
Information Security Science

In this excerpt from chapter 1 of Information Security Science, author Carl Young discusses information security threats and risk.

The following is an excerpt from Information Security Science by author Carl Young and published by Syngress. This section from chapter 1 explores information security risks.

Understanding the distinction between a threat and a risk is a prerequisite for effectively communicating a risk management strategy. It is important because although threats and risk are closely related, they are not equivalent. Threats are the entities or conditions that cause harm, and therefore should be the focus of attention in a risk management strategy.

Evaluating the risk associated with a threat provides the impetus for going forward with security solutions as well as the requirements for those solutions. Security professionals should therefore address threats by evaluating the risk they present to their respective organizations. The following definition of a threat is fit-for-purpose, although there can arguably be many variations on a similar theme:

A threat is any entity, action or condition that results in harm, loss, damage and/or a deterioration of existing conditions.

Given this definition, the spectrum of potential information security threats is quite broad. Threats to organizations might include thieves intent on stealing money, state-sponsored entities attempting to access company-proprietary or classified government information, and groups seeking to embarrass adversaries by exposing confidential information for political or economic gain.

It is this diversity of threats and their respective methods that drives the breadth of security risk mitigation measures. However, no organization can apply every possible mitigation method in equal measure without near-infinite resources. What is needed is a means of prioritizing threats in order to strategically apply remediation, which is precisely the point of a security risk assessment.

In that vein, a critically important role of the security professional is to identify the threats of highest concern (read: highest “risk”). This activity should be followed by measures that reduce his or her organization’s vulnerability to those threats within the constraints imposed by budgets. Indeed, it is the finiteness of available resources that makes prioritization of remediation efforts a necessity.

So now that threats have been defined more precisely, what exactly is risk? All threats are described by a fundamental characteristic called risk, which is a set of three components as follows:

  • the impact or importance of a threat incident
  • the likelihood or potential of a future threat incident
  • the vulnerability or potential loss due to a threat incident

These components collectively define the risk associated with a threat. In fact, risk can be notionally represented by an “equation” that is expressed as a product of the individual components as follows:

Risk (threat) = impact × likelihood × vulnerability (1.1)

It should be read as, “The risk associated with a given threat equals the product of its impact, the likelihood of its occurrence, and the vulnerability to loss or damage.”

For now, suffice it to say that assessing the magnitude of the vulnerability component of risk, that is, the loss, damage, or exposure to a threat incident, is the basis for many of the analyses in this book.

Importantly, the risk associated with a threat is not immutable, and the magnitude of each component can vary significantly depending on circumstances. Context is crucial in assessing risk. In fact, a security assessment is merely an abstraction without context. If one were to provide a high-level if formal job description of a security professional, it is to evaluate the risk associated with the spectrum of distinct and impactful threats in light of scenario-specific parameters.

Identifying the spectrum of distinct and impactful threats is the progenitor of every security strategy. This task sounds simple, but determining what constitutes an impactful threat can be quite subjective and even controversial.

For example, some might argue that religion and television represent dangers to society. Yet many individuals, even intelligent ones, believe quite the opposite. With respect to distinctness, threats that are seemingly different can actually be functionally equivalent in terms of the required risk mitigation. However, there is a test for distinctness that will be explained in the discussion on risk factors.

Analogies with the medical profession are often useful when thinking about concepts in security. Security threats are equivalent to diseases in medicine, and risk mitigation measures are analogous to therapies. Most reasonable people would agree that diseases make people worse off. So unless you are a bit sadistic, hearing that a relative, friend, or associate is afflicted with a disease would probably be unwelcome news.

In medicine identifying the need for risk management is usually relatively easy. Patients display symptoms that are manifestations of some condition. Remedies are sometimes prescribed as a prophylactic measure based on one’s exposure to a microorganism, a genetic predisposition to an ailment, or some risk factor for a particular disease.

Once a disease or precondition has been identified, patients pay physicians (and insurance companies) to prescribe therapies. Such therapies often take the form of a drug. The effectiveness of that therapy will of course depend on the correctness of the diagnosis, but will also relate to each individual’s physiological makeup since no two people are identical.

But fortunately people are biologically similar, or at least similar enough, and that fact is the key to the large-scale effectiveness of many therapies. If one believes otherwise, there should be a separate anatomy and physiology textbook for each person on earth.


Experiments can be conducted that leverage the similarity of humans such that the action of a specific therapy can be isolated from other variables, and thereby lead to a conclusion on cause and effect. The process leading to the approval of a new drug, which includes testing hypotheses on effectiveness, is typically quite protracted, and expensive.

First, experiments are conducted on animal models that use a control group to isolate the effect of a single variable, namely the drug in question. Researchers attempt to establish a causal link between the disease and the palliative effects of the drug while observing potential side effects. The type of animal is chosen because its physiological response can be extrapolated to humans.

Once the animal studies have concluded, and it is clear that the drug had the intended result without obvious harmful side effects, human trials can commence. So-called “double-blind” experiments are designed to eliminate bias where a statistically significant trial population is divided into control and test groups.

Following the human trials and assuming a positive outcome, the drug is approved for general use by the Federal Drug Administration (US). As an aside, the average cost of research and development for a prescription drug is estimated to be $2.558 billion. The point is that medical threat scenarios benefit from significant testing of hypotheses relating cause and effect.

Contrast this with security scenarios. In general, threat incidents are relatively rare, and, importantly, there is often considerable variation in conditions that undermines the ability to isolate a variable under test.

One can simulate attacks on networks and applications. That is the point of conducting penetration tests. Such simulations will provide a degree of confidence in the resilience of specific security controls. But this is not the IT equivalent of a drug that confers broad immunity. The operational model, which consists of the user environment, is too complex, ephemeral, and varied.


In general, comprehensive assessments of information security risk are required to establish a thorough understanding of the risk factors affecting an organization. Furthermore, such assessments must be made with respect to risk-based policies and standards in the absence of useful statistics on incidents. Adopting a process to rigorously assess the risk associated with information security threats is essential to developing a coherent information security risk management strategy.

Since the essence of security is to mitigate the effect of threats, all estimates of risk should begin with identifying the spectrum of distinct threats. Threats were defined previously, but what is meant by “distinct” in this context?

Distinctness implies a set of characteristics that distinguishes one threat from another. Characterizing threats under general headings such as “terrorism,” “street crime,” and “hate crime” may be useful for sociologists and politicians, but it is not particularly helpful in developing a risk management strategy. So how does one specify that a given threat is distinct from another and why does it matter to a risk assessment strategy? These questions will be answered following a brief digression on risk.

Recall that (1.1) was introduced as an operational definition of risk and was formulated in terms of three components: likelihood, vulnerability, and impact. This was somewhat hyperbolically referred to as the Fundamental Expression of Risk. However, it is not a true mathematical equation because each component in (1.1) appears to have equal magnitude, and this condition is not true in general.

One important feature to notice about this expression is that if a single component is zero, there is no risk. The implication is that if there is no risk, the threat being evaluated does not exist for all practical purposes. Put another way, absent one or more components of risk, a given threat is simply not threatening.

In addition, the notion of “cost” broadly defined is missing from (1.1). Although cost is not a fundamental component of risk per se, it plays an important role in real-world decisions on security.

For example, it is not uncommon to encounter security risk scenarios where the magnitude of one component of risk is significant but remediation is cost prohibitive. Therefore, despite the assessed risk no action is taken to address it. The cost associated with risk mitigation is a reality associated with real-world risk management processes that would not appear in a strictly academic view.

Although a measurement of risk is ideal, it is not always possible to provide a quantitative estimate. The reality is that a qualitative view of each component is sometimes the best option available. The good news is that such a view is often sufficient to make a meaningful decision on risk mitigation. Moreover, a sophisticated security risk manager understands when quantitative measurements of risk will yield meaningful results and when it is futile to even try.

With that background, the risk assessment process can now be described, and, in particular, the critical role of risk factors in developing an effective risk management strategy. As noted earlier, the first step in a security risk assessment is to identify the spectrum of impactful and distinct threats to an organization. In order to address the question of threat distinctness, the crucially important concept of a “risk factor” must be reintroduced and defined as follows:

A risk factor is a feature, characteristic or condition that enhances one or more components of risk for a specific threat or mode of threat implementation. It is the spectrum of risk factors that drive the required mitigation methods.

The logic associated with risk factors as the basis for risk management is compelling to the point of appearing circular: If risk factors are those features that enhance one or more components of risk for a given threat, then addressing all the risk factors is required in order to effectively manage that threat.

A medical analogy is again illustrative. Consider the threat of cardiovascular disease. Some well-known risk factors for this threat are high blood pressure, obesity, a high concentration of certain types of cholesterol in the blood, smoking, lack of exercise, being male (or a postmenopausal female), diabetes, and a family history of cardiovascular disease.


These risk factors were determined through large population studies that enabled scientists to correlate the presence of a risk factor with the likelihood of a future threat incident. In other words, people had varying rates of heart attacks based on the number and magnitude of one or more risk factors.

The likelihood of a future threat incident increases by some quantifiable amount with each additional risk factor, an artifact of the plethora of data established over years of studying relatively homogeneous models such as humans. In other words, the more risk factors displayed by a patient, the higher is the likelihood he or she will suffer a heart attack in a specific interval of time.

The risk increases with the duration of the time interval under consideration. An individual who displays all of the significant risk factors would likely be a candidate for aggressive medical therapy as determined by a bona fide medical risk manager, for example, a cardiologist.

A Venn diagram can be used to illustrate the intersection of risk factors, a condition that would amplify the likelihood component of risk for the threat of heart attacks as shown in Fig. 1.1.

A similar diagram can be created for any threat. Physical security threats are illustrative of the utility of such diagrams. Consider the threat of vehicle-borne explosive attacks by anti-Western elements against the headquarters of an international bank. Risk factors for this attack might include the following:

  • the country where the facility is located;
  • the iconic status of this particular facility or the bank in general (in other words, a symbolic association with Western culture and/or a particular government);
  • the historical use of this mode of attack by groups of concern;
  • the proximity of the facility to vehicular traffic.

Note that the first three risk factors enhance the likelihood component of risk for this threat while the last one enhances the vulnerability component of risk. Understanding the nature of the contribution to risk for a given risk factor is important in managing the risk associated with each impactful and distinct threat. For example, reducing the profile of a company or facility would affect the potential for attack, but would do nothing to reduce the vulnerability or the potential damage/loss should an attack occur.

Fig. 1.2 illustrates the Venn diagram for the set of risk factors associated with a given target and relative to this threat. If all of these risk factors existed for a given target, the risk is enhanced relative to a target that possessed fewer risk factors.

To further illustrate this important point, if the impactful threats were groups concerned about the global hegemony of fast food corporations, the likelihood component of risk might be significantly altered from the anti-Western terrorists noted earlier. In that case the security strategy might not include this threat as a priority for remediation.

The long-awaited answer to the question of what makes one threat distinct from another can now be presented. Simply put, any two threats are equivalent if the type and magnitude of their respective risk factors are identical. Conversely, if their risk factors differ in either type or magnitude, the two threats are distinct and each threat must be addressed separately as part of a risk mitigation strategy.

This test for distinctness has a very practical implication. Namely, threats can be logically grouped according to their risk factors. In addition, simultaneously addressing the risk factors will effectively manage all of the threats with risk factors in common. Note that if one risk factor is not addressed, it means at least one vulnerability exists for each threat to which that risk factor applies.

The key to an effective risk mitigation strategy is to address all the risk factors for each distinct and impactful threat. A graphic that depicts the risk management process is captured in Fig. 1.3.
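The following is an added worked example, not code from the book or its author, that turns the ideas above into a small model: the notional product of the three risk components, risk factors that each enhance one named component, the test that two threats are equivalent only when their risk factors match in type and magnitude, and the grouping of threats by shared risk factors. The ordinal 0 to 3 baseline scores and the integer magnitude attached to each risk factor are assumptions made here for illustration (the excerpt itself stresses that the expression is notional), and the sample threats are constructed from the excerpt's vehicle-borne attack scenario.

```python
"""Toy model of the Fundamental Expression of Risk (1.1) and the
risk-factor test for threat distinctness described in the excerpt.

Added example, not the book's code. Numeric scores are an assumption
for illustration only; the excerpt treats (1.1) as notional.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# The three components of (1.1): risk(threat) = impact * likelihood * vulnerability
COMPONENTS = ("impact", "likelihood", "vulnerability")


@dataclass(frozen=True)
class RiskFactor:
    """A feature that enhances one component of risk for a threat.

    `magnitude` (assumed ordinal scale) says by how much the factor raises
    the named component; a magnitude of 0 records that the feature is
    present but adds nothing, which still matters for the distinctness test.
    """
    name: str
    component: str
    magnitude: int

    def __post_init__(self) -> None:
        if self.component not in COMPONENTS:
            raise ValueError(f"unknown risk component: {self.component}")
        if self.magnitude < 0:
            raise ValueError("a risk factor enhances risk; magnitude must be >= 0")


@dataclass(frozen=True)
class Threat:
    name: str
    impact: int          # baseline scores (assumed 0..3) before risk factors apply
    likelihood: int
    vulnerability: int
    risk_factors: frozenset[RiskFactor]


def component_scores(threat: Threat) -> dict[str, int]:
    """Apply every risk factor to the single component it enhances."""
    scores = {"impact": threat.impact, "likelihood": threat.likelihood,
              "vulnerability": threat.vulnerability}
    for rf in threat.risk_factors:
        scores[rf.component] += rf.magnitude
    return scores


def risk(threat: Threat) -> int:
    """Notional product from (1.1): zero whenever any one component is zero."""
    s = component_scores(threat)
    return s["impact"] * s["likelihood"] * s["vulnerability"]


def is_distinct(a: Threat, b: Threat) -> bool:
    """Distinctness test: equivalent only if risk factors match in type and magnitude."""
    return a.risk_factors != b.risk_factors


def group_by_risk_factors(threats: list[Threat]) -> dict[frozenset[RiskFactor], list[str]]:
    """Threats with an identical risk-factor set can be managed together."""
    groups: dict[frozenset[RiskFactor], list[str]] = defaultdict(list)
    for t in threats:
        groups[t.risk_factors].append(t.name)
    return dict(groups)


def remaining_exposure(threat: Threat, addressed: set[str]) -> list[str]:
    """Risk factors of `threat` that no mitigation addresses yet.

    A non-empty result means at least one vulnerability still exists for
    this threat, as the excerpt notes for any unaddressed risk factor.
    """
    return sorted(rf.name for rf in threat.risk_factors if rf.name not in addressed)


# Constructed sample data based on the excerpt's bank headquarters scenario.
HOST_COUNTRY = RiskFactor("host country", "likelihood", 1)
ICONIC_STATUS = RiskFactor("iconic status of facility", "likelihood", 1)
HISTORICAL_USE = RiskFactor("historical use of attack mode", "likelihood", 1)
NO_HISTORICAL_USE = RiskFactor("historical use of attack mode", "likelihood", 0)
VEHICLE_PROXIMITY = RiskFactor("proximity to vehicular traffic", "vulnerability", 2)

HQ_VBIED = Threat("vehicle-borne explosive attack on HQ", 3, 1, 1,
                  frozenset({HOST_COUNTRY, ICONIC_STATUS, HISTORICAL_USE, VEHICLE_PROXIMITY}))
# Same risk factors in type and magnitude, so equivalent under the test.
HQ_VBIED_SECOND_GROUP = Threat("same attack on HQ by a second group", 3, 1, 1,
                               HQ_VBIED.risk_factors)
# The excerpt's other group: likelihood factors differ, so a distinct threat.
FAST_FOOD_GROUP = Threat("attack on HQ by anti-fast-food group", 3, 1, 1,
                         frozenset({HOST_COUNTRY, NO_HISTORICAL_USE, VEHICLE_PROXIMITY}))
# Baseline vulnerability 0 and no factor enhancing it: risk is zero, so the
# threat is "not threatening" for practical purposes.
NO_VEHICLE_ACCESS = Threat("same attack on a site with no vehicle access", 3, 1, 0,
                           frozenset({HOST_COUNTRY, ICONIC_STATUS, HISTORICAL_USE}))
ALL_THREATS = [HQ_VBIED, HQ_VBIED_SECOND_GROUP, FAST_FOOD_GROUP, NO_VEHICLE_ACCESS]

if __name__ == "__main__":
    for t in ALL_THREATS:
        print(f"{t.name}: components={component_scores(t)} risk={risk(t)}")
    for factors, names in group_by_risk_factors(ALL_THREATS).items():
        print(sorted(rf.name for rf in factors), "->", names)
    print(remaining_exposure(HQ_VBIED, {"host country", "iconic status of facility"}))
```

The model makes the excerpt's points visible: the two HQ threats land in one group because their risk factors are identical, the anti-fast-food variant is distinct even though it targets the same building, and the site without vehicle access scores zero risk because one component is zero no matter how large the others are. Reducing the facility's profile would remove only likelihood factors, leaving the vehicular-proximity factor, and therefore the vulnerability component, untouched.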


About the author: Carl S. Young is a recognized subject matter expert in information and physical security risk management. He is currently a Managing Director and the Chief Security Officer at Stroz Friedberg, an international security risk consulting firm. He is the former Global Head of Physical Security Technology at Goldman Sachs as well as a former Senior Executive and Supervisory Special Agent at the FBI. He was also a consultant to the JASON Defense Advisory Group. Mr. Young is the author of Metrics and Methods for Security Risk Management (Syngress, 2010), and The Science and Technology of Counterterrorism (Butterworth-Heinemann, 2014) as well as numerous journal publications. In 1997, he was awarded the President’s Foreign Intelligence Advisory Board (PFIAB) James R. Killian Award by the White House for significant individual contributions to U.S. national security. Mr. Young received undergraduate and graduate degrees in mathematics and physics from the Massachusetts Institute of Technology.

This was last published in December 2016
