Threat

From CIPedia
Revision as of 13:26, 1 April 2018 by Eluiijf (talk | contribs)
Jump to navigation Jump to search

The definitions of "Threat" and "Hazard" are very similar, so maybe the terms do not need to be distinguished. A CI-specific usage example for the above terms can be found on the "Hazard" entry.

Definitions

European Definitions

Any indication, circumstance, or event with the potential to disrupt or destroy CI, or any element thereof. [1]

The European Commission's CBRN Glossary[2] defines threat as

The likelihood of occurrence of a hazard or event with a harmful effect. In contrast to risk, a threat is not related to the impact it may cause. In the context of public health, a threat is defined as a substance, condition or event, which by its presence has the potential to rapidly harm an exposed population, sufficiently lead to a major crisis. [2]


ENISA

Threat is any circumstance or event with the potential to adversely impact an asset through unauthorized access, destruction, disclosure, modification of data, and/or denial of service. [3]


European Project Definitions

CIPRNet project

The CIPRNet project [4] uses the following definition:

Threat is any indication, circumstance, or event with the potential to disrupt or destroy critical infrastructure, or any element thereof (EU, 2006)


Other International Definitions

IAEA

Threat is defined as:
(1) A person or group of persons with motivation, intention and capability to commit a malicious act.
(2) A likely cause of harm to people, damage to property or harm to the environment by an individual or individuals with the motivation, intention and capability to commit a malicious act.
An entity with motivation, intention and capability to commit a malicious act.
(4) A characterization of an adversary capable of causing undesirable consequences, including the objectives, motivation and capabilities, e.g. number of potential attackers, equipment, training and attack plan.
(5) The potential cause of an unwanted incident, which may result in harm to a system or organization. [5]



ITU-T

A threat is a potential violation of security. [6]


Manace: Violation potentielle de la sécurité. [7]


Amenaza: Violación potencial de la seguridad. [8]


NATO CEP / EAPC

A threat is any event that has the potential to disrupt or destroy critical infrastructure, or any element thereof. [9]

An all hazards approach to threat includes accidents, natural hazards as well as deliberate attacks.

EU Project VITA

A threat is a source of impending danger or harm. [10]

The semantics of that definition in the context of CI is that a threat to a CI may give rise to serious consequences to critical societal functions, including the supply chain, health, safety, security, economic or social well-being of people.

National Definitions

Albania

Kërcënim/sulm kibernetik (threat/cyber attack) – konsiderohet çdo përpjekje e drejtuar/qëllimshme për të marrë akses, manipuluar, ndërhyrë ose dëmtuar integritetin, konfidencialitetin, sigurinë dhe/ose disponibilitetin e të dhënave, të një aplikimi ose të të dhënave të sistemit kompjuterik, pa patur autoritet ligjor për ta bërë këtë. [11]



Argentina

Amenaza: Una causa potencial de un incidente no deseado, el cual puede ocasionar daños a un sistema u organización. [12]



Australia

Threat: A source of harm that is deliberate or has intent to do harm. [13]



Bosnia and Herzegovina

Pretnja je potencijalni štetni fizički događaj, fenomen ili aktivnost namjernog/zlonamjernog karaktera. [14]



Brazil

Ameaça: causa potencial de um incidente indesejado, que pode resultar em dano para um sistema ou organização. [15]

Threat is the cause potential of an undesired incident which may result in harm to a system or organisation.



Burkina-Faso

Menace: Cause potentielle d’un événement indésirable, pouvant entraîner des dommages au sein d’un système ou d’un organisme. [16]



Canada

Threat is the presence of a hazard and an exposure pathway.

Présence d’un danger et d’une voie d’exposition. [17] [18]

Threats may be natural or human-induced, either accidental or intentional.

Colombia

Amenaza: Violación potencial de la seguridad (Potential violation of safety) [19]

Amenaza informática: La aparición de una situación potencial o actual donde un agente tiene la capacidad de generar una agresión cibernética contra la población, el territorio y la organización política del Estado (Ministerio de Defensa de Colombia)

Translation: A threat generally is a circumstance or event through which harm can occur.

