Friday, September 26, 2008

The Definition Of Security

There is much debate about how to define security - as in digital or IT security.

All too often IT security is spoken of as a "cost to the business". On a broader level I believe IT security is a responsibility management has it its stakeholders. That's not a definition of IT security, simply what it is.

Keeping with the concept of what IT security is - well it is not a cost to the business; rather, it is an investment by the business. It only becomes a cost to the business AFTER an exploit has taken place and digital information has been compromised or stolen.

Another fallacy I hear in my travels is that an investment in IT security is nothing more than an insurance policy; i.e. insurance that the digital information will remain safe if the proper investment is made to protect it.

A businesses' investment in IT security is not an insurance policy. An insurance policy pays the insured to compensate for a covered loss. Certainly, there are various types of business insurance a company can buy for data loss, but that is missing the point, because we're talking about IT security, not insurance.

So what then is the definition of IT security?

By Daniel Miessler on September 3rd, 2008

The process of maintaining an acceptable level of perceived risk.

There are a few things to like about this definition.

  • Process. i.e. it doesn't end.
  • Acceptable. This alludes to the fact that the organization's upper management decides-based on the entity's goals as a whole-how much risk to take on. The crucial piece here is that this isn't for security professionals to decide.
  • Perceived. In short, "you don't know what you don't know". And this is where security professionals come in. Their entire job is to ensure that management is making informed decisions.
  • Risk. As we all know, it's not a good idea to use words with disputed definitions as part of another definition. And since risk is one such word, I'll clarify briefly how I define risk. In general, I prefer NIST's description from NIST Publication SP 800-30:
Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.

This reveals a few primary components: likelihood, threat-source, vulnerability, and impact. The word "function" used in the definition is pivotal; it reveals that if any of the values increase or decrease, the total risk does as well. I also prefer to add asset
value to the equation, and this is a popular choice.

Ultimately, however, the definition of risk can be reduced to a much more usable, less academic form, and this is the way you are going to be most successful communicating it with those who are not security professionals.

A risk is a chance of something bad happening.

Too simple? Not really. It's instantly understandable to virtually everyone, but at the same time it does not contradict the more complex definitions.

So when should you use one definition vs. the other?

In general, use the simple version. Getting entangled in the infinite number of ways risk can be calculated is something to avoid. It drains time and rarely accomplishes anything when broken down much farther than is described above.

So, written out (i.e. without the word "risk") we arrive at:

Security is the process of maintaining, based on what we know, an acceptable level of likelihood that something bad will happen to the organization.

…and once again, in it's more succinct and elegant form:

Security is the process of maintaining an acceptable level of perceived risk.

No comments: