Access: The ability, right, or permission to approach, enter, communicate with the target to exploit a vulnerability to cause an incident. Access can also be granted via a proxy.
Actor: An individual, group, organization, or nation-state whose actions may cause an incident. Actors fall into two categories depending on their intent—hostile and non-hostile. Hostile actors intend to harm or inappropriately use critical IT Sector functions and sub-functions to cause an incident, and these actors conduct deliberate actions for that result. Non-hostile actors do not intend to inappropriately use critical IT Sector functions and sub-functions to cause an incident, but their action or inaction causes one.
Actor Autonomy: The autonomy by which the actor performs their daily duties.
Capabilities: The combination of resources and access of an actor to damage, disrupt, or destroy critical IT Sector functions.
Careless: Operating in a negligent manner with wanton or reckless disregard of policies, plans, and procedures.
Confidentiality: The unauthorized disclosure of information residing on information systems that support the critical sub-function.
Consequence: The effect of an event, incident, or occurrence. For the purposes of the IT Sector Baseline Risk Assessment, the expected range of direct and indirect impacts that can occur should a threat exploit vulnerabilities in a critical function.
First-order impacts: Consequences that directly affect the critical IT Sector function.
Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of critical IT Sector functions and sub-functions.
Intent: The purpose of an actor’s operation (i.e., strategic objective) and the tactical outcome used to achieve that objective.
Likelihood of threat: The probability of an incident occurring. Many factors need to be considered in making this assessment ranging from the chance occurrence of a natural event to the deliberate or accidental act of an actor.
Limits: The legal and ethical codes and/or beliefs that may constrain an actor. When determining actor limits, the maximum or worst case scenario should be assumed.
Manmade Threat: Incidents that are either enabled by or caused by human beings, such as unintentional acts (e.g., inadvertent data entry) or deliberate actions.
Natural Threat: A non-manmade incident caused by biological, geological, seismic, hydrologic, or meteorological conditions or processes in the natural environment. The threat posed by natural events is dependant on the location, community infrastructure, and climate. Natural threats will be assessed using a different process than that being used to analyze manmade threats from various actors.
Policy Adherence: A determination of the attitude the actor has towards function/sub-function, corporate, organizational, or other policies.
Reckless: Operating in a negligent manner in willful or wanton disregard of policies, plans, and procedures.
Resources: The sophistication, money, people (including skill level), time, and tools that the actor uses to cause an incident.
Risk: The potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.
Role in Function: Determine the role the actor plays within the function considering access to critical systems as well as the actors overall autonomy within the function.
Second-order impacts: Consequences that affect entities inside and outside the IT Sector that depend on the function or sub-function.
Skill level: The special training or expertise that the actor possesses and/or requires to cause an incident.
Sophistication: An actor’s ability to align, structure, integrate, innovate, and develop the necessary means to cause an incident.
Strategic Objective: What the actor hopes to accomplish by causing an incident (i.e., motivation or “why”). In the case of an accident or unintentional incident, the strategic objective will be articulated as “No stated objective/unintentional.”
Tactical Outcome: What the actor does or does not do to cause an incident.
Tactical Means: The specific action or inaction that enables the tactical outcome (i.e., how the tactical outcome is realized). These actions or inactions impact the target.
Target: The people, process, technology, or physical elements of critical IT Sector functions and/or sub-functions destroyed, incapacitated, or exploited to cause an incident.
Threat: The natural or manmade incidents (intentional or unintentional) that would be detrimental to the IT Sector.
Tools: The technology, materials, or instruments used to cause an incident.
Visibility: The extent to which an actor’s identity is hidden, either through their own actions or through other circumstances.
Vulnerability: A physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard.
Work Environment Stress: A measure of the stress, both physical and psychological, placed upon the actor by their work environment.