The harm refers to a specific value such as financial assets, knowledge, items, or health.

Czech Republic

Potenciální příčina nechtěného incidentu, jehož výsledkem může být poškození systému nebo organizace. [20]

Potential cause of an unwanted incident which may result in damage to a system or organization. [21]



Egypt

Threat: Capabilities, intentions, and attack methods of adversaries to exploit, or any circumstance or event with the potential to cause harm to, information or an information system. [22]



El Salvador

Amenaza (Hazard): Peligro latente que representa la posible manifestación dentro de un período de tiempo y en un territorio particular de un fenómeno de origen natural, socio-natural o antropogénico, que puede producir efectos adversos en las personas, la producción, la infraestructura, los bienes y servicios y el ambiente. [23]

Es un factor de riesgo externo de un elemento o grupo de elementos expuestos, que se expresa como la probabilidad de que un evento se presente con una cierta intensidad, en un sitio especifico y en dentro de un periodo de tiempo definido.

Finland

Uhka: mahdollisesti toteutuva haitallinen tapahtuma tai kehityskulku.

Threat is possibly realising adverse event or development. -unofficial translation- [24]



France

(in French) Menace: tout événement physique, phénomène ou activité humaine potentiellement préjudiciable, susceptible de provoquer des décès ou des lésions corporelles, des dégâts matériels ou immatériels, des perturbations sociales et économiques ou une détérioration de l’environnement. Pour la démarche de sécurité des secteurs d’activités d’importance vitale, les menaces seront réputées avoir un caractère malveillant ou être de nature terroriste. [25]

A non-official translation is the following:

Any physical event, phenomenon or human activities potentially harmful, that could cause death or injuries, material or immaterial damage, social and economic disruption or environmental degradation. Meant for a security approach of vital activity sectors (CI-sectors), threats will be considered as having a malicious character or as terrorist activities.



Germany

Eine Bedrohung ist ganz allgemein ein Umstand oder Ereignis, durch den oder das ein Schaden entstehen kann. [26]

Der Schaden bezieht sich dabei auf einen konkreten Wert wie Vermögen, Wissen, Gegenstände oder Gesundheit. Übertragen in die Welt der Informationstechnik ist eine Bedrohung ein Umstand oder Ereignis, der oder das die Verfügbarkeit, Integrität oder Vertraulichkeit von Informationen beeinträchtigen kann, wodurch dem Besitzer bzw. Benutzer der Informationen ein Schaden entstehen kann. Beispiele für Bedrohungen sind höhere Gewalt, menschliche Fehlhandlungen, technisches Versagen oder vorsätzliche Handlungen. Trifft eine Bedrohung auf eine Schwachstelle (insbesondere technische oder organisatorische Mängel), so entsteht eine Gefährdung.

Unter Gefahr versteht man, einen Zustand, Umstand oder Vorgang, durch dessen Einwirkung ein Schaden an einem Schutzgut entstehen kann. [27]



Guatemala

Amenaza: Fenómeno intencional generado por el poder de otro Estado, o por agentes no estatales, cuya característica es la integración de la capacidad y voluntad hostil que pone en peligro de vulneración particularmente grave, a los intereses y objetivos nacionales, en parte o en todo el país que cuestiona la existencia del mismo Estado. [28]


Amenaza: Fenómeno o evento potencialmente destructor o peligroso, de origen natural o producido por la actividad humana (antrópico), que puede causar muertes, lesiones, epidemias, daños materiales, interrupción de la actividad social y económica, degradación ambiental y amenazar los medios de subsistencia de una comunidad o territorio en un determinado período de tiempo. [29]



Haiti

Menace: C’est une action réelle ou une manifestation que formule un acteur ou des acteurs, dans l’objectif de signifier à un autre ou à d’autres, la capacité ou l’intention d’occasionner un effet négatif à ses biens ou intérêts. Elle implique l’existence d’une volonté de causer un dommage aux biens ou intérêts d’autrui. [30]



Hong Kong

威脅 : 可能對機構及其資產有害的潛在保安因素。

Threat: A potential violation of security that may cause harm to an organisation and its assets. [31]



India

Threat is a circumstance or event with the potential to cause harm to a system, including the destruction, unauthorised disclosure, or modification of data and/or denial of service. [32]



Japan

脅威: セキュリティの侵害についての潜在的可能性。これは、セキュリティを侵害し、加害をもたらす可能性がある状況、能力、行為もしくはイベントがあるとき存在する.

