
SCF Risk & Threat Catalog

Posted by SCF Council on Jan 19th 2023

In addition to cybersecurity and privacy controls, the Secure Controls Framework (SCF) contains a separate risk catalog and threat catalog, each with mappings to the applicable SCF controls. These risk and threat catalogs are also leveraged within the Security & Privacy Risk Management Model (SP-RMM), another free resource from the SCF that focuses on cybersecurity and privacy risk management. This is all part of the grander concept of Integrated Controls Management (ICM).

The catalogs are built around two key concepts:

  1. If the control fails, what risk is the organization exposed to?
  2. If the threat materializes, will the control function as expected?

Risk Catalog

If you want to assess risk, you need to develop a risk catalog that identifies the possible risk(s) that affect an organization or other form of entity that you want to assess (e.g., a Line of Business (LOB)). The use case for the risk catalog is to identify the applicable risk(s) associated with a control deficiency (e.g., if the control fails, what risk(s) is the organization exposed to?).

In the context of the risk catalog, “risk” is defined as:

  • noun A situation where someone or something valued is exposed to danger, harm or loss.
  • verb To expose someone or something valued to danger, harm or loss.

In the context of this definition of risk, it is important to define underlying components of this risk definition:

  • Danger: state of possibly suffering harm or injury
  • Harm: material / physical damage
  • Loss: destruction, deprivation or inability to use

Risk groupings are broken down into several categories:

  • Access Control
  • Asset Management
  • Business Continuity
  • Exposure
  • Governance
  • Incident Response
  • Situational Awareness

Access Control

The potential risk(s) from a control deficiency should be approached from the mindset of, “If the control fails, the risk that the organization is exposed to is…”

  • R-AC-1. Inability to maintain individual accountability. The inability to maintain accountability (e.g., asset ownership, non-repudiation of actions or inactions, etc.).
  • R-AC-2. Improper assignment of privileged functions. The inability to implement least privileges (e.g., Role-Based Access Control (RBAC), Privileged Account Management (PAM), etc.).
  • R-AC-3. Privilege escalation. The inability to restrict access to privileged functions.
  • R-AC-4. Unauthorized access. The inability to restrict access to only authorized individuals, groups or services.

Asset Management

The potential risk(s) from a control deficiency should be approached from the mindset of, “If the control fails, the risk that the organization is exposed to is…”

  • R-AM-1. Lost, damaged or stolen asset(s). Lost, damaged or stolen assets.
  • R-AM-2. Loss of integrity through unauthorized changes. Unauthorized changes that corrupt the integrity of the system / application / service.
  • R-AM-3. Emergent properties and/or unintended consequences. Emergent properties and/or unintended consequences from Artificial Intelligence & Autonomous Technologies (AAT).

Business Continuity

The potential risk(s) from a control deficiency should be approached from the mindset of, “If the control fails, the risk that the organization is exposed to is…”

  • R-BC-1. Business interruption. Increased latency, or a service outage, that negatively impacts business operations.
  • R-BC-2. Data loss / corruption. The inability to maintain the confidentiality of the data (compromise) or prevent data corruption (loss).
  • R-BC-3. Reduction in productivity. Diminished user productivity.
  • R-BC-4. Information loss / corruption or system compromise due to technical attack. A technical attack that compromises data, systems, applications or services (e.g., malware, phishing, hacking, etc.).
  • R-BC-5. Information loss / corruption or system compromise due to non‐technical attack. A non-technical attack that compromises data, systems, applications or services (e.g., social engineering, sabotage, etc.).

