Page 83 - CISSO_Prep_ Guide
may exist between the area in range and the items outside of
range? Can assumptions be made regarding issues outside the
scope of this effort - can we just assume that the power
requirements, for example, are being assessed in another risk
assessment?
The assessor must understand the mission and goals of the area
being assessed and determine how critical each asset is to the
interests of the organization. This will aid in determining the
asset value.
Threats
A threat is any circumstance or event with the potential to
adversely impact organizational operations (including mission,
functions, image, or reputation), corporate assets, individuals,
other organizations, or the Nation through an information
system via unauthorized access, destruction, disclosure, or
modification of information, and/or denial of service.³
The world is full of threats. Many are accidental - the accidental
deletion of a field by a user or a simple mistake that interrupts
operations. Many are intentional - ranging from script kiddies
(inexperienced persons executing a low-level attack on a
system) to criminal gangs and APTs. Many threats are based on
natural events - earthquake, flood, tornado - or are simply caused by
equipment failure. The risk assessor must consider all relevant
threats (threats that do not apply should not be considered). The
likelihood of the threat must also be considered, but that can be
done as a separate activity once all the risks have been
3 NIST SP800-30 Rev 1 www.csrc.nist.gov