Understanding Risks and Threats

To ensure that adequate security measures are deployed in the right areas and to the correct degree, and to make sure that we give everything within our environment its proper security focus, we must continually be thinking in terms of risks and threats. If a decision needs to be made about an application, network, or device, it is important to see it in light of the risks it poses. In most situations, security cannot simply be spread evenly throughout an entire organization and still be effective. The server that controls the heartbeat of a sickly person will certainly have more security than the coffee machine down the hall. Security measures must be based on some sort of evaluation process to ensure that we are neither overprotecting nor underprotecting any given object. I will discuss this formal evaluation process (risk assessment) later in this book, but for now, our focus should be on "thinking" and "seeing" objects in terms of risks and threats.

This is not to say that we should secure some objects while others are left unsecured. Organizations should have a baseline security policy that mandates a minimum degree of protection for every system. However, weighting the degree of security by risk level is what determines where enhanced security controls may be needed, and it focuses attention on those objects that are more important to the organization.

What Are Risks and Threats?

Before we begin to discuss how to think in terms of risks and threats, let's get a couple of basic assessment definitions under our belts.

What Is a Risk?

A risk is the potential negative impact a threat can have on an environment. Every time an organization relies on something (like a server or WAN connection), there is a possibility that the "something" will cease to function or become exposed. Take, for example, a house. If an event could happen that would cause damage to the house and would cost the owner, at most, $1,000 in damages, that house is considered to carry a $1,000 risk, weighted by the actual chance of such an event happening and by the effect that the event will have.

What Is a Threat?

A threat is the "bad thing" that could happen to the environment. A fire in a server room is a threat, just as a hacker in a customer DB is a threat. A threat is some event outside of our control that could turn our risks into reality. The house has a $1,000 risk, but it would take a thief breaking into it to actually cause the damage. Thus, the threat is the thief breaking in, or any other event that could potentially manifest the risk.
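The two definitions above combine into a simple weighting: an asset's risk is its worst-case impact, scaled by how likely each threat is and how much of that impact the threat would actually realize. The following Python is an added illustration written for this page, not code from the book or its author; it ranks a constructed inventory (the patient-monitoring server and coffee machine from the text, a customer database, and the $1,000 house) by weighted risk and flags the assets that exceed a baseline threshold, which is where enhanced controls would be considered. All impact figures, likelihoods, effect fractions and the threshold are made-up assumptions.

```python
from dataclasses import dataclass
from typing import Tuple, List


@dataclass(frozen=True)
class Threat:
    """An event outside our control that could manifest the risk."""
    name: str
    likelihood: float  # assumed annual probability the event occurs (0.0 - 1.0)
    effect: float      # assumed fraction of the worst-case impact it would realize (0.0 - 1.0)


@dataclass(frozen=True)
class Asset:
    """Something the organization relies on, with its worst-case impact."""
    name: str
    max_impact: float  # assumed worst-case cost (dollars) if lost or exposed
    threats: Tuple[Threat, ...]


def weighted_risk(asset: Asset, threat: Threat) -> float:
    """Risk of one threat to one asset: impact weighted by chance and effect."""
    return asset.max_impact * threat.likelihood * threat.effect


def asset_risk(asset: Asset) -> float:
    """Total weighted risk an asset carries across every threat against it."""
    return sum(weighted_risk(asset, t) for t in asset.threats)


def rank_assets(assets: List[Asset]) -> List[Asset]:
    """Highest weighted risk first; this is where security focus should go."""
    return sorted(assets, key=asset_risk, reverse=True)


def needs_enhanced_controls(asset: Asset, threshold: float) -> bool:
    """Baseline policy covers everything; above the threshold we look at more."""
    return asset_risk(asset) > threshold


def prioritize(assets: List[Asset], threshold: float) -> List[Tuple[str, float, bool]]:
    """(name, weighted risk, enhanced-controls flag), ranked by risk."""
    return [(a.name, asset_risk(a), needs_enhanced_controls(a, threshold))
            for a in rank_assets(assets)]


# Constructed inventory; every number here is an assumption for illustration.
INVENTORY: List[Asset] = [
    Asset("patient_monitor_server", 500_000.0, (
        Threat("power_loss", 0.125, 0.5),
        Threat("ransomware", 0.0625, 1.0),
    )),
    Asset("customer_db", 200_000.0, (
        Threat("intrusion", 0.25, 0.75),
        Threat("server_room_fire", 0.0625, 1.0),
    )),
    Asset("coffee_machine", 300.0, (
        Threat("breakdown", 0.5, 1.0),
    )),
    Asset("house", 1_000.0, (
        Threat("burglary", 0.0625, 1.0),
    )),
]

ENHANCED_CONTROLS_THRESHOLD = 10_000.0  # assumed policy value


if __name__ == "__main__":
    for name, risk, enhanced in prioritize(INVENTORY, ENHANCED_CONTROLS_THRESHOLD):
        marker = "ENHANCED" if enhanced else "baseline"
        print(f"{name:24s} ${risk:>10,.2f}  {marker}")
```

Running the block prints the patient-monitoring server first and the coffee machine near the bottom, which is the allocation the text argues for: the baseline policy still applies to every asset, and only the items above the threshold are candidates for additional controls.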



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day