Difference between revisions of "Threat"

Revision as of 00:47, 18 July 2015

The definitions of "Threat" and "Hazard" are very similar, so maybe the terms do not need to be distinguished. A CI-specific usage example for the above terms can be found on the "Hazard" entry.

Definitions

European Definitions

Any indication, circumstance, or event with the potential to disrupt or destroy CI, or any element thereof. ^[1]

The European Commission's CBRN Glossary^[2] defines threat as

The likelihood of occurrence of a hazard or event with a harmful effect. In contrast to risk, a threat is not related to the impact it may cause. In the context of public health, a threat is defined as a substance, condition or event, which by its presence has the potential to rapidly harm an exposed population, sufficiently lead to a major crisis. ^[2]

Other International Definitions

ITU-T

A threat is a potential violation of security. ^[3]

Manace: Violation potentielle de la sécurité. ^[4]

Amenaza: Violación potencial de la seguridad. ^[5]

NATO CEP / EAPC

A threat is any event that has the potential to disrupt or destroy critical infrastructure, or any element thereof. ^[6]

An all hazards approach to threat includes accidents, natural hazards as well as deliberate attacks.

EU Project VITA

A threat is a source of impending danger or harm. ^[7]

The semantics of that definition in the context of CI is that a threat to a CI may give rise to serious consequences to critical societal functions, including the supply chain, health, safety, security, economic or social well-being of people.

National Definitions

Brazil

Ameaça: causa potencial de um incidente indesejado, que pode resultar em dano para um sistema ou organização. ^[8]
Threat is the cause potential of an undesired incident which may result in harm to a system or organisation.

Canada

Threat is the presence of a hazard and an exposure pathway.

Présence d’un danger et d’une voie d’exposition. ^[9] ^[10]

Threats may be natural or human-induced, either accidental or intentional.

Czech Republic

Potential cause of an unwanted incident which may result in damage to a system or organization (Potenciální příčina nechtěného incidentu, jehož výsledkem může být poškození systému nebo organizace). ^[11]

Finland

Uhka: mahdollisesti toteutuva haitallinen tapahtuma tai kehityskulku.

Threat is possibly realising adverse event or development. -unofficial translation- ^[12]

France

(in French) Menace: tout événement physique, phénomène ou activité humaine potentiellement préjudiciable, susceptible de provoquer des décès ou des lésions corporelles, des dégâts matériels ou immatériels, des perturbations sociales et économiques ou une détérioration de l’environnement. Pour la démarche de sécurité des secteurs d’activités d’importance vitale, les menaces seront réputées avoir un caractère malveillant ou être de nature terroriste. ^[13]

A non-official translation is the following:

Any physical event, phenomenon or human activities potentially harmful, that could cause death or injuries, material or immaterial damage, social and economic disruption or environmental degradation. Meant for a security approach of vital activity sectors (CI-sectors), threats will be considered as having a malicious character or as terrorist activities.

Germany

Eine Bedrohung ist ganz allgemein ein Umstand oder Ereignis, durch den oder das ein Schaden entstehen kann. ^[14]

Der Schaden bezieht sich dabei auf einen konkreten Wert wie Vermögen, Wissen, Gegenstände oder Gesundheit. Übertragen in die Welt der Informationstechnik ist eine Bedrohung ein Umstand oder Ereignis, der oder das die Verfügbarkeit, Integrität oder Vertraulichkeit von Informationen beeinträchtigen kann, wodurch dem Besitzer bzw. Benutzer der Informationen ein Schaden entstehen kann. Beispiele für Bedrohungen sind höhere Gewalt, menschliche Fehlhandlungen, technisches Versagen oder vorsätzliche Handlungen. Trifft eine Bedrohung auf eine Schwachstelle (insbesondere technische oder organisatorische Mängel), so entsteht eine Gefährdung.

India

Threat is a circumstance or event with the potential to cause harm to a system, including the destruction, unauthorised disclosure, or modification of data and/or denial of service. ^[15]

Kingdom of Saudi Arabia

Threat is an agent that exploits security vulnerabilities and risks. ^[16]

Netherlands

A threat is an event or a process which potentially can lead to an incident.

