IIC Journal of Innovation 20th Edition Trustworthy July 2022, 20th Edition | Page 15

changes like damage or disaster as shown in Figure 4-1. Such incidents are then defined as attacks.

4.3 INCIDENT

Neither a hazard nor a threat leads imminently to an accident or attack, but both have the potential for creating a real problem. For example, nearly any physical system has a fire hazard or a loss-of-power hazard, and any internet-connected system has the threat of a hacker attack. The moment when a system is really affected by a hazard or threat is considered an incident.

4.4 OBVIOUS DIFFERENCES: HAZARD VERSUS THREAT

We see clear differences between hazards and threats in the way they are introduced in the text above:
• A hazard may lead to an accident but never to an attack.
• A threat may lead to an attack but never to an accident.
• A hazard-caused incident is random and not intentional.
• A threat-caused incident is intentional and not random.
• Trustworthiness Reliability / Safety / Privacy / Resilience Methods protect the system from hazard-caused incidents.
• Trustworthiness Security Methods protect the system from threat-caused incidents.
For example, a Trustworthiness Privacy Method could demand, as an operational directive, that all files containing social security numbers are permanently encrypted, except when they are viewed or edited, e.g., Excel files in Excel. Another operational directive specifies that social security numbers cannot be sent via external email. However, an incident could occur where an employee erroneously forgets these directives and copies social security numbers out of Excel via the clipboard into an external email.
To prevent this incident from causing a severe accident, a privacy violation by email, a mail server extension service could scan all outgoing emails for information looking like social security numbers and interrupt the sending operation. Such a blocker would also stop any employee trying to intentionally send out the social security numbers as part of a hacker attack, likely warning security departments about the incident as well. This blocker is an additional Trustworthiness Privacy / Security Method, but it is realized as a software tool, not just an operational directive, and it prevents both accidents and attacks.
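The outgoing-mail blocker described above, sketched as an added example (it is not code from the article or from any IIC material). The SSN pattern, the `example.com` internal domain and all function names are assumptions, and the sample message is constructed.

```python
import logging
import re
from email import message_from_bytes, policy
from email.utils import getaddresses

log = logging.getLogger("ssn_blocker")
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domain
# Assumption: "looks like an SSN" = 3-2-4 digits with a consistent '-', ' ' or no
# separator, skipping never-issued ranges (area 000/666/9xx, group 00, serial 0000).
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}([- ]?)(?!00)\d{2}\1(?!0000)\d{4}(?!\d)")


def external_recipients(msg):
    """Addresses in To/Cc/Bcc whose domain is not an internal one."""
    fields = [str(h) for name in ("To", "Cc", "Bcc") for h in msg.get_all(name, [])]
    return [addr for _, addr in getaddresses(fields)
            if addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS]


def text_parts(msg):
    """Subject line plus every text/* part (body and text attachments)."""
    yield str(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()


def check_outgoing(raw: bytes):
    """Return (blocked, ssn_like_hits, external_recipients) for one message."""
    msg = message_from_bytes(raw, policy=policy.default)
    outside = external_recipients(msg)
    hits = sum(1 for text in text_parts(msg) for _ in SSN_RE.finditer(text))
    blocked = bool(outside) and hits > 0
    if blocked:
        # Alert the security team without copying the numbers into the log.
        log.warning("blocked %s: %d SSN-like value(s) addressed to %s",
                    msg.get("Message-ID", "?"), hits, outside)
    return blocked, hits, outside


def sample(to, body):
    """Constructed test message; addresses and numbers are made up."""
    return (f"From: alice@example.com\r\nTo: {to}\r\nSubject: payroll\r\n"
            f"Message-ID: <constructed-1@example.com>\r\n\r\n{body}\r\n").encode()


if __name__ == "__main__":
    print(check_outgoing(sample("bob@partner.example", "Jane Doe 123-45-6789")))
```

Binary attachments such as .xlsx files or archives are not inspected here; a production filter would need to extract their text as well.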
A summary of the differences between hazards and threats is shown in Table 4-1.