Disasters or Disruptive Events

Because organizations create Business Continuity and Disaster Recovery Plans in response to the potential for disasters to impact operations, understanding disasters and disruptive events is necessary. The most obvious types of disruptive events that spring to mind when considering BCP and DRP are natural disasters such as hurricanes, tornadoes, earthquakes, and floods. While these are representative of some types of disasters, they are far from the only, or even the most common, types of disruptive events.

One way of classifying the types of disasters that can occur is by cause. Causes are commonly grouped into three categories, according to whether the threat agent is natural, human, or environmental in nature [12].

  • Natural—The most obvious types of threats that can result in a disaster are naturally occurring. This category includes threats such as earthquakes, hurricanes, tornadoes, floods, and some types of fires. Historically, natural disasters have been among the most devastating events that an organization can have to respond to. However, natural disasters are typically less common than the other classes of threats. The likelihood of a natural threat occurring is usually closely related to the geographical location.

  • Human—The human category of threats represents the most common source of disasters. Human threats can be further classified by whether they constitute an intentional or unintentional threat. Human-intentional attacks represent deliberate, motivated attacks by a human. Human-unintentional attacks are those in which a person unwittingly serves as a threat source. For example, an attacker targeting an organization’s cardholder data by attempting to cause a malware infection within the organization would represent a human-intentional threat; an employee disrupting operations through laziness or carelessness would be considered a human-unintentional threat. While human-intentional threats might be more exciting to run through threat models, human-unintentional threats represent the most common source of disasters. Examples of human-intentional threats include terrorists, malware, rogue insiders, Denial of Service, hacktivism, phishing, and social engineering. Examples of human-unintentional threats are primarily those that involve inadvertent errors and omissions, in which the person, through lack of knowledge, laziness, or carelessness, serves as a source of disruption.

  • Environmental—The name environmental threats can be confusing, bringing to mind weather-related phenomena. In this case, environmental has little to do with the weather (which would be considered a natural threat) and instead refers to the environment as it pertains to the information systems or datacenter. The threat of disruption to the computing environment is significant. This class of threat includes items such as power issues (blackout, brownout, surge, spike), system component or other equipment failures, and application or software flaws.

Technical threats are another category of threat. Technical threats can be considered a subset of human threats, but are sometimes referenced separately due to their importance to information security. Common examples of technical threats include malware, Denial of Service, cyber-warfare, cyber-terrorism, hacktivism, phishing, and DNS hijacking. These threats are mitigated with the Cyber Incident Response Plan.

Analyzing threats and determining the likelihood that each will be manifested is an important part of the BCP and DRP process. Appreciation of the threats will help guide some of the potential risk mitigation or avoidance strategies adopted by the organization. Further, threat analysis will help provide guidance in the planning and prioritization of recovery and response capabilities. To perform these threat analyses, a more detailed understanding of the types of threats is needed. Table 8.2 provides a quick summary of some of the disaster events and what type of disaster they constitute.

Disruptive Event                   | Type
-----------------------------------+------------------------------
Earthquake/tornado/hurricane/etc.  | Natural
Strike                             | Human (intentional)
Cyber-terrorism                    | Human (intentional)/technical
Malware                            | Human (intentional)/technical
Denial of service                  | Human (intentional)/technical
Errors and omissions               | Human (unintentional)
Electrical fire                    | Environmental
Equipment failure                  | Environmental

Table 8.2 Examples of Disruptive Events.