Security criterion (also called security property) - property or constraint on business assets that characterises their security needs. Security criteria act as indicators to assess the significance of a risk. Examples: confidentiality; integrity; availability; non-repudiation; accountability.
Note: The security objectives of an IS are defined using security criteria on business assets (e.g., confidentiality of the technical plans; integrity of the structure calculation process).
Our second group of concepts are risk-related concepts. They present how the risk itself and its immediate components are defined.
Risk - the combination of a threat with one or more vulnerabilities leading to a negative impact harming one or more of the assets. Threat and vulnerabilities are part of the risk event and impact is the consequence of the risk. Examples: a hacker using social engineering on a member of the company, because of weak awareness of the staff, leading to unauthorised access to personal computers and loss of integrity of the structure calculation process; a thief entering a company building thanks to deficient physical access control, stealing documents containing sensitive information and thereby provoking loss of confidentiality of technical plans.
Impact - the potential negative consequence of a risk that may harm assets of a system or an organisation, when a threat (or an event) is accomplished. The impact can be described at the level of IS assets (data destruction, failure of a component, etc.) or at the level of business assets, where it negates security criteria, for example loss of confidentiality of information, loss of integrity of a process, etc. Examples: password discovery (IS level); loss of confidentiality of technical plans (business level).
Note: An impact can provoke a chain reaction of impacts (or indirect impacts); for example, a loss of confidentiality on sensitive information leads to a loss of customer confidence.
Event - the combination of a threat and one or more vulnerabilities. Examples: a hacker using social engineering on a member of the company, exploiting weak awareness of the staff; a thief entering a company building thanks to deficient physical access control.
Note: Event is a generic term, used pervasively in RM and defined as the "occurrence of a particular set of circumstances" [22]. The definition provided in this glossary is specific to IS security.
Vulnerability - the characteristic of an IS asset or group of IS assets that can constitute a weakness or a flaw in terms of IS security. Examples: weak awareness of the staff; deficient physical access control; lack of fire detection.
Threat - potential attack, carried out by an agent that targets one or more IS assets and that may lead to harm to assets. A threat is constituted of a threat agent and an attack method. Examples: a hacker using social engineering on a member of the company; a thief entering a company building and stealing media or documents.
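The relationships between these concepts (risk = event + impact, event = threat + vulnerabilities, threat = agent + attack method, impact negating a security criterion of a business asset) can be encoded as a small checked model. The following is an added illustration, not part of the original glossary; the field names, the `validate` and `indirect_impacts` helpers and the sample data are assumptions constructed here, using the hacker / social engineering example from the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    agent: str   # threat agent
    method: str  # attack method

@dataclass(frozen=True)
class Vulnerability:
    is_asset: str  # IS asset (or group of IS assets) carrying the weakness
    weakness: str

@dataclass(frozen=True)
class Impact:
    asset: str
    criterion: str  # security criterion negated, e.g. "integrity"
    level: str      # "IS" or "business"

@dataclass
class Risk:
    threat: Threat        # event = threat + one or more vulnerabilities
    vulnerabilities: list
    impacts: list         # consequences of the event

def validate(risk, security_needs):
    """Definitional problems (empty = well-formed); security_needs: business asset -> criteria."""
    problems = []
    if not risk.vulnerabilities:
        problems.append("event needs at least one vulnerability")
    if not any(i.level == "business" for i in risk.impacts):
        problems.append("a risk must harm at least one business asset")
    for i in risk.impacts:
        if i.level == "business" and i.criterion not in security_needs.get(i.asset, ()):
            problems.append(f"{i.criterion} is not a security need of {i.asset}")
    return problems

def indirect_impacts(direct, chain):
    """Transitive closure of the impact chain (note under Impact); tolerates cycles."""
    seen, todo = set(direct), list(direct)
    while todo:
        for j in chain.get(todo.pop(), ()):
            if j not in seen:
                seen.add(j)
                todo.append(j)
    return seen - set(direct)

# Constructed sample data: the hacker / social engineering example from the text.
HACKER = Risk(Threat("hacker", "social engineering on a staff member"),
              [Vulnerability("staff", "weak security awareness")],
              [Impact("personal computers", "access control", "IS"),
               Impact("structure calculation process", "integrity", "business")])
NEEDS = {"structure calculation process": {"integrity"}}
```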
Threat agent - an agent that can potentially cause harm to assets of the IS.
A threat agent triggers a threat and is thus the source of a risk. Examples: staff
members with little technical skills and time but possibly a strong motivation to