A research department runs a statistical analysis over a large data set. The software used is formally approved for the deployed database system and appears to run without errors. Only weeks later, a random sample shows: every result is wrong. The cause — a silent compatibility issue between the application and the database version.
Malfunctions are among the most insidious IT threats because they often occur without a visible error message. BSI lists them as elementary threat G 0.26 and emphasises: all three protection goals — confidentiality, integrity and availability — can be affected.
What’s behind it?
Modern IT systems are complex — and with complexity comes a growing number of potential points of failure. Malfunctions arise when hardware or software does not operate as intended, while the system still appears to be running. This distinguishes them from total failure (G 0.25), which is immediately apparent.
Causes of malfunction
- Material fatigue and wear — Mechanical components such as fans, hard drives and connectors degrade over time. Sporadic faults often signal an eventual failure weeks in advance.
- Conceptual weaknesses — Missing error handling in software, inadequate input validation or flawed algorithms lead to incorrect results.
- Exceeding operational limits — When a system is operated under load conditions for which it is not designed (too many concurrent users, excessive temperatures), intermittent faults occur.
- Incompatibilities — Unsupported combinations of operating system, driver and application produce subtle faults that surface in random samples but rarely in superficial tests.
- Missing maintenance — Clogged ventilation grilles, outdated firmware, uncalibrated sensors.
Impact
The real risk lies in how long a malfunction takes to detect. A faulty calculation that remains unnoticed for months can cause business decisions to rest on wrong foundations. Compromised database integrity requires extensive forensics to determine the point of first corruption and identify all affected records. Confidentiality is affected when malfunctions cause access controls to fail.
Practical examples
Overheating storage system. A storage array in a server room has a clogged ventilation grille. It does not fail completely but shows sporadic write errors. Only after several weeks does an administrator notice that stored files are incomplete. Reconstructing the affected data holdings takes weeks.
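Added example, not part of the BSI material: a checksum manifest kept apart from the storage array is audited to list the damaged files and to bracket the point of first corruption mentioned under Impact. File names, timestamps and contents are constructed, and `record` and `audit` are hypothetical helper names.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class ManifestEntry:
    name: str
    written_at: str  # ISO 8601 write time, recorded by the writer
    size: int
    sha256: str

def record(name, written_at, data):
    """Manifest entry computed from the bytes the application intended to write."""
    return ManifestEntry(name, written_at, len(data), hashlib.sha256(data).hexdigest())

def audit(manifest, read_back):
    """Compare what storage returns now against the manifest.

    Returns (first_bad_write, last_good_write_before_it, findings); findings maps
    each damaged file to 'missing', 'truncated' or 'altered'.
    """
    findings = {}
    for e in manifest:
        data = read_back(e.name)
        if data is None:
            findings[e.name] = "missing"
        elif len(data) < e.size:
            findings[e.name] = "truncated"
        elif len(data) != e.size or hashlib.sha256(data).hexdigest() != e.sha256:
            findings[e.name] = "altered"
    ordered = sorted(manifest, key=lambda e: e.written_at)
    bad = [e.written_at for e in ordered if e.name in findings]
    if not bad:
        return None, None, findings
    good_before = [e.written_at for e in ordered
                   if e.written_at < bad[0] and e.name not in findings]
    return bad[0], (good_before[-1] if good_before else None), findings

# Constructed sample: five writes, two of them damaged by the storage layer.
INTENDED = {
    "a.dat": ("2024-03-01T08:00:00", b"alpha" * 100),
    "b.dat": ("2024-03-04T08:00:00", b"bravo" * 100),
    "c.dat": ("2024-03-09T08:00:00", b"charl" * 100),
    "d.dat": ("2024-03-12T08:00:00", b"delta" * 100),
    "e.dat": ("2024-03-15T08:00:00", b"echo!" * 100),
}
MANIFEST = [record(n, t, d) for n, (t, d) in INTENDED.items()]
STORED = {n: d for n, (_, d) in INTENDED.items()}
STORED["c.dat"] = STORED["c.dat"][:120]            # incomplete write
STORED["e.dat"] = STORED["e.dat"][:-1] + b"\x00"   # same size, damaged content
```

The fault began somewhere between the last good write and the first bad one; files written later that still verify (here `d.dat`) show that the errors are sporadic rather than continuous.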
Incompatible analysis software. A department uses a statistical application that, according to the vendor documentation, is not approved for the deployed database system. The analysis appears to work but systematically produces wrong values. The flawed results feed into a quarterly report before a random sample reveals the error.
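Added example, not from the BSI material: a known-answer acceptance test of the kind A.8.29 and OPS.1.1.6 call for, which runs the analysis query on a reference data set whose result is known independently. As a constructed stand-in for the unspecified incompatibility, it uses SQLite and an import step that writes numbers with a decimal comma; the table layout and function names are hypothetical.

```python
import sqlite3
import statistics

# Constructed reference data; the expected mean is computed outside the database.
REFERENCE = [1.5, 2.5, 3.5, 4.5]
EXPECTED_MEAN = statistics.fmean(REFERENCE)

def load(conn, values, decimal_sep="."):
    """Hypothetical import step: the application stores measurements as text."""
    conn.execute("CREATE TABLE m (v TEXT)")
    conn.executemany(
        "INSERT INTO m VALUES (?)",
        [(f"{x:.1f}".replace(".", decimal_sep),) for x in values],
    )

def db_mean(conn):
    """The analysis query as the application would issue it."""
    return conn.execute("SELECT AVG(CAST(v AS REAL)) FROM m").fetchone()[0]

def acceptance_check(decimal_sep, rel_tol=1e-9):
    """Return (passed, value_from_database) for the given import convention."""
    conn = sqlite3.connect(":memory:")
    try:
        load(conn, REFERENCE, decimal_sep)
        got = db_mean(conn)
    finally:
        conn.close()
    passed = abs(got - EXPECTED_MEAN) <= rel_tol * abs(EXPECTED_MEAN)
    return passed, got

if __name__ == "__main__":
    for sep in (".", ","):
        print(repr(sep), acceptance_check(sep))
```

With the decimal comma, SQLite's `CAST` keeps only the numeric prefix of each value, so the query returns a plausible but wrong mean without raising any error; only the comparison against the independent reference exposes it.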
Network switch with defective port. A single port on a network switch transmits packets with sporadic bit errors. The affected workstation experiences occasional connection drops and corrupted file transfers. Because the errors are intermittent, it takes weeks of fault diagnosis before the defective port is identified.
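Added example, not part of the BSI material: monitoring logic in the sense of A.8.16 that turns cumulative per-port counters into per-interval error ratios, so that a port with intermittent bursts stands out even though most of its intervals are clean. Port names, counter values and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (poll time, port, cumulative rx frames, cumulative rx CRC errors)
SAMPLES = [
    ("10:00", "ge-0/1", 1_000_000, 0), ("10:00", "ge-0/7", 500_000, 2),
    ("10:05", "ge-0/1", 1_200_000, 0), ("10:05", "ge-0/7", 560_000, 2),
    ("10:10", "ge-0/1", 1_400_000, 1), ("10:10", "ge-0/7", 610_000, 95),
    ("10:15", "ge-0/1", 1_600_000, 1), ("10:15", "ge-0/7", 660_000, 95),
    ("10:20", "ge-0/1", 50_000, 0),    ("10:20", "ge-0/7", 720_000, 171),
    ("10:25", "ge-0/1", 250_000, 0),   ("10:25", "ge-0/7", 770_000, 171),
]

def interval_error_rates(samples):
    """Per port, the CRC error ratio of each polling interval.

    An interval in which a counter went backwards (reboot, counter clear) is
    skipped instead of being reported as a huge or negative rate.
    """
    last = {}
    rates = defaultdict(list)
    for when, port, frames, errors in samples:
        if port in last:
            d_frames = frames - last[port][0]
            d_errors = errors - last[port][1]
            if d_frames > 0 and d_errors >= 0:
                rates[port].append((when, d_errors / d_frames))
        last[port] = (frames, errors)
    return dict(rates)

def suspect_ports(samples, threshold=1e-4, min_bad_intervals=2):
    """Ports whose error ratio exceeded the threshold in several intervals."""
    out = {}
    for port, series in interval_error_rates(samples).items():
        bad = [when for when, rate in series if rate > threshold]
        if len(bad) >= min_bad_intervals:
            out[port] = bad
    return out

if __name__ == "__main__":
    print(suspect_ports(SAMPLES))
```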
Relevant controls
The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 33 mapped controls below in the section ‘ISO 27001 Controls Covering This Threat’.)
Prevention:
- A.8.8 — Management of technical vulnerabilities: Regular firmware updates and patches fix known bugs that cause malfunctions.
- A.7.13 — Equipment maintenance: Scheduled maintenance cycles detect wear before it leads to malfunction.
- A.8.19 — Installation of software on operational systems: Controlled software approval prevents incompatible configurations.
- A.8.29 — Security testing in development and acceptance: Tests before production use uncover incompatibilities and faulty behaviour.
Detection:
- A.8.15 — Logging: Central logging captures error messages, warnings and anomalies.
- A.8.16 — Monitoring activities: Monitoring detects performance drops, increased error rates and deviations from normal behaviour.
- A.5.34 — Privacy and protection of personal identifiable information (PII): Integrity checks protect against unnoticed data corruption.
Response:
- A.5.24 — Information security incident management planning and preparation: Documented procedures for handling detected malfunctions.
- A.8.14 — Redundancy of information processing facilities: Redundant systems can take over while the faulty system is repaired.
BSI IT-Grundschutz
G 0.26 is linked by the BSI IT-Grundschutz catalogue to the following modules:
- OPS.1.1.6 (Software tests and approvals) — Requirements for testing and acceptance before productive use.
- SYS.1.1 (General server) — Basic protection and maintenance requirements.
- INF.2 (Data centre and server room) — Physical protection measures against environment-related malfunctions.
- OPS.1.1.7 (Systems management) — Monitoring and proactive management of system states.
Sources
- BSI: The State of IT Security in Germany — Annual report with current statistics on IT disruptions
- BSI IT-Grundschutz: Elementary Threats, G 0.26 — Original description of the elementary threat
- ISO/IEC 27002:2022 Section 7.13 — Implementation guidance on equipment maintenance