Added mitigations and attendant for legal
robmoffat committed Jan 4, 2025
1 parent abad000 commit 321daa0
Showing 7 changed files with 76 additions and 3 deletions.
2 changes: 2 additions & 0 deletions docs/practices/Communication-And-Collaboration/Training.md
Expand Up @@ -19,6 +19,8 @@ practice:
reason: "Ensures that staff are well-trained in operational procedures and best practices."
- tag: Security Risk
reason: "Educates team members on security protocols and practices."
- tag: Legal Risk
reason: "Sometimes, training is required to demonstrate that an organisation complies with certain legal obligations."
attendant:
- tag: Schedule Risk
reason: "Training sessions can take time away from development, impacting schedules."
3 changes: 3 additions & 0 deletions docs/practices/Deployment-And-Operations/Release.md
Expand Up @@ -12,6 +12,7 @@ practice:
- "Software Release Management"
- "Deployment"
- "Launch"
- "Publication"
mitigates:
- tag: Feature Access Risk
reason: Users are able to access the features you release to them.
Expand All @@ -30,6 +31,8 @@ practice:
reason: "Complex release procedures are a source of process risk."
- tag: Reliability Risk
reason: "Releases can introduce discontinuities in software service if not managed well."
- tag: Legal Risk
reason: Publishing or releasing code may involve licensing, Intellectual Property, Liability or other legal compliance."
related:
- ../Planning-and-Management/Change-Management
- ../Tools-and-Standards/Version-Control
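Review bot: The new Legal Risk `reason:` has a closing double quote but no opening one (`reason: Publishing or releasing code may involve ... legal compliance."`). YAML will still parse this as a plain scalar, so the stray `"` ends up in the rendered text; quote it properly, e.g. `reason: "Publishing or releasing code may involve licensing, intellectual property, liability or other legal compliance."`, and lower-case "Intellectual Property" and "Liability" to match the neighbouring entries.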
2 changes: 2 additions & 0 deletions docs/practices/External-Relations/Contracts.md
Expand Up @@ -19,6 +19,8 @@ practice:
reason: "Outlines cost structures and helps manage budget expectations."
- tag: Schedule Risk
reason: "Establishes timelines and milestones to keep the project on track."
- tag: Legal Risk
reason: "A well-written contract establishes the terms under which software is provided or used."
attendant:
- tag: Lock-In Risk
reason: "Contracts can create rigid boundaries that limit flexibility."
2 changes: 2 additions & 0 deletions docs/practices/External-Relations/Fundraising.md
Expand Up @@ -25,6 +25,8 @@ practice:
reason: "Involves giving up a portion of ownership and control to investors."
- tag: Funding Risk
reason: "Creates a dependency on investors and their continued support and introduces pressure to meet investor expectations and deliver returns."
- tag: Legal Risk
reason: "Raising capital invariably involves signing of and adherence to contracts."
related:
- ../Planning-And-Management/Stakeholder-Management
- ../Planning-And-Management/Requirements-Capture
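Review bot: Wording in the new reason, "Raising capital invariably involves signing of and adherence to contracts", is awkward; suggest "Raising capital invariably involves signing and adhering to contracts." Also note the `related:` context lines here use `../Planning-And-Management/...` while Release.md and Outsourcing.md in this same commit use `../Planning-and-Management/...`; on a case-sensitive filesystem only one of those casings will resolve.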
2 changes: 2 additions & 0 deletions docs/practices/External-Relations/Outsourcing.md
Expand Up @@ -28,6 +28,8 @@ practice:
reason: "Sharing responsibilities across multiple organisations can introduce new security risks."
- tag: Market Risk
reason: "Increasing the size of the supply chain introduces risks that the state of that supply chain changes with the market."
- tag: Legal Risk
reason: "Outsourcing relationships may be more legally complex than hiring staff directly."
related:
- ../Planning-and-Management/Contract
- ../Communication-and-Collaboration/Stakeholder-Management
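Review bot: The new Legal Risk reason is fine, but the `related:` entry directly below it points at `../Planning-and-Management/Contract` while this same commit edits the contracts practice at `docs/practices/External-Relations/Contracts.md`; the link target looks stale (wrong directory, singular name) and is worth fixing while touching this file. Likewise `../Communication-and-Collaboration/Stakeholder-Management` here disagrees with Fundraising.md's `../Planning-And-Management/Stakeholder-Management`, so at least one of the two links is likely broken.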
8 changes: 8 additions & 0 deletions docs/risks/Environmental-Risks/Legal-Risk/Legal-Risk.md
Expand Up @@ -14,6 +14,14 @@ tags:
- Risks
- Legal Risk
- Environmental Risk
part_of: Operational Risk
---

<RiskIntro fm={frontMatter} />

Software and software services are becoming an increasingly important part of the modern world. As the [Security Risk](/tags/Security-Risk) article shows, the result is that software has become a critical dependency in the functioning of the modern world, irrespective of whether that software is provided via open source or commercial avenues.

Jurisdictions around the world are working hard to strengthen their xxx against software failure - whether through increased security requirements, supply chain regulations or data controls.

If you are building software, you need to account for the [Legal Risks](/tags/Legal-Risk) around that activity.

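Review bot: A placeholder is still in the second new paragraph: "strengthen their xxx against software failure". Fill in the intended word (for example "defences" or "protections") before merging. Minor: the first paragraph opens by saying software is an increasingly important part of the modern world and concludes that "the result is that software has become a critical dependency in the functioning of the modern world", which restates the premise; the point this page needs is that failures now carry legal consequences, which is what the second and third paragraphs go on to say.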
60 changes: 57 additions & 3 deletions docs/risks/Environmental-Risks/Security-Risk/Security-Risk.md
Expand Up @@ -8,12 +8,13 @@ slug: /risks/Security-Risk
featured:
class: c
element: '<risk class="security" />'
sidebar_position: 3
sidebar_position: 1
tweet: yes
tags:
- Risks
- Security Risk
- Environmental Risk
part_of: Operational Risk
---

<RiskIntro fm={frontMatter} />
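Review bot: `sidebar_position` changes from 3 to 1 in this hunk, which reorders the risks sidebar; the commit message ("Added mitigations and attendant for legal") does not mention it, so confirm the change is intended rather than a leftover from local testing. The `part_of: Operational Risk` addition is consistent with the same line added to Legal-Risk.md in this commit.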
Expand Down Expand Up @@ -60,11 +61,64 @@ It is estimated that [Fortune 500 companies suffered $5.4bn of losses](https://n

## Example Threats

**See:** [Mitre Att&ck](https://attack.mitre.org) is a database of Security Risk threats, broken down into:
### 1. Cybersecurity Threats

Some examples include malware, phishing, Zero-Day Exploits and Distributed Denial of Service (DDos) attacks.

**See:** [Mitre Att&ck](https://attack.mitre.org) is a database of Cyber-Security Risk threats, broken down into:

- Tactics: the reasons why an adversary is performing an action.
- Techniques: how the adversary will attack.
- Defences: things you can do to defend against adversaries.


##
### 2. Physical Security Threats

**Threat:** External actors engaged in unauthorized access, theft or vandalism.

**Threat:** Natural disasters such as fires, floods or earthquakes.

### 3. Personnel-Based Threats

**Threat**: Insider attacks (see [Agency Risk](tag/Agency-Risk) for more examples.

**Threat**: Social engineering - persuading employees to reveal sensitive information or grant elevated access.

### 4. Software Supply Chain Threats

**Threat**: The software supply chain - malware can be embedded in third-party components.


#### Examples of Common Supply Chain Attacks

| Attack Name | Description | Example |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|
| [Dependency/Manifest Confusion](https://fossa.com/blog/dependency-confusion-understanding-preventing-attacks/) | An attacker publishes a package with the same name as a private package used by a specific company but in a public repository. If the company's build system is not properly configured, it may pull the malicious public package instead of the intended private one. | [Alex Birsan](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610) |
| [Package Stealing/Hijacking](https://jfrog.com/blog/five-examples-of-infection-methods-attackers-use-to-spread-malicious-packages/#Software-Package-Hijacking) | Attackers can sometimes take over abandoned or poorly maintained packages and introduce malicious changes. They then publish the updated malicious version, and dependent systems automatically pull in these updates. | [us-parser-js](https://www.rapid7.com/blog/post/2021/10/25/npm-library-ua-parser-js-hijacked-what-you-need-to-know/) |
| [Malicious Forks/Masquerading](https://www.bleepingcomputer.com/news/security/35-000-code-repos-not-hacked-but-clones-flood-github-to-serve-malware/) | An attacker might create a fork of a popular open-source project, introduce malicious changes, and then attempt to promote or advertise this fork to unsuspecting users. | [Stephen Lacy](https://twitter.com/stephenlacy/status/1554697077430505473) |
| [RepoJacking](https://www.bleepingcomputer.com/news/security/millions-of-github-repos-likely-vulnerable-to-repojacking-researchers-say/) | An attack where a malicious actor registers a username and creates a repository used by an organization in the past but which has since changed its name. Doing so results in any project or code that relies on the dependencies of the attacked project to fetch dependencies and code from the attacker-controlled repository, which could contain malware. | [CTX](https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-analysis-repo-jacking/) |
| [Piggybacking on Legitimate Packages/Pull Request Sneaking](https://github.com/mortenson/pr-sneaking) | Some attackers contribute malicious code to popular and legitimate projects, usually through pull requests. If not thoroughly reviewed, the malicious code might get merged into the main project. | [Teleport](https://goteleport.com/blog/hack-via-pull-request/) |
| [Download Count Inflation/Star Jacking](https://www.crn.com/news/security/checkmarx-attackers-hijacking-github-ratings-to-infect-as-many-targets-as-possible-) | To make a malicious package look popular and trustworthy, attackers artificially inflate the download count. | [Pampyio](https://www.pepy.tech/projects/pampyio) |
| [Trojan Package](https://jfrog.com/blog/five-examples-of-infection-methods-attackers-use-to-spread-malicious-packages/#Trojan-Package) | In the trojan package infection method, the attacker publishes a fully functional library but hides malicious code in it. | `lemaaa` |
| [Joke Packages](https://dev.to/codesphere/javascript-flaws-5-stupid-npm-packages-5fi) | Not strictly an attack, but publishing packages as jokes. Can harm the supply chain and cause dependency bloat. | [true](https://www.npmjs.com/package/true) |
| [Cache Poisoning](https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/) | Exploiting weaknesses in parameter handling by package managers. | [Rack](https://security.snyk.io/vuln/SNYK-RUBY-RACK-1061917) |
| [TypoSquatting](https://jfrog.com/blog/five-examples-of-infection-methods-attackers-use-to-spread-malicious-packages/#Typosquatting) | Typosquatting is the practice of obtaining (or squatting) a famous name with a slight typographical error. | "Amzon.com" | |

**See:** [JFrog Blog on Infection Methods](https://jfrog.com/blog/five-examples-of-infection-methods-attackers-use-to-spread-malicious-packages/)

### 5. Hardware Supply Chain Threats

**Threat**: Malicious modifications to hardware components.

**See**:
- [Alleged compromised chip in a network router](https://www.theverge.com/2018/10/5/17942838/apple-amazon-china-hack-servers-supermicro)
- [concerns around Huawei](https://news.sky.com/story/huawei-blocked-tech-must-be-stripped-from-uks-5g-network-by-2027-12028177)
- [The NSA modifying hardware](https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/).

### 6. Emerging Technology Risks

**Threat**: Internet-of-Things (IOT) smart devices get exploited (e.g. baby monitors, thermostats).

**Threat**: AI tools generating personalised phishing emails, deepfakes, spam.

**Threat**: Eventually, quantum computing may pose a threat to existing encryption algorithms.

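Review bot: In the Personnel-Based Threats section the parenthesis is never closed and the link is malformed: "(see [Agency Risk](tag/Agency-Risk) for more examples." should read "(see [Agency Risk](/tags/Agency-Risk) for more examples)." to match the `/tags/Security-Risk` link form used in Legal-Risk.md. Smaller points in the same hunk: "DDos" should be "DDoS"; the Package Stealing/Hijacking example is labelled "us-parser-js" but the linked Rapid7 article is about `ua-parser-js`; the TypoSquatting row ends with an extra `| |` cell, which renders as an empty fourth column; "Internet-of-Things (IOT)" is normally written "IoT"; and the two consecutive blank lines before "#### Examples of Common Supply Chain Attacks" can be collapsed to one.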