[SystemSafety] "Security Risk" and Probability

Martyn Thomas martyn at thomas-associates.co.uk
Wed Oct 25 11:29:01 CEST 2017


A good blog, Peter.

I would add that the probability of a successful attack depends on:

 1. the existence of a vulnerability (I know of no system that has been
    systematically attacked where the attackers have failed, and most
    are penetrated within a few minutes, so unless you have strong proof
    of security it is wise to assume that there are vulnerabilities).
 2. the existence of an attacker who has the motivation to attack (these
    may include vandals, employees, competitors, suppliers and former
    suppliers, low-level criminals, activists of various sorts, serious
    organised criminals, terrorists and nation states).
 3. The capability of one of your motivated attackers to exploit the
    vulnerability (this may change overnight, for example next time the
    Shadow Brokers upload a gigabyte of stolen NSA cyber tools to
    WikiLeaks).
 4. Your active defences (if any), and whether they work on this
    occasion against this attack.
 5. Whether your systems have /already/ been compromised by a potential
    attacker (without strong proof to the contrary, you should assume
    that every system of national importance is already compromised -
    because otherwise adversary nation states have been incompetent).

Martyn


On 25/10/2017 09:54, Peter Bernard Ladkin wrote:
> Yesterday, I read yet another account suggesting/attempting some sort of equivalence between SILs
> and Security Levels (SLs). Please, stop it, people!
>
> https://abnormaldistribution.org/index.php/2017/10/25/security-risk-and-probability/
>
> PBL
>
> Prof. Peter Bernard Ladkin, Bielefeld, Germany
> MoreInCommon
> Je suis Charlie
> Tel+msg +49 (0)521 880 7319  www.rvs-bi.de
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
