| Type | Risk | Risk Description |
| --- | --- | --- |
| Fraud | Fraud | The fraudulent actions of internal or external actors leading to unexpected financial, material, or reputational loss. |
| Fraud | Manipulation of information | The intentional manipulation of data to mislead information systems or internal/external actors. |
| Fraud | Falsification of records | The intentional manipulation of data in order to falsify organizational records. |
| Internal/External Threats | Sabotage | The intentional disruption of the organization's operations and/or intentional damage to organizational assets. |
| Internal/External Threats | Theft | The theft of organizational assets (mobile devices, laptops, documents, storage media, hardware, etc.) without permission. Theft may include the loss of confidential information as well as physical assets. |
| Internal/External Threats | Unauthorized sharing of information | The disclosure of information to unauthorized individuals or entities that results in the loss of confidential or proprietary information. |
| Internal/External Threats | Unauthorized physical access | Any individual accessing an organization's facilities without the proper authorization. |
| Internal/External Threats | Coercion, extortion, or corruption | The attempt to harm or otherwise disrupt the company resulting from an employee being coerced, extorted, or corrupted. |
| Internal/External Threats | Absence of personnel | Key personnel and their competencies being unavailable. The absence of personnel could be due to many reasons, including approved absence from work or a workers' strike. |
| Internal/External Threats | Abuse of resources | The unauthorized use of organizational resources, including the use of memory, CPU cycles, or other non-physical IT resources. |
| Internal/External Threats | Anonymous proxies | The use of anonymous proxy tools to engage in illicit or improper behavior on organizational assets. |
| Internal/External Threats | Absence of cybersecurity roles and responsibilities | The lack of cybersecurity roles and responsibilities for the entire workforce, including third-party stakeholders such as vendors and suppliers. These cybersecurity reporting structures and processes enable the organization to correctly respond to security incidents. |
| Internal/External Threats | Vulnerability management plan | The lack of an implemented vulnerability management plan. This may result in unknown and exploitable security gaps. |
| Internal/External Threats | Security event analysis | The failure to analyze potential or actual security events to identify exploitable attack vectors. This may result in damage to both organizational assets and information systems. |
| Internal/External Threats | Vulnerability testing and research | The failure to research or test for unaddressed vulnerabilities, resulting in exploitable attack vectors. This may result in damage to both organizational assets and information systems. |
| Data Loss | Loss of data via mobile applications | The loss of organizational data from using improperly configured mobile applications. |
| Data Loss | Loss of data via web applications | The loss of organizational data from using unauthorized web applications. |
| Data Loss | Loss of data via network | The loss of organizational data caused by unsecured network traffic. |
| Data Loss | Loss of data availability | The loss of data availability due to improper backup or availability zone configurations. |
| Data Loss | Loss of data via cloud | The loss of organizational data due to improper cloud controls or configurations. |
| Data Loss | Loss of data integrity via permissions | The loss of, or manipulation of, organizational data due to improperly configured permissions. |
| Data Loss | Infection of removable media | The improper use of removable media, such as thumb drives or removable hard drives, resulting in the spread of malware. |
| Data Loss | Role-based access control | The failure to implement role-based access control to critical systems. Access control should apply the principles of least privilege and separation of duties to grant individuals only enough access to perform their duties. |
| Data Loss | Appropriate system authentication | The failure to implement single-factor or multi-factor authentication for users, devices, and other assets. Authentication methods should be appropriate to the risk of the transaction (i.e., with consideration to individuals' security and privacy risks, and other organizational risks). |
| Data Loss | Data encryption | The interception of improperly secured information, in transmission or at rest, due to lack of appropriate encryption. |
| Data Loss | Unsecured Wi-Fi | The loss of organizational data due to unsecured networks or rogue access points. |
| Third-party Risk | Damage to IT assets by third parties | The threat of damage to IT assets by a third party. |
| Third-party Risk | Security failure by third parties | The threat of breach or damage to organizational assets by third-party vendors. |
| Third-party Risk | Damage due to penetration testing | Harm to information systems or organizational data due to improperly scoped or improperly executed penetration testing. |
| Natural Disaster | Natural disasters | The disruption of business processes related to the effects of natural disasters (e.g., earthquakes, floods, landslides, tsunamis, heavy rains, heavy snowfalls, heavy winds, etc.). |
| Natural Disaster | Fire | Damage or disruption of assets, people, or facilities due to fire caused by internal or external factors. |
| Natural Disaster | Pollution, dust, corrosion | Damage or disruption to IT assets, including hardware, due to pollution, dust, or corrosion. |
| Natural Disaster | Water | Damage or disruption to IT assets, including hardware, due to water. |
| Natural Disaster | Humidity | Damage or disruption to IT assets, including hardware, due to extreme humidity. |
| Natural Disaster | Extreme weather | Damage or disruption to IT assets, including hardware, due to extreme temperatures. |
