List of information security threats, for assessing risks to the confidentiality, integrity and availability of information. We identify the most common dangerous behaviors and the motivations behind cyber attacks.
To address the information security risk assessment required by point 6 of ISO 27001:2017, we list a number of threats that may arise from the behavior of personnel (human resources) and from the conditions of security assets and their operation.
Recall that threats, unlike risks (which always and in any case concern the loss of confidentiality, integrity and availability of information), are the causes or circumstances through which a given negative event, one detrimental to the security of the information, may occur.
Dangers (threats) attributable to human behavior
- Insufficient reliability
- Superficiality and carelessness (e.g. voluntary or accidental disclosure of the password)
- Lack of motivation among staff in general to comply with security policies
- Unawareness of the criticality of information and processing procedures
- Presence of technical vulnerabilities in information management and protection processes
Hazards (threats) attributable to physical and environmental conditions and security assets
- Temperature and humidity
- Fire
- Explosion
- Flooding
- Voltage drops in electricity
- Interruption of electricity
- Earthquake
- Deterioration
- Presence of technical vulnerabilities in asset management and protection processes
- Intrusion and movement of strangers inside the structure
The criticality of information and risk levels
The identification of hazards (threats) is followed by the risk assessment phase.
The extent of the risk depends on the strategic importance of the information to be protected. The more “critical” the information to be protected, the higher the risk associated with its compromise.
Having seen where threats to information security come from, let us now list the most common targets of cyber attacks, or, more generally, the information for which the risks of loss of confidentiality, integrity and availability are highest.
The critical business information for which the risk assessment must be carried out usually concerns:
- Commercial data
- Contracts
- Partnership agreements
- Projects
- Project Requirements
- Design mode
- Strategies and needs
- New product launches
- Costs and production times
- Financial and contractual information
- Names of customers and suppliers
- Technical data
- Patents, including those whose registration is pending
- Designs and design solutions
- Production plans and schemes
- Design plans and schemes
- Plans and schemes for analysis and development of requirements
- Supply and work specifications
- Technical drawings
- Algorithm Specifications
- Project performance (timing, technologies, results)
- Plans and methods for the control of production activities in general
- Processes, formulas
- Special categories of (“sensitive”) personal data under Art. 9 of European Regulation 2016/679 (GDPR)
- Intellectual property governed by Title IX of the Civil Code – rights to intellectual property and industrial inventions