when the same number of people can be more productive). Effective IA promotes greater uptime for mission-critical systems and business support systems, thus avoiding the cost of downtime due to security incidents.
You may use the IA quantification process and IA quantification framework to identify IA-related parameters in the ROI justification. The IAQP will align IA with the business scenario, and the quantification terms will correlate directly with revenue and cost.
13.4 IA Justification Based on Examining the Threat Space
IA is the protection of information and information technology assets. The need for protection presupposes some threat. The threat space to information technology includes threat sources, one of which is attackers. The nature of an attacker implies intelligence and intent; a natural phenomenon, by contrast, has no intelligence or intent. A taxonomy to address threats needs to accommodate the entire threat space, including acts of volition, naturally occurring threats, and genuine accidents.
13.4.1 Threat Sources and Types
A threat is “the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” A threat source is “either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.” A vulnerability is “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system(s) security policy.” Vulnerabilities are the doorways to mission entropy; threats are the keys that open those doors.
Threats are general categorizations of potential dangers. Threat agents are specific categories of potential dangers. Kinetic threats are imminent dangers. An incident occurs when a kinetic threat meets a vulnerability. Table 13.2 presents examples of threats, threat agents, kinetic threats, and incidents.§ For example, one threat category is a natural threat. One type of natural threat is weather. A threat agent under the natural threat of weather is a hurricane. A kinetic threat is the actual occurrence
Threat, threat source, and vulnerability are defined in NIST SP 800-30.
§ The table represents only a small sampling of threats, threat agents, kinetic threats, and incidents.