Een gebeurtenis of een proces die in potentie tot een incident kan leiden. ^[17]

Norway

An entity that constitutes a real or potential threat to an identifiable goal or in a limited and identifiable context. ^[18]
Trusselaktør: entitet som utgjør en reell eller potensiell trussel mot et identifiserbart mål eller i en avgrenset og identifiserbar sammenheng. ^[19]

Republic of Trinidad & Tobago

A natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property. ^[20]

Singapore

A man-made or natural situation or condition that can cause disruption to an organization’s operations or services. ^[21]

United Kingdom (UK)

Threat is the intent and capacity to cause loss of life or create adverse consequences to human welfare (including property and the supply of essential services and commodities), the environment or security. ^[22]

United States

DHS

A natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property. ^[23]

NIST

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access,destruction, disclosure, modification of information, and/or denial of service. ^[24]

Other Definitions

Ontario (Canada)

Threat is a person, thing or event that has the potential to cause harm or damage. ^[25]

Menace: personne, chose ou événement considéré comme une cause probable de préjudice ou de dommage. ^[25]

Standard Definitions

ISO/PAS 22399:2007

Potential cause of an unwanted incident, which may result in harm to individuals, a system or organization, the environment or the community. ^[26]

ISO/IEC 27000:2014

Potential cause of an unwanted incident, which may result in harm to a system or organization. ^[27]

Notes

↑ EC COM(2006) 787 final, Directive of the Council on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection, EC, Brussels 12.12.2006.
↑ ^2.0 ^2.1 European Commission's CBRN Glossary, 2012
↑ ITU Security in Telecommunications and Information Technology: An overview of issues and the deployment of existing ITU-T Recommendations for secure telecommunications, ITU-T, Geneva (2012) - ITU-T X-800.
↑ Sécurité dans les télécommunications et les technologies de l’information: Aperçu des problèmes et présentation des Recommandations UIT-T existantes sur la sécurité dans les télécommunications, ITU-T, Geneva (2012) - ITU-T X.800.
↑ Seguridad de las telecomunicaciones y las tecnologías de la información: Exposición general de asuntos relacionados con la seguridad de las telecomunicaciones y la aplicación de las Recomendaciones vigentes del UIT-T, ITU-T, Geneva (2012) - ITU-T X.800.
↑ NATO EAPC(SCEPC) lexicon 2003.
↑ EU VITA deliverable.
↑ GUIA DE REFERÊNCIA PARA A SEGURANÇA DAS INFRAESTRUTURAS CRÍTICAS DA INFORMAÇÃO Versão 01 (Nov. 2010)
↑ [http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/mrgnc-mngmnt-frmwrk/index-eng.aspx An Emergency Management Framework for Canada (Second Edition)
↑ Vocabulaire de la gestion des urgencies/Emergency Management Emergency Management Vocabulary 281 (2012)
↑ Cyber Security Explanatory Glossary (2013)
↑ Vocabulary of Comprehensive Security. Helsinki (TSK 47) (2014)
↑ INSTRUCTION GENERALE INTERMINISTERIELLE RELATIVE A LA SECURITE DES ACTIVITES D’IMPORTANCE VITALE N°6600/SGDSN/PSE/PSN du 7 janvier 2014, PREMIER MINISTRE, SECRETARIAT GENERAL DE LA DEFENSE ET DE LA SECURITE NATIONALE, Direction Protection et Sécurité de l’Etat N° NOR: PRMD1400503J
↑ Glossar und Begriffsdefinitionen BSI
↑ India's DGQA Cyber Security Policy (2015)
↑ Developing National Information Security Strategy for the Kingdom of Saudi Arabia NISS draft 7
↑ Zakboekje Preventie Cybercrime (2008
↑ Cyber Security Strategy for Norway (2012)
↑ Nasjonal strategi for informasjonssikkerhet (2012)
↑ Comprehensive Disaster Management Policy Framework for Trinidad and Tobago
↑ Singapore Standard SS 540: 2008 on Business Continuity
↑ Glossary - Revision to Emergency Preparedness, Cabinet Office (2012)
↑ DHS Risk Lexicon 2010 Edition, September 2010
↑ NISTIR 7298 rev 2: Glossary of Key Information Security Terms, May 2013/NIST SP 800 series
↑ ^25.0 ^25.1 Province of Ontario’s Emergency Management Glossary of Terms
↑ ISO/PAS 22399:2007 Societal security - Guideline for incident preparedness and operational continuity management.
↑ ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary

[1] EC COM(2006) 787 final, Directive of the Council on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection, EC, Brussels 12.12.2006.

[CBRN-2] 2.0 ^2.1 European Commission's CBRN Glossary, 2012

[3] ITU Security in Telecommunications and Information Technology: An overview of issues and the deployment of existing ITU-T Recommendations for secure telecommunications, ITU-T, Geneva (2012) - ITU-T X-800.

[4] Sécurité dans les télécommunications et les technologies de l’information: Aperçu des problèmes et présentation des Recommandations UIT-T existantes sur la sécurité dans les télécommunications, ITU-T, Geneva (2012) - ITU-T X.800.

[5] Seguridad de las telecomunicaciones y las tecnologías de la información: Exposición general de asuntos relacionados con la seguridad de las telecomunicaciones y la aplicación de las Recomendaciones vigentes del UIT-T, ITU-T, Geneva (2012) - ITU-T X.800.

[6] NATO EAPC(SCEPC) lexicon 2003.

[7] EU VITA deliverable.

[8] GUIA DE REFERÊNCIA PARA A SEGURANÇA DAS INFRAESTRUTURAS CRÍTICAS DA INFORMAÇÃO Versão 01 (Nov. 2010)

[9] [http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/mrgnc-mngmnt-frmwrk/index-eng.aspx An Emergency Management Framework for Canada (Second Edition)

[canada-10] Vocabulaire de la gestion des urgencies/Emergency Management Emergency Management Vocabulary 281 (2012)

[11] Cyber Security Explanatory Glossary (2013)

[TSK-12] Vocabulary of Comprehensive Security. Helsinki (TSK 47) (2014)

[13] INSTRUCTION GENERALE INTERMINISTERIELLE RELATIVE A LA SECURITE DES ACTIVITES D’IMPORTANCE VITALE N°6600/SGDSN/PSE/PSN du 7 janvier 2014, PREMIER MINISTRE, SECRETARIAT GENERAL DE LA DEFENSE ET DE LA SECURITE NATIONALE, Direction Protection et Sécurité de l’Etat N° NOR: PRMD1400503J

[14] Glossar und Begriffsdefinitionen BSI

[15] India's DGQA Cyber Security Policy (2015)

[16] Developing National Information Security Strategy for the Kingdom of Saudi Arabia NISS draft 7

[17] Zakboekje Preventie Cybercrime (2008

[18] Cyber Security Strategy for Norway (2012)

[19] Nasjonal strategi for informasjonssikkerhet (2012)

[20] Comprehensive Disaster Management Policy Framework for Trinidad and Tobago

[21] Singapore Standard SS 540: 2008 on Business Continuity

[22] Glossary - Revision to Emergency Preparedness, Cabinet Office (2012)

[23] DHS Risk Lexicon 2010 Edition, September 2010

[NISTIR7298-24] NISTIR 7298 rev 2: Glossary of Key Information Security Terms, May 2013/NIST SP 800 series

[Ontario-25] 25.0 ^25.1 Province of Ontario’s Emergency Management Glossary of Terms

[26] ISO/PAS 22399:2007 Societal security - Guideline for incident preparedness and operational continuity management.

