|Change Since 1990||Potential Security Consequence (illustrative, not comprehensive)|
|Cyberphysical systems are physical systems that are controlled at least in part by IT. Physical devices with embedded computing accept data from the physical world (through sensors such as cameras or thermometers) and/or cause changes in the physical world (through actuators such as a motor that causes something to move or a heater that heats a fluid). Such systems are everywhere—in manufacturing assembly lines, chemical production plants, power generation and transmission facilities, automobiles, airplanes, buildings, heating and cooling facilities, and so on—because IT helps to optimize the use and operation of these systems.||IT-based control of cyberphysical systems means that cybersecurity compromises can affect physical systems and may cause death, destruction, or physical damage.|
|Cloud computing has become increasingly popular as a way for businesses (and individuals) to increase the efficiency of their IT operations. By centralizing management and IT infrastructure, cloud computing promises to reduce the cost of computing and increase its accessibility to a geographically dispersed user base.||Concentration of computing resources for many parties potentially offers a “big fat target” for malevolent actors. Cloud computing infrastructure may also provide malevolent actors a platform from which to launch their attack. Greater centralization, however, enables providers of computing services to exercise tighter control over security by highly experienced and more expert security-knowledgeable administrators.|
|The number of Internet users has grown by at least two orders of magnitude in the past two decades, and hundreds of millions of new users (perhaps as many as a billion) will begin to use the Internet as large parts of Africa, South America, and Asia come online in the next decade. Cyberphysical devices will become increasingly connected to the Internet of Things, on the theory that network connections between these devices will enable them to operate more efficiently and effectively.||Inexperienced users are more untutored in the need for security and are thus more vulnerable.
A larger user base means a larger number of potentially malevolent actors.
|The rise of social networking and computing, as exemplified by applications such as Facebook and Twitter, is based on the ability of IT to bring large numbers of people into contact with one another.||Connectivity among friends and contacts offers opportunities for malevolent actors to improperly take advantage of trust relationships.|