Mapping ISM Controls to Threat Scenarios: Why We Focus on Threats Before Risks

Introduction

In previous post, [“Understanding ISM Controls, Inherent Risks, and Residual Risks in the Context of NIST RMF”], we discussed how the Australian Cyber Security Centre’s (ACSC) Information Security Manual (ISM) provides controls to mitigate risks—not define them. A key takeaway was that misalignments with ISM controls represent residual risks, not the risks themselves.

But how do we determine what those risks are in the first place?

Before we can assess whether ISM controls are effective, we must first understand the threat scenarios that could harm our systems. This post explores why we focus on threats (rather than jumping straight to “risks”) when mapping ISM controls and provides a practical reference table linking ISM topics to likely threat scenarios.

Why Threat Scenarios Come Before Risk

Risk = Threat × Vulnerability × Impact

Risk assessments typically follow this classic formula. However, many organizations make a critical mistake: they skip threat identification and jump straight to control gaps.

Why We Can’t Just List “Risks” Directly

Risks Are System-Specific
- A “weak password policy” might be a high risk for an internet-facing system but low risk for an isolated internal server.
- Without knowing the threat context, we can’t accurately assess risk severity.
Threats Define the Likelihood Factor
- ISM controls don’t exist in a vacuum—they mitigate against specific threats.
- Example:
  - Threat Scenario: “An attacker brute-forces default credentials on an exposed admin portal.”
  - ISM Control: “Multi-factor authentication is used to authenticate privileged users of systems. (ISM-1173).”
  - Without the threat scenario, the control is just a compliance checkbox.
Residual Risk Only Makes Sense with Threat Context
- Saying “We don’t fully comply with ISM #123” is meaningless unless we tie it to:
  - What threat does this control mitigate?
  - How likely is that threat to materialize?
  - What’s the impact if it does?

So Why Provide Threat Scenarios Instead of Risks?

Because risk requires business context (impact, likelihood, system criticality), while threat scenarios are universal.

A threat scenario describes how an attack could happen.
Risk assessment determines how bad it would be for your organization.

By focusing on threats first, we ensure ISM controls are mapped to real-world attack vectors—not just compliance requirements.

Mapping ISM Topics to Threat Scenarios

Below is a reference table linking ISM control topics to likely threat scenarios. This helps bridge the gap between “What does ISM require?” and “Why does it matter?”

