Below is a standard list of information security risks. The list is an example: you should always look at your own situation and tailor the risks to your own circumstances. It does, however, provide a starting point and saves a lot of work. Suggestions and improvements are always welcome. Do you want to know more or need support? Please contact us.
Version 3.0: 25-11-2024

| # | Risk |
|---|------|
| 1 | User makes an unconscious mistake resulting in (digital) sensitive information being accessed by unauthorized individuals. |
| 2 | Hacker deceives a user, leading to unauthorized access to sensitive information. |
| 3 | Hacker tricks a user into making a wrong action or payment, resulting in financial damage. |
| 4 | Disgruntled (former) employee publishes/leaks information. |
| 5 | Employee accidentally leaves physical information lying around, allowing unauthorized access to sensitive information. |
| 6 | Employee lacks sufficient expertise for their job, causing a disruption in information provision. |
| 7 | Uncertainty in roles and/or functions and their associated information rights leads to overly broad authorization and thereby unauthorized access to information. |
| 8 | Changes in roles/functions are not properly managed, resulting in a buildup of rights and consequently unauthorized access to information. |
| 9 | Employee sells sensitive and valuable (personal) data for financial gain, resulting in unauthorized access. |
| 10 | Employee (with privileged rights) makes a (configuration) mistake, allowing unauthorized access to systems. |
| 11 | Employee (with privileged rights) makes a (configuration) mistake, causing systems to become unavailable. |
| 12 | Disgruntled employee (with privileged rights) deletes data, rendering processes inoperable. |
| 13 | Employees use personal applications (Shadow IT), creating unknown vulnerabilities that can be exploited, resulting in process disruption. |
| 14 | Known vulnerabilities in network, infrastructure, OT equipment, workplace, or applications lead to unauthorized access to sensitive information and potentially incorrect information. |
| 15 | Lack of insight into vulnerabilities in network, infrastructure, OT equipment, workplace, or applications leads to unauthorized access and disclosure of information. |
| 16 | Lack of insight into vulnerabilities in network, infrastructure, OT equipment, workplace, or applications leads to information and systems becoming unavailable (e.g., ransomware). |
| 17 | An infected device spreads malware, resulting in equipment becoming unavailable and processes being disrupted. |
| 18 | Equipment is misused, causing irreparable damage and rendering information unavailable. |
| 19 | Legacy systems in the network are vulnerable and used by a hacker as ‘stepping stones’ to gain unauthorized access to data or render information unavailable. |
| 20 | Users are not compelled to use strong authentication or suffer from MFA fatigue, allowing hackers to log in as employees, resulting in unauthorized access to sensitive data. |
| 21 | System changes result in unintended side effects in processes, causing information to become unavailable. |
| 22 | A development, testing, or acceptance system is less secure and gets hacked, resulting in a data breach. |
| 23 | IT maintenance activities disrupt the continuity of care processes, resulting in data being unavailable. |
| 24 | Data is not securely erased, allowing unauthorized access to the information. |
| 25 | In an incident, backups/systems are found to be malfunctioning, resulting in data remaining unavailable and/or non-compliance with legislation. |
| 26 | Due to configuration errors or faulty equipment, data becomes corrupt and information is no longer available. |
| 27 | Data is intercepted during exchange, allowing a malicious actor to view and/or alter the data. |
| 28 | Due to unclear responsibilities, risks are not properly managed, increasing the likelihood of a severe incident. |
| 29 | Incidents are not reported in a timely manner, not properly reported, or not properly managed, so that the incident grows and notification obligations are not met. |
| 30 | There is insufficient budget and/or priority for information security and privacy from management/board, resulting in information security and privacy measures not being implemented or being postponed. |
| 31 | Due to a lack of current knowledge of threats and vulnerabilities, important measures are overlooked, resulting in a large-scale incident. |
| 32 | Due to a lack of knowledge regarding laws and regulations, legal requirements are not met, resulting in fines or reputational damage. |
| 33 | Management prioritizes elsewhere, leading to financial shortages/cutbacks, insufficient investment in IT and consequently vulnerable systems. |
| 34 | Due to a disaster (fire, weather conditions, earthquake, or otherwise), the information provision is damaged and/or unavailable. |
| 35 | Due to failing infrastructure (levee breach, pipeline break) or collapse/subsidence, the information provision is damaged and/or unavailable. |
| 36 | Due to failing utilities (electricity, internet), the information provision is unavailable. |
| 37 | Due to vulnerabilities in physical security, a burglar can break into the office and steal data carriers with sensitive data, resulting in a data breach. |
| 38 | Vandals destroy parts of the infrastructure or other components of the information provision, rendering it unavailable. |
| 39 | Vermin damage cables and/or network equipment, causing connectivity disruptions or making storage unavailable, resulting in disruption of processes. |
| 40 | Due to insufficient control of assets, there is a risk of them falling outside the organization’s sphere of influence. |
| 41 | A lack of clear requirements in the procurement of a system or (Cloud) service leads to vulnerable technology, processes and human aspects, causing a disruption to operations and violation of laws and regulations. |
| 42 | A lack of clear requirements in the purchase of a service leads to vulnerable technology, processes and human aspects, resulting in a data breach. |
| 43 | A supplier or subcontractor of an essential system is hacked, resulting in the information provision being unavailable or unauthorized access to the data. |
| 44 | A supplier fails to report an incident, resulting in the organization not fulfilling its reporting obligations, the incident not being resolved, and the consequences of the incident not being mitigated. |
Older versions are listed below.

