Threat Identification in Information Systems Risk Management
Threat identification is a foundational step in information systems risk management. A threat can be defined as any action, event, or circumstance that has the potential to cause loss, damage, or unauthorized use of an organization’s information assets. These assets may include data, software, hardware, networks, and supporting infrastructure. If realized, threats can expose, alter, destroy, or make information temporarily or permanently unavailable.
Organizations operate in environments where threats are inevitable. They cannot be completely eliminated, but they can and must be effectively managed. Understanding the nature, likelihood, and potential impact of threats enables management to design appropriate security controls that minimize losses and maximize business continuity and value.
The terms threat and risk are often used interchangeably; however, risk generally represents the likelihood and impact of a threat exploiting a vulnerability. Different levels of management and operational units may perceive and communicate threats differently, depending on their responsibilities, exposure, and objectives. A comprehensive threat identification process brings these perspectives together into a unified framework.
29.1 Types of Threats
Threats to information systems can broadly be classified into two major categories: physical threats and logical threats. Both categories pose serious risks to the confidentiality, integrity, and availability of information assets.
Physical Threats
Physical threats refer to damage or disruption caused to the physical infrastructure that supports information systems. These threats may result from natural events, environmental conditions, or human actions.
- Fire
- Water damage and flooding
- Power failures and energy fluctuations
- Structural damage
- Pollution and environmental hazards
- Unauthorized physical intrusion
Logical Threats
Logical threats cause damage to software, applications, and data without requiring physical access to systems. These threats are often technology-driven and can spread rapidly across interconnected systems.
- Viruses, worms, and malware
- Logical intrusion and hacking attempts
- Unauthorized access and privilege escalation
Likelihood of Threat Occurrence
Once threats are identified, they must be evaluated and ranked based on their probability of occurrence. Historical data, industry studies, and external reports can help estimate likelihood for known threats. For example, insurance data may provide statistics on fire incidents in a given region.
However, for emerging threats such as new malware or zero-day vulnerabilities, reliable historical data may not be available. In such cases, expert judgment, user input, and scenario-based estimation techniques are used. Randomizing tools and unbiased estimation techniques, such as a random number wheel, can sometimes be applied during workshops or brainstorming sessions to simulate uncertainty and encourage objective probability assessment.
In general, the higher the value and criticality of an information asset, the greater its exposure to potential threats. Highly integrated systems such as ERP platforms typically require advanced security controls due to their complexity and business impact.
29.2 Control Analysis
Control analysis evaluates the safeguards that are already in place or planned to reduce the likelihood that a threat will successfully exploit a vulnerability. The objective is to determine an overall likelihood rating that reflects the effectiveness of existing controls within the threat environment.
Security controls can be broadly categorized into technical and non-technical controls.
Technical Controls
Technical controls are implemented through hardware, software, and firmware to enforce security policies.
- Access control mechanisms
- Identification and authentication systems
- Encryption techniques
- Intrusion detection and prevention systems
- Audit and logging mechanisms
Non-Technical Controls
Non-technical controls focus on governance, management, and operational aspects of security.
- Security policies and procedures
- Personnel security and training
- Physical and environmental security
Both technical and non-technical controls can be further classified as:
- Preventive controls: Designed to stop security violations before they occur (e.g., access control, encryption).
- Detective controls: Designed to identify and alert on security violations (e.g., audit trails, intrusion detection).
Likelihood Determination
An overall likelihood rating is derived by considering the following factors:
- Threat-source motivation and capability
- The nature and severity of the vulnerability
- The existence and effectiveness of current controls
29.3 Impact Analysis
Impact analysis measures the adverse consequences that may result if a threat successfully exploits a vulnerability. Before conducting this analysis, organizations must understand:
- System mission and objectives
- System and data criticality
- System and data sensitivity
The impact of a security incident is commonly assessed in terms of its effect on the three core security objectives:
- Loss of Integrity: Unauthorized or accidental modification of data reduces trust and may lead to further security breaches.
- Loss of Availability: System downtime can disrupt operations and negatively affect organizational missions.
- Loss of Confidentiality: Unauthorized disclosure of sensitive information can result in legal penalties, reputational damage, or loss of public trust.
29.4 Risk Determination and Exposure Analysis
Risk determination focuses on assessing how exposed information assets are to identified threats and quantifying potential losses. This analysis applies to both physical and logical threats and typically involves:
- Identifying existing physical and logical controls
- Interviewing employees and stakeholders
- Conducting walkthroughs and inspections
- Evaluating the reliability and effectiveness of controls
Scenarios are often developed to understand how a threat could bypass controls and cause damage. Risk identification should not be confused with risk mitigation, which occurs after risk assessment.
Risk Mitigation Options
- Risk Assumption: Accepting the risk and continuing operations.
- Risk Avoidance: Eliminating the source of risk by discontinuing certain activities.
- Risk Limitation: Implementing controls to reduce impact.
- Risk Planning: Developing and maintaining a formal risk mitigation plan.
- Risk Transference: Transferring risk through insurance or outsourcing.
29.5 Occurrence of Threats
When a threat materializes, outcomes depend on whether controls exist and how effective they are. Controls may fully prevent damage, partially mitigate it, or fail altogether. Over time, cumulative losses can pose a significant threat to system sustainability.
There is no universal standard for acceptable loss levels. Organizations must define materiality thresholds approved by IT governance authorities and review them regularly through audits and assessments.
29.6 Computing Expected Loss
Expected loss is calculated using the following formula, with the two probabilities converted from percentages to fractions (divided by 100) before multiplying:
A = B × C × D
- A = Expected loss
- B = Probability of threat occurrence (%)
- C = Probability of threat success (%), i.e. the probability that existing controls fail to stop the threat
- D = Financial or operational loss if the threat succeeds
Control Adjustment
Control adjustment evaluates whether additional or modified controls should be implemented. The cost of controls should never exceed the potential benefit gained from reduced risk exposure. Recommended controls must be cost-effective, integrated, and aligned with organizational goals.
Factors influencing control recommendations include effectiveness, legal requirements, organizational policy, operational impact, and system reliability. Existing controls should be reviewed, enhanced, or retired as appropriate, ensuring that security remains practical, sustainable, and responsive to evolving threats.
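A worked computation of the expected-loss formula from 29.6 together with the cost-benefit rule from Control Adjustment, added here as an illustration and not taken from the text. The threat register figures are constructed, B and C are given as percentages exactly as the formula defines them, and the endpoint-protection control and its cost are hypothetical.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Threat:
    name: str
    occurrence_pct: float  # B: probability of threat occurrence, in %
    success_pct: float     # C: probability that the threat succeeds (controls fail), in %
    loss: float            # D: loss if the threat succeeds, in currency units

def expected_loss(t: Threat) -> float:
    """A = B x C x D; B and C are percentages, so divide by 100 before multiplying."""
    return (t.occurrence_pct / 100.0) * (t.success_pct / 100.0) * t.loss

def rank_by_expected_loss(threats: list[Threat]) -> list[Threat]:
    """Rank the threat register so the largest expected loss comes first."""
    return sorted(threats, key=expected_loss, reverse=True)

def control_benefit(t: Threat, new_success_pct: float) -> float:
    """Reduction in expected loss if a control lowers the success probability C."""
    return expected_loss(t) - expected_loss(replace(t, success_pct=new_success_pct))

def control_is_cost_effective(t: Threat, control_cost: float, new_success_pct: float) -> bool:
    """Control adjustment rule: the control's cost must not exceed the benefit it buys."""
    return control_cost <= control_benefit(t, new_success_pct)

# Constructed sample register; the figures are illustrative, not from any real assessment.
REGISTER = [
    Threat("Fire in server room", occurrence_pct=2.0, success_pct=80.0, loss=500_000.0),
    Threat("Malware outbreak", occurrence_pct=60.0, success_pct=25.0, loss=120_000.0),
    Threat("Unauthorized physical intrusion", occurrence_pct=10.0, success_pct=30.0, loss=50_000.0),
]

if __name__ == "__main__":
    for t in rank_by_expected_loss(REGISTER):
        print(f"{t.name:32s} expected loss = {expected_loss(t):>10,.2f}")
    malware = REGISTER[1]
    # Hypothetical control: endpoint protection cutting malware success from 25% to 5%
    benefit = control_benefit(malware, 5.0)
    for cost in (10_000.0, 20_000.0):
        verdict = "justified" if control_is_cost_effective(malware, cost, 5.0) else "not justified"
        print(f"control costing {cost:,.0f} against benefit {benefit:,.0f}: {verdict}")
```

The same control is justified at one price and rejected at another, which is the comparison the control adjustment rule asks for before any new safeguard is recommended.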