| ID | Description | Likelihood (avg) | Likelihood (stdev) | Impact (avg) | Impact (stdev) | Computed risk (avg likelihood x avg impact, taken before rounding) |
|---|---|---|---|---|---|---|
| | Security Issues - Intentional or malicious attacks | | | | | |
| | Misuse of LCG resources - CPU, storage, network etc. | | | | | |
| M1 | Resources used to launch online attacks on other sites via DoS, viruses, worms, spam etc. | 3.0 | 0.0 | 3.0 | 0.0 | 9.0 |
| M2 | Resources used for offline attacks on other sites, e.g. to crack passwords or pass phrases | 2.0 | 0.0 | 2.0 | 0.0 | 4.0 |
| M3 | Resources used to distribute or share non-LCG data, e.g. copyrighted, illegal, or inappropriate material | 3.0 | 0.0 | 3.0 | 0.0 | 9.0 |
| M4 | Resources misused by inappropriate setting of access control or priority | 3.0 | 0.0 | 1.0 | 0.0 | 3.0 |
| M5 | Use of LCG resources by unauthorized parties | 3.0 | 0.0 | 1.0 | 0.0 | 3.0 |
| M6 | Use of LCG resources for unauthorized purposes, e.g. financial gain | 2.0 | 0.0 | 2.8 | 0.5 | 5.5 |
| | Confidentiality and data integrity issues | | | | | |
| C1 | Theft of credentials, e.g. private keys | 3.0 | 0.0 | 2.0 | 0.0 | 6.0 |
| C2 | Data or passwords/pass phrases exposed, e.g. in unprotected files or on the network | 3.0 | 0.0 | 2.0 | 0.0 | 6.0 |
| C3 | Falsification of scientific data, analysis and/or results | 1.8 | 0.5 | 3.0 | 0.0 | 5.3 |
| C4 | Unauthorized monitoring of network communications | 2.0 | 0.0 | 2.0 | 0.0 | 4.0 |
| C5 | Unauthorized access to data | 3.0 | 0.0 | 1.0 | 0.0 | 3.0 |
| C6 | Unauthorized distribution or exposure of data | 2.8 | 0.5 | 2.0 | 0.0 | 5.5 |
| C8 | Identity or usage information is harvested by unauthorized persons | 2.0 | 0.0 | 1.0 | 0.0 | 2.0 |
| | Disruption of LCG infrastructure for political or other reasons | | | | | |
| D1 | Disruption via exploitation of security holes | 3.0 | 0.0 | 3.0 | 0.0 | 9.0 |
| D2 | Corruption of or damage to data | 1.0 | 0.0 | 2.8 | 0.5 | 2.8 |
| D3 | DoS attacks towards LCG to prevent normal working of network or services | 1.8 | 0.5 | 3.0 | 0.0 | 5.3 |
| D5 | "Poisoned" resources are deployed on LCG to confuse operations, debugging or results | 1.0 | 0.0 | 2.8 | 0.5 | 2.8 |
| D6 | Attack by disgruntled users, employees or ex-employees | 1.0 | 0.0 | 3.0 | 0.0 | 3.0 |
| D7 | Use of "social engineering" methods to attack LCG resources | 3.0 | 0.0 | 2.0 | 0.0 | 6.0 |
| D8 | Damage caused by viruses, worms, trojans or back-doors | 3.0 | 0.0 | 3.0 | 0.0 | 9.0 |
| D9 | Misleading trouble reports to the GOC or incident response mechanisms, to disrupt operations or damage reputation | 1.0 | 0.0 | 2.0 | 0.0 | 2.0 |
| D10 | Modification or defacement of user interfaces, documentation, monitoring etc., for disruption or advertising | 2.0 | 0.0 | 2.0 | 0.0 | 4.0 |
| | Other attacks | | | | | |
| O1 | Theft of systems | 1.8 | 0.5 | 1.3 | 0.5 | 2.2 |
| O2 | Theft of software | 1.0 | 0.0 | 1.0 | 0.0 | 1.0 |
| O3 | Physical sabotage of systems | 1.0 | 0.0 | 1.3 | 0.5 | 1.3 |
| O4 | Theft of primary or backup data media | 1.0 | 0.0 | 2.8 | 0.5 | 2.8 |
| | Security Issues - Non-intentional or accidental | | | | | |
| A1 | Unauthorized use resulting from insecure middleware or bad security design/implementation | 2.0 | 1.0 | 2.7 | 0.6 | 5.3 |
| A2 | Development process results in insecure middleware | 2.7 | 0.6 | 2.3 | 0.6 | 6.2 |
| A3 | Deployment process results in insecure middleware | 1.7 | 0.6 | 2.3 | 0.6 | 3.9 |
| A4 | Development process results in poor fault tolerance and effective loss of service (snowballing failure) | 2.0 | 1.0 | 2.3 | 0.6 | 4.7 |
| A5 | Deployment process results in poor fault tolerance and effective loss of service (snowballing failure) | 1.3 | 0.6 | 2.3 | 0.6 | 3.1 |
| A6 | Failure to perform security audit of new software | 2.7 | 0.6 | 1.7 | 0.6 | 4.4 |
| A7 | Lack of timely patching of systems and middleware for security holes | 2.0 | 1.0 | 2.7 | 0.6 | 5.3 |
| A8 | The need to incorporate legacy resources/applications prevents addressing security holes | 1.7 | 0.6 | 2.7 | 0.6 | 4.4 |
| A9 | Problems from misleading or missing documentation | 1.3 | 0.6 | 1.7 | 0.6 | 2.2 |
| A10 | Lack of critical security services, e.g. CRLs (certificate revocation lists) published by the CAs | 1.7 | 0.6 | 2.0 | 1.0 | 3.3 |
| A11 | Hardware faults | 1.0 | 0.0 | 1.3 | 0.6 | 1.3 |
| A12 | Disasters, e.g. fire or flood | 1.0 | 0.0 | 2.0 | 1.0 | 2.0 |
| A13 | Accidental corruption of or damage to data | 1.3 | 0.6 | 2.0 | 0.0 | 2.7 |
| A14 | Lack of knowledge and/or insufficient training of management, operations and support staff | 2.0 | 0.0 | 1.7 | 0.6 | 3.3 |
| A15 | Security Infrastructure is not well matched to user requirements or expectations, and therefore too restrictive or too open | 2.0 | 0.0 | 1.7 | 0.6 | 3.3 |
| A16 | LCG authorization controls are insufficient to allow effective management by VOs, groups or users | 1.7 | 0.6 | 2.3 | 0.6 | 3.9 |
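The figures above are consistent with a small panel of assessors each scoring likelihood and impact on a 1-3 scale, the table reporting the mean and sample standard deviation of those scores, and the computed risk being the product of the two means before rounding. That last point matters when reading the table: M6 shows 2.0 x 2.8 but a risk of 5.5, because the unrounded impact mean is 2.75. The script below is an added example, not part of the original document, that reproduces a few rows from constructed per-assessor scores (the page publishes only the summaries, so the individual scores, the 1-3 scale, the use of sample standard deviation and the round-half-up rule are all assumptions made to match the printed values). It also shows the discrepancy a reader gets by multiplying the rounded averages instead.

```python
from decimal import Decimal, ROUND_HALF_UP
from statistics import mean, stdev

# Constructed per-assessor scores (hypothetical: the page gives only summary
# statistics). Assumed scale: 1 = low, 2 = medium, 3 = high. Values were
# chosen so that the summaries reproduce the table rows named below.
# Each entry is (likelihood scores, impact scores), one score per assessor.
SCORES = {
    "M1": ([3, 3, 3, 3], [3, 3, 3, 3]),
    "M6": ([2, 2, 2, 2], [3, 3, 3, 2]),
    "C3": ([2, 2, 2, 1], [3, 3, 3, 3]),
    "A2": ([3, 3, 2], [2, 2, 3]),
    "O1": ([2, 2, 2, 1], [1, 1, 1, 2]),
}


def round_half_up(x, places=1):
    """Round the way the table appears to (1.25 -> 1.3).

    Python's built-in round() uses round-half-to-even and would give 1.2 for
    the O1 impact average, so an explicit Decimal rounding mode is used.
    """
    quantum = Decimal(1).scaleb(-places)
    return float(Decimal(str(x)).quantize(quantum, rounding=ROUND_HALF_UP))


def assess(likelihood, impact):
    """Summarise one risk row: means, sample std devs and risk = mean_L * mean_I.

    The product is taken on the unrounded means; only the displayed values are
    rounded, which is why the printed risk can differ from the product of the
    printed averages.
    """
    l_avg, i_avg = mean(likelihood), mean(impact)
    return {
        "likelihood_avg": round_half_up(l_avg),
        "likelihood_sd": round_half_up(stdev(likelihood)),
        "impact_avg": round_half_up(i_avg),
        "impact_sd": round_half_up(stdev(impact)),
        "risk": round_half_up(l_avg * i_avg),
    }


def risk_from_rounded(row):
    """The naive recomputation from the printed averages (for comparison only)."""
    return round_half_up(row["likelihood_avg"] * row["impact_avg"])


def ranked(scores=SCORES):
    """All assessed rows, highest computed risk first, ties broken by ID."""
    rows = {rid: assess(l, i) for rid, (l, i) in scores.items()}
    return sorted(rows.items(), key=lambda kv: (-kv[1]["risk"], kv[0]))


if __name__ == "__main__":
    for rid, row in ranked():
        note = ""
        if risk_from_rounded(row) != row["risk"]:
            note = "  (product of printed averages would be %.1f)" % risk_from_rounded(row)
        print(
            f"{rid}: L={row['likelihood_avg']}+/-{row['likelihood_sd']} "
            f"I={row['impact_avg']}+/-{row['impact_sd']} risk={row['risk']}{note}"
        )
```

Running it lists M1, A2, M6, C3 and O1 in that order and flags M6 and O1 as rows where multiplying the printed averages does not give the printed risk. When re-scoring the register, keep the raw per-assessor scores rather than just the summaries: the standard deviation columns are the only signal in the table of where the assessors disagreed, and they cannot be recovered from the averages.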