ISM Topic	Threat Scenario Example
Embedding cybersecurity	A lack of clear cybersecurity roles and responsibilities leads to unaddressed vulnerabilities, allowing adversaries to exploit weak security postures.
Championing a positive cybersecurity culture	An insider with privileged access intentionally bypasses security protocols, leading to a data breach.
Building cybersecurity expertise	A lack of cybersecurity expertise at the executive level leads to inadequate oversight of cybersecurity practices, resulting in undetected vulnerabilities.
Identifying critical business assets	Unauthorized access to critical business assets by malicious insiders seeking to exploit or sell sensitive information.
Planning for major cybersecurity incidents	A ransomware attack encrypts critical organizational data, demanding payment for decryption keys.
Providing cybersecurity leadership and guidance	Lack of clear cybersecurity direction leading to inconsistent security practices across the organization.
Overseeing the cybersecurity program	A nation-state actor targets the organization’s cybersecurity program to steal sensitive data or disrupt operations.
Coordinating cybersecurity	A lack of coordination between cybersecurity and business teams leads to the implementation of new business projects without adequate security controls, resulting in vulnerabilities that adversaries can exploit.
Reporting on cybersecurity	Inaccurate or delayed cybersecurity reporting could lead to uninformed decision-making by the board, resulting in unaddressed vulnerabilities.
Overseeing cybersecurity incident response activities	A ransomware attack encrypts critical organizational data, demanding payment for decryption.
Contributing to business continuity and disaster recovery planning	A natural disaster such as a flood disrupts data center operations, leading to prolonged downtime.
Communicating a cybersecurity vision and strategy	Employees lack awareness of cybersecurity policies, leading to accidental data leaks or falling prey to phishing attacks.
Working with suppliers	A supplier with inadequate security measures is compromised, leading to unauthorized access to the organization’s sensitive data shared with the supplier.
Receiving and managing a dedicated cybersecurity budget	Insufficient funding leads to inadequate cybersecurity defenses, making the organization vulnerable to attacks.
Overseeing cybersecurity personnel	Insufficient cybersecurity personnel leads to inadequate monitoring and response to security incidents.
Overseeing cybersecurity awareness raising	An employee inadvertently clicks on a phishing email, leading to unauthorized access to sensitive systems.
System ownership and oversight	A system owner fails to properly delegate or oversee system managers, leading to unauthorized access or changes by an insider.
Protecting systems and their resources	Unauthorized access to sensitive data due to inadequate access controls.
Annual reporting of system security status	Unauthorized access to sensitive system data due to outdated security measures.
Cybersecurity incident management policy	A ransomware attack encrypts critical data, demanding payment for decryption keys.
Cybersecurity incident register	An unauthorized individual gains access to sensitive data due to a lack of incident tracking and response mechanisms.
Insider threat mitigation program	An employee with legitimate access copies sensitive company data to a personal USB drive with the intent to sell it to a competitor.
Access to sufficient data sources and tools	A cyber attacker gains unauthorized access to a system and performs malicious activities without detection due to insufficient logging and monitoring capabilities.
Reporting cybersecurity incidents	An insider with privileged access deliberately exfiltrates sensitive data without authorization.
Reporting cybersecurity incidents to ASD	An adversary gains unauthorized access to a system through a compromised privileged user account, leading to potential data exfiltration or system damage.
Reporting cybersecurity incidents to customers and the public	A data breach occurs where sensitive customer information is exposed to unauthorized parties.
Enacting cybersecurity incident response plans	A ransomware attack encrypts critical data, demanding payment for decryption keys.
Handling and containing data spills	Unauthorized access to sensitive data due to accidental exposure or malicious activity leading to data spill.
Handling and containing malicious code infections	A malicious actor deploys ransomware across the network, encrypting critical data and demanding payment for decryption.
Handling and containing intrusions	An adversary gains unauthorized access to a system and establishes persistence, potentially exfiltrating sensitive data or causing disruption.
Maintaining the integrity of evidence	An insider with privileged access alters or deletes log files to cover their tracks after a security breach.
Cyber supply chain risk management activities	A supplier unknowingly provides IT equipment with pre-installed malware, leading to a data breach within the organization.
Supplier relationship management	A supplier with inadequate security measures inadvertently introduces malware into the organization’s network through compromised software updates.
Sourcing applications, IT equipment, OT equipment and services	A supplier delivers compromised IT equipment with pre-installed malware, leading to unauthorized access to the organization’s network.
Delivery of applications, IT equipment, OT equipment and services	A counterfeit IT equipment is delivered to an organization, compromising the security of the system it is integrated into.
Managed services	A managed service provider’s insider with privileged access intentionally exfiltrates sensitive customer data to sell to competitors.
Assessment of managed service providers	A managed service provider may unknowingly introduce vulnerabilities into the system through inadequate security practices, leading to potential breaches.
Outsourced cloud services	Unauthorized access to sensitive data stored in the cloud by malicious actors exploiting weak access controls.
Assessment of outsourced cloud service providers	A cloud service provider may introduce vulnerabilities through system updates or new services that could be exploited by adversaries.
Contractual security requirements with service providers	A service provider fails to implement agreed-upon security measures, leading to unauthorized access to sensitive data.
Access to systems, applications and data by service providers	A service provider’s employee, acting as an insider threat, accesses sensitive customer data beyond their authorized scope for personal gain or malicious intent.
Cybersecurity strategy	An organisation without a cybersecurity strategy may fail to identify and prioritize critical assets, leading to inadequate protection against evolving cyber threats.
Approval of cybersecurity documentation	Unauthorized changes to cybersecurity documentation could lead to the implementation of inadequate security controls, leaving the system vulnerable to attacks.
Maintenance of cybersecurity documentation	An outdated cybersecurity policy fails to address a newly emerged ransomware variant, leading to an unprepared response and successful system compromise.
Communication of cybersecurity documentation	Stakeholders inadvertently violate security policies due to lack of awareness, leading to unauthorized access or data breaches.
System security plan	An insider with privileged access intentionally modifies the system security plan to omit critical security controls, weakening the system’s defenses.
Cybersecurity incident response plan	A ransomware attack encrypts critical data, demanding payment for decryption.
Change and configuration management plan	Unauthorized changes to system configurations leading to security vulnerabilities.
Continuous monitoring plan	An attacker exploits a previously unknown vulnerability in a web application to gain unauthorized access to sensitive customer data.
Security assessment report	An attacker gains unauthorized access to a system due to unaddressed vulnerabilities identified in a previous security assessment.
Plan of action and milestones	A system’s identified weaknesses from a security assessment are not tracked or remediated, leading to exploitation by adversaries.
Physical access to systems	Unauthorized individuals gain physical access to a secure facility, potentially leading to theft, tampering, or destruction of critical systems and data.
Physical access to servers, network devices and cryptographic equipment	Unauthorized individuals gain physical access to server rooms, leading to theft or tampering with critical hardware.
Physical access to network devices in public areas	Unauthorized individuals gain physical access to network devices in public areas, resetting them to factory defaults to remove security controls.
Bringing radio frequency and infrared devices into facilities	Unauthorized RF or IR devices are brought into secure facilities, potentially capturing or transmitting sensitive information without detection.
Bringing medical devices into facilities	Unauthorized data exfiltration from SECRET or TOP SECRET areas via medical devices with hidden communication capabilities.
Preventing observation by unauthorised people	Unauthorized individuals observe sensitive information displayed on workstation screens through windows.
Securing IT equipment and media	Unauthorized access to sensitive data stored on unsecured IT equipment or media.
Providing cybersecurity awareness training	An employee unknowingly clicks on a malicious link in a phishing email, leading to unauthorized access to the organization’s network.
Managing and reporting suspicious changes to banking details or payment requests	Malicious actors compromise a vendor’s email to alter invoice details, redirecting payments to fraudulent accounts.
