Comments on: My Preferred Definition of Security http://danielmiessler.com/blog/my-preferred-definition-of-security grep understanding Tue, 16 Mar 2010 15:15:13 -0500 http://wordpress.org/?v=2.9.2 hourly 1 By: A tcpdump Tutorial / Primer « The world apart http://danielmiessler.com/blog/my-preferred-definition-of-security/comment-page-1#comment-243816 A tcpdump Tutorial / Primer « The world apart Tue, 19 Jan 2010 17:44:10 +0000 http://dmiessler.com/blog/my-preferred-definition-of-security#comment-243816 <p>[...] Defining Information Security [...]</p> [...] Defining Information Security [...]

]]> By: Alex http://danielmiessler.com/blog/my-preferred-definition-of-security/comment-page-1#comment-241891 Alex Wed, 28 Jan 2009 01:02:53 +0000 http://dmiessler.com/blog/my-preferred-definition-of-security#comment-241891 <p>TIMM<br><br>Modern Information risk models have their roots in the Dutch models originally used to build dikes. This is commonly referred to as "engineering risk". This is different in concept to financial risk where we usually think of risk as being variation from expected return.<br><br>I think of it this way, you have an asset - say you're the Manager of a football club. You have a young center who is awesome. Now there is some chance that this player will get injured and that will be of detriment to the team. There is yet another perspective where we can be concerned with how much this young player, over the course of his current contract, will perform. There is the potential that he will exceed expectations or underperform (and we'll have different problems for either). <br><br>In constructing Information Security architecture, in building dikes, there is "overperform" - there is only 100% efficiency and subsequent battle with entropy.</p> TIMM

Modern Information risk models have their roots in the Dutch models originally used to build dikes. This is commonly referred to as “engineering risk”. This is different in concept to financial risk where we usually think of risk as being variation from expected return.

I think of it this way, you have an asset – say you're the Manager of a football club. You have a young center who is awesome. Now there is some chance that this player will get injured and that will be of detriment to the team. There is yet another perspective where we can be concerned with how much this young player, over the course of his current contract, will perform. There is the potential that he will exceed expectations or underperform (and we'll have different problems for either).

In constructing Information Security architecture, in building dikes, there is “overperform” – there is only 100% efficiency and subsequent battle with entropy.

]]> By: Alex http://danielmiessler.com/blog/my-preferred-definition-of-security/comment-page-1#comment-241892 Alex Wed, 28 Jan 2009 00:54:39 +0000 http://dmiessler.com/blog/my-preferred-definition-of-security#comment-241892 <p>Risk must include an impact component. In other words "something bad" isn't really granular enough for a high level statement that dictates policy.<br><br>Second, the problem with generic likelihood statements is that they assume a "one time event". When other people use likelihoods, there is an implied time-framing (60% chance of rain <em>today</em>, 30% chance of my team winning <em>this</em> game, etc...). NIST and other InfoSec standards that use a generic likelihood produce significantly useless decision statements by not accounting for the time factor.<br><br>Next:<br><br>I see security being subservient to risk. I see security as simply concerned with the act of understanding our probable ability to resist the probable level of force a threat may exert. This way, we can combine "security" with expected frequency of attack metrics to come up with a probable frequency of loss events (the time-framed likelihood that something bad will happen).</p> Risk must include an impact component. In other words “something bad” isn't really granular enough for a high level statement that dictates policy.

Second, the problem with generic likelihood statements is that they assume a “one time event”. When other people use likelihoods, there is an implied time-framing (60% chance of rain today, 30% chance of my team winning this game, etc…). NIST and other InfoSec standards that use a generic likelihood produce significantly useless decision statements by not accounting for the time factor.

Next:

I see security being subservient to risk. I see security as simply concerned with the act of understanding our probable ability to resist the probable level of force a threat may exert. This way, we can combine “security” with expected frequency of attack metrics to come up with a probable frequency of loss events (the time-framed likelihood that something bad will happen).

