This blog is about Taking Security Back, so let’s start with some basic definitions about Security and Risk Management.
The risk management equation revolves around four components:
- Asset that needs protection
- Threat that could impact this asset with a certain probability
- Vulnerability that eases the threat’s access to the asset
- Security Measure in place to prevent or at least complicate threat’s access to the Asset
To picture this, let’s take a real life example:
One morning, you leave home forgetting to close one of your windows, the one facing the street, and your wallet stays on the living room’s table:
- Asset here is your wallet
- Threat could be a thief either passing by or with the clear intention of breaking into your house
- Vulnerability is your window left open
- Operational Security Measure is your remaining doors and windows left properly closed
You may get back home in the evening and still find your wallet on the living room’s table because no passer-by or thief took advantage of your window left open. The risk’s negative effect at the end of the day was null.
At the contrary, if a passer-by or a thief with a clear malicious intention, spots your window left open, gets in and steals your wallet, then the risk’s negative effect at the end of the day was real.
This basic equation should drive all your risk analysis thinking and will greatly help you identify your assets, detect your vulnerabilities, estimate the probability of a given threat and be aware of already implemented security measures.
Let’s take another real life example of each term, and how it applies to our daily life.
At the top of my head, an example could be the leaked database of the car plates numbers that was widely available for everyone in Lebanon:
- Threat: Malicious party misusing these data and stealing identities
- Vulnerability: Flawed process allowing data leakage at the concerned ministry and the data owner
- Asset: Personal private information and the total database for advanced analytics
- Risk: Exposure of private information
If you found this clear enough, then you’re more than ready to spot in your daily activities the Asset, the Threat, the Vulnerability and the corresponding operational security measures.
Looking forward to reading your comments.