Version 2.0: 16-05-2024

1. User makes an unconscious mistake resulting in (digital) sensitive information being accessed by unauthorized individuals.
2. Hacker deceives a user, leading to unauthorized access to sensitive information.
3. Hacker tricks a user into making a wrong action or payment, resulting in financial damage.
4. Disgruntled (former) employee publishes/leaks information.
5. Employee accidentally leaves physical information lying around, allowing unauthorized access to sensitive information.
6. Employee lacks sufficient expertise for their job, causing a disruption in information provision.
7. Uncertainty in roles and/or functions and their associated information rights leads to overly broad authorization and thereby unauthorized access to information.
8. Changes in roles/functions are not properly managed, resulting in a buildup of rights and consequently unauthorized access to information.
9. Employee sells sensitive and valuable (personal) data for financial gain, resulting in unauthorized access.
10. Employee (with privileged rights) makes a (configuration) mistake, allowing unauthorized access to systems.
11. Employee (with privileged rights) makes a (configuration) mistake, causing systems to become unavailable.
12. Disgruntled employee (with privileged rights) deletes data, rendering processes inoperable.
13. Employees use personal applications (Shadow IT), creating unknown vulnerabilities that can be exploited, resulting in process disruption.
14. Known vulnerabilities in network, infrastructure, OT equipment, workplace, or applications lead to unauthorized access to sensitive information and potentially incorrect information.
15. Lack of insight into vulnerabilities in network, infrastructure, OT equipment, workplace, or applications leads to unauthorized access and disclosure of information.
16. Lack of insight into vulnerabilities in network, infrastructure, OT equipment, workplace, or applications leads to information and systems becoming unavailable (e.g., ransomware).
17. An infected device spreads malware, resulting in equipment becoming unavailable and processes being disrupted.
18. Equipment is misused, causing irreparable damage and rendering information unavailable.
19. Legacy systems in the network are vulnerable and used by a hacker as ‘stepping stones’ to gain unauthorized access to data or render information unavailable.
20. Users are not compelled to use strong authentication or suffer from MFA fatigue, allowing hackers to log in as employees, resulting in unauthorized access to sensitive data.
21. System changes result in unintended side effects in processes, causing information to become unavailable.
22. A development, testing, or acceptance system is less secure and gets hacked, resulting in a data breach.
23. IT maintenance activities disrupt the continuity of care processes, resulting in data being unavailable.
24. Data is not securely erased, allowing unauthorized access to the information.
25. In an incident, backups/systems are found to be malfunctioning, resulting in data remaining unavailable and/or non-compliance with legislation.
26. Due to configuration errors or faulty equipment, data becomes corrupt and information is no longer available.
27. Data is intercepted during exchange, allowing a malicious actor to view and/or alter the data.
28. Due to unclear responsibilities, risks are not properly managed, increasing the likelihood of a severe incident.
29. Incidents are not reported in a timely manner, not properly reported, or not properly managed, unnecessarily exacerbating them.
30. There is insufficient budget and/or priority for information security and privacy from management/board, resulting in information security and privacy measures not being implemented or being postponed.
31. Due to a lack of current knowledge of threats and vulnerabilities, important measures are overlooked, resulting in a large-scale incident.
32. Due to a lack of knowledge regarding laws and regulations, legal requirements are not met, resulting in fines or reputational damage.
33. Management prioritizes elsewhere, leading to financial shortages/cutbacks that result in insufficient investments in IT and vulnerable systems.
34. Due to a disaster (fire, weather conditions, earthquake, or otherwise), the information provision is damaged and/or unavailable.
35. Due to failing infrastructure (levee breach, pipeline break) or collapse/subsidence, the information provision is damaged and/or unavailable.
36. Due to failing utilities (electricity, internet), the information provision is unavailable.
37. Due to vulnerabilities in physical security, a burglar can break into the office and steal data carriers with sensitive data, resulting in a data breach.
38. Vandals destroy parts of the infrastructure or other components of the information provision, rendering it unavailable.
39. Due to insufficient control of assets, there is a risk of them falling outside the organization’s sphere of influence.
40. A lack of clear requirements in the procurement of a system or (Cloud) service leads to vulnerable technology, processes and human aspects, causing a disruption to operations and violation of laws and regulations.
41. A lack of clear requirements in the purchase of a service leads to vulnerable technology, processes and human aspects, resulting in a data breach.
42. A supplier or subcontractor of an essential system is hacked, resulting in the information provision being unavailable or unauthorized access to the data.
43. A supplier fails to report an incident, resulting in the organization not fulfilling its reporting obligations, the incident not being resolved, and the consequences of the incident not being mitigated.
