There is much debate in the information security world regarding the proper definition of security. I have seen dozens of definitions over the years, but I feel the following option most completely and succinctly captures it.
There are a few things I like about this definition.
Process. i.e. it doesn’t end.
Acceptable. This alludes to the fact that the organization’s upper management decides—based on the entity’s goals as a whole—how much risk to take on. The crucial piece here is that this isn’t for security professionals to decide.
Perceived. In short, “you don’t know what you don’t know”. And this is where security professionals come in. Their entire job is to ensure that management is making informed decisions.
As we all know, it’s not a good idea to use words with disputed definitions as part of another definition. And since risk is one such word, I’ll clarify briefly how I define risk.
In general, I prefer NIST’s description from NIST Publication SP 800-30:
This reveals a few primary components: likelihood, threat-source, vulnerability, and impact. The word “function” used in the definition is pivotal; it reveals that if any of the values increase or decrease, the total risk does as well. I also prefer to add asset value to the equation, and this is a popular choice.
Ultimately, however, the definition of risk can be reduced to a much more usable, less academic form, and this is the way you are going to be most successful communicating it with those who are not security professionals.
So when should you use one definition vs. the other? In general, use the simple version. Getting entangled in the infinite number of ways risk can be calculated is something to avoid. It drains time and rarely accomplishes anything when broken down much farther than is described above.
So, written out (i.e. without the word “risk”) we arrive at:
…and once again, in it’s more succinct and elegant form:
[ Security | wikipedia.org ][ NIST Publication 800-30 | nist.org ][ Risk, Threat and Vulnerability | taosecurity.blogspot.com ]