A Taxonomy of Loss
Elements of the Computing Environment
Just as a computer system is more than the computers themselves, so the risks to which a system is exposed are more than just physical.
Considering all the elements that contribute to the worth of a system helps reveal these different risks.
The value of a computer system rests in its utility to an organization. This value is represented by the capital cost of the equipment and software, the business information managed by the system, and the outputs (reports, email, web pages) produced by the system.
Each system component has different associated security risks ranging from purely physical theft to the intangible cost of customer satisfaction and confidence.
- The purely physical structures: processors, disk drives, memory, monitors, etc.
- The applications required to use the hardware: operating system, database, web server, email.
- The information used by and stored on the computer system: documents, spreadsheets, databases, etc.
- The interconnection mechanism that allows information exchange and access to shared resources: wiring, network hubs and switches, routers, firewalls.
- The (usually) independent systems which carry the remote part of computer networks: PSTN, ISDN, frame relay, ATM.
A computer system which is unused is of no value. Appropriate training, system reliability and availability all contribute to the overall usability of the system.
Any event which compromises the usability of a computer system reduces the value of that system and can be regarded as a direct cost to the organization.
The User Population
Each section of the user population places unique demands on a computer system and has a different perspective on the value and cost of the system.
The distribution of users can reflect a range of security risks which must be addressed and a variety of sometimes conflicting interests which must be reconciled.
- May rely on the computer system to perform their daily work. Generally require access only to those services that are appropriate to their work function.
- Have specific business outcomes, such as sales targets or unit profits, to achieve.
- Business units require different types of access and services from the computer system. For instance, only the finance group uses the general ledger system, while the sales force requires remote or roaming access.
- Have wider, strategic views of the business objectives. Without the active support of key senior managers, most computer systems initiatives fail to achieve their potential.
- Responsible for providing end users with access to sections of the computer systems and for managing the performance of the system. Systems managers face a major challenge in balancing the needs of disparate users against the limited resources available.
The different specific computer systems (database, desktop, email, web, network) also present different security and value issues.
- Customers, suppliers, etc. Need to communicate with the organization through the web page, email, shared databases or information archives. Any external connection to a computer system represents a major security risk; it can also represent significant added value.
- The black hats. Seek to compromise computer systems; sometimes your own users are the attackers.