The classification of information risks can be based on the following criteria:
- basic aspects of information security;
- time of occurrence;
- source of occurrence;
- the nature of the information asset;
- the nature of the threat to information security;
- the nature of the consequences;
- mechanism of impact.
The main aspects of information security are: availability, integrity and confidentiality of information.
Availability refers to the ability of a subject to obtain access to data on request at any time provided for by the work schedule.
The ability to obtain data on request depends on the operability and workload of the elements of the information system and of its data transmission channels.
The risk of availability being compromised can stem both from hardware and software malfunctions within the company and from successful network attacks on the information system from outside.
This type of risk depends directly on the reliability of the hardware and software components of the information system, as well as on the competence of the personnel who manage them.
Availability is also impaired by non-compliance with applicable standards, both during the design phase and during the production and operation stages of the system.
Integrity refers to the relevance and consistency of information and the level of its protection against destruction, unauthorized modification and deletion.
The integrity risk is determined by the probability of equipment and software failure, how well the algorithms are designed, the reliability of the access controls for users who are permitted to edit information, the probability of undocumented capabilities in the system, shortcomings in the organizational structure of the IS, and non-compliance with the requirements of standards at the design, production and operation stages of the system.
Confidentiality refers to the level of information protection against unauthorized access.
The risk of a breach of confidentiality likewise depends on the strength of the user authentication algorithms, the probability of undocumented situations when working with the IS, shortcomings in the organizational structure, non-compliance with standards, and the human factor.
By time of occurrence, information risks are divided into retrospective, current and prospective risks.
Analysis of retrospective risks, their nature and the methods used to minimize them allows current and future risks to be forecast more accurately.
By source of occurrence, risks are divided into external and internal.
External risks do not depend on the internal workings of the enterprise: they are not related to its direct activities, and the enterprise cannot influence their level in any way.
Their level is determined by the political situation within the country and between states, the economic situation on the market, the social standing of citizens, etc.
Internal information risks include risks that depend on the direct activities of the enterprise and its personnel.
The following factors may affect their level: the organization's production capacity, the level of technical equipment, the qualifications of personnel, the availability of information protection tools, and the presence of job descriptions for working with the IS.
By the nature of an information asset, information risks can be divided into hardware and software risks.
Hardware risks arise from the failure of the hardware components of the IS, such as servers, personal computers, network switches and routers, production equipment, machine tools, etc.
Software risks are directly related to failures of the enterprise software, the actions of malicious software, the operating systems of IS users, as well as to information leakage and network attacks.
Classifying by the nature of the information security threat, the following risks can be distinguished:
Organizational risks are risks associated with the activities of the personnel who operate and service the IS, problems of the internal control system and poorly developed work rules, that is, risks associated with the internal organization of the company's work.
Technical risks relate to equipment, software, the tasks assigned to them, and the methods of designing, developing and operating the IS.
These risks are directly related to the IS lifecycle.
Natural information risks include risks that are independent of human activity.
They can cause damage that can lead to a complete shutdown of the enterprise.
They stem from natural phenomena such as earthquakes, floods, storms, hurricanes, etc.
In addition to the above classifications, risks can be classified by the nature of the consequences.
An acceptable risk is one whose occurrence causes the organization losses that do not exceed the expected profit from the enterprise's activities, so that those activities remain worthwhile.
A critical risk is one that threatens the enterprise with losses exceeding the expected profit from its activities and can lead to the loss of all funds invested in the project.
If the damage from the occurrence of a risk exceeds the profit from the enterprise's direct activities or exceeds the enterprise's assets, such risks are called catastrophic.
They also include risks involving danger to the life and health of people or the occurrence of environmental disasters, as well as risks that cause irreparable damage to the industrial enterprise.
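The three consequence classes above amount to a threshold rule that can be applied mechanically to a risk register. The following is an added example, not part of the original text: it treats the expected profit and the enterprise's assets as the two financial thresholds (loss within profit is acceptable, loss above profit but within assets is critical, loss above assets is catastrophic) and makes any risk that endangers people, the environment, or causes irreparable damage catastrophic regardless of the amount. The `Risk` class, the function names and the sample register figures are all hypothetical constructions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Consequence classes named in the text
ACCEPTABLE, CRITICAL, CATASTROPHIC = "acceptable", "critical", "catastrophic"


@dataclass(frozen=True)
class Risk:
    """One entry of a hypothetical risk register."""
    name: str
    estimated_loss: float           # expected loss if the risk materialises, in money units
    endangers_people: bool = False  # danger to life or health
    environmental: bool = False     # may cause an environmental disaster
    irreparable: bool = False       # irreparable damage to the enterprise


def classify_by_consequences(risk: Risk, expected_profit: float, enterprise_assets: float) -> str:
    """Return the consequence class of one risk.

    Assumed thresholds (an interpretation of the text, not its wording):
      loss <= expected_profit                   -> acceptable
      expected_profit < loss <= enterprise_assets -> critical
      loss > enterprise_assets                  -> catastrophic
    Non-financial criteria (people, environment, irreparable damage) are
    catastrophic whatever the amount.
    """
    if expected_profit < 0 or enterprise_assets < 0:
        raise ValueError("thresholds must be non-negative")
    if expected_profit > enterprise_assets:
        raise ValueError("expected profit cannot exceed the enterprise's assets")
    if risk.estimated_loss < 0:
        raise ValueError(f"{risk.name}: estimated loss must be non-negative")

    if risk.endangers_people or risk.environmental or risk.irreparable:
        return CATASTROPHIC
    if risk.estimated_loss > enterprise_assets:
        return CATASTROPHIC
    if risk.estimated_loss > expected_profit:
        return CRITICAL
    return ACCEPTABLE


def summarise_register(risks: List[Risk], expected_profit: float,
                       enterprise_assets: float) -> Dict[str, List[str]]:
    """Group the names of the register's risks by consequence class, worst class first."""
    groups: Dict[str, List[str]] = {CATASTROPHIC: [], CRITICAL: [], ACCEPTABLE: []}
    for risk in risks:
        groups[classify_by_consequences(risk, expected_profit, enterprise_assets)].append(risk.name)
    return groups


# Constructed sample register: illustrative figures, not from any real enterprise
SAMPLE_PROFIT = 500_000.0
SAMPLE_ASSETS = 4_000_000.0
SAMPLE_RISKS = [
    Risk("workstation disk failure", 20_000),
    Risk("ransomware on file server", 900_000),
    Risk("data centre flood", 6_000_000),
    Risk("gas leak in production hall", 50_000, endangers_people=True),
    Risk("loss of archive with no backup", 300_000, irreparable=True),
]

if __name__ == "__main__":
    for cls, names in summarise_register(SAMPLE_RISKS, SAMPLE_PROFIT, SAMPLE_ASSETS).items():
        print(f"{cls:13s}: {', '.join(names) or '-'}")
```

The boundary cases follow the text's wording: a loss exactly equal to the expected profit still counts as acceptable ("do not exceed"), and only a loss strictly above the assets threshold becomes catastrophic on financial grounds. The non-financial flags are checked first so that a small monetary estimate cannot hide a risk to people.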
The impact mechanism constitutes the largest classification group of information risks.
On this basis, information risks can be divided into:
- specialist errors;
- hardware failures and malfunctions;
- network equipment failures and malfunctions;
- software failures and malfunctions;
- unauthorized access;
- copyright infringement;
- distribution of false information;