In ISO/IEC 13335 [23], a risk is defined in the glossary in terms of three related concepts:
Risk: the potential that a given threat will exploit vulnerabilities of an asset or group of
assets and thereby cause harm to the organization.
The analysis of both sources [23, 25], and mainly the definition from [23], which is more explicit than the succession of steps presented in [25], shows that these definitions of a risk are compliant with RM standards, because a risk is always composed of a cause and a consequence. However, the definitions introduce some new concepts: the cause of the risk is presented as the combination of threat and vulnerability, and the consequence is considered as the impact or harm (see Table 1). The concept of asset, which is not analysed in depth in this section, is also introduced as related to the notion of risk. It is defined as anything that has value to the organisation [23]. Common Criteria (CC) [8] defines risk with a finer granularity:
Threats are categorised as the potential for abuse of protected assets. The CC characterises
a threat in terms of a threat agent, a presumed attack method, any vulnerabilities that are
the foundation for the attack, and identification of the asset under attack. An assessment of
risks to security would qualify each threat with an assessment of the likelihood of such a
threat developing into an actual attack, the likelihood of such an attack proving successful,
and the consequences of any damage that may result. A threat shall be described in terms
of an identified threat agent, the attack, and the asset that is the subject of the attack. Threat
agents should be described by addressing aspects such as expertise, available resources, and
motivation. Attacks should be described by addressing aspects such as attack methods, any
vulnerabilities exploited, and opportunity.
Here the cause of the risk is called threat, and it encompasses vulnerability, unlike [25] and [23], which define them as related but separate concepts at the same level. The threat in [8] has multiple sub-components, such as threat agent, attack method, attack, etc. Details of those sub-components can be found in [40]. Threat in ISO/IEC 27001 or ISO/IEC 13335 thus does not have the same sense as threat in CC, which is equivalent to the global cause of the risk, encompassing threat and vulnerability. Threat from [23, 25] and threat from [8] are thus not aligned in Table 1. NIST standards also propose a different definition for a risk [52, 53]:
Risk: The net mission/business impact considering (1) the likelihood that a particular threat
source will exploit, or trigger, a particular information system vulnerability and (2) the
resulting impact if this should occur.
Here, risk is once again defined with the help of three components: threat source, vulnerability and impact. The concept of threat is defined as the combination of a threat source, its motivation (for human threats) and threat actions, like hacking, social engineering, or system intrusion [52].
The use of the term risk in security-related standards is more precise than in RM standards, but remains compliant with the latter. It is thus a mere specialisation of the term. The concept of risk is therefore aligned between the sources in Table 1. However, the precision of the components of a risk increases. The consequence of the risk differs only in how it is named (consequence, impact or harm)