Levels


Gary Hinson

May 16, 2026, 4:06:43 PM
to hyperg...@googlegroups.com
Friends,

I'm struggling a bit to explain 'levels of' stuff, largely because I find the very concept dubious, often misunderstood and misused.

Here's what I have so far:
image.png

What do you think?   Seems to me that's a lot of words implying my lack of understanding and clarity - but it could also be that 'levels' are inherently complicated and cloudy.  Or both.  

Corrections, clarifications and improvement suggestions please!

Kind regards/Ngā mihi,

____________________________________________

Raul Rodríguez Macías

May 16, 2026, 4:15:11 PM
to Gary Hinson, hyperg...@googlegroups.com
BTW Gary, check, because there are pirate sites that contain your book, such as z-lib.

Sent from my HONOR X7c


-------- Original message --------
From: Gary Hinson <ga...@isect.com>
Date: Sat, 16 May 2026, 14:06
To: hyperg...@googlegroups.com
Subject: [Hyperglossary] Levels
--
You received this message because you are subscribed to the Google Groups "Cybersecurity hyperglossary" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hyperglossar...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/hyperglossary/CAPRmHF44Lt1BYDK%3DTE2Xa%3DGeY5iEw_HNG2Ni874cuMQzjaXBVw%40mail.gmail.com.

Rob Slade, greatgrandpa and widower

May 16, 2026, 5:10:39 PM
to hyperg...@googlegroups.com
On Sat, May 16, 2026 at 1:15 PM Raul Rodríguez Macías <raul.rodrigue...@gmail.com> wrote:
BTW Gary, check, because there are pirate sites that contain your book, such as z-lib.

All of my later books were pirated within hours.  It's a fact of publishing life these days. 

--
Psalm 142:4, Ezekiel 24:16,18; Matthew 13:12; Isaiah 57:1; Genesis 2:18; 2 Corinthians 2:7,8; John 13:35; Proverbs 25:20; James 2:15,16; Proverbs 24:11-12, Jeremiah 45:3, Deuteronomy 28: 65-67, Isaiah 38:15, Psalm 69:20, Revelation 9:6, Numbers 11:15
Uuk klah ma, Rob.  U huk witas hluucsma, Gloria  Wikaah chachimhiy.

Online Scams and Frauds (OSF) series postings: 
======================


Gary Hinson

May 16, 2026, 11:09:30 PM
to hyperg...@googlegroups.com
Thanks for the heads-up Raul - disappointing but not exactly surprising.

The cover price for the ~800-page book is set as low as possible - barely covering the production costs ... and yet still some people would rather steal it and risk prosecution for piracy.   

In conjunction with the publisher's crack team of legal ninjas, I will try to get it taken down.

Thinking forward, I'm inclined to stop work on the book's updates and just go fishing.  Working this hard, for free, is a mug's game.

Kind regards/Ngā mihi,

____________________________________________



Nigel Landman

May 17, 2026, 5:32:56 AM
to hyperg...@googlegroups.com
Hi Gary
The lure of replacing your hyperglossary time with that of fishing is understandable. But purely from a selfish perspective, the work you are doing is invaluable, even though it may not lead to the purchase of a superyacht or two.

Level of stuff – level is a horrible word.

Complicated – yep. Cloudy (with a sprinkling of meatballs) – yep. I often hear the word ‘maturity’ alongside level of assurance – odd, I know, and does result in a bunch of questions.
 
IMHO I believe, to achieve the outcome, you have the right number of words.
 
There is, again, another phrase – risk balance case – that is often associated with, to all intents and purposes, a failure to meet assurance requirements. There may well be a valid reason, but it will necessitate the need to build, and have signed off by senior (risk) management, a risk balance case. 

Nigel.


Gary Hinson

May 17, 2026, 6:39:54 PM
to hyperg...@googlegroups.com
Superyacht purchases were never a line in my grand plan, Nigel.  Textbooks are not exactly money-spinners, barely valuable let alone invaluable.  'Making a difference' is a strong lure for me. Eking out a living, though, requires enough income to pay the bills ... maybe even buy fishing gear.

Oh well, c'est la vie.  The floggings will continue until morale improves.

I think I can slip 'maturity' in there somewhere, linking to its own entry.

"Risk balance case" is a new one on me - never heard that - but I do like to distinguish exceptions and exemptions, two commonly-confused terms (malapropisms) with different implications and clear relevance to risk management.   

Kind regards/Ngā mihi,

____________________________________________


Nigel Landman

May 18, 2026, 6:50:46 AM
to hyperg...@googlegroups.com
Risk Balance Case (RBC) - it's a UK Gov., Military, Police Forces thing. Is the phrase worthy of inclusion in your glossary? Unknown.