[ISO27000-14-27] ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

@@ Line 2: / Line 2: @@
 ==Definitions==
-=== European Definitions ===
+=== [[EU|European Definitions]] ===
 {{definition|Any indication, circumstance, or [[event]] with the potential to disrupt or destroy [[CI]], or any element thereof. <ref>[http://eur-lex.europa.eu/LexUriServ/site/en/com%/2006/com2006_0787en01.pdf EC COM(2006) 787 final, Directive of the Council on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection, EC, Brussels 12.12.2006.]</ref>}}
@@ Line 10: / Line 10: @@
 === Other International Definitions ===
-==== ITU-T ====
+==== [[ITU-T]] ====
 {{definition|A threat is a potential violation of [[security]]. <ref>ITU Security in Telecommunications and Information Technology: An overview of issues and the deployment of existing ITU-T Recommendations for secure telecommunications, ITU-T, Geneva (2012) - ITU-T X-800.</ref>}}<br />
 {{definition|Manace: Violation potentielle de la sécurité. <ref>Sécurité dans les télécommunications et les technologies de l’information: Aperçu des problèmes et présentation des Recommandations UIT-T existantes sur la sécurité dans les télécommunications, ITU-T, Geneva (2012) - ITU-T X.800.</ref>}}<br />
@@ Line 16: / Line 16: @@
 <br />
-==== NATO CEP / EAPC ====
+==== [[NATO|NATO CEP / EAPC]] ====
 {{definition|A threat is any [[event]] that has the potential to disrupt or destroy [[Critical Infrastructure|critical infrastructure]], or any element thereof. <ref>NATO EAPC(SCEPC) lexicon 2003.</ref>}}
 <big>An [[All Hazards|all hazards]] approach to threat includes accidents, [[Natural Hazard|natural hazards]] as well as deliberate attacks.</big><br />
@@ Line 26: / Line 26: @@
 === National Definitions ===
-==== Brazil ====
+==== [[Brazil]] ====
 {{definition| Ameaça: causa potencial de um incidente indesejado, que pode resultar em dano para um sistema ou organização. <ref>[http://www.biblioteca.presidencia.gov.br/publicacoes-oficiais-1/catalogo/orgao-essenciais/gabinete-de-seguranca-institucional/guia-de-referencia-para-seguranca-de-infraestruturas-criticas-da-informacao/at_download/file GUIA DE REFERÊNCIA PARA A SEGURANÇA DAS INFRAESTRUTURAS CRÍTICAS DA INFORMAÇÃO Versão 01 (Nov. 2010)]</ref><br />Threat is the cause potential of an undesired [[incident]] which may result in [[harm]] to a system or organisation.}} <br />
-==== Canada ====
+==== [[Canada]] ====
 {{definition| Threat is the presence of a hazard and an exposure pathway.<br /><br />Présence d’un danger et d’une voie d’exposition. <ref> [http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/mrgnc-mngmnt-frmwrk/index-eng.aspx An Emergency Management Framework for Canada (Second Edition) </ref> <ref name="canada">[http://www.bt-tb.tpsgc-pwgsc.gc.ca/publications/documents/urgence-emergency.pdf Vocabulaire de la gestion des urgencies/Emergency Management Emergency Management Vocabulary 281 (2012)]</ref>}}
 Threats may be natural or human-induced, either accidental or intentional.
 <br />
-====Czech Republic====
+====[[Czech Republic]]====
 {{definition|Potential cause of an unwanted incident which may result in damage to a system or organization (Potenciální příčina nechtěného incidentu, jehož výsledkem může být poškození systému nebo organizace). <ref> [http://www.govcert.cz/download/nodeid-3555/ Cyber Security Explanatory Glossary (2013)]</ref>}}
 <br />
-====Finland====
+====[[Finland]]====
 {{definition|Uhka: mahdollisesti toteutuva haitallinen tapahtuma tai kehityskulku.<br/><br/>Threat is possibly realising adverse [[event]] or development. -''unofficial translation''- <ref name=TSK>[http://www.spek.fi/loader.aspx?id=1c66e01d-a75e-4a9a-80ec-9816340ce752 Vocabulary of Comprehensive Security. Helsinki (TSK 47) (2014)]</ref>}}<br />
-==== France ====
+==== [[France]] ====