Exposure

The potential risk(s) from a control deficiency should be approached from the mindset of, “If the control fails, the risk that the organization is exposed to is…”

  • R-EX-1. Loss of revenue. A negative impact on the ability to generate revenue (e.g., a loss of clients or an inability to generate future revenue).
  • R-EX-2. Cancelled contract. A cancelled contract with a client or other entity for cause (e.g., failure to fulfill obligations for secure practices).
  • R-EX-3. Diminished competitive advantage. Diminished competitive advantage (e.g., lose market share, internal dysfunction, etc.).
  • R-EX-4. Diminished reputation. Diminished brand value (e.g., tarnished reputation).
  • R-EX-5. Fines and judgements. Financial damages due to fines and/or judgements from statutory / regulatory / contractual non-compliance.
  • R-EX-6. Unmitigated vulnerabilities. Unmitigated technical vulnerabilities that lack compensating controls or other mitigation actions.
  • R-EX-7. System compromise. A compromise of a system, application or service that affects confidentiality, integrity, availability and/or safety.

Governance

The potential risk(s) from a control deficiency should be approached from the mindset of, “If the control fails, the risk that the organization is exposed to is…”

  • R-GV-1. Inability to support business processes. Insufficient cybersecurity and/or privacy practices that cannot securely support the organization's technologies & processes.
  • R-GV-2. Incorrect controls scoping. Missing or incorrect cybersecurity and/or privacy controls due to incorrect or inadequate control scoping practices.
  • R-GV-3. Lack of roles & responsibilities. Insufficient cybersecurity and/or privacy roles & responsibilities that cannot securely support the organization's technologies & processes.
  • R-GV-4. Inadequate internal practices. Insufficient cybersecurity and/or privacy practices that cannot securely support the organization's technologies & processes.
  • R-GV-5. Inadequate third-party practices. Insufficient Cybersecurity Supply Chain Risk Management (C-SCRM) practices that cannot securely support the organization's technologies & processes.
  • R-GV-6. Lack of oversight of internal controls. The inability to demonstrate appropriate evidence of due diligence and due care in overseeing the organization's internal cybersecurity and/or privacy controls.
  • R-GV-7. Lack of oversight of third-party controls. The inability to demonstrate appropriate evidence of due diligence and due care in overseeing third-party cybersecurity and/or privacy controls.
  • R-GV-8. Illegal content or abusive action. Disruptive content or actions that negatively affect business operations (e.g., abusive content, harmful speech, threats of violence, illegal content, etc.).

Incident Response

The potential risk(s) from a control deficiency should be approached from the mindset of, “If the control fails, the risk that the organization is exposed to is…”

  • R-IR-1. Inability to investigate / prosecute incidents. Insufficient incident response practices that prevent the organization from investigating and/or prosecuting incidents (e.g., chain of custody corruption, available sources of evidence, etc.).
  • R-IR-2. Improper response to incidents. The inability to appropriately respond to incidents in a timely manner.
  • R-IR-3. Ineffective remediation actions. The inability to ensure incident response actions were correct and/or effective.
  • R-IR-4. Expense associated with managing a loss event. Financial repercussions from responding to an incident or loss.

Situational Awareness

The potential risk(s) from a control deficiency should be approached from the mindset of, “If the control fails, the risk that the organization is exposed to is…”

  • R-SA-1. Inability to maintain situational awareness. The inability to detect cybersecurity and/or privacy incidents (e.g., a lack of situational awareness).
  • R-SA-2. Lack of a security-minded workforce. The inability to appropriately educate and train personnel to foster a security-minded workforce. 

Threat Catalog

Similar to defining the risk catalog, if you want to assess risk, you need to develop a threat catalog that identifies the possible natural and man-made threats that affect the entity's security & privacy controls. The use case for the threat catalog is to identify the applicable natural and man-made threats that affect control execution (e.g., if the threat materializes, will the control function as expected?).

In the context of the threat catalog, “threat” is defined as:

  • noun A person or thing likely to cause damage or danger.
  • verb To indicate impending damage or danger.

This threat catalog is sorted according to natural (14) and man-made (13) threats.


Natural Threats

The potential natural threats should be approached from the mindset of, "If the threat materializes, will the control(s) function as expected?"

