Every time I speak with someone or read something regarding some of the most core terminology in the security and risk management field, I start to question whether they really know what they’re talking about. Even worse, some speak with so many words and such arrogance that I start to question whether I know what I’m talking about! To try to combat those issues, I’ve collected a list of terms that sometimes get confusing and have cobbled together definitions for them. While these may not be 100% technically correct, for the layman they have proven helpful to me whenever the pundits talk in circles to make themselves feel important. The ones that probably garner the most confusion in their use are Risk, Threat and Vulnerability.
- Risk: A risk is a chance of something bad happening. That’s probably the best one. More technically, it’s the combination of the probability of an event and its consequence. The common equation is [Risk = Threat x Vulnerability – Controls], or some variation of that.
- Threat: A potential cause of an unwanted impact to an asset, system or organization. (I know there are threat agents and threat events, which are different, but I’ve never really seen anyone use these in an intelligible, useful way that impacts any decisions that executives make).
- Vulnerability: Any weakness that makes an information asset susceptible to exploitation by a threat. Calling this a weakness is good as well, or a hole, or a problem area—they’re all close enough for darts.
- Control: (see also Countermeasure or Safeguard) An action, process, device, or system that can prevent, or mitigate the effects of, a threat acting on a vulnerability. It’s something that diminishes the ability of a threat to act on a vulnerability.
- Risk Management: The process of determining an acceptable level of perceived risk, assessing the current level of risk, taking steps to reduce risk to the acceptable level, and maintaining that level of risk.
- Security: The ability to protect information and organizational resources with respect to confidentiality and integrity (and availability, as most authorities will state), although Ken Stasiak would argue that availability is an IT operations problem, not a part of security (see his blog on the subject).
- Privacy: As it pertains to information and security, probably the most useful definition is: protection and proper (appropriate) use of anyone’s personal information that you hold. More formally, it is the proper collection (i.e., with a legitimate business need for the information), safeguarding, use, and ultimately destruction of personally identifiable information (PII).
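To show how the Risk and Risk Management definitions above fit together, here is a small worked example (added here, not part of the original post or the iRisk material): the post’s informal equation, Risk = Threat x Vulnerability – Controls, applied to a constructed risk register against an acceptable level of risk. The 1–5 scoring scale, the risk appetite of 8, and the three register entries are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed risk appetite: the "acceptable level of perceived risk" from the
# Risk Management definition, on the 1-25 inherent-risk scale used below.
ACCEPTABLE_RISK = 8


@dataclass
class RiskItem:
    asset: str
    threat: int          # likelihood a threat acts: 1 (rare) .. 5 (expected); assumed scale
    vulnerability: int   # severity of the weakness: 1 (minor) .. 5 (critical); assumed scale
    controls: int        # risk reduction credited to controls already in place

    def inherent(self) -> int:
        """Risk before controls: Threat x Vulnerability."""
        return self.threat * self.vulnerability

    def residual(self) -> int:
        """Risk after controls, per the post's equation, floored at zero."""
        return max(0, self.inherent() - self.controls)


def above_appetite(register, appetite=ACCEPTABLE_RISK):
    """Assess the current level: return the assets still above the acceptable level."""
    return [item.asset for item in register if item.residual() > appetite]


def controls_needed(item, appetite=ACCEPTABLE_RISK):
    """How much additional control credit brings this item down to the acceptable level."""
    return max(0, item.residual() - appetite)


# Constructed sample register (hypothetical assets and scores).
REGISTER = [
    RiskItem("customer PII database", threat=4, vulnerability=5, controls=6),
    RiskItem("public marketing site", threat=5, vulnerability=2, controls=4),
    RiskItem("internal wiki", threat=2, vulnerability=3, controls=0),
]


if __name__ == "__main__":
    for item in REGISTER:
        print(f"{item.asset}: inherent={item.inherent()} residual={item.residual()} "
              f"extra controls needed={controls_needed(item)}")
    print("Above appetite:", above_appetite(REGISTER))
```

Running the register shows the point of the Risk Management definition: only the PII database (inherent 20, residual 14) sits above the acceptable level, and it needs 6 more points of control credit to get there, while the other two assets are already within appetite and simply need to be kept that way.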
Feel free to comment, blow them up or come up with something better. I’ll take the feedback from any comments and add an update where it makes sense. We’ll be rolling out deeper information about the iRisk equation in the coming months, so be on the lookout for further case studies and blogs. Hope this was helpful!