Risks can be grouped in many ways; this is how I group them: first by which security property is at risk (confidentiality, integrity, or availability), then by where the risk comes from (malicious outsiders, malicious insiders, honest mistakes, or failures of the environment).
Top level groupings
1. Risks that confidentiality will not be sustained
2. Risks that integrity will not be sustained
3. Risks that availability will not be sustained
For confidentiality, the risks are usually one of three types:
- unauthorized outsiders trying to gain access to information on the system
- insiders with legitimate access to the system who try to get at information on it that they are not authorized to see
- inadvertent disclosure of information through mistakes made by authorized individuals, such as posting internal company information on the public website instead of the protected internal server, or sending an email to the wrong person
For integrity, the risks are usually:
- a malicious outsider breaking into the system to destroy or alter files
- a malicious insider abusing their legitimate access to destroy or alter files
- accidental corruption of data through mistakes by authorized users
- physical damage to storage media leading to data corruption
- corruption of data in transit between systems
For availability, the risks are usually:
- denial of service attacks by malicious outsiders
- denial of service attacks by malicious insiders
- denial of service because of hardware failures
- denial of service because of software failures
- natural disasters such as floods, fire, and lightning