A1 - Catalogue of threat scenarios
There are multiple sources and taxonomies for threat scenarios, including MITRE CAPEC [1]. The sections below are just an example catalogue of threat scenarios. You can customize it to the needs and context of your business or product/service.
A1.1. Compromise of business asset
- Inadequate incident detection & response process
- Inadequate identity & access management
- Inadequate vulnerability & patch management (Infra, Endpoints)
- Inadequate configuration management (Cloud, Network)
- Inadequate secret management
A1.2. Loss of (access to) business data
- Technical failure of storage system or medium
- Storage system inaccessible or unavailable (DDoS)
- Loss of secrets (Password, Encryption keys)
- Unauthorized malicious activity (Ransomware) [2]
A1.3. Supply chain / Third party risks
- Shadow IT (Unregistered/Unmanaged vendors)
- Disclosure of (sensitive) information via third party [3,4]
- Misuse of (Network/system) access granted to third party
- Failure to comply with contractual agreement
- Vendor bankruptcy
A1.4. Physical threats
- Safety hazard (Fire, Pollution, Pandemic)
- Theft, Vandalism, Sabotage
- Natural disaster (Earthquake, Flood, Storm) [5]
- Loss of utilities (Energy, Internet connectivity)
A1.5. People / Insider threats
- Lack of security awareness (Social Engineering, Phishing)
- Fraud, Tampering, Collusion
- Industrial espionage [6,7,8]
- Incapacity/Inability to work
A1.6. Environmental, Regulatory, Sectorial, Regional, and Geopolitical threats
- State-sponsored Attacks/Threats (APTs) [9,10]
- Violation of applicable regulations (Penalty, Damage to reputation)
- Change of regulations leading to undesirable outcome
- Financial & Economic disruption/instability
- Social unrest, Strike, Extortion, Embezzlement