
A Concise Definition of Four Commonly Misused Security Terms


1.     Information Assets (a thing):

1.1.   Information assets (IA) may include database records, software code, critical company data, & other intangible items.  These intangibles may include reputation and other proprietary information.

1.2.   The goal of an information security system is to ensure that confidential IA remain confidential.

2.     Threat (an agent, actor, or person):

2.1.   The term “threat” refers to the source and means of a particular type of attack.

2.2.   Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.

2.3.   The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

2.4.   Threats can be classified into three general categories:

2.4.1.      Natural Threats: Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.

2.4.2.      Human Threats: Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network based attacks, malicious software upload, unauthorized access to confidential information).

2.4.3.      Environmental Threats: Long-term power failure, pollution, chemicals, liquid leakage.

2.5.   Threats exploit vulnerabilities.

3.      Vulnerability (a state):

3.1.   The term “vulnerability” refers to: the weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.

3.2.   A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

3.3.   Any weakness, administrative process, or act or physical exposure that makes an information asset susceptible to exploit by a threat.

3.4.   Historically, the HOS (Human Operating System) – not Microsoft products – is the source of most vulnerabilities.

3.5.   Perhaps the most interesting vulnerabilities, however, are those found in the security controls themselves.

4.     Risk (a probability):

4.1.   The term “risk” refers to the likelihood of being targeted by a given attack, of an attack being successful, and general exposure to a given threat. Risk is also characterized as an “attack surface”.

4.2.   A commonly used risk equation is: R = (IA x T x V)/100, but although this formula looks objective, its inputs are often so subjective as to make the analysis relative at best, & arbitrary at worst.

4.3.   Still, the key to developing a practical information security system is to classify risks in some fashion, & then to economically reduce risks to either “reasonable” levels, or – in the case of many organizations – a level mandated by regulation.
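As an added illustration (not from the post), the following Python scores a small constructed risk register with the post's formula R = (IA x T x V)/100, ranks the items, and bands them into assumed "low/medium/high" levels. The 1-10 scales, the band thresholds and the sample items are all assumptions; the point it makes is the one in 4.2: a one-point change in a single subjective input is enough to flip the ranking.

```python
from dataclasses import dataclass, replace

# Assumed scales: the post gives R = (IA x T x V)/100 but no units,
# so each factor is scored 1-10 here, giving R in the range 0.01 .. 10.
@dataclass(frozen=True)
class RiskItem:
    name: str
    asset_value: int    # IA: importance of the information asset, 1-10
    threat: int         # T: likelihood a threat-source exercises the weakness, 1-10
    vulnerability: int  # V: severity / exposure of the weakness, 1-10

def risk_score(item: RiskItem) -> float:
    """The post's formula: R = (IA x T x V) / 100."""
    for factor in (item.asset_value, item.threat, item.vulnerability):
        if not 1 <= factor <= 10:
            raise ValueError("each factor must be scored 1-10")
    return item.asset_value * item.threat * item.vulnerability / 100

def classify(score: float) -> str:
    """Assumed example policy bands (section 4.3 leaves the levels to the organization)."""
    if score >= 5.0:
        return "high"
    if score >= 2.0:
        return "medium"
    return "low"

def ranking(items: list[RiskItem]) -> list[str]:
    """Item names ordered from highest to lowest R."""
    return [i.name for i in sorted(items, key=risk_score, reverse=True)]

def residual(item: RiskItem, new_vulnerability: int) -> RiskItem:
    """Model a control that reduces V (4.3: reduce risk to a 'reasonable' level)."""
    return replace(item, vulnerability=new_vulnerability)

# Constructed sample register, scored by two assessors who agree on everything
# except the threat likelihood against the customer database (6 vs 7).
ASSESSOR_A = [
    RiskItem("customer database", 9, 6, 5),   # R = 2.70
    RiskItem("public web server", 4, 9, 8),   # R = 2.88
]
ASSESSOR_B = [
    RiskItem("customer database", 9, 7, 5),   # R = 3.15
    RiskItem("public web server", 4, 9, 8),   # R = 2.88
]

if __name__ == "__main__":
    for label, register in (("A", ASSESSOR_A), ("B", ASSESSOR_B)):
        print(f"assessor {label}:", [(i.name, risk_score(i), classify(risk_score(i))) for i in register])
        print("  ranking:", ranking(register))
```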

The post A Concise Definition of Four Commonly Misused Security Terms appeared first on Battle Magic Security.
