cyris360-framework

A1 - Catalogue of threat scenarios

There are multiple sources and taxonomies for threat scenarios, including MITRE CAPEC [1]. The sections below are just an example of threat scenarios. You can customize them depending on the needs and context of your business or product/service.

A1.1. Compromise of business asset

  1. Inadequate incident detection & response process
  2. Inadequate identity & access management
  3. Inadequate vulnerability & patch management (Infra, Endpoints)
  4. Inadequate configuration management (Cloud, Network)
  5. Inadequate secret management

A1.2. Loss of (access to) business data

  1. Technical failure of storage system or medium
  2. Storage system inaccessible or unavailable (DDoS)
  3. Loss of secrets (Password, Encryption keys)
  4. Unauthorized malicious activity (Ransomware) [2]

A1.3. Supply chain / Third party risks

  1. Shadow IT (Unregistered/Unmanaged vendors)
  2. Disclosure of (sensitive) information via third party [3,4]
  3. Misuse of (Network/system) access granted to third party
  4. Failure to comply with contractual agreement
  5. Vendor bankruptcy

A1.4. Physical threats

  1. Safety hazard (Fire, Pollution, Pandemic)
  2. Theft, Vandalism, Sabotage
  3. Natural disaster (Earthquake, Flood, Storm) [5]
  4. Loss of utilities (Energy, Internet connectivity)

A1.5. People / Insider threats

  1. Lack of security awareness (Social Engineering, Phishing)
  2. Fraud, Tampering, Collusion
  3. Industrial espionage [6,7,8]
  4. Incapacity/Inability to work

A1.6. Environmental, Regulatory, Sectorial, Regional, and Geopolitical threats

  1. State-sponsored Attacks/Threats (APTs) [9,10]
  2. Violation of applicable regulations (Penalty, Damage to reputation)
  3. Change of regulations leading to undesirable outcome
  4. Financial & Economic disruption/instability
  5. Social unrest, Strike, Extortion, Embezzlement