Special Publication 800-39 Managing Information Security Risk
Organization, Mission, and Information System View
Threat Sources
Threat sources cause events having undesirable consequences or adverse impacts on organizational operations and
assets, individuals, other organizations, and the Nation. Threat sources include: (i) hostile cyber/physical attacks; (ii)
human errors of omission or commission; or (iii) natural and man-made disasters. For threats due to hostile cyber
attacks or physical attacks, organizations provide a succinct characterization of the types of tactics, techniques, and
procedures employed by adversaries that are to be addressed by safeguards and countermeasures (i.e., security controls)
deployed at Tier 1 (organization level), at Tier 2 (mission/business process level), and at Tier 3 (information system
level)—making explicit the types of threat sources that are to be addressed as well as making explicit those not being
addressed by the safeguards/countermeasures. Adversaries can be characterized in terms of threat levels (based on
capabilities, intentions, and targeting) or with additional detail. Organizations make explicit any assumptions about
threat source targeting, intentions, and capabilities. Next, organizations identify a set of representative threat events.
This set of threat events provides guidance on the level of detail with which the events are described. Organizations
also identify conditions for when to consider threat events in risk assessments. For example, organizations can restrict
risk assessments to those threat events that have actually been observed (either internally or externally by partners or
peer organizations) or alternatively, specify that threat events described by credible researchers can also be considered.
Finally, organizations identify the sources of threat information found to be credible and useful (e.g., sector Information
Sharing and Analysis Centers [ISACs]). Trust relationships determine from which partners, suppliers, and customers
threat information is obtained, as well as the expectations placed on those partners, suppliers, and customers in
subsequent risk management process steps. By establishing common starting points for identifying threat sources at
Tier 1, organizations provide a basis for aggregating and consolidating the results of risk assessments at Tier 2
(including risk assessments conducted for coalitions of missions and business areas or for common control providers)
into an overall assessment of risk to the organization as a whole. At Tier 2, mission/business owners may identify
additional sources of threat information specific to organizational missions or business functions. These sources are
typically based on: (i) a particular business or critical infrastructure sector (e.g., sector ISAC); (ii) operating
environments specific to the missions or lines of business (e.g., maritime, airspace); and (iii) external dependencies
(e.g., GPS or satellite communications). The characterization of threat sources is refined for the missions/business
functions established by organizations—with the results being that some threat sources might not be of concern, while
others could be described in greater detail. At Tier 3, program managers, information system owners, and common
control providers consider the phase in the system development life cycle to determine the level of detail with which
threats can be considered. Greater threat specificity tends to be available later in the life cycle.
Vulnerabilities
Organizations identify approaches used to characterize vulnerabilities, consistent with the characterization of threat
sources and events. Vulnerabilities can be associated with exploitable weaknesses or deficiencies in: (i) the hardware,
software, or firmware components that compose organizational information systems (or the security controls employed
within or inherited by those systems); (ii) mission/business processes and enterprise architectures (including embedded
information security architectures) implemented by organizations; or (iii) organizational governance structures or
processes. Vulnerabilities can also be associated with the susceptibility of organizations to adverse impacts,
consequences, or harm from external sources (e.g., physical destruction of non-owned infrastructure such as electric
power grids). Organizations provide guidance regarding how to consider dependencies on external organizations as
vulnerabilities in the risk assessments conducted. The guidance can be informed by the types of trust relationships
established by organizations with external providers. Organizations identify the degree of specificity with which
vulnerabilities are described (e.g., general terms, Common Vulnerability Enumeration [CVE] identifiers, identification
of weak/deficient security controls), giving some representative examples corresponding to representative threats.
Organizational governance structures and processes determine how vulnerability information is shared across
organizations. Organizations may also identify sources of vulnerability information found to be credible and useful. At
Tier 2, mission/business owners may choose to identify additional sources of vulnerability information (e.g., a sector
ISAC for information about vulnerabilities specific to that sector). At Tier 3, program managers, information system
owners, and common control providers consider the phase in the system development life cycle, and in particular the
technologies included in the system, to determine the level of detail with which vulnerabilities can be considered.
Organizations make explicit any assumptions about the degree of organizational or information system vulnerability to
specific threat sources (by name or by type).
Consequences and Impact
Organizations provide guidance on how to assess impacts to organizational operations (i.e., mission, functions, image,
and reputation), organizational assets, individuals, other organizations, and the Nation (e.g., using FIPS 199, CNSS
Instruction 1253, or a more granular approach). Organizations can experience the consequences/impact of adverse
events at the information system level (e.g., failing to perform as required), at the mission/business process level (e.g.,
failing to fully meet mission/business objectives), and at the organizational level (e.g., failing to comply with legal or
regulatory requirements, damaging reputation or relationships, or undermining long-term viability). Organizations
determine at Tier 1 which consequences and types of impact are to be considered at Tier 2, the mission/business
CHAPTER 3 PAGE 35