Tim Bass
Sun, 11 Nov 2007 05:25:20 +0000
Opher Etzionprovides atimely seqway for Part 3 of this series onThe Top Ten Security Threats for 2008in his two blog posts, Context and Situation - are they synonyms? and The notion of context and its role in event processing.**
I will briefly illustrate and elaborateby applying the concepts of context and situation to risk identification, or the identification of increasingly risky situations, in terms of the three core contextual elementsof risk, (1) threat, (2) vulnerability and (3) criticality.**
The intersection of the context (or elements)of risk, illustrated in the figure above, defines various situations relevant to risk and risk management.* Here is the context and the various situations:
(1) Threats environments that have no critical assets or known vulnerabilities.* This is a bit likeflesh eating zombiesisolated on a remoteisland in uncharted ocean waters.** There is a low probability of a risky situation developing, except in those horror movies where shipwrecked bikini clad tourists enter the scene! Then, we have the situation ofbarefoot peoplein bikinis (vulnerable)and some who arevery beautiful (critical assets)- seesituation (7) below!
(2) Vulnerabilities in systems, programs, people, equipment or facilities that are not associated with critical assets and there are no known threats.** These are like the vulnerable barefoot bikini clad people on the ship who are not critical to the plot of the horror movie.
(3) Critical assets (information, systems, programs, people, equipment or facilities) for which there are no known vulnerabilities or threats.** These are the stars of the movie - the ones highly paid for their critical assets 
(4) A threat or number of threats has acquired specific knowledge and/or capability to exploit a vulnerabilityto non-critical assets. An example would be the people who are �killed early� in the horror movie, the vulnerable, non-critical assets!**
(5) Critical assets for which there are no known vulnerabilities but there is exposure to one or more specific threats.** These are like the strong, beautiful, unfeatablefolks in our island of horror metaphor. They are simply not vulnerable to the flesh eating zombies!
(6) Critical assets for which there are known vulnerabilities but no known threats.** These are likethe bikini clad beautiful people before they landed on the island of terrible flesh eating zombies!
(7) Critical assets for which there are known vulnerabilities and threats. Thiscontext defines the mostrisky situations for our cast of vulnerable, bareful, beautiful, fashionable, bikini clad tourists on the island of flesh eating zombies!** Run for your lives!!!
Situations and context?*** We experience this in almost every moment of our lives.** Our senses provide the context and our minds formulate the situations.
So, where are the top ten security threats for 2008 I promised?*
Stay tuned�..