Every profession has its own language/vocabulary, 无论是医疗行业, 法律或资讯科技. The medical 和 law professions have been around for hundreds of years 和 have long instituted their professional vocabulary. 然而, IT 和 information security have only been around for a few decades 和 do not have the maturity of other professions in instituting a vocabulary.
There are several words used in our profession that have multiple meanings. I am going to focus on three words that are commonly used to describe risk. 然而, these words should not be interchanged as they mean different things: 风险, 威胁 和 脆弱性. To most people, these words are interchangeable even within the IT profession. For security professionals, though, they should not be as they have completely different meanings. Allowing these words to be interchangeable confuses our security 和 IT colleagues 和 the leaders in our organizations.
我们先来看看 风险. According to a definition in Webster, 风险 is the possibility of something bad happening. It involves uncertainty about the effects or implications of activity with respect to something that humans value, 哪些经常关注消极, 不良的后果. It’s the “Unknowing,” “What If” 和 the “Ambiguous.“ 公平的研究所, a quantitative framework that “valuates” 风险, defines it with more of a quantitative definition by placing a couple of parameters into the definition such as how often the losses are likely to happen 和 how much loss is likely to result. These parameters can help the security practitioner quantify the 风险. 一个例子是:We have a 风险 of ransomware being within our network 和 it could impact our systems between 3 和 9 times a year.“它并没有说它存在, but it does state that we don’t know if it is 和 the probability of it impacting the firm.
A 威胁 is defined as an expression of intention to inflict harm, 换句话说,伤害或损害, an intent of using ransomware to inflict harm or damage to an organization. 在FAIR教科书中Measuring 和 Managing Information 风险,” threats are usually described as actors or communities. It is easier to think of threats linked to a group (such as a nation-state-backed crime syndicate) or natural disaster (such as a flood, 地震或龙卷风). These intentions or events require the negative intent of action to be considered threats to an enterprise’s health. If there is no negative intent, then it is not a 威胁.
脆弱性 is defined as the capability of being physically or emotionally wounded. 脆弱性 is a condition that increases the capability of being harmed. An example is being behind in OS patching would can allow ransomware to exploit 和 infect machines. Because the organization is behind in its patching schedule opens the possibility of future harm but does not mean it will happen.
我最近一直在 准备CISM考试 和 ran across this formula that explains how these words should be used in our profession. 风险 is a product of 威胁和漏洞. 公式是这样的:
风险=威胁*漏洞
The layperson 和 our IT teammates will often interchange these words as they describe a danger to an organization or firm. By following this formula, one can see that each element cannot be interchanged. It is up to the security practitioner to continue to educate their fellow IT professional 和 business colleagues on the proper use of the words.
作为安全从业人员, we must resist this blending 和 use the words correctly 和 gently correct our colleagues about how to use these words to describe dangerous situations. 就像其他行业一样, it will take decades to institute a universal vocabulary, 而是作为IT安全专家, it is up to us to set 和 publicize the st和ard of the proper use of the words 风险, 威胁和漏洞.
