{"title":"A Comprehensive List of Threats To Information","authors":"D. Parker","doi":"10.1080/19393559308551348","DOIUrl":null,"url":null,"abstract":"Policies, standards, surveys, and assessment questionnaires do not currently provide consistent or complete lists of threats to information for identifying controls, conducting assessments, or establishing priorities in information security. The usual short list of four common threats — unauthorized modification, unauthorized use, destruction, and disclosure — is clearly incomplete and redundant. For example, more extensive lists often include fraud, theft, sabotage, and espionage. However, these threats are legal abstractions that require expertise in criminal law to understand. Often, users and even security specialists don't understand the criminal legal implications of these terms or have a distorted view of them. A further problem is that these lists typically fail to include some of the most common threats to organizations as shown by actual experience of information loss. These include such important violations of the law as trespass, burglary, extortion, and larceny, as well as such general threat...","PeriodicalId":207082,"journal":{"name":"Inf. Secur. J. A Glob. Perspect.","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Inf. Secur. J. A Glob. Perspect.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1080/19393559308551348","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
Policies, standards, surveys, and assessment questionnaires do not currently provide consistent or complete lists of threats to information for identifying controls, conducting assessments, or establishing priorities in information security. The usual short list of four common threats — unauthorized modification, unauthorized use, destruction, and disclosure — is clearly incomplete and redundant. For example, more extensive lists often include fraud, theft, sabotage, and espionage. However, these threats are legal abstractions that require expertise in criminal law to understand. Often, users and even security specialists don't understand the criminal legal implications of these terms or have a distorted view of them. A further problem is that these lists typically fail to include some of the most common threats to organizations as shown by actual experience of information loss. These include such important violations of the law as trespass, burglary, extortion, and larceny, as well as such general threat...