{{Short description|Potential negative action or event facilitated by a vulnerability}} {{Use dmy dates|date=October 2019}} {{multiple issues| {{rewrite|date=July 2024}} {{list|date=July 2024}} }}

In computer security, a '''threat''' is a potential negative action or event enabled by a vulnerability that results in an unwanted impact to a computer system or application.

A threat can be either a negative "intentional" event like hacking or an "accidental" negative event or otherwise a circumstance, capability, action, or event (incident is often used as a blanket term).{{Ref RFC|2828}} A ''threat actor'' who is an individual or group that can perform the threat action, such as exploiting a vulnerability to actualise a negative impact. An ''exploit'' is a vulnerability that a threat actor used to cause an incident.

== Phenomenology == right| A basic model of system threats

The term "threat" relates to some other basic security terms as shown in the following diagram:<ref name=rfc2828/>

A resource (both physical or logical) can have one or more vulnerabilities that can be exploited by a threat agent in a threat action. The result can potentially compromise the confidentiality, integrity or availability properties of resources (potentially different than the vulnerable one) of the organization and others involved parties (customers, suppliers).<br /> The so-called CIA triad is the basis of information security.

The attack can be ''active'' when it attempts to alter system resources or affect their operation: so it compromises Integrity or Availability. A "''passive attack''" attempts to learn or make use of information from the system but does not affect system resources: so it compromises Confidentiality.<ref name=rfc2828/>

thumb|OWASP: relationship between threat agent and business impact OWASP (see figure) depicts the same phenomenon in slightly different terms: a threat agent through an attack vector exploits a weakness (vulnerability) of the system and the related security controls causing a technical impact on an IT resource (asset) connected to a business impact.

A set of policies concerned with information security management, the Information security management systems (ISMS), has been developed to manage, according to risk management principles, the countermeasures in order to accomplish to a security strategy set up following rules and regulations applicable in a country. Countermeasures are also called security controls; when applied to the transmission of information are named security services.<ref name=Vacca>{{cite book |last= Wright |first=Joe |author2= Jim Harmening |editor-last=Vacca |editor-first=John |title=Computer and Information Security Handbook |series=Morgan Kaufmann Publications |year=2009 |publisher= Elsevier Inc |isbn= 978-0-12-374354-1 |page=257 |chapter=15 }} </ref>

The overall picture represents the risk factors of the risk scenario.<ref>{{cite web|url=http://www.isaca.org/Knowledge-Center/Research/Documents/RiskIT-FW-18Nov09-Research.pdf |title=ISACA THE RISK IT FRAMEWORK|work=Isaca.org|access-date=5 November 2013}} {{registration required}}</ref>

The widespread of computer dependencies and the consequent raising of the consequence of a successful attack, led to a new term cyberwarfare.

Nowadays the many real attacks exploit Psychology at least as much as technology. Phishing and Pretexting and other methods are called social engineering techniques.<ref>Security engineering:a guide to building dependable distributed systems, second edition, Ross Anderson, Wiley, 2008 – 1040 pages {{ISBN|978-0-470-06852-6}}, Chapter 2, page 17</ref> The Web 2.0 applications, specifically Social network services, can be a mean to get in touch with people in charge of system administration or even system security, inducing them to reveal sensitive information.<ref>{{cite web|author=Brian Prince |url=http://www.eweek.com/c/a/Security/Social-Engineering-Your-Way-Around-Security-With-Facebook-277803/ |title=Using Facebook to Social Engineer Your Way Around Security |work=Eweek.com |date=7 April 2009 |access-date=5 November 2013}}</ref> One famous case is Robin Sage.<ref>{{cite web|url=http://www.networkworld.com/newsletters/sec/2010/100410sec1.html |title=Social engineering via Social networking |work=Networkworld.com |date=4 October 2010 |access-date=13 February 2012}}</ref>

The most widespread documentation on computer insecurity is about technical threats such as a computer virus, trojan and other malware, but a serious study to apply cost effective countermeasures can only be conducted following a rigorous IT risk analysis in the framework of an ISMS: a pure technical approach will let out the psychological attacks that are increasing threats.

==Threats classification == Threats can be classified according to their type and origin:<ref name=ISO27005>ISO/IEC, "Information technology – Security techniques-Information security risk management" ISO/IEC FIDIS 27005:2008</ref> * Types of threats: ** Physical damage: fire, water, pollution ** Natural events: climatic, seismic, volcanic ** Loss of essential services: electrical power, air conditioning, telecommunication ** Compromise of information: eavesdropping, theft of media, retrieval of discarded materials ** Technical failures: equipment, software, capacity saturation ** Compromise of functions: error in use, abuse of rights, denial of actions Note that a threat type can have multiple origins. * Deliberate: aiming at information asset ** spying ** illegal processing of data * Accidental ** equipment failure ** software failure * Environmental ** natural event ** loss of power supply *Negligence: Known but neglected factors, compromising the network safety and sustainability

