The Public Eye with Eric Chabrow

What is a Threat?

Defining Term Seen as Helping to Safeguard Privacy

What is a threat?


The answer seems obvious, especially in the context of IT security and information risk. Yet is it, particularly when the term is used in developing codes and standards, or in funding research and development initiatives with taxpayer money?

I hadn't thought much about the definition of the term "threat" until this past week, when EPIC - the Electronic Privacy Information Center - submitted comments on a proposed update of the Federal Cybersecurity Research and Development Strategic Plan, which, according to the Federal Register, addresses the continued criticality of R&D in ensuring the nation remains on track to develop innovative tools and capabilities to address cybersecurity threats.

Here's what EPIC, in its filing, says about defining threat:

Earlier this month, I wrote a story and a blog about draft guidance being developed by the National Institute of Standards and Technology that defines IT security terms (see NIST Revising Glossary of Infosec Terms and Quantifying the Growth of IT Security). How does the draft define "threat"?

NIST's 3 Definitions of Threat

NIST Interagency Report 7298 Revision 2 (Draft), Glossary of Key Information Security Terms, provides three definitions of the term "threat":

  1. Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.
  2. The potential source of an adverse event.
  3. Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets or individuals through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.

IR 7298 also furnishes definitions for threat analysis, threat assessment, threat event, threat monitoring, threat scenario, threat shifting and threat source, as well as advanced persistent threats, inside threat, insider threat, outside threat and outsider threat. Plus the term "threat" appears in dozens of other definitions in the glossary.

That's a lot of defining, and perhaps too many definitions when it comes to addressing threat in the cybersecurity landscape. It's a point EPIC makes:

    "Such an open-ended and broad use of the word 'threat' does not properly narrow the strategic plan's cybersecurity research objectives to relevant cybersecurity problems. EPIC objects to these particularly broad usages because they increase the risk of innocuous online activities being classified as 'threats' - thereby providing the pretext for the collection of user data. Therefore, [the government] needs to refine and clarify the definition of cyberthreat."

Being precise in defining "threat" or, for that matter, any other term is crucial. People must be sure they understand one another, because a given term does not necessarily mean the same thing to everyone who uses it.

Take, for instance, the term "cybersecurity." As addressed in a blog posted earlier this spring - Can You Define Cybersecurity? - being misunderstood on cybersecurity could have devastating consequences. Improving understanding, through language or by actions, was behind U.S. Defense Secretary Leon Panetta's joint announcement with Chinese Defense Minister Gen. Liang Guanglie last May that both nations will cooperate on cybersecurity.

As Panetta says, it's extremely important to avoid misperceptions that could lead to a crisis.



About the Author

Eric Chabrow


Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



