...
Vulnerability | Threat-source | Threat Action | Category of Harm | Likelihood of Harm | Impact of Harm |
|---|---|---|---|---|---|
Impersonation in registration and/or transactions | Common criminal/identity thief | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Low: common criminals are unlikely to have subject-area expertise to discover a fraud opportunity and there are probably much more attractive targets | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
" | " | " | Unauthorized release of sensitive information | Low: successful identity theft could result in compromise of sensitive information from the victim's permit logbook records | Low: there isn't a great deal of sensitive information in permit records, and probably the only information of value that is credibly at risk is catch location, timing, and gear, and the people with the means to take advantage of that unique information are already well placed to have that same knowledge or to acquire it by closely observing the victim's fishing activity. Also, the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions | Disgruntled industry employee | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Moderate: an employee might have the means, motive, and opportunity, but risk exposure is not significantly different in electronic transactions than it is in paper transactions | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated probably the only information of value that is credibly at risk is catch location, timing, and gear, and the disgruntled employee is likely to already have that information from personal observation. Also, the impact would be limited to the party whose identity has been stolen |
" | " | " | Unauthorized release of sensitive information | Low: the employee with the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in permit logbook data | Low: there isn't a great deal of sensitive information in permit records, and probably the only information of value that is credibly at risk is catch location, timing, and gear, and the disgruntled employee is likely to already have that information from personal observation. Also, the impact would be limited to the party whose identity has been stolen |
Impersonation in registration and/or transactions | Competitor | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials ) | Inconvenience, distress or damage to standing or reputation | Low: a competitor might have a motive, but an electronic system does not make them more likely to have means or opportunity. Risk exposure is not significantly different in electronic transactions than it is in paper transactions. | Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated probably the only information of value that is credibly at risk is catch location, timing, and gear, and the people with the means to take advantage of that unique information are already well placed to have that same knowledge or to acquire it by closely observing the victim's fishing activity. Also, the impact would be limited to the party whose identity has been stolen |
" | " | " | Unauthorized release of sensitive information | Low: release of sensitive information would increase the perpetrator's risk of exposure, which would only make sense if the motive were to cause harm, and not for gain. | Low: probably the only information of value that is credibly at risk is catch location, timing, and gear, and the people with the means to take advantage of that unique information are already well placed to have that same knowledge or to acquire it by closely observing the victim's fishing activity. Also, the impact would be limited to the party whose identity has been stolen |
Repudiation to escape accountability | Customer (fisher or processor) | Signer claims "I didn't sign that" | Inconvenience, distress or damage to standing or reputation | Low: in most cases a customer who repudiated an e-signed logbook document submission could then be prosecuted for fishing or processing without proper permitswithout following record-keeping and reporting requirements. There will generally be independent evidence of the fishing or processing activity (follow the fish.) | Low: agency might expend effort to resolve, but the distress would be limited and short-term |
lines below are placeholders for possible further work |
|
|
|
|
|
|
|
| Inconvenience, distress or damage to standing or reputation |
|
|
|
|
| Financial loss or agency liability |
|
|
|
|
| Harm to agency programs or public interest |
|
|
|
|
| Unauthorized release of sensitive information |
|
|
|
|
| Civil or criminal violations |
| |