the vulnerabilities that might be exploited by the threats
In BS7799-2:2002 4.2.1.d.3 I read the following:
d) Identify the risks
- Identify the assets [...]
- Identify the threats to those assets.
- Identify the vulnerabilities that might be exploited by the threats.
The standards document does define a few terms, but not
Now, my computer is an asset that is threatened by interruptions in electric power supply. But it does not make sense to say that the power supply exploited a storm to stop my PC?
Is BS 7799-2:2002 written on the assumption that all risk is caused by deliberate attacks?
Looking at Security in Computing by Charles P. Pfleeger, ISBN 0-13-799016-2, section 1.2:
[...] an exposure is a form of possible loss or harm [...] A vulnerability is a weakness in the security system that might be exploited to cause loss or harm. A human who exploits a vulnerability perpetrates an attack on the system. Threats [...] are circumstances that have the potential to cause loss or harm; human attacks are examples of threats, as are natural disasters [and] human errors[...] a control [BS 7799-2:2002 3.11 risk treatment] is a protective measure
By BS and Pfleeger definitions, my power line is vulnerable to sabotage, but not to storm damage.
Hardly a useful definition. I can't say that the storm is a threat that exploits the vulnerability of the power line.
I need a new word.
is a threat that xxxes the vulnerability of the power line.
I want to remove "exploit" from the definition:
- a weakness in the security system that might cause loss or harm