Levels


Gary Hinson

May 16, 2026, 4:06:43 PM
to hyperg...@googlegroups.com
Friends,

I'm struggling a bit to explain 'levels of' stuff, largely because I find the very concept dubious, often misunderstood and misused.

Here's what I have so far:
image.png

What do you think?   Seems to me that's a lot of words implying my lack of understanding and clarity - but it could also be that 'levels' are inherently complicated and cloudy.  Or both.  

Corrections, clarifications and improvement suggestions please!

Kind regards/Ngā mihi,

____________________________________________

Raul Rodríguez Macías

May 16, 2026, 4:15:11 PM
to Gary Hinson, hyperg...@googlegroups.com
BTW Gary, check because there are pirate sites that contain your book, as z-lib 

--
You received this message because you are subscribed to the Google Groups "Cybersecurity hyperglossary" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hyperglossar...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/hyperglossary/CAPRmHF44Lt1BYDK%3DTE2Xa%3DGeY5iEw_HNG2Ni874cuMQzjaXBVw%40mail.gmail.com.

Rob Slade, greatgrandpa and widower

May 16, 2026, 5:10:39 PM
to hyperg...@googlegroups.com
On Sat, May 16, 2026 at 1:15 PM Raul Rodríguez Macías <raul.rodrigue...@gmail.com> wrote:
BTW Gary, check because there are pirate sites that contain your book, as z-lib 

All of my later books were pirated within hours.  It's a fact of publishing life these days. 

--
Psalm 142:4, Ezekiel 24:16,18; Matthew 13:12; Isaiah 57:1; Genesis 2:18; 2 Corinthians 2:7,8; John 13:35; Proverbs 25:20; James 2:15,16; Proverbs 24:11-12, Jeremiah 45:3, Deuteronomy 28: 65-67, Isaiah 38:15, Psalm 69:20, Revelation 9:6, Numbers 11:15
Uuk klah ma, Rob.  U huk witas hluucsma, Gloria  Wikaah chachimhiy.


Gary Hinson

May 16, 2026, 11:09:30 PM
to hyperg...@googlegroups.com
Thanks for the heads-up Raul - disappointing but not exactly surprising.

The cover price for the ~800-page book is set as low as possible - barely covering the production costs ... and yet still some people would rather steal it and risk prosecution for piracy.   

In conjunction with the publisher's crack team of legal ninjas, I will try to get it taken down.

Thinking forward, I'm inclined to stop work on the book's updates and just go fishing.  Working this hard, for free, is a mug's game.

Kind regards/Ngā mihi,

____________________________________________



Nigel Landman

May 17, 2026, 5:32:56 AM
to hyperg...@googlegroups.com
Hi Gary
The lure of replacing your hyperglossary time with that of fishing is understandable. But purely from a selfish perspective, the work you are doing is invaluable, even though it may not lead to the purchase of a superyacht or two.

Level of stuff – level is a horrible word.

Complicated – yep. Cloudy (with a sprinkling of meatballs) – yep. I often hear the word ‘maturity’ alongside level of assurance – odd, I know, and does result in a bunch of questions.
 
IMHO I believe, to achieve the outcome, you have the right number of words.
 
There is, again, another phrase – risk balance case – that is often associated with, to all intents and purposes, a failure to meet assurance requirements. There may well be a valid reason, but it will necessitate the need to build, and have signed off by senior (risk) management, a risk balance case. 

Nigel.


Gary Hinson

May 17, 2026, 6:39:54 PM
to hyperg...@googlegroups.com
Superyacht purchases were never a line in my grand plan, Nigel.  Textbooks are not exactly money-spinners, barely valuable let alone invaluable.   'Making a difference' is a strong lure for me. Eking out a living, though, requires enough income to pay the bills ... maybe even buy fishing gear.

Oh well, c'est la vie.  The floggings will continue until morale improves.

I think I can slip 'maturity' in there somewhere, linking to its own entry.

"Risk balance case" is a new one on me - never heard that - but I do like to distinguish exceptions and exemptions, two commonly-confused terms (malapropisms) with different implications and clear relevance to risk management.   

Kind regards/Ngā mihi,

____________________________________________


Nigel Landman

May 18, 2026, 6:50:46 AM
to hyperg...@googlegroups.com
Risk Balance Case (RBC) - it's a UK Gov., Military, Police Forces thing. Is the phrase worthy of inclusion in your glossary? Unknown.

Is it a bird, a plane or something akin to a specific risk assessment (identification, analysis, evaluation)? It is the latter, so to speak, but targeted on one particular area of concern; a failure to meet an assurance level (a minor / major NC, if you wish) that requires escalating up to SIRO for a decision. A decision about what? An exemption (but very much time-bound), dependent upon the words within the RBC.

