Information security is required because the technology applied to information creates risks. Broadly, information might be
improperly disclosed (that is, its confidentiality could be compromised), modified in an inappropriate way (that is, its
integrity could be compromised), or destroyed or lost (that is, its availability could be compromised). Compromise of a
valuable information asset will cause dollar losses to the information's owner whether acknowledged or not; the loss could be
either direct (through reduction in the value of the information asset itself) or indirect (through service interruption,
damage to the reputation of the information's owner, loss of competitive advantage, legal liability, or other mechanisms).
What is Information Security?
Where information risk is well enough understood and at least in broad terms stable, information security starts with
policies. These policies describe "who should be allowed to do what" to sensitive information. Once an information security
policy has been defined, the next task is to enforce the policy. To do this, the business deploys a mix of processes and
technical mechanisms. These processes and mechanisms fall into four categories:
• Protection measures (both processes and technical mechanisms) aim to prevent adverse events from occurring.
• Detection measures alert the business when adverse events occur.
• Response measures deal with the consequences of adverse events and return the business to a safe condition after an event
has been dealt with.
• Assurance measures validate the effectiveness and proper operation of protection, detection, and response measures.
The final information security task is an audit to determine the effectiveness of the measures taken to protect information
against risk. We say "final" but, obviously, the job of information risk management is never done. The policy definition,
protection, and audit tasks are performed over and over again, and the lessons learned each time through the cycle are
applied during the next cycle.
Blakley, B., McDermott, E., Geer, D.: "Information security is information risk management" (Session 5: Less is more),
Proceedings of the 2001 Workshop on New Security Paradigms.