  • NT-1 Drought & Water Shortage. Regardless of geographic location, periods of reduced rainfall are expected. For non-agricultural industries, drought may not be impactful to operations until it reaches the extent of water rationing.
  • NT-2 Earthquakes. Earthquakes are sudden rolling or shaking events caused by movement under the earth’s surface. Although earthquakes usually last less than one minute, the scope of devastation can be widespread and have long-lasting impact.
  • NT-3 Fire & Wildfires. Regardless of geographic location or even building material, fire is a concern for every business. When thinking of a fire in a building, envision a total loss to all technology hardware, including backup tapes, and all paper files being consumed in the fire.
  • NT-4 Floods. Flooding is the most common of natural hazards and requires an understanding of the local environment, including floodplains and the frequency of flooding events. Location of critical technologies should be considered (e.g., server room is in the basement or first floor of the facility).
  • NT-5 Hurricanes & Tropical Storms. Hurricanes and tropical storms are among the most powerful natural disasters because of their size and destructive potential. In addition to high winds, regional flooding and infrastructure damage should be considered when assessing hurricanes and tropical storms.
  • NT-6 Landslides & Debris Flow. Landslides occur throughout the world and can be caused by a variety of factors including earthquakes, storms, volcanic eruptions, fire, and by human modification of land. Landslides can occur quickly, often with little notice. Location of critical technologies should be considered (e.g., server room is in the basement or first floor of the facility).
  • NT-7 Pandemic (Disease) Outbreaks. Due to the wide variety of possible scenarios, consideration should be given both to the magnitude of what can reasonably happen during a pandemic outbreak (e.g., COVID-19, Influenza, SARS, Ebola, etc.) and to what actions the business can take to help lessen the impact of a pandemic on operations.
  • NT-8 Severe Weather. Severe weather is a broad category of meteorological events that include events that range from damaging winds to hail.
  • NT-9 Space Weather. Space weather includes natural events in space that can affect the near-earth environment and satellites. Most commonly, this is associated with solar flares from the Sun, so an understanding of how solar flares may impact the business is of critical importance in assessing this threat.
  • NT-10 Thunderstorms & Lightning. Thunderstorms are most prevalent in the spring and summer months and generally occur during the afternoon and evening hours, but they can occur year-round and at all hours. Many hazardous weather events are associated with thunderstorms. Under the right conditions, rainfall from thunderstorms causes flash flooding and lightning is responsible for equipment damage, fires and fatalities.
  • NT-11 Tornadoes. Tornadoes occur in many parts of the world, including the US, Australia, Europe, Africa, Asia, and South America. Tornadoes can happen at any time of year and occur at any time of day or night, but most tornadoes occur between 4–9 p.m. Tornadoes (with winds up to about 300 mph) can destroy all but the best-built man-made structures.
  • NT-12 Tsunamis. All tsunamis are potentially dangerous, even though they may not damage every coastline they strike. A tsunami can strike anywhere along most of the US coastline. The most destructive tsunamis have occurred along the coasts of California, Oregon, Washington, Alaska and Hawaii.
  • NT-13 Volcanoes. While volcanoes are geographically fixed objects, volcanic fallout can have significant downwind impacts for thousands of miles. Far outside of the blast zone, volcanoes can significantly damage or degrade transportation systems and also cause electrical grids to fail.
  • NT-14 Winter Storms & Extreme Cold. Winter storms are a broad category of meteorological events that range from ice storms, to heavy snowfall, to unseasonably (e.g., record-breaking) cold temperatures. Winter storms can significantly impact business operations and transportation systems over a wide geographic region.

Man-Made Threats

The potential man-made threats should be approached from the mindset of, "If the threat materializes, will the control(s) function as expected?"

