“Risk” defined

In the network and computer security field, we frequently discuss threats, vulnerabilities, and risks. (I have always liked Dr. Peter Tippett’s “Risk Equation,” which I lay out in NetSec Letter #33.)

In its Special Publication 800-39, NIST defines risk thusly:
A measure of the extent to which an entity is threatened by a potential circumstance or event. This extent is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security risks are those risks that arise through the loss of confidentiality, integrity, or availability of information or information systems and consider impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
The definition is in the current drafts of SP 800-39 and SP 800-30 Rev 1. What do you think of it?

No comments: