Electricity (asset): IT requires electricity to work.
Sensitive information (asset): [elaborate as appropriate]
Employee (threat agent): a person employed by an organisation for wages or salary. They pose a threat because they might inadvertently act against the interests of the organisation. In contrast to contractors, their loyalty lies with the organisation.
Fire, water and adverse operating conditions (threat agent): These pose a threat as at one extreme they may prevent the IT from working properly and at the other destroy it completely, along with personnel and the place of work etc. Adverse operating conditions include cyclones, dust storms, earthquakes etc., which can lead to destruction through building collapse.
Suppliers (threat agent): third party organisations that supply components that form part of the organisation's product(s). The term is defined in ISO 9001 to describe the supply chain thus: supplier --> organisation --> customer
Arbitrary program code can be executed (vulnerability): a common software vulnerability (e.g. a buffer overflow) that allows an attacker to cause the victim's computer to execute a short program of the attacker's creation.
Component failure (vulnerability): electrical components (resistors, capacitors, integrated circuits etc.) may fail after a period of use.
Ease by which software can be changed (vulnerability): The whole value of software is the ease by which it can be changed. The idea is, of course, to change the software for the better, but it could also be changed for the worse and therein lies the vulnerability.
Electromagnetic radiation (vulnerability): All electrical devices create electric fields when they are operated. It is possible to detect these and determine, for example, what information is being displayed on a computer screen. The strength of the signals is a function of the strength of the source of radiation, the distance between it and the receiver and the nature of any intervening obstacles.
Ignorance, misunderstanding and human fallibility (vulnerability): People, however well intentioned, may act out of ignorance of what is expected of them to maintain security. They may misunderstand what to do and they may make mistakes.
Information containers are not particularly heavy and can be easily moved (vulnerability): Such is the nature of modern day computing that a great deal of information can be packed into a very small device. Because such devices are easily transported, a great deal of information can be lost at once.
Information containers can be damaged/destroyed (vulnerability): being physical devices, information containers are not impervious to damage or destruction.
Information is extractable from its container (vulnerability): The utility of a container lies in the fact that information, once deposited in it, can be extracted. There is an intended way to do this, but there may be other ways as well. For example, a hard disc could be removed from the computer that uses it and put into another in order to read it.
Need for power and favourable operating conditions (vulnerability): Without power and favourable operating conditions computers will either not function at all, or not function reliably.
People are gullible (vulnerability): People can be the victims of social engineering and persuaded to disclose security sensitive information such as passwords.
Adverse press coverage (impact): A security incident may attract adverse publicity in the press and other forms of media. On a scale of 1-5 this impact has been rated as a serious impact.
Fraud (impact): On a scale of 1-5 this impact has been rated as a grave impact if it is performed by an insider and serious impact if performed by an outsider.
Inability to carry out some or all of our business (impact): On a scale of 1-5 this impact has been rated as a maximum of prejudicial impact dependent on how much of our organisation is affected.
Loss of the monetary value of assets (impact): Some assets possess a monetary value, being for example the cost of replacement. On a scale of 1-5 this impact has been rated as a maximum of prejudicial impact.
Unanticipated costs (impact): A security incident may result in extra costs. On a scale of 1-5 this impact has been rated as a serious impact.
Undesirable disclosure of information (impact): On a scale of 1-5 this impact has been rated as a maximum of prejudicial impact depending on the sensitivity of the information disclosed.
Template IMS produced by Gamma Secure Systems Limited. Gamma is an ISO/IEC 27001:2005 and BS EN ISO 9001:2000 registered company, certified for the provision of information security consultancy. BSI certificate numbers IS 85916 and FS 30710. Gamma Secure Systems, Diamond House, Frimley Road, Camberley, Surrey, GU15 2PS, UK. Tel: +44 1276 702500 - Fax: +44 1276 692903. Use of this Template IMS is governed by a EULA. Template reference 00-00, copyright © Gamma Secure Systems Limited, 2007-8
TemplateIMSDemo
Page last updated: 17 March, 2008