Apple vs. AT&T

There is much debate in the information security world regarding the proper
definition of security. I have seen dozens of definitions over the years, but
I feel the following option most completely and succinctly captures it.

There are a few things I like about this definition.

  1. Process, i.e. it doesn’t end.

  2. Acceptable. This alludes to the fact that the organization’s upper management
     decides—based on the entity’s goals as a whole—how much risk to take on.
     The crucial piece here is that this isn’t for security professionals to decide.

  3. Perceived. In short, “you don’t know what you don’t know”. And this is where
     security professionals come in. Their entire job is to ensure that
     management is making informed decisions.

Risk

As we all know, it’s not a good idea to use words with disputed definitions
as part of another definition. And since risk is one such word, I’ll clarify
briefly how I define risk.

In general, I prefer NIST’s description from NIST Publication SP 800-30:

This reveals a few primary components: likelihood, threat-source,
vulnerability, and impact. The word “function” used in the definition is
pivotal; it reveals that if any of the values increase or decrease, the
total risk does as well. I also prefer to add asset value to the equation,
and this is a popular choice.
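To make the “function” point concrete, here is an added example (not code from the original post, and not anything NIST publishes) that scores a small, constructed risk register from the five components named above. NIST SP 800-30 only says risk is a function of these factors; the product form used here, the 1..5 rating scale, the scenario names and the appetite threshold are all assumptions chosen for illustration. The `is_monotone` check demonstrates the property the text describes: raise any one factor and the total risk rises with it.

```python
from dataclasses import dataclass, fields, replace


@dataclass(frozen=True)
class Scenario:
    """One line of a constructed risk register. Every factor is a 1..5 rating
    (very low .. very high); the scale and the scenarios are illustrative."""
    name: str
    likelihood: int     # chance the threat event occurs
    threat_source: int  # capability and intent of the actor or hazard
    vulnerability: int  # severity of the weakness that would be exploited
    impact: int         # harm to the organisation if the event occurs
    asset_value: int    # the extra factor the text prefers to include

    def factors(self) -> list:
        return [getattr(self, f.name) for f in fields(self) if f.name != "name"]


def risk(s: Scenario) -> int:
    """Assumed product form of 'risk is a function of ...'. Any strictly
    increasing combination would do; the product keeps the demo simple."""
    factors = s.factors()
    if any(not 1 <= f <= 5 for f in factors):
        raise ValueError("every factor must be rated 1..5")
    score = 1
    for f in factors:
        score *= f
    return score  # 1 .. 3125


def is_monotone(s: Scenario) -> bool:
    """The 'function' property from the text: raising any single factor by one
    (where it is not already at the top of the scale) never lowers the score."""
    base = risk(s)
    for f in fields(Scenario):
        if f.name == "name":
            continue
        current = getattr(s, f.name)
        if current < 5 and risk(replace(s, **{f.name: current + 1})) <= base:
            return False
    return True


def rank(register: list) -> list:
    """Highest risk first, the order a register is normally reviewed in."""
    return sorted(register, key=risk, reverse=True)


def above_appetite(register: list, threshold: int) -> list:
    """Scenarios that exceed the level management has declared acceptable.
    The threshold is management's call, not the security team's (point 2 above)."""
    return [s.name for s in register if risk(s) > threshold]


# Constructed sample register (illustrative ratings, not measured data).
REGISTER = [
    Scenario("phishing against finance staff", likelihood=4, threat_source=4,
             vulnerability=3, impact=4, asset_value=4),
    Scenario("lost unencrypted laptop", likelihood=3, threat_source=2,
             vulnerability=4, impact=3, asset_value=3),
    Scenario("defaced marketing microsite", likelihood=4, threat_source=3,
             vulnerability=3, impact=2, asset_value=1),
]

if __name__ == "__main__":
    for s in rank(REGISTER):
        print(f"{risk(s):5d}  {s.name}")
    print("above appetite (threshold 200):", above_appetite(REGISTER, 200))
```

The exact combining rule matters far less than the shape of it: as long as the function is increasing in every component, a reviewer can reason about which factor a control reduces (a patch lowers vulnerability, MFA lowers likelihood, backups lower impact) without arguing about the arithmetic.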

Ultimately, however, the definition of risk can be reduced to a much more
usable, less academic form, and this is the way you are going to be most
successful communicating it with those who are not security professionals.

So when should you use one definition vs. the other? In general, use the
simple version. Getting entangled in the infinite number of ways risk can be
calculated is something to avoid. It drains time and rarely accomplishes
anything when broken down much farther than is described above.

Summary

So, written out (i.e. without the word “risk”) we arrive at:

…and once again, in its more succinct and elegant form:

Links

Security | wikipedia.org
NIST Publication 800-30 | nist.org
Risk, Threat and Vulnerability | taosecurity.blogspot.com

Gerald Businge
