Although in an earlier post I discussed the four types of acts that can cause harm to an information system, here I would like to briefly discuss harm itself. Harm refers to the negative consequences that arise from an actualized threat. That is, if a vulnerability in an information system is exploited such that a threat becomes a reality, then harm refers to the implications of that actualized threat. Note that the amount of harm sustained from a successful attack is often a subjective matter. Different people in different organizations will naturally assign different values to their information assets, and because the assigned values differ, an identical attack would be perceived to cause different amounts of harm to two different organizations.

Quantifying harm is further complicated by the fact that the value of information assets commonly changes over time. Consider, for example, the value of the transaction records that your bank maintains for your checking account. If a malicious attacker were able to delete or modify some of the records associated with your checking account, and if those records were associated with recent transactions that took place within the past few days, then your bank would almost certainly consider the attacker to have caused more harm than if the compromised records were associated with transactions from 10 years ago. This example illustrates the relationship between the value of information and time: most modern information scientists believe that, on average, the value of information assets degrades over time according to an exponential decay function. Put another way, new data are usually more valuable than older data.
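As an added illustration (not part of the original post), the following Python model applies the exponential-decay idea to a harm estimate for an incident: each compromised record is valued at V(t) = V0 * 2^(-t / half_life), and the harm of an incident is the summed current value of the affected records. The half-life, the per-record base values and the record ages are constructed assumptions; the post only states that the decay is exponential, not its rate.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class CompromisedRecord:
    """One record affected by an attack: its value when created, and its age."""
    base_value: float   # value assigned to the record when it was new (constructed)
    age_days: float     # age of the record at the time of compromise


def asset_value(base_value: float, age_days: float, half_life_days: float) -> float:
    """Current value of a record under exponential decay.

    V(t) = V0 * 2^(-t / half_life) = V0 * exp(-ln(2) * t / half_life).
    The half-life is an assumed tuning parameter chosen by the organization.
    """
    if half_life_days <= 0:
        raise ValueError("half_life_days must be positive")
    if age_days < 0:
        raise ValueError("age_days cannot be negative")
    return base_value * math.exp(-math.log(2) * age_days / half_life_days)


def estimate_harm(records, half_life_days: float) -> float:
    """Harm of an incident: the summed current value of every affected record."""
    return sum(asset_value(r.base_value, r.age_days, half_life_days) for r in records)


def bank_scenario(half_life_days: float = 365.0):
    """Compare the post's two cases: the same attack on recent vs. decade-old records.

    Returns (harm_recent, harm_old). With a one-year half-life, records that are
    ten years old have lost ten half-lives, i.e. retain 1/1024 of their value.
    """
    # Constructed sample: 50 transaction records, each worth 100 units when new.
    recent = [CompromisedRecord(100.0, age_days=d % 3) for d in range(50)]
    old = [CompromisedRecord(100.0, age_days=3650 + d % 3) for d in range(50)]
    return estimate_harm(recent, half_life_days), estimate_harm(old, half_life_days)


if __name__ == "__main__":
    harm_recent, harm_old = bank_scenario()
    print(f"harm (recent records): {harm_recent:.2f}")
    print(f"harm (10-year-old records): {harm_old:.2f}")
    print(f"ratio recent/old: {harm_recent / harm_old:.1f}x")
```

Changing the half-life shows how strongly the harm estimate depends on the organization's own assumption about decay, which is the subjectivity the post describes.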
