Clearing Up Garbled InfoSecurity Communication

By Corey Tower, GRC Consultant

“There is a Threat that can Exploit our Vulnerability – we should address this Risk.”

That one sentence can be rearranged about nine different ways with the terms swapped around, leaving it unclear what in the information security world we are actually talking about. In my tenure, I’ve seen these risk management terms misused more often than not.

What I would like to accomplish in this blog is to address what these risk management terms actually mean and how to use them correctly. Otherwise, we take the risk of creating confusion amongst our team, which can exploit…oh, never mind, let’s get to it.

The following definitions are from Shon Harris’ All-in-1-CISSP:

Threat Agent: This is the entity that is responsible for creating a threat. This is your hacker.

Threat: A threat is a danger that can exploit a known or unknown vulnerability in your security.

Vulnerability: This is the lack of a countermeasure, or a weakness in an existing countermeasure.

Risk: Risk is the likelihood that a threat will indeed exploit a vulnerability, together with the business impact if it does.

Exposure: An instance of being exposed to losses.

So how do these risk management terms interlink? Shon gives another great example of how to show this in her infinite loop:

“Threat Agents, give rise to Threats, that exploit Vulnerabilities, which lead to Risk, that can damage Assets, and cause an Exposure, which can be countermeasured by a Control, which affect Threat Agents.”

Another translation issue comes up when discussing how a control is classified. When someone kicks in your home’s front door, did that lock serve as a Physical Preventative control or a Physical Detective control? The lock didn’t keep the intruder out, though your busted door frame told you loud and clear what happened. So which is it? Keep it simple: locks are meant to keep unwanted people out. That makes the lock a Physical Preventative control. An example of a Physical Detective control would be a motion detector.

As you can see, it’s no surprise these terms are interchanged. Within your security team, make it a point to use correct terminology to help bolster a more mature InfoSec program.