(Cyber) Threat is a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. [33]



Kingdom of Saudi Arabia

Threat is an agent that exploits security vulnerabilities and risks. [34]



Mexico

Amenaza(s): ​Cualquier posible acto que puedacausaralgúntipodedañoalosactivosde información de las dependencias o entidades de la APF, los Poderes Legislativo y Judicial, los órganos constitucionales autónomos, las empresas productivas del Estado, los Gobiernos​ ​Estatales,​ ​Municipales​ ​y​ ​Delegacionales,​ ​así​ ​como​ ​los​ ​particulares. [35]



Morocco

Menace: Cause potentielle d’un incident indésirable, pouvant entraîner des dommages au sein d’un système ou d’une entité. [36]



Netherlands

A threat is an event or a process which potentially can lead to an incident.

Een gebeurtenis of een proces die in potentie tot een incident kan leiden. [37]

Het hogere doel (intentie) kan zijn het verstevigen van de concurrentiepositie; politiek/landelijk gewin, maatschappelijke ontwrichting of levensbedreiging. [38]



Norway

Trusselaktør: entitet som utgjør en reell eller potensiell trussel mot et identifiserbart mål eller i en avgrenset og identifiserbar sammenheng. [39]

Threat: an entity that constitutes a real or potential threat to an identifiable goal or in a limited and identifiable context. [40]



Oman

Threa": A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. [41]



Philippines

Cyber threats are events, situations and conditions that tend to reduce, degrade and destroy digital infrastructures. [42]


Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. [43]


Threat: The potential for a threat-source to successfully exploit particular information system vulnerability. [44]



Portugal

[Definição] Ameaça: Causa potencial de incidente indesejável que pode resultar em danos para uma organização ou qualquer dos sistemas por ela utilizados. Estas ameaças podem ser acidentais ou deliberadas (com dolo) e caracterizam-se por elementos ameaçadores, alvos potenciais e métodos de ataque. [45]



Republic of Trinidad & Tobago

A natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property. [46]



Singapore

A man-made or natural situation or condition that can cause disruption to an organization’s operations or services. [47]



Slovakia

Ohrozenie: Stav systému, ktorý vzniká a trvá v dôsledku existencie a uvedomenia si potenciálneho narušenia jeho rovnovážneho stavu. Je to aktivizované riziko, ktoré pôsobí proti záujmom subjektu, a konkrétnej situácie, ktoré bezprostredne znemožňujú naplnenie jeho záujmov. [48]



Spain

Amenaza (Threat): La posibilidad de compromiso, pérdida o robo de información clasificada OTAN o de servicios y recursos que la soportan. [49]

Una amenaza puede ser definida por su origen, motivación o resultado y puede ser deliberada o accidental, violenta o subrepticia, externa o interna.

Switzerland

Als Gefährdung wird eine konkrete Gefahr bezeichnet, die für ein konkretes Schutzgut besteht. [50]

Die Gefährdung entspricht daher einem potentiellen Ereignis oder einer potentiellen Entwicklung mit möglichen Auswirkungen für ein Schutzgut.

Turkey

Tehdit: Bir kurumun veya sistemin zarar görmesi ile sonuçlanabilecek istenmeyen bir olayın potansiyel nedenini [51]

Threat: The potential cause of an incident that may cause damage to an institution or system. [52]



United Arab Emirates

Threat: A potential source of loss, harm or disruption. [53]



United Kingdom (UK)

Threat is the intent and capacity to cause loss of life or create adverse consequences to human welfare (including property and the supply of essential services and commodities), the environment or security. [54]


Threat: A potential cause of an incident or hazardous situation that may result in harm to an asset, person, system or organization. [55]


United States

DHS
A natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property. [56]
NIST
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access,destruction, disclosure, modification of information, and/or denial of service. [57]


Advanced Persistent Threat (APT): An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). [58]

These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.

