Risk Definitions: No Dictionaries, Please




In the business world, everyone has a different idea of what a term means, so here is a small glossary to make sure we are all on the same sheet of music.

annualized loss expectancy (ALE)

The expected loss per year, expressed in money units, for a given asset as a result of a given threat.

annualized rate of occurrence (ARO)

The calculated frequency of a threat, expressed as a fraction (a threat expected once every ten years has an ARO of 0.1).

asset

Something of value, falling into one of three pillars: personnel, data, and physical facilities. Assets include tangible (hardware) and intangible (intellectual property) items.

asset value

The total replacement value of an asset.

attack

An attempt, successful or not, to gain access to a computer system by bypassing security controls.

attacker

A person using technical or social means to gain access to facilities, employees, or systems.

authorization

Access privileges granted to a user, process, or program.

backup

Exact copies of files and programs to facilitate recovery.

banner

A notice appearing as users gain access to facilities or systems advising they may be monitored.

BIOS

Basic input/output system.

bot

Short for robot; a script or program that runs automatically.

critical assets

Assets needed to assure continuing profitability of operations.

cost/benefit

The question of whether the cost of a safeguard exceeds the value of the asset it protects; essentially, getting the "biggest bang for the buck."

DMZ

Demilitarized zone; used in establishing a buffer zone between the organization's interior network, usually protected by a firewall, and the exterior open-ended network, such as the Internet.

exposure value

The amount of anticipated asset loss attributable to a given threat, usually expressed as a percentage of the asset's value.

ECPA

Electronic Communications Privacy Act, Title 18, United States Code, Sections 2701-2711.

fault tolerance

Assets required to assure profitability. What does the organization really need in order to continue operating profitably?

FUD

Fear, uncertainty, doubt.

granularity

Size of the units under consideration.

hacker

A person using technical or social means to gain access to facilities, employees, or systems; an attacker.

hash

A mathematical procedure that is easy to compute but infeasible to reverse. A one-way hash function produces a mathematical product of a file that serves as a fingerprint of that file.

host

Any device on a network; same as node.

malware

Software capable of performing unauthorized functions on a computer system.

pornography

An obscene item recognized by most children, yet not clearly defined by some of our great legal minds.

qualitative

A process expressed in terms of the evaluators' experience.

quantitative

A process measured in numeric terms.

risk

The probability of something harmful happening to assets.

risk analysis

The process of identifying assets, threats, and vulnerabilities and contrasting them with safeguards. There are two means of risk analysis: quantitative and qualitative.

risk analysis report

A narrative and tables reflecting critical assets, threats, vulnerabilities, cost/benefit analyses, and the recovery program.

root

The account whose holder, once logged on, has complete system privileges; same as administrator. It possesses the system's crown jewels.

safeguards

Protective measures, the purpose of which is to ensure assets are available to meet business profitability requirements.

single loss expectancy (SLE)

The value (V) of the asset multiplied by the exposure factor (E), expressed as a percent: SLE = E × V.

spam

Unsolicited, unwanted e-mail.

system

A combination of many elements (human resources, data, physical facilities), the objective of which is to achieve profitability.

trap door

A hidden mechanism that circumvents access and security controls; same as back door.

Trojan horse

A piece of software that mimics a valid function but whose purpose is to cause damage.

threats

An event that can cause harm to an asset.

vulnerability

A weakness that can be exploited by a threat.
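The quantitative terms in this glossary (asset value V, exposure factor E, SLE = E × V, ARO, ALE and cost/benefit) fit together into one calculation. The following is an added worked example, not code from the book; it uses the standard relation ALE = SLE × ARO and the standard safeguard-value rule (reduction in ALE minus the safeguard's yearly cost), and the file-server scenario and its figures are constructed for illustration.

```python
# Worked quantitative risk calculation using the glossary's terms:
# asset value (V), exposure factor (E), SLE = E x V, ARO, ALE and cost/benefit.
# ALE = SLE x ARO and the safeguard-value rule are the standard ones used in
# quantitative risk analysis; the scenario figures below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float       # V: total replacement value of the asset, in money units
    exposure_factor: float   # E: fraction of the asset lost per occurrence (0.0 .. 1.0)
    aro: float               # annualized rate of occurrence, e.g. 0.1 = once in ten years

    def __post_init__(self) -> None:
        # An exposure factor outside 0..1 or a negative value/rate is a data-entry error.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and asset value cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: E x V, the loss from one occurrence."""
        return self.exposure_factor * self.asset_value

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO, the expected loss per year."""
        return self.sle() * self.aro


def safeguard_value(before: Threat, after: Threat, annual_safeguard_cost: float) -> float:
    """Cost/benefit of a safeguard: the ALE it removes minus what it costs per year.
    A positive result means the safeguard is worth more than it costs."""
    return before.ale() - after.ale() - annual_safeguard_cost


# Constructed scenario: a file server worth 200,000; ransomware is expected to
# destroy 60% of its value when it hits, roughly once every two years (ARO 0.5).
RANSOMWARE_NO_BACKUP = Threat("ransomware", asset_value=200_000, exposure_factor=0.60, aro=0.5)
# Same threat once offline backups exist: only 5% of the value is lost per incident.
RANSOMWARE_WITH_BACKUP = Threat("ransomware", asset_value=200_000, exposure_factor=0.05, aro=0.5)
BACKUP_ANNUAL_COST = 12_000  # constructed yearly cost of the backup safeguard

if __name__ == "__main__":
    print(f"SLE without backup: {RANSOMWARE_NO_BACKUP.sle():,.0f}")   # 120,000
    print(f"ALE without backup: {RANSOMWARE_NO_BACKUP.ale():,.0f}")   # 60,000
    print(f"ALE with backup:    {RANSOMWARE_WITH_BACKUP.ale():,.0f}")  # 5,000
    value = safeguard_value(RANSOMWARE_NO_BACKUP, RANSOMWARE_WITH_BACKUP, BACKUP_ANNUAL_COST)
    print(f"Safeguard value:    {value:,.0f}")                        # 43,000
```

The same `Threat` objects can be tabulated per asset to produce the figures a risk analysis report's tables call for.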

Following is a list of commonly used abbreviations:

  • AES Advanced Encryption Standard

  • ASCII American Standard Code for Information Interchange

  • BIOS basic input/output system

  • CA certification (or certificate) authority

  • CCIPS Computer Crime and Intellectual Property Section (Criminal Division, U.S. Department of Justice)

  • CPU central processing unit

  • CTC Computer and Telecommunications Communicator (U.S. Attorney's Office)

  • DES Data Encryption Standard

  • DNS Domain Name System (or Service)

  • DoJ Department of Justice

  • ESN electronic serial number

  • FBI Federal Bureau of Investigation

  • FRR false rejection rate

  • FTP file transfer protocol

  • Gb gigabyte

  • hex hexadecimal

  • HTML Hypertext Markup Language

  • HTTP Hypertext Transfer Protocol

  • IDEA International Data Encryption Algorithm

  • IM instant messenger

  • IP Internet Protocol

  • IRC Internet relay chat (or channel)

  • ISDN Integrated Services Digital Network

  • ISO International Standards Organization

  • ISP Internet service provider

  • kbps kilobits per second

  • KBps kilobytes per second

  • LAN local area network

  • mbps megabits per second

  • MBps megabytes per second

  • MIME Multipurpose Internet Mail Extensions

  • MoA/MoU memorandum of agreement/memorandum of understanding

  • NNTP Network News Transfer Protocol

  • PBX private branch exchange

  • PCMCIA Personal Computer Memory Card International Association

  • PDA personal digital assistant

  • PGP Pretty Good Privacy

  • PIN personal identification number

  • Ping Packet Internet Groper

  • PKI public key infrastructure

  • RA registration authority

  • RFC request for comments

  • ROM read-only memory

  • RSA encryption Rivest-Shamir-Adleman encryption

  • TCP Transmission Control Protocol

  • TCP/IP Transmission Control Protocol/Internet Protocol

  • TLD top-level domain

  • TTL time-to-live

  • URI Universal Resource Identifier

  • URL Uniform Resource Locator

  • WAN wide area network

  • WWW World Wide Web






Critical Incident Management
ISBN: 084930010X
Year: 2004
Pages: 144