EU RM Toolbox Library 03 - Threats Mappings

Threat Category
NATURAL
NATURAL
NATURAL
NATURAL
INDUSTRIAL
INDUSTRIAL
INDUSTRIAL
INDUSTRIAL
INDUSTRIAL
INDUSTRIAL
INDUSTRIAL
INDUSTRIAL
INDUSTRIAL
INDUSTRIAL
INDUSTRIAL
INDUSTRIAL
ERRORS AND UNINTENTIONAL FAILURES
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
WILFUL ATTACKS
Service-related Threats (Cloud services, services
provided by 3rd parties)
Security Dimensions
Threat
C I A
Fire X
Flood X
Major Accident X
Other Natural Disasters X
Fire X
Water Damage X
Other Industrial Disasters X
Environmental Pollution X
Electromagnetic / Thermal Radiation X
Hardware or Software Failure X
Power Interruption X
Unsuitable temperature or humidity conditions X
Communications services failure X
Interruption of other services or essential supplies X
Media / Equipment Degradation X
Electromagnetic Emanations X
User Errors X X X
System / Security administrator errors X X X
Monitoring errors (logs) X
Configuration errors X X X
Organisational deficiencies X
Malware diffusion X X X
[Re-]routing errors X
Sequence errors X
Accidental alteration of the information X
Destruction of information X
Information leaks X
Software vulnerabilities X X X
Defects in software maintenance / updating X X
Defects in hardware maintenance / updating X
System failure due to exhaustion of resources X
Retrieval of recycled or discarded media X X
Breach of personnel availability X
Manipulation of activity records (log) X
Manipulation of the configuration files X X X
Masquerading of identity X X
Abuse of access privileges X X X
Misuse X X X
[Re-]routing of messages X
Sequence alteration X
Unauthorised access X X
Traffic analysis X
Repudiation (denial of actions) X
Eavesdropping X
Deliberate alteration of information X
Disclosure of information X
Tampering with software X X X
Tampering with hardware X
Denial of services X
Theft of media or documents X X
Theft of equipment X X
Destructive attack X
Enemy over-run X X
Staff shortage X
Extortion X X X
Social engineering X X X
Loss of governance X
Lock-in X
Isolation failure X X X
Management interface compromise X
Insecure or ineffective deletion of data X
Compromise of Service Engine X X X
Subpoena and e-discovery X X
Risk from changes of jurisdiction X X
Data protection risks X
User Privacy and Secondary Usage of Data X
Incidence Analysis and Forensic Support X X X
Insecure Interfaces and APIs X X X

Toolbox Threats
Origin
D (deliberate), A (accidental), E Sup
(environmental)
Hardware, devices and

D A E
equipment
X X
X X
X X
X X
X X X
X X X
X X X
X X X X
X X X X
X X X
X X X X
X X X X
X X
X X
X X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X
X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X
X X
X X
X X
X X
X X
X X
X
Toolbox Threats
Supporting Assets
Software and applications Personnel Locations and Utilities
X
X
X X X
X X X
X X X
X X
X X
X
X X
X X X
X X X
X X X
X
Organizational
infrastracture (Incuding ICT
services)
X
X
X
X
X
X
X
Examples / Explanation
Possibility that the fire destroys system resources
Possibility that the water destroys system resources
Incidents that occur without human involvement: lightning, electric storm, earthquake, cyclones, etc. Extern
to the natural environment close to the assets and capable of causing them very serious physical damage.
Possibility that the fire destroys system resources (terrorism, valdalims etc)
Possibility that the water destroys the system’s resources (Leaks, floods, terrorism, vandalism etc)
Accidental disasters due to human activity (explosions,collapses,chemical pollution,electrical overloads,ele
Presence of dust, vapours, corrosive or toxic gases in the ambient air.

Radio interference, magnetic fields, ultraviolet light, etc. Thermal effect caused by a damage or exceptiona
Damage causing an exceptional electromagnetic effect.
Failures in the equipment and/or programs.
Failure, shutdown or incorrect sizing of the power supply to the assets arising either from the supplier's ser
distribution system. Sabotage or disturbance of the electrical installation
Deficiencies in the air conditioning of the premises that exceed the working limits for the equipment: exces
humidity, etc.
A cut in the capability to transmit data from one place to another.
Interruption on services or resources on which the operation of the equipment depends
A logical or physical event causing an equipment item to malfunction or as the result of the passing of time
Almost all electrical devices emit radiation to the exterior that can be intercepted by other equipment (radio
of information.
Mistakes by persons when using the services, data, etc. A person commits an operating error, input error o
hardware or software.
Mistakes by persons with responsibilities for installation and operation of the systems / system’s security. A
Administrator commits an operating error, input error or utilisation error on hardware or software.
Lack of records, incomplete records, incorrectly dated records incorrectly attributed records, etc.
Entry of erroneous configuration data. Almost all assets depend on their configuration and this depends on
administrator: access privileges, activity flows, activity records, routing, etc.
When it is not clear who must do exactly what and when, including taking measures on the assets or repor
hierarchy
Unintentional propagation of viruses, spy ware, worms, Trojans, logic bombs, etc.
The sending of information via a system or network using, accidentally, an incorrect route that sent the info
destination. These could be messages among persons / processes / both
The accidental alteration of the order of the messages sent.
The accidental alteration of the information
The accidental loss of the information
Disclosure due to indiscretion. Verbal indiscretion, electronic media, hard copies, etc.
Defects in the code that cause a defective operation without intention on the part of the user but with conse
confidentiality, integrity, availability or to its capacity to operate.
Defects in the procedures or controls for updating the code that allow programs with known defects that ha
manufacturer to continue to be used.
Defects in the procedures or controls for updating equipment that allow its operation under normal circums
the system making retrofitting and upgrading impossible
The lack of sufficient resources causes the system failure when the workload is excessive. Overload of sto
space, mailbox storage, work area, etc.)
The loss of equipment directly causes the lack of means to provide services, that is, their service’s unavail
Accidental absence from the work post: illness disturbances in public order, bacteriological warfare, etc. Ab
authorised personnel held up for reasons beyond their control.
Manipulation of activity records to remove any evidence or traces.
The entry of erroneous configuration data
When attackers manage to appear as authorised users, they enjoy the users’ privileges for their own purpo
When users abuse their privilege level to carry out tasks that are not their responsibility, there are problem
The use of system resources for unplanned purposes, typically of personal interest: games, personal searc
personal databases, personal programs, storage of personal data, etc.
Intentional propagation of viruses, spy ware, worms, Trojans, logic bombs, etc.
The sending of information via a system or network using, deliberately, an incorrect route that sent the info
destination
The alteration of the order of the messages sent. The idea is that the new order changes the meaning of th
prejudicing the integrity of the affected data.
An attacker manages to access the system’s resources without authorisation for doing so, typically taking a
identification and authorisation system.
Without needing to analyse the contents of communications, the attacker can reach conclusions based on
destination, volume and frequency of the exchanges
An entity denies being involved in an exchange with a third party or carrying out an operation. The later rej
undertakings acquired in the past.
Attackers have access to information that is not theirs, without the information itself being altered.
Intentional alteration of the information to obtain a benefit or cause damage.
The intentional deletion of information, to obtain a benefit or cause damage.
Intentional disclosure of information
The intentional alteration of the operation of a program to obtain an indirect benefit when an authorised pe
The intentional alteration of the operation of hardware to obtain an indirect benefit when an authorised pers
The lack of sufficient resources causes the system failure when the workload is too high
Theft of media directly causes a lack of resources to provide the services, that is, non-availability
Theft of equipment directly causes a lack of resources to provide the services, that is, non-availability
Vandalism, terrorism, military action, etc.
When the premises have been invaded and control is lost over the means of work
Deliberate absence from the work post: such as strikes, labour absenteeism, unjustified absences, the bloc
Pressure with threats, on people, to oblige them to act in a certain way.
Taking advantage of the good will of some persons to make them carry out activities of interest to a third p
The loss of governance and control could have a potentially severe impact on the organization’s strategy a
capacity to meet its mission and goals.
Relying strongly on the services of one provider can lead to severe difficulties in changing the provider.
Failure of mechanisms separating storage, memory, routing, and even reputation between different tenant
infrastructure
A management interface is compromised
Deleting data from storage does not in fact mean that the data is permanently removed from the storage. T
at later time byanother customer of an outsourcing partner / provider.
A compromise of the service engine will give an attacker access to the data of all customers, resulting in a
data or denial of service.
Law enforcement authorities may ask operators of IT infrastructures to provide information pertaining to cri
may have to be provided during civil lawsuits.
When data is stored or processed in a data centre located in a country other than the customer country, th
which the change in jurisdiction could affect the security of the information.
Data protection law is based on the premise that it is always clear where personal data is located, who pro
responsible for data processing. Distributed environments appear to conflict with this evidence.
Customers need to ensure with the providers what data can or cannot be used by them for secondary purp
can be mined directly from user data by providers or indirectly based on user behaviour (clicks, etc.)
In the event of a security incident, applications and services hosted at a provider are difficult to investigate
as logging may be distributed across multiple hosts and data centres, in various countries
Provisioning, management, orchestration and monitoring are all performed through APIs. The security and
services is dependent on the security of these interfaces.
Toolbox Threats
Type of threat Threat
NATURAL Fire
NATURAL Water
NATURAL Other Natural Disasters

INDUSTRIAL Fire
INDUSTRIAL Water
INDUSTRIAL Other Industrial Disasters
INDUSTRIAL Other Industrial Disasters
INDUSTRIAL Environmental Pollution

INDUSTRIAL Electromagnetic Pollution
INDUSTRIAL Hardware or Software Failure
INDUSTRIAL Hardware or Software Failure
INDUSTRIAL Power Interruption
Unsuitable temperature or humidity

INDUSTRIAL
conditions
INDUSTRIAL
conditions
INDUSTRIAL Communications services failure
Interruption of other services or

INDUSTRIAL
essential supplies
INDUSTRIAL Media Degradation
INDUSTRIAL Electromagnetic Emanations

User Errors

System / Security administrator errors

Monitoring errors (logs)

Configuration errors

Organisational deficiencies

Malware diffusion

[Re-]routing errors
Sequence errors
ERRORS AND UNINTENTIONAL FAILURES Accidental alteration of the

information

Destruction of information

Information leaks

Software vulnerabilities
ERRORS AND UNINTENTIONAL FAILURES Defects in software maintenance /

updating
ERRORS AND UNINTENTIONAL FAILURES Defects in software maintenance /

updating
ERRORS AND UNINTENTIONAL FAILURES Defects in hardware maintenance /
updating
ERRORS AND UNINTENTIONAL FAILURES System failure due to exhaustion of

resources
ERRORS AND UNINTENTIONAL FAILURES Retrieval of recycled or discarded

media

Breach of personnel availability
Manipulation of activity records (log)

WILFUL ATTACKS
Manipulation of the configuration files

WILFUL ATTACKS
WILFUL ATTACKS Masquerading of identity

WILFUL ATTACKS Abuse of access privileges
WILFUL ATTACKS Misuse
WILFUL ATTACKS Malware diffusion
WILFUL ATTACKS [Re-]routing of messages
WILFUL ATTACKS Sequence alteration
WILFUL ATTACKS Unauthorised access
WILFUL ATTACKS Traffic analysis

WILFUL ATTACKS Repudiation (denial of actions)
WILFUL ATTACKS Eavesdropping
WILFUL ATTACKS Deliberate alteration of information
WILFUL ATTACKS Destruction of information
WILFUL ATTACKS Disclosure of information
WILFUL ATTACKS Disclosure of information
WILFUL ATTACKS Tampering with software

WILFUL ATTACKS Tampering with hardware
WILFUL ATTACKS Denial of services
WILFUL ATTACKS Theft of media or documents
WILFUL ATTACKS Theft of equipment
WILFUL ATTACKS Destructive attack
WILFUL ATTACKS Enemy over-run
WILFUL ATTACKS Staff shortage

WILFUL ATTACKS Extortion
WILFUL ATTACKS Social engineering
Service-related Threats (Cloud services,

Loss of governance
services provided by 3rd parties)