Reporting suspicious contact via online services	A malicious actor impersonates a trusted colleague via email to solicit sensitive information from an employee.
Posting work information to online services	An employee inadvertently shares sensitive project details on a public social media platform, leading to unauthorized access by competitors.
Posting personal information to online services	Malicious actors use personal information from online services to build trust and elicit sensitive or classified information from personnel.
Sending and receiving files via online services	Personnel inadvertently download malware-infected files from unauthorised online services, leading to system compromise.
System usage policy	An employee accesses sensitive data without authorization, leading to data leakage.
System access requirements	An unauthorized individual gains access to sensitive system resources due to lack of proper access documentation and controls.
User identification	An unauthorized user gains access to sensitive AUSTEO, AGAO, or REL data by impersonating an authorized user.
Unprivileged access to systems	An employee without proper authorization accesses sensitive data repositories for personal gain or malicious intent.
Unprivileged access to systems by foreign nationals	Foreign nationals gaining unauthorized access to AUSTEO, AGAO, and REL data could lead to espionage or unauthorized disclosure of sensitive information.
Privileged access to systems	A malicious insider with privileged access credentials abuses their permissions to exfiltrate sensitive data.
Privileged access to systems by foreign nationals	A foreign national with privileged access could intentionally or unintentionally disclose sensitive AUSTEO, AGAO, or REL data to unauthorized entities.
Suspension of access to systems	An insider with legitimate access leaves the organization but retains access to sensitive systems and data, potentially leading to unauthorized access or data exfiltration.
Recording authorisation for personnel to access systems	An insider with malicious intent accesses sensitive systems without proper authorization, exploiting lack of accountability in access records.
Temporary access to systems	An insider with temporary access exceeds their authorized permissions to access sensitive data not required for their duties.
Emergency access to systems	An attacker gains unauthorized access to a break glass account and performs malicious activities without detection.
Control of Australian systems	Foreign nationals or entities gain unauthorized access to AUSTEO and AGAO data by infiltrating systems not under the sole control of the Australian Government.
Cabling infrastructure standards	Improperly installed cabling can lead to physical damage, causing system downtime or data loss.
Use of fibre-optic cables	Unauthorized interception of data transmitted over copper cables due to electromagnetic eavesdropping.
Cable register	An insider with physical access to the facility intentionally reroutes or disconnects critical network cables to disrupt operations or exfiltrate data.
Floor plan diagrams	Unauthorized individuals gain access to sensitive areas by exploiting outdated or inaccurate floor plan diagrams.
Cable labelling processes and procedures	An unauthorized individual gains physical access to the network infrastructure and disconnects or reroutes cables, causing service disruption.
Labelling cables	Incorrectly patched cables leading to unauthorized access to sensitive systems.
Labelling building management cables	Incorrectly labeled cables leading to accidental disconnection or misconnection of critical building management systems, such as fire control or security systems, during maintenance or upgrades.
Labelling cables for foreign systems in Australian facilities	Unintended cross-patching of cables leading to unauthorized data flow between Australian and foreign systems.
Cable colours	An insider accidentally connects a non-classified system to a SECRET or TOP SECRET network due to indistinguishable cable colors, leading to unauthorized data access or leakage.
Cable colour non-conformance	Unauthorized individuals may mistakenly or intentionally access or tamper with cables carrying sensitive information due to incorrect or unclear labeling, leading to data breaches or system compromises.
Cable inspectability	An adversary gains physical access to a facility and tampers with network cabling to intercept or disrupt communications.
Common cable bundles and conduits	An unauthorized individual gains physical access to a common cable bundle or conduit, allowing them to intercept or tamper with data transmitted between systems.
Common cable reticulation systems	Unauthorized access or tampering with cables leading to data interception or service disruption.
Enclosed cable reticulation systems	Unauthorized individuals gaining physical access to network cables to intercept or tamper with data transmissions.
Covers for enclosed cable reticulation systems	Unauthorized individuals tampering with or damaging cables within enclosed reticulation systems to disrupt network connectivity or intercept data transmissions.
Sealing cable reticulation systems and conduits	Unauthorized individuals attempt to physically access TOP SECRET cable reticulation systems to intercept or tamper with sensitive data transmissions.
Labelling conduits	Unauthorized individuals may attempt to access or tamper with conduits carrying TOP SECRET information, potentially leading to data breaches or espionage.
Cables in walls	Unauthorized individuals gaining physical access to network cables to intercept or tamper with data transmissions.
Cables in party walls	Unauthorized individuals or entities gaining physical access to TOP SECRET cables running through shared walls, leading to potential eavesdropping or data interception.
Wall penetrations	An unauthorized individual gains physical access to a TOP SECRET area by exploiting gaps in wall penetrations.
Wall outlet boxes	Unauthorized physical access to wall outlet boxes could lead to tampering with network cabling, resulting in unauthorized network access or data interception.
Labelling wall outlet boxes	Incorrectly connecting IT equipment to a wall outlet box due to lack of clear labelling, leading to potential power supply issues or connection to unauthorized networks.
Wall outlet box colours	An unauthorized individual attempts to connect a device to a SECRET or TOP SECRET system by mistakenly plugging into an incorrect outlet due to lack of clear color differentiation.
Wall outlet box covers	An unauthorized individual gains physical access to a secure area and attempts to tamper with network cables to intercept or disrupt communications.
Fly lead installation	Excessive lengths of TOP SECRET fibre-optic fly leads create clutter, increasing the risk of accidental damage or intentional tampering, potentially leading to unauthorized access or data leakage.
Connecting cable reticulation systems to cabinets	Unauthorized individuals gain physical access to the cable reticulation systems and cabinets to tamper with or modify the cabling, potentially leading to data interception or service disruption.
Terminating cables in cabinets	An unauthorized individual gains physical access to network cabinets and connects a malicious device to intercept or manipulate data traffic.
Terminating cables on patch panels	An insider with physical access to the network infrastructure deliberately cross-patches SECRET and TOP SECRET cables to facilitate unauthorized data access or exfiltration.
Physical separation of cabinets and patch panels	Unauthorized personnel accidentally or intentionally cross-patch connections between TOP SECRET and non-TOP SECRET systems, leading to unauthorized access to sensitive information.
Audio secure rooms	Unauthorized individuals or entities eavesdropping on sensitive audio conversations within TOP SECRET audio secure rooms.
Power reticulation	An adversary cuts power to a TOP SECRET system to disrupt operations and prevent access to critical information.
Electromagnetic interference/electromagnetic compatibility standards	Unauthorized interception of sensitive data transmitted via electromagnetic emissions from IT equipment.
Emanation security doctrine	Unauthorized interception of sensitive information through electromagnetic emissions from electronic devices.
Emanation security threat assessments	Interception and analysis of compromising signals emitted by SECRET and TOP SECRET systems, leading to unauthorized access to classified information.
Telephone system usage policy	An insider with access to sensitive information discusses classified details over a non-secure telephone line, leading to interception by adversaries.
Personnel awareness	An employee discusses classified information over a non-secure telephone line in a public area, leading to eavesdropping by unauthorized individuals.
Protecting conversations	Unauthorized interception of sensitive or classified telephone conversations by adversaries.
Cordless telephone systems	Malicious actors intercept unencrypted communications from cordless telephone systems to gather sensitive or classified information.
Speakerphones	Unauthorized individuals eavesdropping on sensitive conversations transmitted through speakerphones in TOP SECRET areas.
Off-hook audio protection	Background conversations are inadvertently transmitted during a call, potentially exposing sensitive information to unauthorized parties.
Video conferencing and Internet Protocol telephony infrastructure hardening	An attacker exploits unpatched vulnerabilities in the Session Initiation Protocol server to gain unauthorized access.
Video-aware and voice-aware firewalls and proxies	Unauthorized access to video or voice communications leading to eavesdropping or data interception.
Protecting video conferencing and Internet Protocol telephony traffic	An attacker intercepts unencrypted video conferencing traffic to eavesdrop on confidential discussions.
