Opher Etzion provides a timely segue for Part 3 of this series on The Top Ten Security Threats for 2008 in his two blog posts, Context and Situation – are they synonyms? and The notion of context and its role in event processing.
I will briefly illustrate and elaborate by applying the concepts of context and situation to risk identification, or the identification of increasingly risky situations, in terms of the three core contextual elements of risk, (1) threat, (2) vulnerability and (3) criticality.
The intersection of the context (or elements) of risk, illustrated in the figure above, defines various situations relevant to risk and risk management. Here is the context and the various situations:
(1) Threat environments that have no critical assets or known vulnerabilities. This is a bit like flesh-eating zombies isolated on a remote island in uncharted ocean waters. There is a low probability of a risky situation developing, except in those horror movies where shipwrecked bikini-clad tourists enter the scene! Then, we have the situation of barefoot people in bikinis (vulnerable) and some who are very beautiful (critical assets) – see situation (7) below!
(2) Vulnerabilities in systems, programs, people, equipment or facilities that are not associated with critical assets and for which there are no known threats. These are like the vulnerable barefoot bikini-clad people on the ship who are not critical to the plot of the horror movie.
(3) Critical assets (information, systems, programs, people, equipment or facilities) for which there are no known vulnerabilities or threats. These are the stars of the movie – the ones highly paid for their critical assets 🙂
(4) A threat or number of threats has acquired specific knowledge and/or capability to exploit a vulnerability to non-critical assets. An example would be the people who are “killed early” in the horror movie, the vulnerable, non-critical assets!
(5) Critical assets for which there are no known vulnerabilities but there is exposure to one or more specific threats. These are like the strong, beautiful, undefeatable folks in our island of horror metaphor. They are simply not vulnerable to the flesh-eating zombies!
(6) Critical assets for which there are known vulnerabilities but no known threats. These are like the bikini-clad beautiful people before they landed on the island of terrible flesh-eating zombies!
(7) Critical assets for which there are known vulnerabilities and threats. This context defines the most risky situations for our cast of vulnerable, barefoot, beautiful, fashionable, bikini-clad tourists on the island of flesh-eating zombies! Run for your lives!!!
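The seven situations above, as an added example that is not part of the original post: a small event processor folds threat, vulnerability and criticality events into per-entity context and reports each change of situation, including moves into situation (7). The event shape, the function names and the sample entities are assumptions made for illustration; situation 0 is used here for an entity to which none of the three elements applies.

```python
from collections import defaultdict

# Situation numbers from the list above, keyed by which context
# elements are present: (threat, vulnerability, criticality).
SITUATIONS = {
    (True, False, False): 1, (False, True, False): 2, (False, False, True): 3,
    (True, True, False): 4, (True, False, True): 5, (False, True, True): 6,
    (True, True, True): 7,
}
ELEMENTS = ("threat", "vulnerability", "criticality")


def track_situations(events):
    """Fold (entity, element, present) events into per-entity context and
    return the situation transitions (entity, old, new) in arrival order.
    Situation 0 (an assumption of this example) means no element applies."""
    context = defaultdict(lambda: dict.fromkeys(ELEMENTS, False))
    transitions = []
    for entity, element, present in events:
        if element not in ELEMENTS:
            raise ValueError(f"unknown context element: {element!r}")
        state = context[entity]
        old = SITUATIONS.get(tuple(state[e] for e in ELEMENTS), 0)
        state[element] = present
        new = SITUATIONS.get(tuple(state[e] for e in ELEMENTS), 0)
        if new != old:  # repeated events that change nothing are ignored
            transitions.append((entity, old, new))
    return transitions


def escalations(transitions):
    """Transitions that land in situation 7 (all three elements present)."""
    return [t for t in transitions if t[2] == 7]


# Constructed sample events, not real data.
SAMPLE_EVENTS = [
    ("payroll-db", "criticality", True),     # 0 -> 3
    ("payroll-db", "vulnerability", True),   # 3 -> 6
    ("test-vm", "vulnerability", True),      # 0 -> 2
    ("test-vm", "threat", True),             # 2 -> 4
    ("payroll-db", "threat", True),          # 6 -> 7
    ("payroll-db", "vulnerability", False),  # patched: 7 -> 5
]

if __name__ == "__main__":
    for entity, old, new in track_situations(SAMPLE_EVENTS):
        print(f"{entity}: situation {old} -> {new}")
```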
Situations and context? We experience this in almost every moment of our lives. Our senses provide the information for the context (somewhat autonomic, or lower level, cognitive context) and our minds formulate the (higher cognitive) situations.
So, where are the top ten security threats for 2008 I promised?