 {{definition|(in French) Menace: tout événement physique, phénomène ou activité humaine potentiellement préjudiciable, susceptible de provoquer des décès ou des lésions corporelles, des dégâts matériels ou immatériels, des perturbations sociales et économiques ou une détérioration de l’environnement. Pour la démarche de sécurité des secteurs d’activités d’importance vitale, les menaces seront réputées avoir un caractère malveillant ou être de nature terroriste. <ref>[http://circulaire.legifrance.gouv.fr/pdf/2014/01/cir_37828.pdf INSTRUCTION GENERALE INTERMINISTERIELLE RELATIVE A LA SECURITE DES ACTIVITES D’IMPORTANCE VITALE N°6600/SGDSN/PSE/PSN du 7 janvier 2014, PREMIER MINISTRE, SECRETARIAT GENERAL DE LA DEFENSE ET DE LA SECURITE NATIONALE, Direction Protection et Sécurité de l’Etat N° NOR: PRMD1400503J] </ref>}}
 <big>
 A non-official translation is the following:</big>
 {{definition|Any physical event, phenomenon or human activities potentially harmful, that could cause death or injuries, material or immaterial [[damage]], social and economic disruption or environmental degradation. Meant for a security approach of vital activity sectors ([[CI]]-sectors),  [[threat]]s will be considered as having a malicious character or as terrorist activities.}}<br />
-==== Germany ====
+==== [[Germany]] ====
 {{definition|Eine Bedrohung ist ganz allgemein ein Umstand oder Ereignis, durch den oder das ein Schaden entstehen kann. <ref>[https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/Glossar/glossar_node.html Glossar und Begriffsdefinitionen BSI]</ref>}} Der Schaden bezieht sich dabei auf einen konkreten Wert wie Vermögen, Wissen, Gegenstände oder Gesundheit. Übertragen in die Welt der Informationstechnik ist eine Bedrohung ein Umstand oder Ereignis, der oder das die Verfügbarkeit, Integrität oder Vertraulichkeit von Informationen beeinträchtigen kann, wodurch dem Besitzer bzw. Benutzer der Informationen ein Schaden entstehen kann. Beispiele für Bedrohungen sind höhere Gewalt, menschliche Fehlhandlungen, technisches Versagen oder vorsätzliche Handlungen. Trifft eine Bedrohung auf eine Schwachstelle (insbesondere technische oder organisatorische Mängel), so entsteht eine Gefährdung.<br/>
-====India====
+====[[India]]====
 {{definition|Threat is a circumstance or [[event]] with the potential to cause [[harm]] to a system, including the destruction, unauthorised disclosure, or modification of data and/or denial of service.  <ref>[http://www.dgqadefence.gov.in/documents/pdf/cyber-security-policy-dgqa-2015.pdf India's DGQA Cyber Security Policy (2015)] </ref>}} <br />
-====Kingdom of Saudi Arabia====
+====[[Kingdom of Saudi Arabia]]====
 {{definition|Threat is an agent that exploits security vulnerabilities and risks. <ref>[http://www.mcit.gov.sa/Ar/MediaCenter/PubReqDocuments/NISS_Draft_7_EN.pdf Developing National Information Security Strategy for the Kingdom of Saudi Arabia NISS draft 7]</ref>}}
 <br />
@@ Line 55: / Line 55: @@
 {{definition|A threat is an [[event]] or a process which potentially can lead to an [[incident]].<br/><br/>Een gebeurtenis of een proces die in potentie tot een incident kan leiden. <ref>[http://www.pblq.nl/media/63123/HEC%20Zakboekje%20preventie%20cybercrime.pdf Zakboekje Preventie Cybercrime (2008]</ref>}}<br />
-==== Norway ====
+==== [[Norway]] ====
 {{definition|An entity that constitutes a real or potential threat to an identifiable goal or in a limited and identifiable context. <ref>[https://www.regjeringen.no/globalassets/upload/fad/vedlegg/ikt-politikk/cyber_security_strategy_norway.pdf Cyber Security Strategy for Norway (2012)]</ref><br />Trusselaktør: entitet som utgjør en reell eller potensiell trussel mot et identifiserbart mål eller i en avgrenset og identifiserbar sammenheng.  <ref>[https://www.regjeringen.no/globalassets/upload/fad/vedlegg/ikt-politikk/nasjonal_strategi_infosikkerhet.pdf Nasjonal strategi for informasjonssikkerhet (2012)]</ref>}}<br />