Video conferencing unit and Internet Protocol phone authentication	An unauthorised device connects to the video conferencing or IP telephony network, potentially intercepting or injecting malicious data.
Traffic separation	Unauthorized access to video conferencing or IP telephony traffic could lead to eavesdropping or disruption of communications.
Internet Protocol phones in public areas	Malicious actors exploit IP phones in public areas to gain unauthorized access to the organization’s data network.
Microphones and webcams	Malicious actors exploit microphones and webcams in SECRET and TOP SECRET areas by tricking users into installing malicious applications that activate these devices for unauthorized surveillance.
Denial of service response plan	An attacker floods the organization’s video conferencing and IP telephony services with excessive requests, rendering them unavailable to legitimate users.
Fax machine and multifunction device usage policy	Unauthorized individuals intercepting fax transmissions containing sensitive information.
Sending fax messages	A fax machine, previously used to send sensitive information via cryptographic equipment, is reconnected to an unsecured network and automatically resends the sensitive data in clear text.
Receiving fax messages	An unauthorized individual accesses sensitive information from a received fax left unattended at the fax machine.
Simultaneously connecting multifunction devices to networks and digital telephone systems	An attacker exploits the MFD’s dual connection to bypass network security measures and gain unauthorized access to sensitive data transmitted over the digital telephone system.
Authenticating to multifunction devices	Unauthorized individuals access multifunction devices to print, scan, or copy sensitive documents without proper authentication, leading to potential data leakage.
Scanning and copying documents on multifunction devices	Unauthorized individuals access sensitive documents scanned or copied on a multifunction device (MFD) due to improper network classification settings.
Logging multifunction device use	An insider with malicious intent uses an MFD to print, scan, or copy sensitive documents without authorization, intending to leak or misuse the information.
Observing fax machine and multifunction device use	An insider uses a fax machine or MFD to send sensitive information to an unauthorized recipient without detection.
Privately-owned mobile devices and desktop computers	Unauthorized access to classified data stored on privately-owned devices by malicious actors.
Organisation-owned mobile devices and desktop computers	An insider with malicious intent accesses and exfiltrates classified data stored on an organization-owned device.
Connecting mobile devices and desktop computers to the internet	An attacker exploits a split tunnel VPN to gain unauthorized access to an organization’s internal network from the internet.
Mobile device management policy	An employee’s mobile device is lost or stolen, potentially exposing sensitive corporate data to unauthorized individuals.
Approved mobile platforms	Unauthorized access to sensitive or protected systems or data through compromised mobile devices.
Data storage	A mobile device containing sensitive data is lost or stolen, allowing unauthorized access to the stored information.
Data communications	An adversary intercepts unencrypted sensitive data transmitted between mobile devices and a corporate network.
Maintaining mobile device security	A malicious actor gains unauthorized access to a corporate network by exploiting vulnerabilities in an employee’s poorly secured mobile device.
Mobile device usage policy	Unauthorized access to sensitive organizational data stored on a lost or stolen mobile device.
Personnel awareness	An employee unknowingly discusses sensitive information over an unsecured mobile device in a public space, leading to eavesdropping by malicious actors.
Using paging, message services and messaging apps	An adversary intercepts unencrypted messages sent via paging or messaging apps to gather sensitive information.
Using Bluetooth functionality	An attacker intercepts Bluetooth communications between paired devices to steal sensitive data.
Using mobile devices in public spaces	An adversary observes sensitive data displayed on a mobile device screen in a public space, leading to unauthorized access to classified information.
Maintaining control of mobile devices	A mobile device containing sensitive information is lost or stolen, leading to unauthorized access to the data.
Mobile device emergency sanitisation processes and procedures	A malicious actor gains physical access to a lost or stolen mobile device containing sensitive data.
Before travelling overseas with mobile devices	Unauthorized access to sensitive data stored on mobile devices by foreign intelligence services.
While travelling overseas with mobile devices	A mobile device left unattended in a hotel room is stolen, leading to unauthorized access to sensitive data.
After travelling overseas with mobile devices	Mobile devices used overseas may be compromised with malware or spyware, enabling unauthorized access to organizational systems and data upon reconnection to the network.
Evaluated product selection	A firewall product not evaluated against a Protection Profile (PP) may fail to adequately filter malicious network traffic, leading to unauthorized access.
Delivery of evaluated products	An adversary intercepts and alters a software product during delivery, replacing the evaluated version with a malicious one.
Using evaluated products	An attacker exploits a vulnerability in a software product that was not evaluated for security, leading to unauthorized access to sensitive data.
IT equipment management policy	Unauthorized individuals gain physical access to IT equipment, leading to data theft or tampering.
Hardening IT equipment configurations	An attacker exploits default credentials on a network device to gain unauthorized access.
IT equipment registers	Unauthorized IT equipment is introduced into the organization’s network, potentially leading to data breaches or network compromise.
Labelling IT equipment	A user accidentally inputs sensitive data into an IT equipment not approved for such data, leading to unauthorized data exposure.
Labelling high assurance IT equipment	An adversary attempts to tamper with high assurance IT equipment to insert malicious hardware or extract sensitive information without detection.
Classifying IT equipment	Unauthorized access to sensitive data due to improper classification of IT equipment leading to data leakage.
Handling IT equipment	Unauthorized individuals gain physical access to IT equipment containing sensitive data, leading to potential data breaches.
Maintenance and repairs of high assurance IT equipment	Unauthorized maintenance personnel could introduce malicious hardware or software during repairs, compromising the integrity of high assurance IT equipment.
On-site maintenance and repairs	Unauthorized technicians accessing sensitive data during maintenance or repairs.
Off-site maintenance and repairs	Unauthorized access to sensitive data stored on IT equipment during off-site maintenance.
Inspection of IT equipment following maintenance and repairs	Unauthorized modifications or malware insertion into IT equipment by maintenance personnel.
IT equipment sanitisation processes and procedures	Unauthorized individuals recover sensitive data from improperly sanitized IT equipment sold or discarded by the organization.
IT equipment destruction processes and procedures	Unauthorized individuals gaining access to sensitive data stored on decommissioned IT equipment.
Sanitising IT equipment	Unauthorized individuals gaining access to sensitive data stored on improperly sanitized IT equipment.
Sanitising highly sensitive IT equipment	Unauthorized access to AUSTEO or AGAO data by foreign entities due to inadequate sanitization of IT equipment.
Destroying high assurance IT equipment	Unauthorized individuals gaining access to sensitive data stored on high assurance IT equipment after its disposal.
Sanitising printers and multifunction devices	Unauthorized individuals gaining access to sensitive information left on printer cartridges or MFD print drums.
Sanitising televisions and computer monitors	Unauthorized individuals gaining access to sensitive information displayed on televisions or computer monitors due to burn-in or image persistence.
Sanitising network devices	Unauthorized individuals recover sensitive network configuration data or credentials from improperly sanitized network devices after disposal.
Sanitising fax machines	Unauthorized access to sensitive information stored in the memory of a fax machine after its disposal.
IT equipment disposal processes and procedures	Unauthorized individuals recover sensitive data from improperly disposed IT equipment.
Disposal of IT equipment	Unauthorized individuals recover sensitive data from improperly disposed IT equipment.
Media management policy	An insider with malicious intent copies sensitive data onto removable media and shares it with unauthorized parties.
Removable media usage policy	An employee uses an unapproved USB drive to transfer sensitive company data, inadvertently introducing malware into the corporate network.
Removable media register	Unauthorized use of removable media to exfiltrate sensitive data from the organization.
Labelling media	Unauthorized access to sensitive information due to improper handling of unlabeled or incorrectly labeled media.
Classifying media	Unauthorized personnel access sensitive data stored on unclassified media due to improper labeling.
Reclassifying media	Unauthorized access to sensitive data due to improper reclassification of media.
Handling media	An unauthorized individual gains physical access to unencrypted media containing sensitive data, leading to data exposure.
