
Documenting Risk Acceptance

How it might save your career

Years ago, a mentor shared a story that took place when he was a security officer for a government station overseas. He had identified a list of critical security controls necessary to protect the lives of Americans who lived and worked at the station and had proceeded to implement them. Unfortunately, the head of the station was unwilling to provide the necessary funding, as he did not see that the expenditure was necessary.

My mentor documented the risks in terms of the threats to the station, the current vulnerabilities, and the controls necessary under the circumstances. The station head again rejected the proposal but was persuaded to sign a statement of risk acceptance that my mentor retained.

Some years later the station was attacked, and several Americans died. My mentor was the first stop when accountability for the security failure was being assigned. Having the risk acceptance on file enabled him to direct accountability to the appropriate individual.

What does Cybersecurity Mean?

Everybody's talking at me 
I don't hear a word they're saying 
Only the echoes of my mind

Harry Nilsson

The first known use of the word cyber:

Cybernetics – the science of communication and control theory that is concerned especially with the comparative study of automatic control systems (such as the nervous system and brain and mechanical-electrical communication systems). First known use: 1948.

Around 1992 the word reemerged, apparently with a new meaning:

Cyber – of, relating to, or involving computers or computer networks (such as the Internet): "the cyber marketplace" [cyber = computers or computer networks]

Cyberspace is our interconnected technology. The word became popular in the 1990s when the uses of the Internet, networking, and digital communication were all growing dramatically and the term “cyberspace” was able to represent the many new ideas and phenomena that were emerging. [cyber = internet]

Cyber Security – Computer security, also known as cyber security or IT security, is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide. [cyber = computer]

Cyber Warfare – Cyberwarfare involves the battlespace use and targeting of computers and networks in warfare. It involves both offensive and defensive operations pertaining to the threat of cyberattacks, espionage and sabotage. There has been controversy over whether such operations can duly be called “war”. Nevertheless, nations have been developing their capabilities and engaged in cyberwarfare either as an aggressor, defendant, or both. [cyber = computers and networks]

The US Congress uses the term cybersecurity widely in the National Defense Authorization Act for Fiscal Year 2018:

The term ‘cybersecurity risk’ means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism. [cyber = information or information systems]

And then this cool new word was grabbed to mean whatever the advertiser wanted it to mean:

Cyber Monday – Cyber Monday is a marketing term for the Monday after the Thanksgiving holiday in the United States. The term “Cyber Monday” was created by marketing companies to persuade people to shop online. [cyber = online or internet]

CyberKnife – Stereotactic Body Radiation Therapy (SBRT) delivers large doses of radiation to exact areas, such as the prostate, with advanced imaging. The entire course of treatment is given over a shorter period, for just a few days. SBRT is often known by the names of machines that deliver the radiation, such as Gamma Knife®, X-Knife®, CyberKnife® and Clinac®. [cyber = radiation therapy]

So, the popular word cyber is used as a substitute for a variety of different words. But why not simply use the words whose meaning is clear?

And there’s more. In February 2018, the US Securities and Exchange Commission issued a Statement and Guidance on Public Company Cybersecurity Disclosures. It referenced a U.S. Computer Emergency Readiness Team definition:

Cybersecurity – the activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation. [cyber = information and communications systems]