US-CERT
Threat: The combination of a vulnerability, a threat actor, a motive (if the threat actor is a person or persons), and the potential to produce a harmful outcome for the organization. [59]


Uruguay

Amenaza: Causa potencial de un incidente indeseado que puede dar lugar a la perdida de la seguridad de la información. [60]



Other Definitions

Ontario (Canada)

Threat is a person, thing or event that has the potential to cause harm or damage. [61]

Menace: personne, chose ou événement considéré comme une cause probable de préjudice ou de dommage. [61]


Standard Definitions

IETF

A potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event that could cause harm. [62]



ISA-62443-*

Threat: circumstance or event with the potential to adversely affect operations (including mission, functions, image or reputation), assets, control systems or individuals via unauthorized access, destruction, disclosure, modification of data and/or denial of service. [63]



ISO/PAS 22399:2007

Potential cause of an unwanted incident, which may result in harm to individuals, a system or organization, the environment or the community. [64]


ISO/IEC 27000:2014

Potential cause of an unwanted incident, which may result in harm to a system or organization. [65]


ISO 22300:2012(en)

Potential cause of an unwanted incident, which can result in harm to individuals, a system or organization (2.2.9), the environment or the community. [66]


See also

  1. Hazard
  2. Natural Hazard
  3. Technological Hazard
  4. Vulnerability

Notes

  1. EC COM(2006) 787 final, Directive of the Council on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection, EC, Brussels 12.12.2006.
  2. 2.0 2.1 European Commission's CBRN Glossary, 2012
  3. ENISA Risk Glossary
  4. http://www.ciprnet.eu/
  5. IAEA - Nuclear Security Series Glossary Version 1.3 (November 2015)
  6. ITU Security in Telecommunications and Information Technology: An overview of issues and the deployment of existing ITU-T Recommendations for secure telecommunications, ITU-T, Geneva (2012) - ITU-T X-800.
  7. Sécurité dans les télécommunications et les technologies de l’information: Aperçu des problèmes et présentation des Recommandations UIT-T existantes sur la sécurité dans les télécommunications, ITU-T, Geneva (2012) - ITU-T X.800.
  8. Seguridad de las telecomunicaciones y las tecnologías de la información: Exposición general de asuntos relacionados con la seguridad de las telecomunicaciones y la aplicación de las Recomendaciones vigentes del UIT-T, ITU-T, Geneva (2012) - ITU-T X.800.
  9. NATO EAPC(SCEPC) lexicon 2003.
  10. EU VITA deliverable.
  11. Dokumenti i Politikave për Sigurinë Kibernetike 2015 - 2017
  12. Oficina Nacional de Tecnologías de Información ADMINISTRACION PUBLICA NACIONAL Disposición 3/2013 - Apruébase la “Política de Seguridad de la Información Modelo” (2013)
  13. Protective Security Policy Framework - Glossary Oct 2017
  14. RADNA VERZIJA OSOBLJA KOMISIJE: Procjena rizika i mapiranje smernice za upravljanje katastrofama
  15. GUIA DE REFERÊNCIA PARA A SEGURANÇA DAS INFRAESTRUTURAS CRÍTICAS DA INFORMAÇÃO Versão 01 (Nov. 2010)
  16. CIRT-BF Glossary
  17. An Emergency Management Framework for Canada (Second Edition)
  18. Vocabulaire de la gestion des urgencies/Emergency Management Emergency Management Vocabulary 281 (2012)
  19. Lineamientos de política para ciberseguridad y ciberdefensa (2011)
  20. Výkladový slovník kybernetické bezpečnosti (2013)
  21. Cyber Security Explanatory Glossary (2013)
  22. Glossary of the National Telecom Authority (NTA), Egypt
  23. Glosario de Riesgo, Ministerio de Medio Ambiente y Recursos Naturales, El Salvador
  24. Vocabulary of Comprehensive Security. Helsinki (TSK 47) (2014)
  25. INSTRUCTION GENERALE INTERMINISTERIELLE RELATIVE A LA SECURITE DES ACTIVITES D’IMPORTANCE VITALE N°6600/SGDSN/PSE/PSN du 7 janvier 2014, PREMIER MINISTRE, SECRETARIAT GENERAL DE LA DEFENSE ET DE LA SECURITE NATIONALE, Direction Protection et Sécurité de l’Etat N° NOR: PRMD1400503J
  26. Glossar und Begriffsdefinitionen BSI
  27. Glossar BBK
  28. Plan Estratégico de Seguridad de la Nación 2016-2020, Guatemala
  29. PLAN NACIONAL DE GESTIÓN INTEGRAL DEL RIESGO POR LA TEMPORADA DE DESCENSO DE TEMPERATURA EN LA REPÚBLICA DE GUATEMALA 2015-2016, Guatemala
  30. [http://[www.md.gouv.ht/Livre_Blanc.pdf LIVRE BLANC SUR LA SÉCURITÉ ET LA DÉFENSE NATIONALE POUR LE DÉVELOPPEMENT ÉCONOMIQUE ET SOCIAL DURABLE D’HAÏTI, Juin 2015 ]
  31. Glossary for Information Security Terms/資訊保安詞彙表
  32. India's DGQA Cyber Security Policy (2015)
  33. RFC2828 (Japanese translation)
  34. Developing National Information Security Strategy for the Kingdom of Saudi Arabia NISS draft 7
  35. Estragia Nacional de Ciberseguridad (November 2017)
  36. DIRECTIVE NATIONALE DE LA SECURITE DES SYSTEMES D'INFORMATION, Marocco 2013
  37. Zakboekje Preventie Cybercrime (2008
  38. NCSC, Cyber Security Beeld Nederland 5 (2015)
  39. Nasjonal strategi for informasjonssikkerhet (2012)
  40. Cyber Security Strategy for Norway (2012)
  41. Oman CERT Glossary
  42. Philippine National Cyber Security Plan 2005
  43. DND GLOSSARY OF CYBER SECURITY TERMS (v.4)
  44. DND GLOSSARY OF CYBER SECURITY TERMS (v.4)
  45. Glossário Centro National de Cibersegurança Portugal
  46. Comprehensive Disaster Management Policy Framework for Trinidad and Tobago
  47. Singapore Standard SS 540: 2008 on Business Continuity
  48. BEZPEČNOSTNÁ RADA SLOVENSKEJ REPUBLIKY
  49. CIBERSEGURIDAD. RETOS Y AMENAZAS A LA SEGURIDAD NACIONAL EN EL CIBERESPACIO, MINISTERIO DE DEFENSA (2010)
  50. Leitfaden Schutz kritischer Infrastrukturen 2015
  51. 2016-2019 UlUSAL SİBER GÜVENLİk STRATEJİSİ (Sept. 2016)
  52. Turkey's National Cyber Security Strategy 2016-2019 (2016)
  53. Abu Dhabi Safety and Security Planning Manual
  54. Glossary - Revision to Emergency Preparedness, Cabinet Office (2012)
  55. Code of Practice Cyber Security for Ships, DSTL (2017)
  56. DHS Risk Lexicon 2010 Edition, September 2010
  57. NISTIR 7298 rev 2: Glossary of Key Information Security Terms, May 2013/NIST SP 800 series
  58. NIST Special Publication 800-53 Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations (April 2013)
  59. Cyber Resilience Review (CRR): Method Description and Self-Assessment User Guide (2016)
  60. Glossary CERTuy
  61. 61.0 61.1 Province of Ontario’s Emergency Management Glossary of Terms
  62. IETF RFC449 Internet Security Glossary 2
  63. ISA-62443 series
  64. ISO/PAS 22399:2007 Societal security - Guideline for incident preparedness and operational continuity management.
  65. ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary
  66. ISO 22300:2012(en) Societal security — Terminology