Can IT system 'A' remain connected to systems 'B, C, and D' if 'A' has failed to meet the required level of assurance? Are there any compensating controls available that would allow continued connection? What corrective actions have been identified? And so on ... It is the SIRO's decision, and accountability stops at that point.

It doesn't have to be an IT system, of course. If there is only one person with the skills to repair the coffee machine but they do not have the necessary security clearance; SIRO or no, coffee machine comes first.

Flogging the troops was always good for one’s morale. Flogging oneself, not so much.

Nigel.

Gary Hinson

May 18, 2026, 1:19:42 PM
to hyperg...@googlegroups.com
Aha!  Yes, that merits an entry, Nigel.  Thank you for explaining RBC.  

Elsewhere, I've heard the mil-spec process of checking system security against a defined standard called 'accreditation' - another malapropism for 'certification' I think.  Another troubling little discontinuity in Gary's World.

As I sit here sipping fresh coffee, rebooting my brain for the day ahead, I'm wondering whether to include an entry for coffee as an important availability and integrity control ...

Kind regards/Ngā mihi,

____________________________________________


Nigel Landman

May 19, 2026, 4:06:56 AM
to hyperg...@googlegroups.com
Further to RBC - UK Mil, via its public website, state: Where circumstances dictate that it is necessary to carry out action that is outside of the scope of standard policy, a RBC must be raised ...

The website details categories and pathways for an RBC. These clearly meet UK Mil needs but Police Forces will have other categories (not necessarily made public), and pathways heading up towards SIRO (local) or SIRO (national).  

I have not heard RBC being used in commercial environments. Further, I have checked the UK's HM Treasury Orange Book (a very useful bit of kit on risk, and available on-line) but no mention of RBC is made.

Coffee - availability of body - integrity of mind; but where integrity wanes just as the sun reaches the yardarm - lucky that ....

Nigel. 

Gary Hinson

May 19, 2026, 1:54:59 PM
to hyperg...@googlegroups.com
How's this, Nigel:

image.png
"Close enough for government work"?

Kind regards/Ngā mihi,

____________________________________________

Nigel Landman

May 20, 2026, 4:41:25 AM
to hyperg...@googlegroups.com
Yes and no, sorry. The challenge is that nobody formally defines the term. MoD make a good stab but others do not. 

I have put some ideas into the attached spreadsheet. 

Nigel.


RBC.xlsx

Gary Hinson

2:14 AM
to hyperg...@googlegroups.com
Errr, OK Nigel.

Each of your definitions includes 'local or national SIROs', which I guess makes sense to UK defence pros, but probably not to Joe Public.  Although we could define/explain that, it's becoming a bit too parochial, I feel.  Plain SIROs would do, hopefully.

I'd prefer 'exemption' rather than 'deviation'.  

So, tonight at least, I'm leaning towards:  

"Risk balance case: Document with which Senior Information Risk Officers formally consider and (if appropriate) authorise exemptions from applicable security policies and compliance baselines."

... or something along those lines.  

Kind regards/Ngā mihi,

____________________________________________


Contact - Books

2:22 AM
to hyperg...@googlegroups.com
On the accreditation vs certification piece, you might be interested in how UKAS make a distinction between the two. 

As the UK Accreditation Service, they should have some idea at least. 




Rob Slade, greatgrandpa and widower

9:44 AM
to hyperg...@googlegroups.com
On Wed, May 20, 2026 at 11:22 PM Contact - Books <h...@securityblendbooks.com> wrote:
On the accreditation vs certification piece, you might be interested in how UKAS make a distinction between the two. 

As the UK Accreditation Service, they should have some idea at least. 


AAAAaaaarrrrrgggghhhh!!!!! 

This is getting even worse!  We used to have an accepted definition that certification was testing (us) and accreditation was acceptance (senior management).  Then BCI *reversed* that!  And now this addition of third party versus local?  The Powers That Be seem to be making accepted terminology impossible!

--
Psalm 142:4, Ezekiel 24:16,18; Matthew 13:12; Isaiah 57:1; Genesis 2:18; 2 Corinthians 2:7,8; John 13:35; Proverbs 25:20; James 2:15,16; Proverbs 24:11-12, Jeremiah 45:3, Deuteronomy 28: 65-67, Isaiah 38:15, Psalm 69:20, Revelation 9:6, Numbers 11:15
Uuk klah ma, Rob.  U huk witas hluucsma, Gloria  Wikaah chachimhiy.