Sanitising media before first use	New media purchased from a supplier contains hidden malicious software that activates upon first use, compromising the system it is connected to.
Using media for data transfers	Malicious actors could exploit rewritable media to exfiltrate sensitive data from a destination system back to the source system.
Media sanitisation processes and procedures	Unauthorized individuals recover sensitive data from improperly sanitized media.
Volatile media sanitisation	Unauthorized individuals recover sensitive data from volatile memory after a system shutdown.
Treatment of volatile media following sanitisation	An adversary gains physical access to volatile media previously used in a TOP SECRET environment and exploits remanence effects to recover classified information.
Non-volatile magnetic media sanitisation	Unauthorized access to sensitive data stored on decommissioned or repurposed non-volatile magnetic media due to inadequate sanitization.
Treatment of non-volatile magnetic media following sanitisation	Unauthorized individuals gaining access to classified information stored on non-volatile magnetic media that was believed to be sanitized.
Non-volatile erasable programmable read-only memory media sanitisation	Unauthorized access to sensitive data stored on decommissioned EPROM devices by malicious actors.
Non-volatile electrically erasable programmable read-only memory media sanitisation	Unauthorized access to sensitive data stored on EEPROM after device disposal or transfer.
Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation	Unauthorized recovery of classified data from sanitized non-volatile EPROM and EEPROM media by adversaries.
Non-volatile flash memory media sanitisation	Unauthorized individuals gain access to discarded or repurposed flash memory media containing sensitive data.
Treatment of non-volatile flash memory media following sanitisation	Unauthorized individuals recover classified information from non-volatile flash memory media that was not fully sanitized due to wear leveling or bad memory blocks.
Media that cannot be successfully sanitised	Unauthorized individuals gain access to sensitive data stored on improperly sanitized media.
Media destruction processes and procedures	Unauthorized individuals recover sensitive data from improperly destroyed media.
Media that cannot be sanitised	Unauthorized individuals recover sensitive data from improperly disposed media, leading to data breaches.
Media destruction equipment	Unauthorized individuals gaining access to sensitive data from improperly destroyed media.
Media destruction methods	An adversary gains physical access to discarded storage media and retrieves sensitive data.
Treatment of media waste particles	Unauthorized individuals or entities gaining access to classified information from improperly destroyed media waste particles.
Degaussing magnetic media	Unauthorized individuals gaining access to sensitive data stored on decommissioned magnetic media.
Supervision of destruction	Unauthorized individuals may attempt to recover sensitive data from improperly destroyed media.
Supervision of accountable material destruction	Unauthorized individuals may attempt to recover or steal sensitive information from improperly destroyed media.
Outsourcing media destruction	Unauthorized individuals gaining access to non-accountable material during the outsourcing process.
Media disposal processes and procedures	Unauthorized individuals recover sensitive data from improperly disposed media, leading to data breaches.
Disposal of media	Unauthorized individuals recover sensitive data from improperly disposed media.
Operating system selection	An attacker exploits a memory corruption vulnerability in an operating system to execute arbitrary code, gaining unauthorized access to sensitive data or system resources.
Operating system releases and versions	An attacker exploits a known vulnerability in an outdated operating system to gain unauthorized access to sensitive data.
Standard Operating Environments	Malicious actors exploit inconsistent or poorly configured workstations and servers to gain initial network access.
Hardening operating system configurations	An attacker exploits default credentials or unnecessary services enabled by default to gain unauthorized access to the system.
Application management	Malicious actors use social engineering to trick unprivileged users into installing harmful applications, leading to system compromise or data theft.
Application control	An attacker attempts to execute malicious scripts or executables on a workstation to gain unauthorized access or disrupt operations.
Command Shell	An attacker gains unauthorized access to a system and uses the Command shell to execute malicious commands or scripts to exfiltrate sensitive data.
PowerShell	An attacker uses PowerShell to execute malicious scripts that compromise system integrity.
Host-based intrusion detection and response	An attacker deploys a new variant of ransomware that evades signature-based detection, encrypting critical files on a workstation.
Software firewall	Malicious actors exploit common protocols to propagate malware or exfiltrate data from a network.
Antivirus software	Malicious actors exploit software vulnerabilities to deploy malware that can steal, corrupt, or deny access to sensitive data.
Device access control software	Malicious actors use removable media to introduce malware into a network, compromising system integrity.
Operating system event logging	An attacker gains unauthorized access to a system by exploiting weak credentials and attempts to escalate privileges.
User application selection	An adversary exploits a memory corruption vulnerability in a poorly designed user application to execute arbitrary code, leading to unauthorized access to sensitive data.
User application releases	An attacker exploits a known vulnerability in an outdated web browser to deliver malware to a user’s system.
Hardening user application configurations	An attacker exploits a vulnerability in a default-configured web browser to deliver malware, gaining unauthorized access to sensitive data.
Microsoft Office macros	A malicious actor sends a phishing email with an attached Office document containing a macro that, when enabled, installs malware on the victim’s computer.
Server application selection	A server application with insecure programming practices is exploited by an attacker to execute arbitrary code, leading to unauthorized access to sensitive data.
Server application releases	An attacker exploits a known vulnerability in an outdated server application to gain unauthorized access to sensitive data.
Hardening server application configurations	An attacker exploits default credentials on a server application to gain unauthorized access.
Restricting privileges for server applications	A malicious actor exploits a vulnerability in a server application running with elevated privileges, gaining unauthorized access to sensitive system files and data.
Microsoft Active Directory services	An attacker gains unauthorized access to Active Directory services to escalate privileges and move laterally across the network.
Microsoft Active Directory Domain Services domain controllers	An attacker gains unauthorized access to a domain controller and extracts hashed credentials, enabling offline brute force attacks.
Microsoft Active Directory Domain Services account hardening	Malicious actors exploit misconfigured AD DS accounts to gain unauthorized access, move laterally, and escalate privileges within the network.
Microsoft Active Directory Domain Services security group memberships	A malicious insider with access to a highly-privileged security group exploits their membership to escalate privileges and gain unauthorized access to sensitive systems.
Microsoft Active Directory Certificate Services	An attacker compromises a Certification Authority (CA) server to issue fraudulent certificates, enabling man-in-the-middle attacks or unauthorized access to secure systems.
Microsoft Active Directory Federation Services	An attacker compromises an AD FS server to gain unauthorized access to federated systems and data.
Microsoft Entra Connect	An attacker gains unauthorized access to the Microsoft Entra Connect server, allowing them to manipulate identity synchronization between on-premises AD DS and cloud-based Entra ID, potentially granting elevated privileges or access to sensitive systems.
Server application event logging	An attacker gains unauthorized access to a server application and modifies or deletes critical data.
Authenticating to systems	An unauthorized individual gains access to a system by guessing or stealing a user’s credentials.
Insecure authentication methods	An attacker intercepts weakly hashed credentials during authentication, allowing them to gain unauthorized access to the network.
Multi-factor authentication	An attacker gains access to a user’s password through phishing and attempts to log in to the system.
Single-factor authentication	Malicious actors use credential cracking tools to recover username and password pairs from hashed credentials obtained from a system.
Setting credentials for user accounts	An attacker impersonates a legitimate user to gain unauthorized access to sensitive systems or data by exploiting weak or compromised credentials.
Setting credentials for built-in Administrator accounts, break glass accounts, local administrator accounts and service accounts	An attacker gains access to a workstation with a local administrator account using common credentials and uses those credentials to compromise additional systems within the network.
Changing credentials	An adversary gains unauthorized access to a user’s credentials through a phishing attack and uses them to access sensitive systems.
Protecting credentials	An adversary uses screen scraping or shoulder surfing to capture credentials entered by a user.
User account lockouts	An attacker systematically attempts to guess user credentials through repeated login attempts to gain unauthorized access.
Session termination	An attacker gains access to a user’s session through session hijacking and performs unauthorized actions.
Session locking	An unauthorised individual gains access to a user’s authenticated session on a shared or public computer.
Screen locking	An unauthorised individual gains physical access to a workstation left unattended and accesses sensitive data.
Logon banner	Unauthorized users gain access to sensitive systems without understanding the legal consequences of misuse.
Functional separation between computing environments	A malicious actor exploits a vulnerability in the hypervisor to gain unauthorized access to other virtual machines running on the same physical server.
System administration processes and procedures	An insider with privileged access intentionally misconfigures a network device to bypass security controls, leading to unauthorized access.
Separate privileged operating environments	A malicious actor gains access to an administrator’s unprivileged account and uses it to escalate privileges, compromising the entire network.
Administrative infrastructure	An attacker gains unauthorized access to administrative credentials and uses them to compromise critical servers.
Patch management processes and procedures	An attacker exploits a known vulnerability in an unpatched operating system to gain unauthorized access to sensitive data.
Software register	An attacker exploits a known vulnerability in outdated software to gain unauthorized access to the system.
Scanning for unmitigated vulnerabilities	An attacker exploits a known vulnerability in an unpatched system to gain unauthorized access.
Mitigating known vulnerabilities	An attacker exploits a known vulnerability in an internet-facing server to gain unauthorized access.
Cessation of support	An attacker exploits a known vulnerability in an unsupported operating system to gain unauthorized access to sensitive data.
Digital preservation policy	Data becomes inaccessible due to obsolete hardware or software, leading to loss of critical information.
Data backup and restoration processes and procedures	A ransomware attack encrypts critical business data, rendering it inaccessible.
Performing and retaining backups	A ransomware attack encrypts critical data, rendering it inaccessible to authorized users.
Backup access	An insider with malicious intent accesses and exfiltrates sensitive data from backups.
Backup modification and deletion	An insider with privileged access intentionally deletes critical backup files to disrupt business operations.
Testing restoration of backups	A ransomware attack encrypts critical data, making it inaccessible without the decryption key.
Event logging policy	An insider with privileged access manipulates system logs to cover unauthorized activities.
Centralised event logging facility	An attacker gains unauthorized access to a system and modifies or deletes log entries to cover their tracks.
Event log details	An attacker gains unauthorized access to a system and modifies or deletes event logs to cover their tracks.
Event log monitoring	An attacker gains unauthorized access to a system and modifies or deletes log entries to cover their tracks.
Event log retention	An attacker gains unauthorized access to a system and deletes or alters event logs to cover their tracks.
Development, testing, staging and production environments	A developer accidentally deploys untested code from the development environment directly to production, causing system outages.
Secure software development	An attacker exploits a buffer overflow vulnerability in a web application to execute arbitrary code.
Software bill of materials	A malicious actor exploits a known vulnerability in an open-source component included in a software product, leading to unauthorized access or data exfiltration.
Network application programming interfaces	An attacker exploits a poorly secured network API to gain unauthorized access to sensitive data.
Software input handling	An attacker injects malicious SQL commands through a web form, leading to unauthorized database access.
Web security policy response headers	An attacker injects malicious scripts into a web application to execute cross-site scripting (XSS) attacks against users.
Software interaction with databases	An attacker exploits a vulnerability in a web application to inject malicious SQL commands, gaining unauthorized access to sensitive database information.
Software security testing	An attacker exploits a vulnerability in the software to gain unauthorized access to sensitive data.
Vulnerability disclosure program	A security researcher discovers a critical vulnerability in an organization’s software but has no clear way to report it, leading to potential exploitation by malicious actors.
Reporting and resolving vulnerabilities	A software vulnerability is exploited by an attacker to gain unauthorized access to sensitive data.
Software event logging	An attacker exploits a vulnerability in the software, causing it to crash or behave unexpectedly, which could lead to unauthorized access or data leakage.
Secure web application design and development	An attacker exploits a SQL injection vulnerability in a web application to gain unauthorized access to the database.
Web application frameworks	An attacker exploits a vulnerability in a web application’s input validation to inject malicious scripts.
Web application interactions	An attacker intercepts unencrypted communications between a user and a web application to steal sensitive data.
Web application programming interfaces	An attacker exploits a vulnerability in a web API to gain unauthorized access to sensitive data.
Web application output encoding	An attacker injects malicious scripts into a web application’s output, which are then executed in the context of a user’s browser session.
Web application firewalls	Malicious actors discover the IP addresses of origin servers, bypassing the WAF to directly attack the servers.
Functional separation between database servers and web servers	A malicious actor exploits a vulnerability in the web server to gain unauthorized access to the database server, leading to data exfiltration or corruption.
Communications between database servers and web servers	Malicious actors intercept unencrypted data transmissions between database and web servers to steal sensitive information.
Network environment	A malicious actor gains access to a user workstation and uses it as a stepping stone to attack the database server on the same network segment.
Segregation of development, testing, staging and production database servers	A developer accidentally deploys untested code to the production database, causing data corruption.
Database register	An attacker exploits an unregistered database to exfiltrate sensitive data unnoticed.
Protecting databases	An attacker gains unauthorized access to database files, copies them, and performs offline analysis to extract sensitive information.
Protecting database contents	An insider with legitimate access to a database abuses their privileges to access, modify, or delete sensitive information not required for their role.
Segregation of development, testing, staging and production databases	Unauthorized access to sensitive production data by developers or testers using non-production environments.
Database event logging	An attacker gains unauthorized access to a database and modifies or deletes sensitive data without detection.
Email usage policy	An employee inadvertently clicks on a malicious link in an email, leading to a malware infection.
Webmail services	Employees use non-approved webmail services to send sensitive company data, bypassing organizational email security controls.
Protective markings for emails	An insider accidentally sends an email containing sensitive information to an unauthorized recipient.
Protective marking tools	An insider accidentally sends an email with sensitive information to an unauthorized recipient due to incorrect protective marking.
Handling emails with inappropriate, invalid or missing protective markings	An adversary sends an email with a higher protective marking than the receiving system’s classification to cause a data spill.
Email distribution lists	An email containing sensitive Australian government data is sent to a distribution list with unknown membership, leading to unauthorized access by foreign nationals.
Centralised email gateways	An attacker spoofs the email domain of a trusted organization to send phishing emails to employees.
Email gateway maintenance activities	Malicious actors exploit vulnerabilities in poorly maintained backup or alternative email gateways to deliver phishing emails or malware to an organization’s network.
Open relay email servers	Spammers exploit open relay email servers to send unsolicited bulk emails, leading to blacklisting of the server’s IP address.
Email server transport encryption	An attacker intercepts unencrypted email communications between servers to read or alter the contents.
Sender Policy Framework	An attacker sends emails pretending to be from a legitimate domain to trick recipients into revealing sensitive information.
DomainKeys Identified Mail	An attacker sends emails with forged sender addresses to trick recipients into revealing sensitive information.
Domain-based Message Authentication, Reporting and Conformance	An attacker spoofs the domain of a legitimate organization to send phishing emails to its customers, attempting to steal sensitive information.
Email content filtering	An adversary sends an email with a malicious attachment designed to exploit vulnerabilities in the recipient’s system.
Blocking suspicious emails	An employee receives an email that appears to be from a trusted internal source, but is actually a phishing attempt designed to steal credentials.
