Advances, Systems and Applications

Table 1 ENISA’s list of risk scenarios and their categories

From: A risk assessment model for selecting cloud service providers

| Risk category | Risk name |
| --- | --- |
| Policy & Organizational | P1. Lock-in |
| | P2. Loss of governance |
| | P3. Compliance challenges |
| | P4. Loss of business reputation due to co-tenant activities |
| | P5. Cloud service termination or failure |
| | P6. Cloud provider acquisition |
| | P7. Supply chain failure |
| Technical | T1. Resource exhaustion (under or over provisioning) |
| | T2. Isolation failure |
| | T3. Cloud provider malicious insider - abuse of high privilege roles |
| | T4. Management interface compromise (manipulation, availability of infrastructure) |
| | T5. Intercepting data in transit |
| | T6. Data leakage on up/download, intra-cloud |
| | T7. Insecure or ineffective deletion of data |
| | T8. Distributed denial of service (DDoS) |
| | T9. Economic denial of service (EDOS) |
| | T10. Loss of encryption keys |
| | T11. Undertaking malicious probes or scans |
| | T12. Compromise service engine |
| | T13. Conflicts between customer hardening procedures and cloud environment |
| Legal | L1. Subpoena and e-discovery |
| | L2. Risk from changes of jurisdiction |
| | L3. Data protection risks |
| | L4. Licensing risks |
| Not Specific to the Cloud | N1. Network breaks |
| | N2. Network management (i.e., network congestion / mis-connection / non-optimal use) |
| | N3. Modifying network traffic |
| | N4. Privilege escalation |
| | N5. Social engineering attacks (i.e., impersonation) |
| | N6. Loss or compromise of operational logs |
| | N7. Loss or compromise of security logs (manipulation of forensic investigation) |
| | N8. Backups lost, stolen |
| | N9. Unauthorized access to premises (including physical access to machines and other facilities) |
| | N10. Theft of computer equipment |
| | N11. Natural disasters |