NOTE: All of the definitions and most of the examples below are appropriated from a National Security Agency (NSA) curriculum used by the National Colloquium for Information System Security Education (NCISSE). The terminology lesson on which this document is based is available, framed within a larger set of resources at “NSA Courseware” or unframed. Although the project design team ended up adopting most of the original source text, it was edited and supplemented to make it appropriate for UVa. Comments and additions are indicated below in brackets.
Definitions
[These definitions are in logical, not alphabetical, order so that one could read them through and learn about how the pieces of the ITS-RM process fit together. In a subsequent web-enabled version of this documentation, there will be an additional alphabetical glossary containing the same definitions, as well as links to the glossary from pertinent places in the text.]
Security Management: Managing the risks to a department’s mission
[A focus on departmental mission is vital; departments cannot mitigate every risk, but must prioritize based on the threat to their mission and available resources.]
Risk: “The combination of events harmful to an entity’s desired state of affairs, the chance that the events will take place, and the consequences of their occurrence, as a function of time.” (NSA Corporate Plan for INFOSEC Action, April 1996)
Management: (New World Dictionary of the American Language)
- The art or manner of controlling the movement or behavior of something
- To have charge of; direct; conduct; administer
Risk Management: “The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.” (National Information Systems Security Glossary, NSTISSI No. 4009 and AFR 205-16, AFR 700-10)
Risk Management (Simply Put): Determine what your risks are and then decide on a course of action to deal with those risks.
[More colloquially: “What’s your threshold for pain?” or “Do you want this to show up on the front page of the Daily Progress?”]
Aim of Risk Management: To help managers strike an economic balance between the costs associated with the risks and the costs of protective measures to lessen those risks
Critical Asset: Something that, when disclosed, modified, destroyed, or misused, will cause harmful consequences to the department’s – or the University’s – goals and mission, or will provide an undesired and unintended benefit to someone
Examples: Information, people, software, hardware, facilities, etc.
Risk Assessment: A study of threats and vulnerabilities, the design effectiveness of present security mechanisms, and the potential impact of these factors on a department’s ability to perform its mission
Threat: The capabilities and intentions of adversaries to exploit an information system; or any natural or unintentional event with the potential to cause harm to an information system, resulting in a degradation of a department’s ability to fully perform its mission
Examples: adversarial (terrorists, foreign states, disgruntled employees, criminals, recreational hackers, commercial competitors) and non-adversarial (nature, unintentional human acts)
Attack: A well-defined set of actions by the threat (an active agent) that, if successful, would damage a critical asset – cause an undesirable state of affairs – resulting in harm to a department’s ability to perform its mission
[An attack is an action; a vulnerability is an opportunity.]
Vulnerability: A characteristic of an information system or its components that could be exploited by an adversary, or harmed by a natural act or an act unintentionally caused by human activity
Examples: Inadequate password management, easy access to a facility, weak cryptography, a software flaw, an open port
[Or a facility housing the asset that is subject to fire or flood.]
Consequence: The harmful result of a successful attack, degrading a department’s ability to perform its mission
Examples of consequences to a department’s mission
- Loss of information confidentiality
- Loss of information integrity
- Loss of availability of information or system functions [natural disaster]
- Inability to correctly authenticate sender of information [forged log-ins, redirected transactions]
- Inability to verify receipt of information by the intended recipient [credit card connections]
Risk Mitigation: Actions or countermeasures we can take to lessen risk
- Affect threat agent or their capabilities
- Eliminate or limit our vulnerabilities
Countermeasure Examples
- Fix known exploitable software flaws
- Enforce operational procedures
- Provide encryption capability
- Improve physical security
- Disconnect unreliable networks
- Train system administrators [Train everybody!]
- Install virus scanning software
Risk Management Decision: Determination by administration to
- Take specific actions that will mitigate risk to mission, or
- Reject countermeasure recommendations and accept risk to mission
Residual Risk: That portion of risk that remains after the risk management decision, arising from:
- Management decides to accept risk
- Unconsidered threat factors
- Unconsidered vulnerabilities
- Incorrect conclusions
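As an added illustration (not part of the NSA or UVa material), the following Python sketch ties the terms above together: each risk pairs a critical asset, a threat and a vulnerability with an estimated consequence and annual chance; a countermeasure has a cost and an estimated reduction in that chance; the risk management decision mitigates only where the countermeasure costs less than the expected loss it removes, and what is left is the residual risk. The expected-loss model (consequence × chance), the dollar figures and the probabilities are assumptions made for this example, not figures from the page.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """A critical asset exposed to a threat through a vulnerability."""
    asset: str
    threat: str
    vulnerability: str
    consequence: float    # assumed loss to the mission if the attack succeeds ($)
    annual_chance: float  # assumed probability the attack succeeds within a year

    def expected_loss(self) -> float:
        # Simple model assumed for this example: consequence weighted by its chance
        return self.consequence * self.annual_chance

@dataclass
class Countermeasure:
    """An action that lessens risk by limiting a vulnerability or a threat."""
    name: str
    annual_cost: float
    chance_reduction: float  # fraction of annual_chance removed, 0.0 to 1.0

def decide(risk: Risk, cm: Countermeasure) -> tuple[str, float]:
    """Risk management decision: mitigate when the countermeasure costs less than
    the expected loss it removes; otherwise reject it and accept the risk.
    Returns (decision, residual expected loss per year)."""
    before = risk.expected_loss()
    after = before * (1.0 - cm.chance_reduction)
    if cm.annual_cost < before - after:
        return "mitigate", after
    return "accept", before

def residual_risk(decisions) -> float:
    """Sum of what remains after the decisions. This counts only considered risks;
    unconsidered threats, unconsidered vulnerabilities and incorrect estimates
    also contribute to residual risk but cannot be summed here."""
    return sum(residual for _, residual in decisions)

# Constructed sample register; every figure is assumed for the example
REGISTER = [
    (Risk("student records server", "criminal", "unpatched software flaw", 200_000, 0.10),
     Countermeasure("fix known exploitable software flaws", 5_000, 0.75)),
    (Risk("department file server", "flood", "facility in a flood plain", 50_000, 0.01),
     Countermeasure("relocate the server room", 30_000, 0.95)),
]

def run_register(register=REGISTER):
    # One decision per (risk, countermeasure) pair in the register
    return [decide(r, c) for r, c in register]
```

Running `run_register()` on the sample register mitigates the software flaw (the $5,000 fix removes $15,000 of expected loss) and accepts the flood risk (a $30,000 relocation removes only $475), leaving $5,500 per year of considered residual risk.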
Goal for the department: Defining and institutionalizing risk management
- Define the process
- Get management support
- Educate the workforce
- Practice risk management