As more and more people talk about security, I hear the terms threat, vulnerability, mitigation and risk used, often in what I believe is the wrong context.
There are lots of attempts to define the terms, write taxonomies, etc. There is little point in duplicating this; instead, here is how I think about the terms, using a single worked example…
| Term | Example |
|---|---|
| Threat | Someone could steal my laptop. |
| Threat Actor | A random chancer in this example. Other examples could be someone specifically targeting my laptop (which alters the likelihood and the threat intelligence). |
| Incident | A random chancer steals my laptop. |
| Threat Intelligence | On average, each hotel suffers one incident of theft from rooms per year. |
| Vulnerability | I leave my laptop unattended in a hotel room that has weak room security (see Hotel room zero-factor authentication). |
| Likelihood | I stay in a hotel about 1 day in 20. Combined with my threat intelligence, this suggests the example is relatively rare. |
| Impact | A competitor is able to gain advantage from information on the laptop, if the chancer recognises the data and finds a buyer. |
| Risk | If I leave my laptop in a hotel room, there is a small chance that it will be stolen and company confidential information finds its way to a competitor. |
| Risk Treatment | Mitigation 1. Encrypt the disk, with a boot-level password, and follow operational procedures to ensure the disk is encrypted when unattended. Mitigation 2. Company policy: do not leave laptops in hotel rooms unattended. |
I find these examples easier to relate to than definitions. Do they work for you? Thoughts welcome.