Notifications of undeliverable emails	An attacker spoofs sender addresses in spam emails, causing receiving servers to generate undeliverable notifications that flood innocent third parties, potentially leading to denial of service or reputational damage.
Network documentation	An attacker gains unauthorized access to network documentation, using it to identify vulnerabilities and plan an attack.
Network encryption	An attacker intercepts unencrypted data transmitted over a network, gaining unauthorized access to sensitive information.
Network segmentation and segregation	An attacker gains initial access to a low-security network segment and attempts to move laterally to high-value systems.
Using Virtual Local Area Networks	An attacker gains unauthorized access to a network segment, potentially leading to data exfiltration or lateral movement within the network.
Using Internet Protocol version 6	Malicious actors exploit IPv6 tunneling protocols to bypass network defenses by encapsulating IPv6 traffic within IPv4 packets.
Network access controls	An unauthorized individual connects a rogue device to the network to intercept or manipulate data.
Functional separation between servers	A compromised web server is used to launch attacks against a database server within the same network segment.
Networked management interfaces	An attacker exploits an exposed networked management interface to gain unauthorized access to network infrastructure, leading to data exfiltration or service disruption.
Network management traffic	An attacker gains unauthorized access to network management interfaces to manipulate network configurations.
Using the Server Message Block protocol	An attacker exploits vulnerabilities in SMB version 1 to execute arbitrary code on a target system.
Using the Simple Network Management Protocol	An attacker exploits default SNMP community strings to gain unauthorized access to network devices.
Using Network-based Intrusion Detection and Prevention Systems	An attacker exploits a vulnerability in a web server to gain unauthorized access to sensitive data.
Blocking anonymity network traffic	Malicious actors use anonymity networks to conduct reconnaissance on an organization’s network without revealing their identity.
Encrypted Domain Name System Services	Malicious actors intercept unencrypted DNS queries to gather intelligence on user browsing habits and internal network structures.
Protective Domain Name System Services	Malicious actors attempt to communicate with known malicious domains for command and control purposes.
Flashing network devices with trusted firmware before first use	Malicious firmware is pre-installed on network devices by a compromised vendor, allowing unauthorized access or control once the device is deployed.
Default user accounts and credentials for network devices	An attacker gains unauthorized access to a network device using default credentials, potentially leading to data breaches or network compromise.
Disabling unused physical ports on network devices	An unauthorized individual gains physical access to a network device and connects a malicious device to an unused port, potentially leading to unauthorized network access or data exfiltration.
Regularly restarting network devices	Malicious actors compromise a network device but fail to establish persistence, remaining active only until the next restart.
Network device event logging	An attacker gains unauthorized access to a network device and modifies configurations to bypass security controls.
Choosing wireless devices	Unauthorized access to the wireless network by adversaries exploiting non-standard or vulnerable wireless devices.
Public wireless networks	An attacker connects to the public wireless network and exploits vulnerabilities to gain unauthorized access to the organization’s internal network.
Administrative interfaces for wireless access points	An attacker gains unauthorized access to the wireless network by exploiting the administrative interface over a wireless connection, leading to potential network compromise.
Default settings	An attacker exploits weak default settings on a wireless access point to gain unauthorized access to the network.
Media Access Control address filtering	An unauthorized device attempts to connect to a wireless network by spoofing the MAC address of a legitimate device.
Static addressing	A rogue device attempts to connect to a wireless network to gain unauthorized access to network resources.
Confidentiality and integrity of wireless network traffic	An attacker intercepts unencrypted or weakly encrypted wireless communications to eavesdrop or manipulate data.
802.1X authentication	An attacker gains unauthorized access to a wireless network by bypassing weak authentication mechanisms.
Evaluation of 802.1X authentication implementation	An attacker impersonates a legitimate user to gain unauthorized access to the network by exploiting weaknesses in the 802.1X authentication process.
Generating and issuing certificates for authentication	Malicious actors steal certificates from devices to gain unauthorized access to wireless networks.
Caching 802.1X authentication outcomes	An attacker gains unauthorized access to a wireless network by exploiting a cached PMK from a previously authenticated device, bypassing the need for full re-authentication.
Fast Basic Service Set Transition	An attacker intercepts unsecured authenticator-to-authenticator communications during Fast Basic Service Set Transition, gaining access to encryption keys and compromising the security of the wireless network.
Remote Authentication Dial-In User Service authentication	An attacker intercepts unencrypted RADIUS authentication messages to steal user credentials.
Interference between wireless networks	Wireless networks operating on overlapping frequencies in close proximity cause signal interference, leading to degraded network performance or complete service disruption.
Protecting management frames on wireless networks	An attacker sends spoofed deauthentication frames to disconnect legitimate users from the wireless network.
Wireless network footprint	An adversary intercepts wireless communications from outside the organization’s facilities due to excessive broadcast power.
Cloud-based hosting of online services	A distributed denial-of-service (DDoS) attack overwhelms the organization’s online services, making them unavailable to legitimate users.
Capacity and availability planning and monitoring for online services	A sudden surge in user traffic overwhelms the system, leading to service degradation or outage.
Using content delivery networks	Malicious actors bypass CDN protections by directly targeting the origin server’s IP address, leading to potential data breaches or service disruptions.
Denial-of-service attack mitigation strategies	A malicious actor floods a website with excessive traffic, rendering it inaccessible to legitimate users.
Communications security doctrine	Unauthorized interception of sensitive communications by adversaries to gain access to classified information.
Approved High Assurance Cryptographic Equipment	An adversary intercepts and decrypts sensitive communications due to the use of weak or compromised cryptographic equipment.
Cryptographic key management processes and procedures	An attacker gains unauthorized access to cryptographic keys, enabling them to decrypt sensitive data or impersonate legitimate users.
Encrypting data at rest	Unauthorized access to sensitive data stored on a lost or stolen device.
Encrypting data in transit	An attacker intercepts unencrypted data transmitted over a network to steal sensitive information.
Data recovery	An organization loses access to critical encrypted data due to the accidental deletion or corruption of encryption keys by an administrator.
Handling encrypted IT equipment and media	An unauthorized individual gains physical access to encrypted IT equipment or media and attempts to bypass encryption to access sensitive data.
Transporting cryptographic equipment	During transportation, cryptographic equipment in a keyed state could be intercepted by adversaries, leading to unauthorized access to sensitive keying material.
Reporting cryptographic-related cybersecurity incidents	An adversary gains unauthorized access to cryptographic equipment, leading to potential decryption of sensitive communications.
Using ASD-Approved Cryptographic Algorithms	An adversary exploits weak cryptographic algorithms to decrypt sensitive communications without authorization.
Asymmetric cryptographic algorithms	An attacker intercepts and decrypts sensitive communications due to weak cryptographic algorithms.
Using Diffie-Hellman	An adversary intercepts encrypted communications and attempts to decrypt them using brute force or quantum computing techniques.
Using Elliptic Curve Cryptography	An attacker exploits a weak elliptic curve to break the encryption and gain unauthorized access to sensitive data.
Using Elliptic Curve Diffie-Hellman	An adversary intercepts encrypted communications and attempts to derive the shared secret key using brute force or quantum computing techniques.
Using the Elliptic Curve Digital Signature Algorithm	An attacker intercepts and alters digital communications to impersonate a legitimate entity.
Using post-quantum cryptographic algorithms	An adversary with access to a quantum computer decrypts sensitive data encrypted with traditional cryptographic algorithms.
Using the Module-Lattice-Based Digital Signature Algorithm	An adversary intercepts and alters digitally signed messages to impersonate a legitimate sender.
Using the Module-Lattice-Based Key Encapsulation Mechanism	An adversary intercepts encrypted communications and attempts to decrypt them using quantum computing capabilities.
Using Rivest-Shamir-Adleman	An adversary intercepts encrypted communications and attempts to decrypt them using brute force or quantum computing techniques.
Using Secure Hashing Algorithms	An attacker exploits weak hashing algorithms to reverse engineer passwords from stolen hash databases.
Using symmetric cryptographic algorithms	An attacker intercepts encrypted communications and uses pattern recognition to deduce the plaintext content due to the use of Electronic Codebook Mode.
Transitioning to post-quantum cryptography	A nation-state actor utilizes a cryptographically relevant quantum computer to break asymmetric cryptographic algorithms, compromising secure communications and data integrity.
Post-quantum traditional hybrid schemes	An adversary with access to a cryptographically relevant quantum computer (CRQC) could decrypt communications protected only by traditional cryptographic algorithms, compromising the confidentiality and integrity of the data.
Using ASD-Approved Cryptographic Protocols	An adversary intercepts communications encrypted with a weak cryptographic protocol, decrypts the data, and gains unauthorized access to sensitive information.
Configuring Transport Layer Security	An attacker intercepts unencrypted or weakly encrypted communications between a client and server, leading to data exposure or manipulation.
Configuring Secure Shell	An attacker exploits vulnerabilities in SSH version 1 to gain unauthorized access to a system.
Authentication mechanisms	An attacker gains unauthorized access to a system by brute-forcing weak passphrase-based SSH authentication.
Automated remote access	Malicious actors exploit unrestricted access from unknown IP addresses to automatically authenticate to systems without passphrases.
SSH-agent	An attacker gains access to a workstation with an unlocked SSH-agent, allowing them to use the cached private keys to access remote systems without needing the passphrase.
Configuring Secure/Multipurpose Internet Mail Extension	An attacker intercepts and decrypts email communications protected by S/MIME version 2.0 due to its weaker cryptography, gaining unauthorized access to sensitive information.
Mode of operation	An attacker intercepts unencrypted IP packets to eavesdrop on sensitive data transmitted over a network.
Protocol selection	An attacker intercepts unencrypted data transmitted over a network, leading to unauthorized access to sensitive information.
Key exchange	An attacker intercepts and decrypts sensitive data transmitted over an IPsec connection due to weak or compromised key exchange mechanisms.
Encryption algorithms	An adversary intercepts encrypted IPsec communications and attempts to decrypt the data using a brute-force attack on weaker encryption algorithms.
Pseudorandom function	An attacker intercepts encrypted communications and attempts to decrypt them by exploiting weak or predictable random data generation.
Integrity algorithms	An attacker intercepts and alters data transmitted over an IPsec connection to manipulate communication between two parties.
Diffie-Hellman groups	An attacker intercepts and decrypts IPsec key exchanges due to weak Diffie-Hellman groups, compromising the confidentiality of the communication.
Security association lifetimes	An attacker gains unauthorized access to a network by exploiting a long-lived security association, allowing them to intercept or manipulate data over an extended period.
Perfect Forward Secrecy	An adversary compromises a long-term private key, allowing them to decrypt past communications that were encrypted using that key.
Implementing gateways	An external attacker exploits a vulnerable service exposed to the internet to gain unauthorized access to the internal network.
System administrators for gateways	An insider with administrative privileges abuses their access to manipulate gateway configurations, allowing unauthorized data exfiltration.
System administration of gateways	A malicious actor gains unauthorized access to a lower security domain network and attempts to pivot to a higher security domain through a compromised gateway.
Authenticating to networks accessed via gateways	An unauthorized individual gains access to a corporate network by exploiting weak or missing authentication mechanisms on a gateway.
Border Gateway Protocol routing security	An attacker hijacks BGP routes to redirect internet traffic through their own network for interception or manipulation.
Gateway event logging	An attacker exploits a vulnerability in a gateway to gain unauthorized access to the network.
Assessment of gateways	Unauthorized access to network resources through misconfigured gateways.
Implementing Cross Domain Solutions	Unauthorized transfer of classified information from a SECRET or TOP SECRET network to a lower classification level network.
Consultation on Cross Domain Solutions	Unauthorized data exfiltration across security domains due to misconfigured Cross Domain Solutions (CDSs).
Separation of data flows	An attacker exploits a vulnerability in a network device to intercept or manipulate data flowing between different security domains.
Cross Domain Solution event logging	An insider with privileged access attempts to exfiltrate sensitive data across domains without authorization.
User training	An untrained user inadvertently clicks on a malicious link in a phishing email, leading to unauthorized access to sensitive systems.
Using firewalls	Unauthorized access to an organization’s internal network from a public network.
Using diodes	An adversary attempts to exfiltrate sensitive data from a secure network to an external server.
Web usage policy	Employees accessing malicious websites leading to malware infections.
Using web proxies	An employee unknowingly accesses a malicious website that hosts malware, leading to a network compromise.
Web proxy event logging	An attacker uses a compromised internal account to exfiltrate sensitive data through web traffic.
Using web content filters	Employees inadvertently accessing malicious websites leading to malware infections.
Transport Layer Security filtering	Malicious actors use encrypted channels to deliver malware or exfiltrate sensitive data without detection.
Allowing and blocking access to domain names	Malicious actors use unauthorized domain names to exfiltrate sensitive data from an organization’s network.
Performing content filtering	Malicious actors attempt to deliver malware or phishing content through email or web traffic to compromise internal systems.
Encrypted files	Malicious actors use encrypted files to bypass network security measures, allowing unauthorized data exfiltration or malware delivery.
Archive files	An attacker embeds malicious content within an archive file to bypass content filtering mechanisms.
Antivirus scanning	A malicious actor uploads a file containing malware to a system to compromise it.
Automated dynamic analysis	An executable file downloaded from the internet contains malware that attempts to establish unauthorized network connections upon execution.
Allowing specific content types	An attacker uploads a malicious executable file disguised as a legitimate document to compromise a system.
Content validation	An attacker uploads a malicious file disguised as a legitimate document to exploit a vulnerability in the file parsing functionality of an application.
Content checking	An insider attempts to exfiltrate sensitive data by embedding it within seemingly innocuous files.
Content conversion	An adversary embeds malicious macros in a Microsoft Word document to execute unauthorized commands when the document is opened.
Content sanitisation	An adversary embeds malicious macros in a Microsoft Office document to execute arbitrary code when the document is opened.
Validating file integrity	An attacker modifies a file in transit to include malicious code, which could compromise the receiving system.
Using peripheral switches	An unauthorized data transfer occurs between systems of differing sensitivity levels connected via a peripheral switch due to insufficient assurance in the switch’s operation.
Data transfer processes and procedures	Unauthorized transfer of sensitive AUSTEO, AGAO, or REL data to foreign systems not cleared to receive such data.
User responsibilities	A user inadvertently transfers sensitive data to an unauthorized system, leading to data exposure.
Manual import of data	An employee unknowingly imports malware-infected files from a USB drive into the corporate network, leading to a system-wide infection.
Authorising export of data	Unauthorized export of SECRET or TOP SECRET data by an insider to an external entity without proper review and authorization.
Manual export of data	An insider with malicious intent exports classified data to removable media without proper authorization, leading to unauthorized disclosure.
Monitoring data import and export	An insider with authorized access exports sensitive data to an unauthorized external location for personal gain or espionage.

How to Use This Table

Start with the Threat Scenario
- Ask: “Is this threat relevant to our environment?”
Check ISM Alignment
- “Do we have the recommended control in place?”
Assess Residual Risk
- “If the control is missing/weak, how does that affect our exposure to this threat?”

Bringing It All Together: A Risk-First Approach

Identify Threat Scenarios (What could go wrong?)
Map to ISM Controls (How does ISM suggest we prevent it?)
Determine Residual Risk (What’s left unmitigated?)

This approach ensures that:

ISM controls are applied where they matter most.
Compliance efforts align with real security outcomes.
Risk decisions are based on actual threats, not just checkboxes.

Next Steps for Practitioners

For Auditors: Don’t just report ISM gaps—explain what threats those gaps expose.
For Security Teams: Use threat modeling (e.g., MITRE ATT&CK) to prioritize ISM control implementation.
For Leadership: Demand risk context, not just compliance status.

Final Thoughts

ISM controls are most effective when tied to real adversarial behaviors, not treated as standalone requirements. By starting with threat scenarios—not just control gaps—we ensure that our security efforts are risk-driven, not just compliance-driven.

Mapping ISM Controls to Threat Scenarios

2025/06/07

He Who Must Not Be Named