CWRAF Vignette Details - Domain human-res

The MITRE Corporation
Copyright © 2013
http://cwe.mitre.org/cwraf/

CWRAF version: 0.8.3

Date: April 3, 2013

Project Coordinator: Bob Martin (MITRE)

Document Editor: Steve Christey (MITRE)

CWRAF Vignettes - human-res

Within the Common Weakness Risk Analysis Framework (CWRAF), a vignette provides a shareable, formalized way to define a particular environment, the role that software plays within that environment, and an organization's priorities with respect to software security. It identifies essential resources and capabilities, as well as their importance relative to security principles such as confidentiality, integrity, and availability. For example, in an e-commerce context, 99.999% uptime may be a strong business requirement that drives the interpretation of the severity of discovered weaknesses.

Vignettes allow CWSS to support diverse audiences who may have different requirements for how to prioritize weaknesses. CWSS scoring can occur within the context of a vignette.

This page currently contains details for 1 vignette within the "human-res" domain. These are illustrative only; the CWRAF community will help to refine these and develop others. Feedback is welcome.

Vignette Summary

Name | Description
---- | -----------
Employee Compensation | Product for managing employee salary and bonuses. PII includes salary, financial transaction (e.g. for direct deposit), social security number, home address, etc.

Vignette Details

Vignette Definition: Employee Compensation

Name: Employee Compensation
ID: emp-comp
Maturity: stub
Domain: human-res
Description: Product for managing employee salary and bonuses. PII includes salary, financial transaction (e.g. for direct deposit), social security number, home address, etc.
Archetypes: Web server, Web browser, Database
Business Value Context (BVC): Confidentiality is important to minimize exposure to lawsuits, adverse impacts on morale, and identity theft. Integrity is critical to ensure that employee salary is not modified, nor the destinations of financial transfers (e.g., modifying a bank account number for direct deposit). Availability is important for timely dispensation of paychecks; otherwise there could be adverse impacts on morale and possibly higher attrition rates if employees do not feel they can count on being paid on time.
Notes: (none)
References: No references recorded.

Technical Impact Scorecard

Impact | Layer | Subscore | Notes
------ | ----- | -------- | -----
Modify data | System | |
Modify data | Application | 10 | Potential modification of salary or account information for financial transactions such as direct deposit.
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | 7 | Leak of salary information; adverse impact on morale.
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | 5 | Delay in, or inability to, issue paychecks; adverse impacts on morale and possibly higher attrition rates if employees do not feel they can count on being paid on time.
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | 5 | Delay in, or inability to, issue paychecks; adverse impacts on morale and possibly higher attrition rates if employees do not feel they can count on being paid on time.
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | 10 | Potential modification of salary or account information for financial transactions such as direct deposit.
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | 7 |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | 7 |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | 4 | Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Network | 4 | Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Enterprise | |

Page Last Updated: January 18, 2017