Harm

• Harm is the negative consequences of an actualized threat. (from the book)
  • Loss of a computer, file, access, ....
• The loss of confidentiality or access of some assets is clear harm
  • But the loss of some might not be so clear
  • Ie a photo with something in the background that shouldn't be there.
• They point out that the only evaluation you might be able to put on assets is somewhere on the scale from minuscule to moderate to extremely high.
  • Or you might just rate them relative to some other asset.
• They point out a study by Symantec of prices of things on underground web sites.
  • I found this site but can't vouch for accuracy.
• Risk and common sense
  • They point out that "threats are practically unlimited because devising an attack requires an active imagination, determination, persistence and time."
  • Ie smart, hard working ,imaginative people
  • They think up new things.
  • Throw in natural disasters and other failings and cyber security is a nearly impossible task.
  • You can't protect against everything.
• This is true in life as well
  • you can become so overrun with fear you will not go outside of your bedroom.
• We can only "live" because we accept some level of risk
• We prioritize our risks and manage the important ones.
• The same is true of computing.
  • Where possible we identify threats
  • Analyze the possibility of harm
  • Do our best to control this, or recover if it happens.
  • This is hard to do
• They define residual risk is risk that remains uncovered by controls.
  • Or the risk we accept with hopeful thinking.
  • Sidebar 1-3 discusses the impact of security breaches on a company
    • Research indicates that breaches have limited impact on long term company performance.
• Method - Motive - Opportunity
  • Method: think tool, knowledge, ability ...
  • Motive: Why? Just for fun, revenge, profit
  • Opportunity: