Threat

Threats exploit asset vulnerabilities and create impact. The interactions between assets, threats, and vulnerabilities are analysed during risk management.

It is impossible for an organisation to completely exclude the existence of threats. In terms of security, we therefore generally apply EBIOSv2.

EBIOSv2

EBIOS: Expression of Needs and Identification of Security Objectives (Expression des Besoins et Identification des Objectifs de Sécurité).

Threats by Groups

EBIOSv2 [1] offers a list of generic Threatening Agents (i.e. threats):

PHYSICAL DAMAGE

  • Fire
  • Water damage
  • Pollution
  • Major disaster
  • Destruction of equipment or supports
  • Dust, corrosion, frost

NATURAL EVENTS

  • Climatic phenomenon
  • Seismic phenomenon
  • Volcanic phenomenon
  • Meteorological phenomenon
  • Flood

LOSS OF ESSENTIAL SERVICES

  • Air conditioning failure
  • Energy Power Loss
  • Loss of telecommunication

DISTURBANCE DUE TO RADIATION

  • Electromagnetic radiation
  • Thermal radiation
  • Electromagnetic pulses (EMI)

COMPROMISING INFORMATION

  • Interception of compromising spurious signals
  • Remote spying
  • Passive listening
  • Theft of media or documents
  • Theft of equipment
  • Recovery of recycled or discarded media
  • Disclosure
  • Information without guarantee of origin
  • Equipment trapping
  • Software trapping
  • Geolocation

TECHNICAL FAILURES

  • Hardware failure
  • Equipment malfunction
  • Information system saturation
  • Software malfunction
  • Attack on the maintainability of the information system

UNAUTHORISED ACTIONS

  • Illegal use of equipment
  • Fraudulent copying of software

Threat Qualification

EBIOSv2 threats can be classified according to:

THEIR ORIGIN

  • E: Environmental - all incidents that are not caused by human actions
  • D: Deliberate - all deliberate actions targeting assets
  • A: Accidental - all human actions that can accidentally damage assets

THEIR ATTACK

  • D: Availability
  • I: Integrity
  • C: Confidentiality

THEIR TYPE

  • N: Natural
  • H: Human
  • E: Environmental

This section refers to the generic vulnerabilities of the EBIOS v2 document - Section 4 - Tools (Assessment).

We can identify:

Security Goals

Section 2, "Generic security objectives", of the EBIOS v2 document - Section 5 - Tools (Processing) [4] proposes, for each of the 7 types of high-level entities/assets, a list of generic security objectives that effectively address the generic vulnerabilities identified previously.

Section 3.2, "Requirements from ISO 17799", of the same EBIOS v2 document - Section 5 - Tools (Processing) [5] proposes safety requirements related to each of the clauses of ISO/IEC 17799:2000 (and not the version of the standard published in 2005).

EBIOS 2010

EBIOS 2010 [6] offers a different presentation from version 2, both in terms of the presentation of threats and the overall approach.

EBIOS 2010 is divided into the following areas:

TYPES OF SUPPORT GOODS

  • SYS - IT and telephony systems
  • ORG - Organisations
  • LOC - Premises

IMPACTS

  • Impacts on the operation
  • Human impacts
  • Impacts on property
  • Other impacts

SOURCES OF THREATS

  • Human sources
    • Malicious deliberate
      • Internal (human) source
        • Low capacities
        • Important capacities
        • Unlimited capacities
      • External (human) source
        • Low capacities
        • Important capacities
        • Unlimited capacities
    • Accidental without intention to harm
      • Internal (human) source
        • Low capacities
        • Important capacities
        • Unlimited capacities
      • External (human) source
        • Low capacities
        • Important capacities
        • Unlimited capacities
  • Non-human sources

MEHARI Threats by Threat Group

  • Natural disasters
    • Fire
    • Water damage
    • Natural disasters
  • Industrial disasters
    • Fire
    • Water damage
    • Industrial disasters
    • Mechanical pollution
    • Electromagnetic pollution
    • Physical or logical failure
    • Power cut
    • Inadequate temperature and/or humidity conditions
    • Communication services failure
    • Interruption of other essential services and supplies
    • Degradation of information storage media
    • Electromagnetic emanations
  • Unintended errors and failures
    • User errors
    • Administrator errors
    • Control errors (log)
    • Configuration errors
    • Organizational deficiencies
    • Diffusion of harmful software
    • Redirection errors
    • Sequence errors
    • Information leaks
    • Information alteration
    • Introduction of false information
    • Information degradation
    • Information destruction
    • Disclosure of information
    • Program vulnerabilities (software)
    • Maintenance/program update errors (software)
    • Equipment maintenance/updating errors
    • System collapse caused by resource depletion
    • Loss of equipment
    • Staff unavailability
  • Deliberate attacks
    • Configuration manipulation
    • Masquerading of user identity
    • Abuse of access privileges
    • Unintended use
    • Diffusion of harmful software
    • Message redirection
    • Sequence alteration
    • Unauthorised access
    • Traffic analysis
    • Repudiation
    • Information interception (listening)
    • Modification of information
    • Introduction of false information
    • Information corruption
    • Disclosure of information
    • Program manipulation
    • Denial of service
    • Theft of equipment
    • Destructive attack
    • Enemy occupation
    • Staff unavailability
    • Extortion
    • Social engineering