== Threats Trends ==

Recent trends in computer threats show an increase in ransomware attacks, supply chain attacks, and fileless malware. Ransomware attacks involve the encryption of a victim's files and a demand for payment to restore access. Supply chain attacks target the weakest links in a supply chain to gain access to high-value targets. Fileless malware attacks use techniques that allow malware to run in memory, making it difficult to detect.<ref>{{Cite web |title=Ransomware Trends, Statistics and Facts in 2023 |url=https://www.techtarget.com/searchsecurity/feature/Ransomware-trends-statistics-and-facts |access-date=2023-05-09 |website=Security |language=en}}</ref>

=== Common Threats === Below are the few common emerging threats:

* Computer viruses * Trojan horses * Worms * Rootkits * Spyware * Adware * Ransomware * Fileless malware

==Threat classification== Microsoft published a mnemonic, STRIDE,<ref>{{Cite web|url=https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx|title=The STRIDE Threat Model|website=msdn.microsoft.com|date=12 November 2009 |language=en|access-date=28 March 2017}}</ref> from the initials of threat groups: * '''S'''poofing of user identity * '''T'''ampering * '''R'''epudiation * '''I'''nformation disclosure (privacy breach or Data leak) * '''D'''enial of Service (D.o.S.) * '''E'''levation of privilege

Microsoft previously rated the risk of security threats using five categories in a classification called DREAD: Risk assessment model.

The spread over a network of threats can lead to dangerous situations. In military and civil fields, threat level has been defined: for example INFOCON is a threat level used by the US. Leading antivirus software vendors publish global threat level on their websites.<ref>{{cite web|url=http://www.mcafee.com/us/mcafee_labs/gti.html |title=McAfee Threat Intelligence &#124; McAfee, Inc |work=Mcafee.com |access-date=13 February 2012}}</ref><ref>{{cite web|url=http://www.symantec.com/security_response/threatconlearn.jsp |archive-url=https://web.archive.org/web/20070309133105/http://www.symantec.com/security_response/threatconlearn.jsp |url-status=dead |archive-date=9 March 2007 |title=Threatcon – Symantec Corp |work=Symantec.com |date=10 January 2012 |access-date=13 February 2012}}</ref>

==Associated terms== ==={{anchor|Threat agents}}Threat agents or actors=== {{Main|Threat actor}} {{Excerpt|Threat actor|only=lead}}

===Threat action=== '''Threat action''' is an assault on system security. A complete security architecture deals with both intentional acts and accidental events.<ref name=FIPS31>{{cite web|url=http://www.tricare.mil/tmis_new/Policy%5CFederal%5Cfips31.pdf|archive-url=https://web.archive.org/web/20231124115020/https://www.tricare.mil/tmis_new/Policy%5CFederal%5Cfips31.pdf|url-status=dead|archive-date=24 November 2023|title=FIPS PUB 31 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION : JUNE 1974|work=Tricare.mil|access-date=5 November 2013}}</ref>

===Threat analysis=== '''Threat analysis''' is the analysis of the probability of occurrences and consequences of damaging actions to a system.<ref name=rfc2828/> It is the basis of risk analysis.

=== Threat modeling === '''Threat modeling''' is a process that helps organizations identify and prioritize potential threats to their systems. It involves analyzing the system's architecture, identifying potential threats, and prioritizing them based on their impact and likelihood. By using threat modeling, organizations can develop a proactive approach to security and prioritize their resources to address the most significant risks.<ref>{{Cite web |title=Threat Modeling {{!}} OWASP Foundation |url=https://owasp.org/www-community/Threat_Modeling |access-date=2023-05-09 |website=owasp.org |language=en}}</ref>

=== Threat intelligence === {{main article|Cyber threat intelligence}} '''Threat intelligence''' is the practice of collecting and analyzing information about potential and current threats to an organization. This information can include indicators of compromise, attack techniques, and threat actor profiles.<ref>{{Cite web |title=What is Threat Intelligence? {{!}} IBM |url=https://www.ibm.com/topics/threat-intelligence |access-date=2023-05-09 |website=www.ibm.com |date=2 November 2022 |language=en-us}}</ref>

===Threat consequence=== '''Threat consequence''' is a security violation that results from a threat action.<ref name=rfc2828/>

===Threat landscape or environment=== A collection of threats in a particular domain or context, with information on identified vulnerable assets, threats, risks, threat actors and observed trends.<ref>ENISA Threat Landscape and Good Practice Guide for Smart Home and Converged Media (1 Dec 2014)</ref><ref>ENISA Threat Landscape 2013–Overview of Current and Emerging Cyber-Threats (11 Dec 2013)</ref>

==Threat management== Threats should be managed by operating an ISMS, performing all the IT risk management activities foreseen by laws, standards and methodologies.

Very large organizations tend to adopt business continuity management plans in order to protect, maintain and recover business-critical processes and systems. Some of these plans are implemented by computer security incident response team (CSIRT).

Threat management must identify, evaluate, and categorize threats. There are two primary methods of threat assessment: * Information security audit * Penetration test Many organizations perform only a subset of these methods, adopting countermeasures based on a non-systematic approach, resulting in ''computer insecurity''.