  • MT-1 Civil or Political Unrest. Civil or political unrest can be singular or wide-spread events that can be unexpected and unpredictable. These events can occur anywhere, at any time.
  • MT-2 Hacking & Other Cybersecurity Crimes. Unlike physical threats that prompt immediate action (e.g., "stop, drop, and roll" in the event of a fire), cyber incidents are often difficult to identify as the incident is occurring. Detection generally occurs after the incident has occurred, with the exception of "denial of service" attacks. The spectrum of cybersecurity risks is limitless and threats can have wide-ranging effects on the individual, organizational, geographic, and national levels.
  • MT-3 Hazardous Materials Emergencies. Hazardous materials emergencies are focused on accidental disasters that occur in industrialized nations. These incidents can range from industrial chemical spills to groundwater contamination.
  • MT-4 Nuclear, Biological and Chemical (NBC) Weapons. The use of NBC weapons is within the possible arsenals of international terrorists and must be a consideration. Terrorist use of a “dirty bomb” is considered far more likely than use of a traditional nuclear explosive device. This may be a combination of a conventional explosive device with radioactive / chemical / biological material, designed to scatter lethal and sub-lethal amounts of material over a wide area.
  • MT-5 Physical Crime. Physical crime includes "traditional" crimes of opportunity. These incidents can range from theft, to vandalism, riots, looting, arson and other forms of criminal activities.
  • MT-6 Terrorism & Armed Attacks. Armed attacks, regardless of the motivation of the attacker, can impact a business. Scenarios can range from single actors (e.g., a "disgruntled" employee) all the way to a coordinated terrorist attack by multiple assailants. These incidents can range from the use of blade weapons (e.g., knives) and blunt objects (e.g., clubs) to firearms and explosives.
  • MT-7 Utility Service Disruption. Utility service disruptions are focused on the sustained loss of electricity, Internet, natural gas, water, and/or sanitation services. These incidents can have a variety of causes but directly impact the fulfillment of utility services that your business needs to operate.
  • MT-8 Dysfunctional Management Practices. Dysfunctional management practices are a man-made threat that exposes an organization to significant risk. The threat stems from the inability of weak, ineffective and/or incompetent management to (1) make a risk-based decision and (2) support that decision. The resulting risk manifests due to (1) an absence of a required control or (2) a control deficiency.
  • MT-9 Human Error. Human error is a broad category that includes non-malicious actions that are unexpected and unpredictable by humans. These incidents can range from misconfigurations to misunderstandings or other unintentional accidents.
  • MT-10 Technical / Mechanical Failure. Technical / mechanical failure is a broad category that includes non-malicious failure due to a defect in the technology, materials or workmanship. Technical / mechanical failures are unexpected and unpredictable, even when routine and preventative maintenance is performed. These incidents can range from malfunctions, to reliability concerns, to catastrophic damage.
  • MT-11 Statutory / Regulatory / Contractual Obligation. Laws, regulations and/or contractual obligations that directly or indirectly weaken an organization's security & privacy controls. This includes hostile nation states that leverage statutory and/or regulatory means for economic or political espionage and/or cyberwarfare activities.
  • MT-12 Redundant, Obsolete/Outdated, Toxic or Trivial (ROT) Data. Redundant, Obsolete/Outdated, Toxic or Trivial (ROT) data is information an organization utilizes for business processes even though the data is untrustworthy, due to the data's currency, accuracy, integrity and/or applicability.
  • MT-13 Artificial Intelligence & Autonomous Technologies (AAT). Artificial Intelligence & Autonomous Technologies (AAT) is a broad category that ranges from non-malicious failure due to a defect in the algorithm to emergent properties or unintended consequences. AAT failures can be due to hardware failures, inherent biases or other flaws in the underlying algorithm. These incidents can range from malfunctions, to reliability concerns to catastrophic damage (including loss of life).

Interesting Threat Insights

The most “interesting” threats are those that require an organization to take a serious look at its own management practices, since the greatest threat is often inside the organization:

  1. MT-8: Dysfunctional Management Practices
  2. MT-9: Human Error
  3. MT-10: Technical / Mechanical Failure
  4. MT-11: Statutory / Regulatory / Contractual Obligation
  5. MT-12: Redundant, Obsolete/Outdated, Toxic or Trivial (ROT) Data