There is much debate in the information security world regarding the proper definition of security. I have seen dozens of definitions over the years, but I feel the following option most completely and succinctly captures it.
The process of maintaining an acceptable level of perceived risk.
There are a few things I like about this definition.
- Process. i.e. it doesn’t end.
- Acceptable. This alludes to the fact that the organization’s upper management decides—based on the entity’s goals as a whole—how much risk to take on. The crucial piece here is that this isn’t for security professionals to decide.
- Perceived. In short, “you don’t know what you don’t know”. And this is where security professionals come in. Their entire job is to ensure that management is making informed decisions.
As we all know, it’s not a good idea to use words with disputed definitions as part of another definition. And since risk is one such word, I’ll clarify briefly how I define risk.
In general, I prefer NIST‘s description from NIST Publication SP 800-30:
Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.
This reveals a few primary components: likelihood, threat-source, vulnerability, and impact. The word “function” used in the definition is pivotal; it reveals that if any of the values increase or decrease, the total risk does as well. I also prefer to add asset value to the equation, and this is a popular choice.
Ultimately, however, the definition of risk can be reduced to a much more usable, less academic form, and this is the way you are going to be most successful communicating it with those who are not security professionals.
A risk is a chance of something bad happening.Too simple? Not really. It’s instantly understandable to virtually everyone, but at the same time it does not contradict the more complex definitions.
So when should you use one definition vs. the other? In general, use the simple version. Getting entangled in the infinite number of ways risk can be calculated is something to avoid. It drains time and rarely accomplishes anything when broken down much farther than is described above.
So, written out (i.e. without the word “risk”) we arrive at:
Security is the process of maintaining, based on what we know, an acceptable level of likelihood that something bad will happen to the organization.
…and once again, in it’s more succinct and elegant form:
Security is the process of maintaining an acceptable level of perceived risk.