Security Basics mailing list archives

The Definitions of Security and Risk


From: "Daniel Miessler" <daniel () dmiessler com>
Date: Wed, 3 Sep 2008 10:41:00 -0400

What follows is an argument for my preferred definition of Security
(and risk). First I will give the link to the original article,
located on my website, which is formatted nicely.

http://dmiessler.com/blog/my-preferred-definition-of-security

And below is the article itself, in plain text.

--

There is much debate in the information security world regarding the
proper definition of security. I have seen dozens of definitions over
the years, but I feel the following option most completely and
succinctly captures it.

"The process of maintaining an acceptable level of perceived risk."

There are a few things I like about this definition.

1. PROCESS. i.e. it doesn't end.
2. ACCEPTABLE. This alludes to the fact that the organization's upper
management decides—based on the entity's goals as a whole—how much
risk to take on. The crucial piece here is that this isn't for
security professionals to decide.
3. PERCEIVED. In short, "you don't know what you don't know". And this
is where security professionals come in. Their entire job is to ensure
that management is making informed decisions.

Risk

As we all know, it's not a good idea to use words with disputed
definitions as part of another definition. And since risk is one such
word, I'll clarify briefly how I define risk.
In general, I prefer NIST's description from NIST Publication SP 800-30:

"Risk is a function of the likelihood of a given threat-source's
exercising a particular potential vulnerability, and the resulting
impact of that adverse event on the organization. To determine the
likelihood of a future adverse event, threats to an IT system must be
analyzed in conjunction with the potential vulnerabilities and the
controls in place for the IT system."

This reveals a few primary components: likelihood, threat-source,
vulnerability, and impact. The word "function" used in the definition
is pivotal; it reveals that if any of the values increase or decrease,
the total risk does as well. I also prefer to add asset value to the
equation, and this is a popular choice.

Ultimately, however, the definition of risk can be reduced to a much
more usable, less academic form, and this is the way you are going to
be most successful communicating it with those who are not security
professionals.

"A risk is a chance of something bad happening."

Too simple? Not really. It's instantly understandable to virtually
everyone, but at the same time it does not contradict the more complex
definitions. So when should you use one definition vs. the other? In
general, use the simple version. Getting entangled in the infinite
number of ways risk can be calculated is something to avoid. It drains
time and rarely accomplishes anything when broken down much farther
than is described above.

Summary

So, written out (i.e. without the word "risk") we arrive at:

"Security is the process of maintaining, based on what we know, an
acceptable level of likelihood that something bad will happen to the
organization."

…and once again, in its more succinct and elegant form:

"Security is the process of maintaining an acceptable level of perceived risk."

Links

[ Security | wikipedia.org ]
[ NIST Publication 800-30 | nist.org ]
[ Risk, Threat and Vulnerability | taosecurity.blogspot.com ]

--

Comments are welcome. I'd like to hear whether or not you guys feel
this approach is flawed in any way, and if so, what's a superior
alternative.

Regards,

--
Daniel Miessler
E: Daniel () dmiessler com
W: http://dmiessler.com
P: 0xD4A8FFF6
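As an added illustration of the NIST SP 800-30 view quoted in the post (this is editor-written example code, not part of Daniel's message and not anything NIST publishes), the following models risk as a function of likelihood, the controls in place, impact and asset value, and models "security" as keeping the resulting figure under an acceptable level that management sets. The 1-5 scales, the control catalogue, the effectiveness fractions and the three scenarios are all constructed for the example.

```python
# Editor-added example: risk = f(likelihood, vulnerability, controls, impact, asset value)
# and "acceptable level of risk" as a threshold set by management, not by the
# security team. Scales, control catalogue and scenarios are constructed.
from dataclasses import dataclass

# Constructed control catalogue: fraction of likelihood a control removes when it
# is actually in place for the system. A control not in this table earns no
# credit: we only reduce perceived risk for things we know about ("you don't
# know what you don't know").
CONTROL_EFFECTIVENESS = {
    "patching": 0.70,
    "mfa": 0.90,
    "waf": 0.50,
}


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_source: str       # who or what exercises the weakness
    vulnerability: str       # the weakness being exercised
    asset_value: int         # 1 (low) .. 5 (critical); the factor the post adds to NIST's
    impact: int              # 1 (negligible) .. 5 (severe) if the event occurs
    base_likelihood: float   # chance per year with no controls, 0.0 .. 1.0
    controls: tuple = ()     # names from CONTROL_EFFECTIVENESS


def residual_likelihood(s):
    """Likelihood after the controls in place for the system are credited."""
    likelihood = s.base_likelihood
    for control in s.controls:
        likelihood *= 1.0 - CONTROL_EFFECTIVENESS.get(control, 0.0)
    return likelihood


def risk(s):
    """Risk as a function of its components: move any one and the total moves."""
    return round(residual_likelihood(s) * s.impact * s.asset_value, 4)


def risk_register(scenarios, acceptable):
    """Rank scenarios by risk and flag those above management's acceptable level."""
    rows = []
    for s in sorted(scenarios, key=risk, reverse=True):
        r = risk(s)
        rows.append({"name": s.name, "risk": r, "acceptable": r <= acceptable})
    return rows


def with_control(s, control):
    """Same scenario with one more control in place (shows risk is a function of controls)."""
    return Scenario(s.name, s.threat_source, s.vulnerability, s.asset_value,
                    s.impact, s.base_likelihood, s.controls + (control,))


# Constructed sample register (hypothetical systems and numbers).
SCENARIOS = [
    Scenario("unpatched web server", "internet attacker", "known RCE in web stack",
             asset_value=5, impact=4, base_likelihood=0.8, controls=("patching",)),
    Scenario("credential stuffing", "internet attacker", "password-only login",
             asset_value=5, impact=5, base_likelihood=0.5),
    Scenario("stale test box", "internet attacker", "default credentials",
             asset_value=2, impact=3, base_likelihood=0.6, controls=("mfa",)),
]

ACCEPTABLE_RISK = 5.0   # decided by management from the entity's goals, not by us


if __name__ == "__main__":
    for row in risk_register(SCENARIOS, ACCEPTABLE_RISK):
        state = "ok" if row["acceptable"] else "ABOVE acceptable level"
        print(f"{row['name']:<22} risk={row['risk']:<6} {state}")
    # Adding a control changes one input of the function, so the output changes.
    hardened = with_control(SCENARIOS[1], "mfa")
    print("credential stuffing with MFA:", risk(hardened))
```

Run it and the register ranks "credential stuffing" (12.5) above the threshold and the other two below it; adding MFA to that scenario brings it to 1.25, while an unlisted control leaves it untouched, which is the "perceived" part of the definition in code form.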