-==== Republic of Trinidad & Tobago ====
+==== [[Republic of Trinidad & Tobago]] ====
 {{definition|A natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property. <ref>[http://www.odpm.gov.tt/sites/default/files/Comprehensive%20Disaster%20Management%20Policy%20Framework%20for%20Trinidad%20and%20Tobago.pdf Comprehensive Disaster Management Policy Framework for Trinidad and Tobago]</ref>}}<br />
-====Singapore====
+====[[Singapore]]====
 {{definition|A man-made or natural situation or condition that can cause disruption to an organization’s operations or services. <ref>Singapore Standard SS 540: 2008 on Business Continuity</ref>}}<br />
-====United Kingdom (UK)====
+====[[United Kingdom|United Kingdom (UK)]]====
 {{definition|Threat is the intent and capacity to cause loss of life or create adverse consequences to human welfare (including property and the supply of essential services and commodities), the environment or security. <ref> [https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/61046/EP_Glossary_amends_18042012_0.pdf Glossary - Revision to Emergency Preparedness, Cabinet Office (2012)]</ref>}} <br />
 <br />
-==== United States ====
+==== [[United States]] ====
-=====DHS=====
+=====[[DHS]]=====
 {{definition|A natural or manmade occurrence, individual, entity, or action that has or indicates the potential to [[harm]] life, information, operations, the environment, and/or property. <ref> [http://www.dhs.gov/xlibrary/assets/dhs-risk-lexicon-2010.pdf DHS Risk Lexicon 2010 Edition, September 2010]</ref>}}
-=====NIST=====
+=====[[NIST]]=====
 {{definition|Any circumstance or event with the potential to adversely [[impact]] organizational operations (including mission, functions, image, or reputation), organizational [[Asset|assets]], individuals, other organizations, or the Nation through an information system via unauthorized access,destruction, disclosure, modification of information, and/or denial of service. <ref name="NISTIR7298"> [http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf NISTIR 7298 rev 2: Glossary of Key Information Security Terms, May 2013/NIST SP 800 series]</ref>}} <br /><br />
 ===Other Definitions===
-==== Ontario (Canada) ====
+==== [[Ontario]] ([[Canada]]) ====
 {{definition|Threat is a person, thing or [[event]] that has the potential to cause [[Harm|harm]] or damage. <ref name="Ontario">[https://www.emergencymanagementontario.ca/english/emcommunity/response_resources/GlossaryOfTerms/glossary_of_terms.html Province of Ontario’s Emergency Management Glossary of Terms ]</ref><br /><br>Menace: personne, chose ou événement considéré comme une cause probable de préjudice ou de dommage. <ref name="Ontario">[https://www.emergencymanagementontario.ca/english/emcommunity/response_resources/GlossaryOfTerms/glossary_of_terms.html Province of Ontario’s Emergency Management Glossary of Terms ]</ref>}}<br />
 === Standard Definitions ===
-==== ISO/PAS 22399:2007 ====
+==== [[ISO|ISO/PAS 22399:2007]] ====
 {{definition|Potential cause of an unwanted [[incident]], which may result in [[harm]] to individuals, a [[system]] or organization, the environment or the community. <ref>[http://www.iso.org/iso/catalogue_detail?csnumber=50295 ISO/PAS 22399:2007 Societal security - Guideline for incident preparedness and operational continuity management.]</ref>}}
-==== ISO/IEC 27000:2014 ====
+==== [[ISO|ISO/IEC 27000:2014]] ====
 {{definition|Potential cause of an unwanted [[incident]], which may result in [[harm]] to a [[system]] or organization. <ref name="ISO27000-14"> [http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=63411 ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary]</ref>}}<br />