]]> By: Alex http://danielmiessler.com/blog/my-preferred-definition-of-security/comment-page-1#comment-240463 Alex Tue, 27 Jan 2009 20:02:53 +0000 http://dmiessler.com/blog/my-preferred-definition-of-security#comment-240463 <p>TIMM<br><br>Modern Information risk models have their roots in the Dutch models originally used to build dikes. This is commonly referred to as "engineering risk". This is different in concept to financial risk where we usually think of risk as being variation from expected return.<br><br>I think of it this way, you have an asset - say you're the Manager of a football club. You have a young center who is awesome. Now there is some chance that this player will get injured and that will be of detriment to the team. There is yet another perspective where we can be concerned with how much this young player, over the course of his current contract, will perform. There is the potential that he will exceed expectations or underperform (and we'll have different problems for either). <br><br>In constructing Information Security architecture, in building dikes, there is "overperform" - there is only 100% efficiency and subsequent battle with entropy.</p> TIMM

Modern Information risk models have their roots in the Dutch models originally used to build dikes. This is commonly referred to as “engineering risk”. This is different in concept to financial risk where we usually think of risk as being variation from expected return.

I think of it this way, you have an asset – say you're the Manager of a football club. You have a young center who is awesome. Now there is some chance that this player will get injured and that will be of detriment to the team. There is yet another perspective where we can be concerned with how much this young player, over the course of his current contract, will perform. There is the potential that he will exceed expectations or underperform (and we'll have different problems for either).

In constructing Information Security architecture, in building dikes, there is “overperform” – there is only 100% efficiency and subsequent battle with entropy.

]]> By: Alex http://danielmiessler.com/blog/my-preferred-definition-of-security/comment-page-1#comment-240462 Alex Tue, 27 Jan 2009 19:54:39 +0000 http://dmiessler.com/blog/my-preferred-definition-of-security#comment-240462 <p>Risk must include an impact component. In other words "something bad" isn't really granular enough for a high level statement that dictates policy.<br><br>Second, the problem with generic likelihood statements is that they assume a "one time event". When other people use likelihoods, there is an implied time-framing (60% chance of rain <em>today</em>, 30% chance of my team winning <em>this</em> game, etc...). NIST and other InfoSec standards that use a generic likelihood produce significantly useless decision statements by not accounting for the time factor.<br><br>Next:<br><br>I see security being subservient to risk. I see security as simply concerned with the act of understanding our probable ability to resist the probable level of force a threat may exert. This way, we can combine "security" with expected frequency of attack metrics to come up with a probable frequency of loss events (the time-framed likelihood that something bad will happen).</p> Risk must include an impact component. In other words “something bad” isn't really granular enough for a high level statement that dictates policy.

Second, the problem with generic likelihood statements is that they assume a “one time event”. When other people use likelihoods, there is an implied time-framing (60% chance of rain today, 30% chance of my team winning this game, etc…). NIST and other InfoSec standards that use a generic likelihood produce significantly useless decision statements by not accounting for the time factor.

Next:

I see security being subservient to risk. I see security as simply concerned with the act of understanding our probable ability to resist the probable level of force a threat may exert. This way, we can combine “security” with expected frequency of attack metrics to come up with a probable frequency of loss events (the time-framed likelihood that something bad will happen).

]]> By: Daniel Miessler http://danielmiessler.com/blog/my-preferred-definition-of-security/comment-page-1#comment-187272 Daniel Miessler Wed, 03 Sep 2008 21:22:34 +0000 http://dmiessler.com/blog/my-preferred-definition-of-security#comment-187272 <p>risk = threat x vulnerability x asset value</p> <p>That's a basic one...</p> risk = threat x vulnerability x asset value

That’s a basic one…

]]> By: TIMM http://danielmiessler.com/blog/my-preferred-definition-of-security/comment-page-1#comment-187269 TIMM Wed, 03 Sep 2008 21:19:54 +0000 http://dmiessler.com/blog/my-preferred-definition-of-security#comment-187269 <p>interesting, to see risk analyzed without gain. </p> <p>for me it's hard to not associate the two, especially without a correlation to express the multitude of gain above the risk.</p> <p>is there a proper equation for calculating risk that you prescribe to?</p> <p>-=T=-</p> interesting, to see risk analyzed without gain.

for me it’s hard to not associate the two, especially without a correlation to express the multitude of gain above the risk.

is there a proper equation for calculating risk that you prescribe to?

-=T=-

]]>