Run a workshop with stakeholders
Running a workshop with the key stakeholders of the information system allows you to more accurately identify its risks.
Workshops — different perspectives and skill sets
There are many tools and techniques that can be used for working together, but we find that multi-disciplinary workshops are the most effective. They make sure that you’re seeing multiple perspectives and drawing on the different skill sets of each stakeholder.
Identifying risks — do not skip or skim over this step
Being thorough in identifying risks to an information system is critical. If a risk is not identified at this stage, it will not be included in the risk analysis phase.
Risks
A risk is a threat that can exploit a vulnerability in an information system. This results in an undesirable outcome that prevents, degrades or delays your organisation in achieving its business objectives.
Workshop for identifying risks
In this workshop, you and the participants discuss the sources of threats and their possible reasons for occurring. You may need to schedule a follow-up workshop to:
- describe the risk scenarios
- list the causes of each risk
- list the effects if the risks happen.
What can go wrong with workshops
You might miss identifying risks if:
- you have not included all stakeholders that are relevant to the information system
- people are not committed to setting up a successful risk assessment.
See also: Setting up successful risk assessments.
Sources of threats to an information system
Government organisations can decide whether they need to create risk scenarios for each threat group, for specific threats, or both.
Threat groups and their types
These lists are for helping you to get the workshop discussions going — they are not complete lists of all possible threats to an information system.
Individuals
- Employees or contractors
- Customers or clients
- Service provider employees or contractors
- Hackers
- Hacktivists or activists
- Criminals
- Terrorists
External organisations
- Service providers
- Hacktivist or activist groups
- Foreign governments
- State-sponsored action groups
- Organised crime syndicates
- Terrorist groups
Technical events
- Malicious code — for example, viruses and worms
- Defective code
- Equipment failure
- Failure of air-conditioning
- Loss of power supply
Accidental events
- Fire
- Water damage
- Major accident
- Destruction of equipment or media
Natural events
- Weather — for example, an electrical storm
- Earthquake
- Volcanic eruption
- Flood
Possible reasons for threats from individuals and external organisations
Government organisations can decide if it’s important to consider the intent of the threat source — their actions may be accidental, deliberate or malicious.
Individuals
Individuals might exploit a vulnerability in an information system to:
- minimise their effort to complete a process or procedure
- receive a financial gain
- seek revenge
- gain knowledge or information
- assert power
- achieve peer recognition and respect
- satisfy curiosity
- further political or social aims
- terrorise certain target groups or individuals
- enhance personal status with other individuals or groups.
External organisations
External organisations might exploit a vulnerability in an information system to:
- gain a competitive advantage
- achieve an economic advantage
- get a military advantage
- acquire a political advantage
- further political or social aims
- receive a financial gain
- terrorise certain target groups.
Other factors
The motivation of individuals and external organisations to exploit vulnerabilities in an information system might be strengthened or weakened by other factors, such as:
- available equipment
- quality of equipment
- expertise
- experience
- opportunities being available — for example, an employee has full access to source code or an information system is exposed to the internet.