THREAT

A cyber criminal, hacktivist or nation state group try to steal data from the system

LIKELIHOOD

What value might data in the system have to an attacker?
Does the data have exchange value? Can it be sold?
Could an attacker demand a ransom if they obtained the data?
Are there specific reasons an attacker might target the data in your system?
Can the data be used to escalate privledge into other systems?

IMPACT

How might data loss impact the organisation's reputation?
Might there be a breakdown in trust with any parent organisation or customers?
Might this trigger an investigation or penalties by a regulator?
Might there be a financial cost in terms of revenue? Ransoms?
What impact if data allows escalation of privledge to more sensitive systems?

Sensible Conversations about Security

THREAT

A cyber criminal or hacktivist group mount a denial of service attack on the system

LIKELIHOOD

Could an attacker demand a ransom were your system unavailable?
Is it in the interest of any group to impact your reputation by taking your system down?
Are there knock on effect on third parties or clients which an attack could benefit from?

IMPACT

What is the impact on revenue or operations if the system is down?
How long could the system be down until it really hurt? 5 mins? 1 hour? 1 week?

Sensible Conversations about Security

THREAT

A regulator investigates an infringement of the General Data Protection Regulation

LIKELIHOOD

Do you process the personal data of EU residents?
Might an EU resident raise a complaint to a regulator about your organisation?
Is it likely that you will be subject to a data breach?

IMPACT

Fines for failing to report a data breach can be up to 2% yearly revenue
Fines for non compliance with GDPR can be up to 4% of global yearly revenue
Penalties in most cases will be public record, leading to a reputational impact

Sensible Conversations about Security

THREAT

An end user or third party tries to commit fraud by providing false information

LIKELIHOOD

Are there previous examples of this kind of threat for this or similar systems?
Could someone to gain financially by making an application or other action using your system?
Could someone cause harm or mischief to a third party by using your system?

IMPACT

What is the impact of a single fraudulent transaction?
How does this change if there are means of replaying or multiplying the fraud?

Sensible Conversations about Security

THREAT

A disgruntled employee or ex-exployee tries to embarrass or hurt the organisation

LIKELIHOOD

Are there signs of poor morale? Are managers aware of concerns of this type?
Is it possible that someone could be laid off under a dispute?
If something like this is detected, there will be legal implications. Would someone take the risk?
Are there previous examples of this kind of threat?

IMPACT

What impact could someone with a normal level of access to the system make?
What impact could someone with high levels of technical access to system make?

Sensible Conversations about Security

THREAT

A new form of ransomware or a wiper worm tries to spread from adjacent networks

LIKELIHOOD

Does the system connect to other networks?

IMPACT

What would be the impact if you had to rebuild your environment from scratch?
Would there be dataloss if the environment was destroyed?
How long would the system be unavailable for in the event of a rebuild?

Sensible Conversations about Security

THREAT

A developer or admin makes an error in configuring or securing the system

LIKELIHOOD

Human error can never be ruled out, although you can use automation and review to reduce issues.

IMPACT

What might be the impact of misconfiguring access control?
What might be the impact of a misconfiguration of transport encryption?

Sensible Conversations about Security

THREAT

A random botnet or scriptkiddy mounts an automated attack on the system

LIKELIHOOD

Should be considered likely if the system connects to the Internet

IMPACT

What is the business impact of spam comments, applications or signups?
What is the effect of a system component being taken offline?
What is the impact of a user account being brute-forced and access sold?
What is the rebuild / forensic cost if a machine is compromised?

Sensible Conversations about Security

THREAT

An internal user tries to access sensitive information out of curiosity

LIKELIHOOD

Does the system have a large number of end users?
Does the system store sensitive data that people might find of interest?

IMPACT

What is the administrative cost of a data breach?
What is the reputational impact if personal nformation leaks to press?
What is the privacy impact on the individual?
Could there be regulatory impact?

Sensible Conversations about Security