INFORMATION SECURITY CONTROL
Distinguish between a vulnerability, a threat, and a control.
Vulnerability is a weakness in the security system, for example, in procedures, design, or implementation, that might be exploited to cause loss or harm. For instance, a particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user's identity before allowing data access.
A Threat to a computing system is a set of circumstances that has the potential to cause loss or harm. There are many threats to a computer system, including human-initiated and computer-initiated ones.
We use a control as a protective measure. That is, a control is an action, device, procedure, or technique that removes or reduces a vulnerability.
In general, we can describe the relationship among threats, controls, and vulnerabilities in this way:
A threat is blocked by control of a vulnerability.
A threat is a potential to do harm. A vulnerability is a means by which a threat agent can cause harm. A control is a protective measure that prevents a threat agent from exercising a vulnerability.
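The example from the answer above (a system that hands out data without verifying the user's identity) can be shown in code. What follows is an added illustration, not part of the original text: read_record_unverified is the vulnerability, a caller asking for another user's record is the threat agent exercising it, and the login/session check in read_record_verified is the control that removes the vulnerability. The users, passwords and records are constructed sample data.

```python
"""Added example (not from the original text) of the vulnerability /
threat / control relationship defined above.

- Vulnerability: read_record_unverified() returns data for whatever
  username the caller claims, with no identity verification.
- Threat: a caller who requests a record belonging to someone else.
- Control: login() verifies identity (password check) and issues a session
  token; read_record_verified() only releases a record to the session
  owner, so the unverified-identity weakness no longer exists.
All usernames, passwords and records below are constructed sample data.
"""
import hashlib
import secrets
from typing import Optional

# Constructed records, one per user.
RECORDS = {
    "alice": {"salary": 70000},
    "bob": {"salary": 52000},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the credential store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str):
    salt = secrets.token_bytes(16)
    return salt, _hash_password(password, salt)


# Constructed credential store: username -> (salt, password hash).
USERS = {
    "alice": _make_user("alice-pass"),
    "bob": _make_user("bob-pass"),
}

# Server-side session table: token -> authenticated username.
SESSIONS: dict = {}


def login(user: str, password: str) -> Optional[str]:
    """Verify identity; on success issue a random session token bound to user."""
    entry = USERS.get(user)
    if entry is None:
        return None
    salt, stored_hash = entry
    if not secrets.compare_digest(stored_hash, _hash_password(password, salt)):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    return token


def read_record_unverified(claimed_user: str) -> Optional[dict]:
    """VULNERABLE: trusts the caller's claimed identity without checking it."""
    return RECORDS.get(claimed_user)


def read_record_verified(token: str, requested_user: str) -> Optional[dict]:
    """CONTROL: release a record only to the verified owner of the session."""
    owner = SESSIONS.get(token)
    if owner is None or owner != requested_user:
        return None  # unknown session, or asking for someone else's data
    return RECORDS.get(requested_user)


if __name__ == "__main__":
    # Threat agent (logged in as bob) attempts to read alice's record.
    print("unverified path:", read_record_unverified("alice"))       # leaks data
    bob_token = login("bob", "bob-pass")
    print("verified path:", read_record_verified(bob_token, "alice"))  # None
```

The unverified function succeeds for any name the caller types, which is exactly the weakness the answer describes; with the control in place the same request is refused because the session is bound to the authenticated identity, and a wrong password never produces a session at all.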
Preserving confidentiality, integrity, and availability of data is a restatement of the concern over interruption, interception, modification, and fabrication. How do the first three concepts relate to the last four? That is, is any of the four equivalent to one or more of the three? Is one of the three encompassed by one or more of the four?
There is not a good one-to-one correspondence. Modification is primarily a failure of integrity, although there are aspects of availability. Fabrication is probably the closest to being exclusively an integrity violation, although fabrication of covert outputs could be used to leak otherwise confidential data. Interruption is an availability concern, although one can argue that it is a failure of the integrity of a communication or information...