
Sources of service failure

Open rto opened this issue 3 years ago • 2 comments

I'm looking at some examples to articulate common risk scenarios and uses of OISRU.

One common scenario is around the service unavailability event that can, naturally, have many sources. For example:

  • Criminal or hacktivist are sensible sources for DDoS-type scenarios
  • Compromised supplier is suitable for a supplier outage (e.g. ISP failure)

For a 'wear and tear' or 'component failure' type scenario, my thinking is that the source of this is ineffective internal on the basis that proactive maintenance is required for any machinery/hardware/software/service.

It is, perhaps, a little unfair in the event of a manufacturing defect where failure occurs significantly before the Mean Time Between Failures. Though defects could be considered compromised supplier. (And, hopefully, they may not occur anywhere near frequently enough to warrant serious inclusion in the identified risk scenarios.)

Do we consider the current source lists sufficient to cover these types of 'wear and tear' scenarios?

rto, Aug 20 '20 09:08

I am questioning first whether wear and tear of technology components is a technology risk rather than an information security risk.

I could see a failure of a technology component, especially one supporting a security control, as an event that leads to & contributes to a security risk but I think that is a technology risk.

oracuk, Aug 20 '20 09:08

I would be pleased to see a technology risk universe (possibly derived from COBIT scenarios) and a privacy risk universe that are compatible with the Information Security risk universe but I think they are separate concerns and I'm not convinced we should extend OISRU. Maybe if we found appropriate privacy and technology experts to contribute we could look at a broader framework.

oracuk, Aug 20 '20 09:08