Is it a bird, a plane or something akin to a specific risk assessment (identification, analysis, evaluation)? It is the latter, so to speak, but targeted on one particular area of concern; a failure to meet an assurance level (a minor / major NC, if you wish) that requires escalating up to SIRO for a decision. A decision about what? An exemption (but very much time-bound), dependent upon the words within the RBC.

Can IT system 'A' remain connected to systems 'B, C, and D' if 'A' has failed to meet the required level of assurance? Are there any compensating controls available that would allow continued connection? What corrective actions have been identified? And so on ... It is the SIRO's decision, and accountability stops at that point.

It doesn't have to be an IT system, of course. If there is only one person with the skills to repair the coffee machine but they do not have the necessary security clearance; SIRO or no, coffee machine comes first.

Flogging the troops was always good for one’s morale. Flogging oneself, not so much.

Nigel.

Gary Hinson

May 18, 2026, 1:19:42 PM
to hyperg...@googlegroups.com
Aha!  Yes, that merits an entry, Nigel.  Thank you for explaining RBC.  

Elsewhere, I've heard the mil-spec process of checking system security against a defined standard called 'accreditation' - another malapropism for 'certification' I think.  Another troubling little discontinuity in Gary's World.

As I sit here sipping fresh coffee, rebooting my brain for the day ahead, I'm wondering whether to include an entry for coffee as an important availability and integrity control ...

Kind regards/Ngā mihi,

____________________________________________


Nigel Landman

May 19, 2026, 4:06:56 AM
to hyperg...@googlegroups.com
Further to RBC - UK Mil, via its public website, state: Where circumstances dictate that it is necessary to carry out action that is outside of the scope of standard policy, a RBC must be raised ...

The website details categories and pathways for an RBC. These clearly meet UK Mil needs but Police Forces will have other categories (not necessarily made public), and pathways heading up towards SIRO (local) or SIRO (national).  

I have not heard RBC being used in commercial environments. Further, I have checked the UK's HM Treasury Orange Book (a very useful bit of kit on risk, and available on-line) but no mention of RBC is made.

Coffee - availability of body - integrity of mind; but where integrity wanes just as the sun reaches the yardarm - lucky that ....

Nigel. 

Gary Hinson

May 19, 2026, 1:54:59 PM
to hyperg...@googlegroups.com
How's this, Nigel:

image.png
"Close enough for government work"?

Kind regards/Ngā mihi,

____________________________________________

Nigel Landman

May 20, 2026, 4:41:25 AM
to hyperg...@googlegroups.com
Yes and no, sorry. The challenge is that nobody formally defines the term. MoD make a good stab but others do not. 

I have put some ideas into the attached spreadsheet. 

Nigel.


RBC.xlsx

Gary Hinson

May 21, 2026, 2:14:43 AM
to hyperg...@googlegroups.com
Errr, OK Nigel.

Each of your definitions includes 'local or national SIROs', which I guess makes sense to UK defence pros, but probably not to Joe Public.  Although we could define/explain that, it's becoming a bit too parochial, I feel.  Plain SIROs would do, hopefully.

I'd prefer 'exemption' rather than 'deviation'.  

So, tonight at least, I'm leaning towards:  

"Risk balance case: Document with which Senior Information Risk Officers formally consider and (if appropriate) authorise exemptions from applicable security policies and compliance baselines."

... or something along those lines.  

Kind regards/Ngā mihi,

____________________________________________


Contact - Books

May 21, 2026, 2:22:35 AM
to hyperg...@googlegroups.com
On the accreditation vs certification piece, you might be interested in how UKAS make a distinction between the two. 

As the UK Accreditation Service, they should have some idea at least. 




Rob Slade, greatgrandpa and widower

May 21, 2026, 9:44:54 AM
to hyperg...@googlegroups.com
On Wed, May 20, 2026 at 11:22 PM Contact - Books <h...@securityblendbooks.com> wrote:
On the accreditation vs certification piece, you might be interested in how UKAS make a distinction between the two. 

As the UK Accreditation Service, they should have some idea at least. 


AAAAaaaarrrrrgggghhhh!!!!! 

This is getting even worse!  We used to have an accepted definition that certification was testing (us) and accreditation was acceptance (senior management).  Then BCI *reversed* that!  And now this addition of third party versus local?  The Powers That Be seem to be making accepted terminology impossible!


Gary Hinson

May 23, 2026, 2:50:05 PM
to hyperg...@googlegroups.com
[Sorry for the delay - still busy compiling the list of additions to the hyperglossary - over 400 so far and about 100 more to go, in this phase]

Thanks James (I believe "Contact - Books" is you, Mr Bore). 

I have tweaked the definition of accreditation and quoted UKAS as follows:
image.png

Rob, being an antisocial hermit, I don't like parties and I find first, second and third parties confusing ... so I generally avoid them.  

I hope the revised definition does not raise the red mist.

By the way, I'm being careful to distinguish and use "technical" and "technological" properly throughout.  That's yet another oft-confused pair of malapropisms, a hair (or is it hare?) trigger for this pedant.

Kind regards/Ngā mihi,

____________________________________________


Rob Slade, greatgrandpa and widower

May 23, 2026, 3:28:06 PM
to hyperg...@googlegroups.com
On Sat, May 23, 2026 at 11:50 AM Gary Hinson <ga...@isect.com> wrote:

Rob, being an antisocial hermit, I don't like parties and I find first, second and third parties confusing ... so I generally avoid them.  

I hope the revised definition does not raise the red mist.
 
I think you have done an exemplary job of conflating the variety of inputs into a single entry.


Gary Hinson

May 23, 2026, 8:12:17 PM
to hyperg...@googlegroups.com
Thank you sir!


Kind regards/Ngā mihi,

____________________________________________



Nigel Landman

May 24, 2026, 6:06:30 AM
to hyperg...@googlegroups.com
Oh pffttt... I'm struggling with the opening to this definition.

image.png

I think it's the - (such as ISO) - bit that has thrown me.
Why? In my head I think of ISO as the developer and publisher of Type A management system standards (in this context), e.g. ISO/IEC 27001 - with national accreditation bodies (UKAS, ANAB, DAkkS, JAS-ANZ etc. - with oversight by IAF) who would verify an organisation/individual (conformity assessment body – CAB) is competent to audit/certify…
Therefore, IMHO, the trusted authority would be the national accreditation body, rather than ISO.

I shall go get my coat…

Nigel

Gary Hinson

May 24, 2026, 1:59:00 PM
to hyperg...@googlegroups.com
That is a complex, multi-phrase sentence, Nigel, one (of many!) that could probably do with simplification and/or splitting into separate sentences.   [<-- and there's another example!  It's my natural style, my default, my preference ...] 

As I hunt systematically through the hyperglossary content for updates, I've realised that many definitions can be simplified to just the first sentence or clause.  Reducing options and variants would also simplify the language.  However, doing so would cut off pertinent details and explanation, plus the external and internal references, quotes from 'official' sources, related terms etc., the stuff that I feel adds a lot of value.

So far, I've tried to cater for two types of reader, those who:
  1. Just want the basics, the superficials.  Maybe they are in a hurry, students, not fluent in tech English or just not that interested.  Fair enough.  
  2. Prefer to dive deeper, specialists exploring and wallowing in the gory details - like me.
For many definitions, that means providing a gentler, simpler, more superficial introductory sentence for type 1 readers ... leading into more detailed explanation and all the other stuff for the type 2s.

That's not a hard and fast rule, however, and, on reflection, the entry for 'Accreditation' would probably benefit from having a simpler start for the type 1s e.g. "Verifying an organisation competent to certify others."   I'll have a go at restructuring it.

Tweaking the wording here and there has slowed down the process of compiling the 'changes' page but I think it's worth it.  Do please continue pointing out the rough bits in need of more polish. 

Kind regards/Ngā mihi,

____________________________________________

Gary Hinson

May 24, 2026, 3:34:29 PM
to hyperg...@googlegroups.com
OK, here goes: I've restructured it with the 'type 1' first line summary, rephrased it, dropped the unhelpful ISO reference and added new entries for 'Accreditation body' and 'CB == Certification Body'.  

image.png

Maybe I should also add an entry for 'AB == Accreditation Body' but (in my experience) that's an uncommon abbreviation.  Oh and anyway, down here it usually refers to the All Blacks unless perhaps over-excited fans are really chanting "Go the Accreditation Bodies!"  

Kind regards/Ngā mihi,

____________________________________________


Nigel Landman

May 25, 2026, 4:05:27 AM
to hyperg...@googlegroups.com
Breaking news.... a new tactic adopted by NZ, go you 'accreditation bodies' - that will put Rassie into a spin come August. Perhaps the Boks will forgo the use of a cab to Ellis Park, and use the bus instead.

Other than that, the definition makes perfect sense ...

Nigel.

Gary Hinson

May 25, 2026, 1:24:03 PM
to hyperg...@googlegroups.com
"Perfect sense", I'll take that, thank you!

Today I'm working on the T's for the changes page, on-track to complete the alphabet this month as planned ... so long as I can resist the lure of a local river with some big trout, caught by a pal yesterday, that is.  I've made a rod for my own back - well, that's my line anyway.   [Sorry, dad jokes are the best I can manage at 5am]

Kind regards/Ngā mihi,

____________________________________________
