Security Risk Assessment Definitions
These definitions are not comprehensive.
Please consider them simply as brief clarifications to indicate their use in this blog. Unless otherwise stated, they are adapted from longer definitions in ISO31000 or SRMBOK. Any terms you come across in the book that are new to you can be found in one of these two documents.
If you do not have access to the above resources, most dictionaries will be adequate. The CISSP Glossary (https://www.isc2.org/Certifications/CISSP/CISSP-Student-Glossary) is also an easily accessible list of excellent security definitions. It differs from SRMBOK or ISO31000 in some respects but covers a lot of ground and is generally consistent with the way definitions have been used in this blog.
Assets: a.k.a. Resources. They can be both the target of an attack and the means for defending against it. NB. ISO31000 refers to Resources rather than Assets.
Attack Vector: The type of event, method or means of attack.
Consequences: The outcome of an event which affects the company's objectives. Measured in terms of impact on objectives, resources, assets, capability, or any other metric determined in the risk criteria. For negative consequences, this includes adverse impacts (described in terms such as shock, etc.). Positive consequences are benefits.
Controls: Process, policy, device, or other action that acts to minimize negative risk or enhance positive opportunities.
Event: Threat act, incident, attack, etc.
Exposure: a.k.a. Attack surface. The time frame, duration, frequency, or points of potential attack (virtual or physical) in which an asset is exposed to potential threats or opportunities, e.g. for a home, this might include doors, windows and roof, as well as internet ingress, computer terminals, etc.
Hazard: Inanimate potential source of harm.
Likelihood: Chance, frequency, probability.
Risk: The effect of uncertainty on objectives.
Source: a.k.a. Threat. Person or thing which could initiate an attack or release of a hazard by deliberate actions. For positive risks, it means opportunity.
Vulnerability: Weakness that can be exploited by an adversary to gain access to an asset.