively mitigated |
" | " | Impersonation using stolen identity credentials, for access to sensitive information | Unauthorized release of sensitive information | Low: the employee with the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in e-logbook data | Low: probably the only information of value that is credibly at risk is catch location, timing, and gear, and the people with the means to take advantage of that unique information are already well placed to have that same knowledge or to acquire it by closely observing the victim's fishing activity. Also, the impact would be limited to the party whose identity has been stolen |
Impersonation in e-logbook transactions | Competitor | Impersonation using stolen identity credentials, with fraudulent reporting of false data to incriminate or defame victim | Inconvenience, distress or damage to standing or reputation | Low: a competitor might have a motive, but an electronic system makes them less likely to have means or opportunity. Risk exposure is reduced significantly in electronic transactions versus paper transactions. | Low: impersonated parties or agency staff would be likely to notice during dockside interview process and subsequent data review, and when detected, the impact could be effectively mitigated |
" | " | Impersonation using stolen identity credentials, for access to sensitive information | Unauthorized release of sensitive information | Low: a competitor might have a motive, but an electronic system does not make them more likely to have means or opportunity. Risk exposure is not significantly different in electronic transactions than it is in paper transactions. | Low: probably the only information of value that is credibly at risk is catch location, timing, and gear, and the people with the means to take advantage of that unique information are already well placed to have that same knowledge or to acquire it by closely observing the victim's fishing activity. Also, the impact would be limited to the party whose identity has been stolen |
Repudiation to escape accountability | Customer (fisher) | Signer claims "I didn't sign that" | Inconvenience, distress or damage to standing or reputation | Low: in most cases a customer who repudiated an e-logbook submission could then be prosecuted for fishing without reporting. There will generally be independent evidence of the fishing or processing activity (follow the fish, also follow the VMS track.) | Low: agency might expend effort to resolve, but the distress would be limited and short-term |
...
Categories of Harm and Impact Definitions for reference
IMPACTS HARM | LOW IMPACT | MODERATE IMPACT | HIGH IMPACT |
|---|---|---|---|
Inconvenience, distress, or damage to standing or reputation | at worst, limited, short-term inconvenience, distress or embarrassment to any party | at worst, serious short term or limited long-term inconvenience, distress or damage to the standing or reputation of any party | severe or serious long-term inconvenience, distress or damage to the standing or reputation of any party (ordinarily reserved for situations with particularly severe effects or which affect many individuals) |
Financial loss or agency liability | at worst, an insignificant or inconsequential unrecoverable financial loss to any party | at worst, a serious unrecoverable financial loss to any party | severe or catastrophic unrecoverable financial loss to any party |
Harm to agency programs or public interest | at worst, an insignificant or inconsequential agency liability | at worst, a serious agency liability | severe or catastrophic agency liability |
Harm to agency programs or public interests | at worst, a limited adverse effect on organizational operations or assets, or public interests. Examples of limited adverse effects are: | at worst, a serious adverse effect on organizational operations or assets, or public interests. Examples of serious adverse effects are: | a severe or catastrophic adverse effect on organizational operations or assets, or public interests. Examples of severe or catastrophic effects are: |
Unauthorized release of sensitive information | at worst, a limited unauthorized | at worst, a release of personal, | a release of personal, U.S. |
Harm to personal safety | at worst, minor injury not | at worst, moderate risk of minor | a risk of serious injury or death |
Civil or criminal violations | at worst, a risk of civil or | at worst, a risk of civil or | a risk of civil or criminal |
