carry out an attack; hacker with considerable technical skills, well equipped and strongly motivated by the money he could make.
Note: A threat agent can be characterised by expertise, available resources and motivation.

Attack method - standard means by which a threat agent carries out a threat. Examples: system intrusion; theft of media or documents.
Risk treatment-related concepts describe what decisions, requirements and controls should be defined and implemented in order to mitigate possible risks. The different risk treatment-related concepts are different levels of design decisions on the IS.

Risk treatment - the decision of how to treat the identified risks. A treatment satisfies a security need, expressed in generic and functional terms, and can lead to security requirements. Categories of risk treatment decisions include:
• Avoiding the risk (risk avoidance decision) - decision not to become involved in, or to withdraw from, a risk. Functionalities of the IS are modified or discarded to avoid the risk;
• Reducing the risk (risk reduction decision) - action to lessen the probability, negative consequences, or both, associated with a risk. Security requirements are selected to reduce the risk;
• Transferring the risk (risk transfer decision) - sharing with another party the burden of loss from a risk. A third party thus becomes related to the IS (or part of it), which sometimes entails additional security requirements about third parties;
• Retaining the risk (risk retention decision) - accepting the burden of loss from a risk. No design decision is necessary in this case.
Examples: not connecting the IS to the Internet (risk avoidance); taking measures to avoid network intrusions (risk reduction); taking out insurance to cover a loss of service (risk transfer); accepting that the service could be unavailable for 1 hour (risk retention).
Note: Risk treatment is basically a shortcut for risk treatment decision, according to the state of the art.
Security requirement - a condition over the phenomena of the environment that we wish to make true by installing the IS, in order to mitigate risks. This definition is inspired by [26]. Examples: appropriate authentication methods shall be used to control access by remote users; system documentation shall be protected against unauthorised access.
Note 1: Risk reduction decisions lead to security requirements. Sometimes, risk transfer decisions need some security requirements about third parties. Avoiding risk and retaining risk do not need any security requirement.
Note 2: Each security requirement contributes to cover one or more risk treatments for the target IS.
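The four risk treatment decisions together with Note 1 and Note 2 impose consistency rules on a risk register: reduction decisions must be covered by security requirements, avoidance and retention must carry none, and every requirement must cover some treatment. As an added example (not from the original text), the following Python checks a constructed register built from the examples above against those rules; the `Risk` and `Treatment` names and the SR1/SR2 requirement ids are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Treatment(Enum):          # the four risk treatment decisions from the text
    AVOID = "risk avoidance"
    REDUCE = "risk reduction"
    TRANSFER = "risk transfer"
    RETAIN = "risk retention"

@dataclass
class Risk:
    name: str
    treatment: Treatment
    requirements: frozenset = frozenset()  # ids of the security requirements selected

def check_register(risks, requirements):
    """Return the inconsistencies found; an empty list means the register respects
    Note 1 and Note 2. `requirements` maps requirement id -> requirement text."""
    problems, covered = [], set()
    for r in risks:
        # Note 1: reduction needs requirements; avoidance and retention need none;
        # transfer may or may not carry requirements about the third party.
        if r.treatment is Treatment.REDUCE and not r.requirements:
            problems.append(f"{r.name}: risk reduction without any security requirement")
        if r.treatment in (Treatment.AVOID, Treatment.RETAIN) and r.requirements:
            problems.append(f"{r.name}: {r.treatment.value} must not carry requirements")
        for unknown in sorted(r.requirements - set(requirements)):
            problems.append(f"{r.name}: references undefined requirement {unknown}")
        covered |= r.requirements
    # Note 2: every security requirement must cover at least one risk treatment.
    problems += [f"{rid}: covers no risk treatment" for rid in requirements if rid not in covered]
    return problems

# Constructed sample register, built from the examples given in the text.
REQUIREMENTS = {
    "SR1": "appropriate authentication methods shall be used to control access by remote users",
    "SR2": "system documentation shall be protected against unauthorised access",
}
CONSISTENT = [
    Risk("intrusion via the Internet", Treatment.AVOID),   # IS not connected to the Internet
    Risk("network intrusion", Treatment.REDUCE, frozenset({"SR1", "SR2"})),
    Risk("loss of service", Treatment.TRANSFER),           # covered by insurance
    Risk("1-hour unavailability", Treatment.RETAIN),
]
INCONSISTENT = CONSISTENT[:1] + [
    Risk("network intrusion", Treatment.REDUCE),           # reduction without a requirement
    Risk("1-hour unavailability", Treatment.RETAIN, frozenset({"SR2"})),  # retention with one
]
```

`check_register(CONSISTENT, REQUIREMENTS)` returns an empty list, while the inconsistent register yields three findings: the uncovered reduction, the retention carrying SR2, and SR1 no longer covering any treatment.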
Control (also called countermeasure or safeguard) - a designed means to improve security, specified by a security requirement, and implemented to comply with it. Security controls can be processes, policies, devices, practices or other