Policies, standards, surveys, and assessment questionnaires do not currently provide consistent or complete lists of threats to information for identifying controls, conducting assessments, or establishing priorities in information security. The usual short list of four common threats — unauthorized modification, unauthorized use, destruction, and disclosure — is clearly incomplete and redundant. For example, more extensive lists often include fraud, theft, sabotage, and espionage. However, these threats are legal abstractions that require expertise in criminal law to understand. Often, users and even security specialists don't understand the criminal legal implications of these terms or have a distorted view of them.