My Preferred Definition of Security

By Daniel Miessler on September 3rd, 2008: Tagged as Information Security | Security

security_lock

There is much debate in the information security world regarding the proper definition of security. I have seen dozens of definitions over the years, but I feel the following option most completely and succinctly captures it.

The process of maintaining an acceptable level of perceived risk.

There are a few things I like about this definition.

  1. Process. i.e. it doesn’t end.
  2. Acceptable. This alludes to the fact that the organization’s upper management decides—based on the entity’s goals as a whole—how much risk to take on. The crucial piece here is that this isn’t for security professionals to decide.
  3. Perceived. In short, “you don’t know what you don’t know”. And this is where security professionals come in. Their entire job is to ensure that management is making informed decisions.

Risk

As we all know, it’s not a good idea to use words with disputed definitions as part of another definition. And since risk is one such word, I’ll clarify briefly how I define risk.

In general, I prefer NIST‘s description from NIST Publication SP 800-30:

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.

This reveals a few primary components: likelihood, threat-source, vulnerability, and impact. The word “function” used in the definition is pivotal; it reveals that if any of the values increase or decrease, the total risk does as well. I also prefer to add asset value to the equation, and this is a popular choice.

Ultimately, however, the definition of risk can be reduced to a much more usable, less academic form, and this is the way you are going to be most successful communicating it with those who are not security professionals.

A risk is a chance of something bad happening.
Too simple? Not really. It’s instantly understandable to virtually everyone, but at the same time it does not contradict the more complex definitions.

So when should you use one definition vs. the other? In general, use the simple version. Getting entangled in the infinite number of ways risk can be calculated is something to avoid. It drains time and rarely accomplishes anything when broken down much farther than is described above.

Summary

So, written out (i.e. without the word “risk”) we arrive at:

Security is the process of maintaining, based on what we know, an acceptable level of likelihood that something bad will happen to the organization.

…and once again, in it’s more succinct and elegant form:

Security is the process of maintaining an acceptable level of perceived risk.

Links

[ Security | wikipedia.org ]
[ NIST Publication 800-30 | nist.org ]
[ Risk, Threat and Vulnerability | taosecurity.blogspot.com ]

  • http://westwood.fortunecity.com/dolce/636/cooperatistation.html TIMM

    interesting, to see risk analyzed without gain.

    for me it’s hard to not associate the two, especially without a correlation to express the multitude of gain above the risk.

    is there a proper equation for calculating risk that you prescribe to?

    -=T=-

  • http://westwood.fortunecity.com/dolce/636/cooperatistation.html TIMM

    interesting, to see risk analyzed without gain.

    for me it’s hard to not associate the two, especially without a correlation to express the multitude of gain above the risk.

    is there a proper equation for calculating risk that you prescribe to?

    -=T=-

  • http://dmiessler.com/ Daniel Miessler

    risk = threat x vulnerability x asset value

    That’s a basic one…

  • http://dmiessler.com Daniel Miessler

    risk = threat x vulnerability x asset value

    That’s a basic one…

  • http://www.riskanalys.is Alex

    Risk must include an impact component. In other words “something bad” isn't really granular enough for a high level statement that dictates policy.

    Second, the problem with generic likelihood statements is that they assume a “one time event”. When other people use likelihoods, there is an implied time-framing (60% chance of rain today, 30% chance of my team winning this game, etc…). NIST and other InfoSec standards that use a generic likelihood produce significantly useless decision statements by not accounting for the time factor.

    Next:

    I see security being subservient to risk. I see security as simply concerned with the act of understanding our probable ability to resist the probable level of force a threat may exert. This way, we can combine “security” with expected frequency of attack metrics to come up with a probable frequency of loss events (the time-framed likelihood that something bad will happen).

  • http://www.riskanalys.is Alex

    TIMM

    Modern Information risk models have their roots in the Dutch models originally used to build dikes. This is commonly referred to as “engineering risk”. This is different in concept to financial risk where we usually think of risk as being variation from expected return.

    I think of it this way, you have an asset – say you're the Manager of a football club. You have a young center who is awesome. Now there is some chance that this player will get injured and that will be of detriment to the team. There is yet another perspective where we can be concerned with how much this young player, over the course of his current contract, will perform. There is the potential that he will exceed expectations or underperform (and we'll have different problems for either).

    In constructing Information Security architecture, in building dikes, there is “overperform” – there is only 100% efficiency and subsequent battle with entropy.

  • http://www.riskanalys.is Alex

    Risk must include an impact component. In other words “something bad” isn't really granular enough for a high level statement that dictates policy.

    Second, the problem with generic likelihood statements is that they assume a “one time event”. When other people use likelihoods, there is an implied time-framing (60% chance of rain today, 30% chance of my team winning this game, etc…). NIST and other InfoSec standards that use a generic likelihood produce significantly useless decision statements by not accounting for the time factor.

    Next:

    I see security being subservient to risk. I see security as simply concerned with the act of understanding our probable ability to resist the probable level of force a threat may exert. This way, we can combine “security” with expected frequency of attack metrics to come up with a probable frequency of loss events (the time-framed likelihood that something bad will happen).

  • http://www.riskanalys.is Alex

    TIMM

    Modern Information risk models have their roots in the Dutch models originally used to build dikes. This is commonly referred to as “engineering risk”. This is different in concept to financial risk where we usually think of risk as being variation from expected return.

    I think of it this way, you have an asset – say you're the Manager of a football club. You have a young center who is awesome. Now there is some chance that this player will get injured and that will be of detriment to the team. There is yet another perspective where we can be concerned with how much this young player, over the course of his current contract, will perform. There is the potential that he will exceed expectations or underperform (and we'll have different problems for either).

    In constructing Information Security architecture, in building dikes, there is “overperform” – there is only 100% efficiency and subsequent battle with entropy.

  • Pingback: A tcpdump Tutorial / Primer « The world apart

  • Andis Kakeli

    My Preferred Definition of Security | danielmiessler.com: http://danielmiessler.com/blog/my-preferred-definition-of-security


Top

Popular

Information Security / Technology

Politics

Philosophy & Religion

Technology & Science

Culture & Society

Miscellaneous

Arguments

Projects

Collections

Twitter

What I'm Reading

Favorite Books and Essays

Top Blog Categories

Inputs