Information security awareness is a significant market. There has been a lot of software developed to deal with IT threats, including both open-source software and proprietary software.<ref>See :Category:Computer security companies, :Category:Free security software, and :Category:Computer security software companies for partial lists.</ref>

===Cyber threat management===

Threat management involves a wide variety of threats including physical threats like flood and fire. While ISMS risk assessment process does incorporate threat management for cyber threats such as remote buffer overflows the risk assessment process doesn't include processes such as threat intelligence management or response procedures.

Cyber threat management (CTM) is emerging as the best practice for managing cyber threats beyond the basic risk assessment found in ISMS. It enables early identification of threats, data-driven situational awareness, accurate decision-making, and timely threat mitigating actions.<ref>{{cite web|url=https://www.ioctm.org/What-is-Cyber-Threat-Management |title=What is Cyber Threat Management |work=ioctm.org |access-date=28 January 2015}}</ref>

CTM includes: * Manual and automated intelligence gathering and threat analytics * Comprehensive methodology for real-time monitoring including advanced techniques such as behavioral modelling * Use of advanced analytics to optimize intelligence, generate security intelligence, and provide Situational Awareness * Technology and skilled people leveraging situational awareness to enable rapid decisions and automated or manual actions

== Threat hunting == '''Cyber threat hunting''' is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions."<ref>{{Cite web|url=http://www.techrepublic.com/article/cyber-threat-hunting-why-this-active-strategy-gives-analysts-an-edge/|title=Cyber threat hunting: How this vulnerability detection strategy gives analysts an edge – TechRepublic|website=TechRepublic|access-date=7 June 2016}}</ref>

The SANS Institute has conducted research and surveys on the effectiveness of threat hunting to track and disrupt cyber adversaries as early in their process as possible. According to a survey performed in 2019, "61% [of the respondents] report at least an 11% measurable improvement in their overall security posture" and 23.6% of the respondents have experienced a 'significant improvement' in reducing the dwell time.<ref>{{Cite web |last1=Fuchs |first1=Mathias |last2=Lemon |first2=Joshua |title=SANS 2019 Threat Hunting Survey: The Differing Needs of New and Experienced Hunters |url=https://www.sans.org/media/analyst-program/2019-threat-hunting-survey-differing-experienced-hunters-39220.pdf |url-status=live |archive-url=https://web.archive.org/web/20220301090638/https://www.sans.org/media/analyst-program/2019-threat-hunting-survey-differing-experienced-hunters-39220.pdf |archive-date=2022-03-01 |access-date=2022-05-11 |publisher=SANS Institute |pages=2, 16 |language=en}}</ref>

==See also== {{Portal|Technology}} * Cyber threat hunting * {{annotated link|Emergency management}}, i.e. societal threats * Internet Engineering Task Force (IETF) * Information security audit * Information security * Intrusion detection system * IT risk * Physical security * Vulnerability management

==References== <ref>{{cite web|url=https://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf |title=Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems|work=Carc.nist.gov|access-date=5 November 2013}}</ref><ref>{{cite web|url=http://www.enisa.europa.eu/act/rm/cr/risk-management-inventory/glossary#G51 |title=Glossary – ENISA |publisher=Enisa.europa.eu |date=24 July 2009 |access-date=5 November 2013}}</ref><ref>Technical Standard Risk Taxonomy {{ISBN|1-931624-77-1}} Document Number: C081 Published by The Open Group, January 2009.</ref><ref name=FAIRW>{{cite web|url=http://www.riskmanagementinsight.com/media/docs/FAIR_introduction.pdf|title=An Introduction to Factor Analysis of Information Risk (FAIR)|work=Riskmanagementinsight.com|date=November 2006|access-date=5 November 2013|url-status=dead|archive-url=https://web.archive.org/web/20141118061526/http://www.riskmanagementinsight.com/media/docs/FAIR_introduction.pdf|archive-date=18 November 2014}}</ref><ref>Schou, Corey (1996). Handbook of INFOSEC Terms, Version 2.0. CD-ROM (Idaho State University & Information Systems Security Organization)</ref><ref>HMG IA Standard No. 1 Technical Risk Assessment</ref><ref name=":0">{{Cite web|url=https://sqrrl.com/solutions/cyber-threat-hunting/|title=Cyber Threat Hunting – Sqrrl|website=Sqrrl|language=en-US|access-date=7 June 2016}}</ref><ref>{{cite web|url=http://niatec.info/Glossary.aspx?term=5652&alpha=T |title=Glossary of Terms |work=Niatec.info |date=12 December 2011 |access-date=13 February 2012}}</ref> {{Reflist}}

==External links== {{Commons category}} *[http://fismapedia.org/index.php?title=Term:Threat Term in FISMApedia]{{dead link|date=May 2025|bot=medic}}{{cbignore|bot=medic}} *[https://ioctm.org/Cyber-Threat-Management-Framework Cyber Threat Management Framework] {{Information security}}

{{Authority control}}

{{DEFAULTSORT:Threat (computer security)}} Category:Computer security exploits Category:Security compliance