It's best classified according to the nature of the risks:
PEOPLE are often referred to as 'insider' risks. Employees or subcontractors/vendors become a security risk when, knowingly or unknowingly, they work in a way that creates a risk to information security.
Examples include sharing passwords, talking about clients on Facebook and in chat rooms, and losing assets such as laptops.
ASSETS are mostly the hardware and software used by the organisation, but also include buildings and other data storage areas.
Vendors/Subcontractors often have as much or more access to company systems, without the training or monitoring of their use. Often there is no exit strategy on contract completion. Vendors/Subcontractors can also be people working from home, such as recruiters and data analysts. Vendors can also be providers of cloud services, software developers and other similar services. Data is often communicated via email, and companies rarely check that virus protection etc. is in place or have a process to ensure data is securely removed from vendor assets after the project.
Here you’re looking for a quick comeback for any position that will involve system administration (see system security). If they don’t know how to change their DNS server in the two most popular operating systems in the world, then you’re likely working with someone very junior or otherwise highly abstracted from the real world.
• COMPUTERS – data loss through network and hardware failure, breach of systems and hardware infection
• HACKERS/MALWARE/VIRUS – infect computer software and hardware, including mobile hardware