Poker-based infosec definitions

[Gary Hinson]

On LinkeDin, James Bore just klicked-off a series of pieces using the card-game poker as an analogy for risk management.

His first piece defines the terms, including an interesting distinction between 'threat' and 'hazard' concerning the presence or absense of agency.    

Previously, I've taken 'hazard' to refer to accidental or natural causes: 'agency' is a nice refinement.  That is, agency the adjective, not agency the noun: the CIA, for exmple, definitely faces hazards as well as risks!  The meme-style definitions I'm sharing (like the one above) are extracts from the hyperglossary.  Here's the full original entry for "Agency":

I'll revise the hyperglossary entry for hazard*, adding the bold bit thanks to James' prompt: "Health and safety or insurance term equivalent to danger, threat, threat agent, risk, risk source etc. depending on context and any specified definitions.  Generally suggests accidental or natural causes without deliberate intent or agency, although collateral damage, side-effects and unintended consequences of incidents may be considered hazardous." 

I'm not so keen on James' definition of [risk] tolerance, though - a topic I think we've discussed previously here on the reflector.

* I'll revise the hyperglossary entry ... but not until the second edition.  I am currently proofreading the edited manuscript for the first edition (as submitted back in April) and have been forbidden from meddling with the content other than necessary corrections.  Ho hum. 

Kind regards/Ngā mihi,

Gary

________________________________________

Gary Hinson CEO of IsecT Ltd

Information risk and security consulting

ISO27k  Audit  ISMS templates and policies
Pragmatic Security Metrics (with Krag Brotby)
Cybersecurity Hyperglossary (forthcoming!)

________________________________________