Lock-in

Isolation failure

Management interface compromise

Insecure or ineffective deletion of data
Compromise of Service Engine

Subpoena and e-discovery

Risk from changes of jurisdiction

Data protection risks
Service-related Threats (Cloud services, User Privacy and Secondary Usage of

services provided by 3rd parties) Data
Service-related Threats (Cloud services, Incidence Analysis and Forensic

services provided by 3rd parties) Support

Insecure Interfaces and APIs
1.IT Security Risk Man
Security Dimensions
Type of threat Threat
C I A
Natural Fire X
Natural Water X
Natural Other Natural Disasters X

Industrial Fire X
Industrial Water X
Industrial Other Industrial Disasters X
Industrial Other Industrial Disasters X
Industrial Environmental Pollution X

Industrial Electromagnetic Pollution X
Industrial Hardware or Software Failure X
Industrial Hardware or Software Failure X
Industrial Power Interruption X

Industrial X
conditions
Industrial X
conditions
Industrial Communications services failure X
Interruption of other services or

Industrial X
essential supplies
Industrial Media Degradation X
Industrial Media degradation X
Industrial Media degradation X
Industrial Electromagnetic Emanations X

Errors and Unintentional
User Errors X X X
failures

System / Security administrator errors X X X
failures

Monitoring errors (logs) X
failures

Configuration errors X
failures

Organisational deficiencies X
failures

failures

[Re-]routing errors X
failures
Sequence errors X
failures
Errors and Unintentional Accidental alteration of the

X
failures information

failures

Information leaks X
failures

Software vulnerabilities X X X
failures
Errors and Unintentional Defects in software maintenance /

X X
failures updating
Errors and Unintentional Defects in software maintenance /

X X
failures updating
Errors and Unintentional Defects in hardware maintenance /
X
failures updating
Errors and Unintentional System failure due to exhaustion of

X
failures resources

Equipment loss X X
failures

Staff shortage X
failures
Manipulation of activity records (log)

Wilful Attacks X
Manipulation of the configuration files

Wilful Attacks X X X
Wilful Attacks Masquerading of identity X X

Wilful Attacks Abuse of access privileges X X X
Wilful Attacks Misuse X X X
Wilful Attacks Malware diffusion X X X
Wilful Attacks [Re-]routing of messages ? X
Wilful Attacks Sequence alteration X
Wilful Attacks Unauthorised access X X
Wilful Attacks Traffic analysis X

Repudiation (denial of actions)
Wilful Attacks X
Wilful Attacks Eavesdropping X
Deliberate alteration of information

Wilful Attacks X
Wilful Attacks Destruction of information X
Wilful Attacks Disclosure of information X
Wilful Attacks Disclosure of information X
Wilful Attacks Software manipulation X X X

Wilful Attacks Hardware manipulation X
Wilful Attacks Denial of services X
Wilful Attacks Theft X X
Wilful Attacks Theft X X
Wilful Attacks Destructive attack X
Wilful Attacks Enemy over-run X X
Wilful Attacks Staff shortage X

Wilful Attacks Extortion X X X
Wilful Attacks Social engineering X X X
Service-related Threats
(Cloud services, services Loss of governance X
(Cloud services, services Lock-in X
(Cloud services, services Isolation failure X X X
(Cloud services, services Management interface compromise X
(Cloud services, services Insecure or ineffective deletion of data X
(Cloud services, services Compromise of Service Engine X X X
(Cloud services, services Subpoena and e-discovery X X
(Cloud services, services Risk from changes of jurisdiction X X
(Cloud services, services Data protection risks X
User Privacy and Secondary Usage of
(Cloud services, services X
Data
Incidence Analysis and Forensic
(Cloud services, services X X X
Support
(Cloud services, services Insecure Interfaces and APIs X X X
- - - - -
- - - - -
- - - - -
- - - - -
- - - - -
1.IT Security Risk Management Methodology v1.2
Source
D (deliberate),
A (accidental)
D A
X
X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X
X
X
X
X
X
X
X
X
X
X X
X
X
X
X X
X X
X X
X X
X X
X X
X X
X
- -
- -
- -
- -
- -
sk Management Methodology v1.2
Notes
MAGERIT v3- Libro 2: Catalogo de elementos - N.1 Fuego

EBIOS v2 – Section 4: Tools for assessing ISS risks – 01 Fire
MAGERIT v3- Libro 2: Catalogo de elementos - N.2 Daños por agua

EBIOS v2 – Section 4: Tools for assessing ISS risks – 02 Water Damage
MAGERIT v3- Libro 2: Catalogo de elementos - N.* Desastres naturales

EBIOS v2 – Section 4: Tools for assessing ISS risks – 04 Major incident
EBIOS v2 – Section 4: Tools for assessing ISS risks – 06 Climatic Phenomenon
EBIOS v2 – Section 4: Tools for assessing ISS risks – 07 Seismic Phenomenon
EBIOS v2 – Section 4: Tools for assessing ISS risks – 08 Volcanic Phenomenon
EBIOS v2 – Section 4: Tools for assessing ISS risks – 09 Meteorological Phenomenon



MAGERIT v3- Libro 2: Catalogo de elementos - N.1 Fuego

EBIOS v2 – Section 4: Tools for assessing ISS risks – 01 Fire
MAGERIT v3- Libro 2: Catalogo de elementos - I.2 Daños por agua

EBIOS v2 – Section 4: Tools for assessing ISS risks – 02 Water Damage
MAGERIT v3- Libro 2: Catalogo de elementos - I.* Desastres Industriales

MAGERIT v3- Libro 2: Catalogo de elementos - I.* Desastres Industriales

MAGERIT v3- Libro 2: Catalogo de elementos - I.3 Contaminacion Mecanica

EBIOS v2 – Section 4: Tools for assessing ISS risks – 03 Pollution
MAGERIT v3- Libro 2: Catalogo de elementos - I.4 Contaminacion electromagnetica
EBIOS v2 – Section 4: Tools for assessing ISS risks – 14 Electromagnetic radiation
EBIOS v2 – Section 4: Tools for assessing ISS risks – 15 Thermal radiation
EBIOS v2 – Section 4: Tools for assessing ISS risks – 16 Electromagnetic pulses


MAGERIT v3- Libro 2: Catalogo de elementos - I.5 Avería de origen físico o lógico
EBIOS v2 – Section 4: Tools for assessing ISS risks – 28 Equipment failure
EBIOS v2 – Section 4: Tools for assessing ISS risks – 29 Equipment malfunction
MAGERIT v3- Libro 2: Catalogo de elementos - I.5 Avería de origen físico o lógico
MAGERIT v3- Libro 2: Catalogo de elementos - I.6 Corte del suministro eléctrico
EBIOS v2 – Section 4: Tools for assessing ISS risks – 12 Loss of power supply
MAGERIT v3- Libro 2: Catalogo de elementos - I.7 Condiciones inadecuadas de temperatura o humedad
EBIOS v2 – Section 4: Tools for assessing ISS risks – 11 Failure of air-conditioning
MAGERIT v3- Libro 2: Catalogo de elementos - I.7 Condiciones inadecuadas de temperatura o humedad
EBIOS v2 – Section 4: Tools for assessing ISS risks – 11 Failure of air-conditioning
MAGERIT v3- Libro 2: Catalogo de elementos - I.8 Fallo de servicios de comunicaciones

EBIOS v2 – Section 4: Tools for assessing ISS risks – 13 Failure of telecommunication equipment
MAGERIT v3- Libro 2: Catalogo de elementos - I.9 Interrupción de otros servicios y suministros esenciales
MAGERIT v3- Libro 2: Catalogo de elementos - I.10 Degradación de los soportes de almacenamiento de la
información
información
información
MAGERIT v3- Libro 2: Catalogo de elementos - I.11 Emanaciones electromagnéticas

EBIOS v2 – Section 4: Tools for assessing ISS risks – 17 Interception of compromising interfaces signals
MAGERIT v3- Libro 2: Catalogo de elementos - E.1 Errores de los usuarios
EBIOS v2 – Section 4: Tools for assessing ISS risks – 38 Errors in use
MAGERIT v3- Libro 2: Catalogo de elementos - E.2 Errores del administrador

EBIOS v2 – Section 4: Tools for assessing ISS risks – 38 Errors in use
MAGERIT v3- Libro 2: Catalogo de elementos - E.3 Errores de monitorización
MAGERIT v3- Libro 2: Catalogo de elementos - E.4 Errores de configuración
MAGERIT v3- Libro 2: Catalogo de elementos - E.7 Deficiencias en la organización
MAGERIT v3- Libro 2: Catalogo de elementos - E.8 Difusión de software dañino
MAGERIT v3- Libro 2: Catalogo de elementos - E.9 Errores de re-encaminamiento

MAGERIT v3- Libro 2: Catalogo de elementos - E.10 Errores de secuencia
MAGERIT v3- Libro 2: Catalogo de elementos - E.15 Alteración accidental de la información
MAGERIT v3- Libro 2: Catalogo de elementos - E.18 Destrucción de la información
MAGERIT v3- Libro 2: Catalogo de elementos - E.19 Fugas de información
MAGERIT v3- Libro 2: Catalogo de elementos - E.20 Vulnerabilidades de los programas (software)
MAGERIT v3- Libro 2: Catalogo de elementos - E.21 Errores de mantenimiento / actualización de

programas (software)
EBIOS v2 – Section 4: Tools for assessing ISS risks – 31 Software malfunction
EBIOS v2 – Section 4: Tools for assessing ISS risks – 32 Breach of information system maintainability
MAGERIT v3- Libro 2: Catalogo de elementos - E.21 Errores de mantenimiento / actualización de

programas (software)
EBIOS v2 – Section 4: Tools for assessing ISS risks – 31 Software malfunction
MAGERIT v3- Libro 2: Catalogo de elementos - E.23 Errores de mantenimiento / actualización de programas
(hardware)
MAGERIT v3- Libro 2: Catalogo de elementos - E.24 Caída del sistema por agotamiento de recursos
EBIOS v2 – Section 4: Tools for assessing ISS risks – 30 Saturation of the information system
MAGERIT v3- Libro 2: Catalogo de elementos - E.25 Perdida de equipos

EBIOS v2 – Section 4: Tools for assessing ISS risks – 22 Retrieval of recycled or discarded media
MAGERIT v3- Libro 2: Catalogo de elementos - E.28 Indisponibilidad del personal

EBIOS v2 – Section 4: Tools for assessing ISS risks – 42 Breach of personnel availability
MAGERIT v3- Libro 2: Catalogo de elementos - A.3 Manipulación de los registros de actividad (log)
MAGERIT v3- Libro 2: Catalogo de elementos - A.4 Manipulación de la configuración
MAGERIT v3- Libro 2: Catalogo de elementos - A.5 Suplantación de la identidad del usuario
EBIOS v2 – Section 4: Tools for assessing ISS risks – 40 Forging of rights
MAGERIT v3- Libro 2: Catalogo de elementos - A.6 Abuso de privilegios de acceso
EBIOS v2 – Section 4: Tools for assessing ISS risks – 39 Abuse of rights
MAGERIT v3- Libro 2: Catalogo de elementos - A.7 Uso no previsto
MAGERIT v3- Libro 2: Catalogo de elementos - A.8 Difusión de software dañino
MAGERIT v3- Libro 2: Catalogo de elementos - A.9 Re-encaminamiento de mensajes
MAGERIT v3- Libro 2: Catalogo de elementos - A.10 Alteración de secuencia

EBIOS v2 – Section 4: Tools for assessing ISS risks – 36 Corruption of data
MAGERIT v3- Libro 2: Catalogo de elementos - A.11 Acceso no autorizado

EBIOS v2 – Section 4: Tools for assessing ISS risks – 33 Unauthorized use of equipment
MAGERIT v3- Libro 2: Catalogo de elementos - A.12 Análisis de trafico

MAGERIT v3- Libro 2: Catalogo de elementos - A.13 Repudio
EBIOS v2 – Section 4: Tools for assessing ISS risks – 41 Denial of actions
MAGERIT v3- Libro 2: Catalogo de elementos - A.14 Interceptación de información (escucha)

EBIOS v2 – Section 4: Tools for assessing ISS risks – 19 Eavesdropping
MAGERIT v3- Libro 2: Catalogo de elementos - A.15 Modificación deliberada de la información
MAGERIT v3- Libro 2: Catalogo de elementos - A.18 Destrucción de la información
MAGERIT v3- Libro 2: Catalogo de elementos - A.19 Divulgación de información

EBIOS v2 – Section 4: Tools for assessing ISS risks – 23 Disclosure
EBIOS v2 – Section 4: Tools for assessing ISS risks – 27 Position detection
MAGERIT v3- Libro 2: Catalogo de elementos - A.19 Divulgación de información

EBIOS v2 – Section 4: Tools for assessing ISS risks – 23 Disclosure
EBIOS v2 – Section 4: Tools for assessing ISS risks – 27 Position detection
MAGERIT v3- Libro 2: Catalogo de elementos - A.22 Manipulación de programas

EBIOS v2 – Section 4: Tools for assessing ISS risks – 26 Tampering with software
MAGERIT v3- Libro 2: Catalogo de elementos - A.23 Manipulación de los equipos
EBIOS v2 – Section 4: Tools for assessing ISS risks – 25 Tampering with hardware
MAGERIT v3- Libro 2: Catalogo de elementos - A.24 Denegación de servicio

EBIOS v2 – Section 4: Tools for assessing ISS risks – 30 Saturation of the Information system
MAGERIT v3- Libro 2: Catalogo de elementos - A.25 Robo

EBIOS v2 – Section 4: Tools for assessing ISS risks – 20 Theft of media or documents
EBIOS v2 – Section 4: Tools for assessing ISS risks – 20 Theft of Equipment
MAGERIT v3- Libro 2: Catalogo de elementos - A.25 Robo

EBIOS v2 – Section 4: Tools for assessing ISS risks – 20 Theft of media or documents
EBIOS v2 – Section 4: Tools for assessing ISS risks – 20 Theft of Equipment
MAGERIT v3- Libro 2: Catalogo de elementos - A.26 Ataque destructivo

EBIOS v2 – Section 4: Tools for assessing ISS risks – 05 Destruction of equipment or media
MAGERIT v3- Libro 2: Catalogo de elementos - A.27 Ocupación enemiga
MAGERIT v3- Libro 2: Catalogo de elementos - A.28 Indisponibilidad del personal

EBIOS v2 – Section 4: Tools for assessing ISS risks – 42 Breach of personnel availability
MAGERIT v3- Libro 2: Catalogo de elementos - A.29 Extorsión
MAGERIT v3- Libro 2: Catalogo de elementos - A.30 Ingeniería social (picaresca)
ENISA 2012 - Cloud Computing Benefits, risks and recommendations for information security – R2 Loss
ofgovernance
ENISA 2012 - Cloud Computing Benefits, risks and recommendations for information security – R1 Lock-in
ENISA 2012 - Cloud Computing Benefits, risks and recommendations for information security – R7 Isolation failure
ENISA 2012 - Cloud Computing Benefits, risks and recommendations for information security – R11 Insecure or
ineffective deletion of data
ENISA 2012 - Cloud Computing Benefits, risks and recommendations for information security – R14 Compromise of
service engine
ENISA 2012 - Cloud Computing Benefits, risks and recommendations for information security – R19 Subpoena and
discovery
ENISA 2012 - Cloud Computing Benefits, risks and recommendations for information security – R20 Risk from
changes of jurisdiction
ENISA 2012 - Cloud Computing Benefits, risks and recommendations for information security – R21 Data protection
risks
OWASP – Cloud top 10 Security Risks –R5 User privacy and secondary usage of data
OWASP – Cloud top 10 Security Risks –R8 Incidence analysis and forensic support
CSA 2016 – Top Threats to Cloud Computing-Threat 3: Insecure Interfaces and APIs
-
-
2.ISO/IEC 27005:2018
Type of threat
Physical damage
Natural events
Physical damage
Natural events
Natural events
Natural events
Natural events
Physical damage
Physical damage
Physical damage
Physical damage
Physical damage
Disturbance due to radiation
Technical failures
Technical failures
Loss of essential services
Physical damage
Physical damage
Technical failures
Technical failures
Compromise of information
Compromise of functions
-
-
Technical failures
Technical failures
Technical failures
Technical failures
Technical failures
Unauthorized actions
-
Technical failures
Physical damage
-
-
-
-
2.ISO/IEC 27005:2018
Origin
D (deliberate),
Threat A (accidental),
E (environmental)
D A E
X
Fire X X
Flood
Major accident X X
Climatic phenomenon
Seismic phenomenon
X
Volcanic phenomenon
Meteorological phenomenon X
Fire X X X
Water damage X X X
Major accident X X X
Destruction of equipment or media X X X
Pollution X X X
Electromagnetion radiation X X X
Thermal radiation X X X
Electromagnetic pulses X X X
Equipment failure X
Equipment malfunction X
Loss of power supply X X X
Dust, corrosion, freezing X X X

Failure of air-conditioning or water supply system X X
Failure of telecommunication equipment X X
Equipment failure
Equipment malfunction
Interception of compromising interface signals X

Error in use X
Error in use X
-
-
Software malfunction X
Software malfunction X
Breach of information system maintainability X X

Breach of information system maintainability X X
Saturation of the information system X X
Retrieval of recycled or discarded media X
Breach of personnel availability X X X
Forging of rights X
Abuse of rights X X
Remote spying X
Corruption of data X
Unauthorised use of equipment X
-
Denial of actions X
Eavesdropping X
Disclosure X X
Position detection X
Tampering with software X X

Tampering with hardware X
Saturation of the information system X X
Theft of media or documents X
Theft of equipment X
Breach of personnel availability X X X

-
-
-
-
Data from untrustworthy sources X X
Advanced persistant threat X
Fraudulent copying of software X
Use of counterfeit or copied software X X
Illegal processing of data X

EU RM Toolbox Library 03 - Threats Mappings

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

EU RM Toolbox Library 03 - Threats Mappings

Uploaded by

Copyright:

Available Formats

Threat Category

ERRORS AND UNINTENTIONAL FAILURES

ERRORS AND UNINTENTIONAL FAILURES

ERRORS AND UNINTENTIONAL FAILURES

ERRORS AND UNINTENTIONAL FAILURES

ERRORS AND UNINTENTIONAL FAILURES

ERRORS AND UNINTENTIONAL FAILURES

ERRORS AND UNINTENTIONAL FAILURES

ERRORS AND UNINTENTIONAL FAILURES

ERRORS AND UNINTENTIONAL FAILURES

ERRORS AND UNINTENTIONAL FAILURES

ERRORS AND UNINTENTIONAL FAILURES

ERRORS AND UNINTENTIONAL FAILURES

ERRORS AND UNINTENTIONAL FAILURES

ERRORS AND UNINTENTIONAL FAILURES

ERRORS AND UNINTENTIONAL FAILURES

ERRORS AND UNINTENTIONAL FAILURES

Other Natural Disasters X

Other Industrial Disasters X

Electromagnetic / Thermal Radiation X

Hardware or Software Failure X

Unsuitable temperature or humidity conditions X

Communications services failure X

Interruption of other services or essential supplies X

Media / Equipment Degradation X

System / Security administrator errors X X X

Monitoring errors (logs) X

Accidental alteration of the information X

Defects in software maintenance / updating X X

Defects in hardware maintenance / updating X

System failure due to exhaustion of resources X

Retrieval of recycled or discarded media X X

Breach of personnel availability X

Manipulation of activity records (log) X

Manipulation of the configuration files X X X

Abuse of access privileges X X X

Repudiation (denial of actions) X

Deliberate alteration of information X

Tampering with software X X X

Tampering with hardware X

Theft of media or documents X X

Management interface compromise X

Insecure or ineffective deletion of data X

Compromise of Service Engine X X X

Subpoena and e-discovery X X

Risk from changes of jurisdiction X X

Data protection risks X

User Privacy and Secondary Usage of Data X

Incidence Analysis and Forensic Support X X X

Insecure Interfaces and APIs X X X

Hardware, devices and

Software and applications Personnel Locations and Utilities

Possibility that the fire destroys system resources

Possibility that the water destroys system resources

Accidental disasters due to human activity (explosions,collapses,chemical pollution,electrical overloads,ele

Presence of dust, vapours, corrosive or toxic gases in the ambient air.

Interruption on services or resources on which the operation of the equipment depends

The accidental alteration of the information

The accidental loss of the information

The entry of erroneous configuration data

Intentional alteration of the information to obtain a benefit or cause damage.

The intentional deletion of information, to obtain a benefit or cause damage.

Intentional disclosure of information

Vandalism, terrorism, military action, etc.