Results of the O-ISM3 Challenge
The current state of affairs is that most information security professionals use the concepts of Confidentiality, Integrity and Availability for audits, consulting projects, risk assessment and management, and development of new standards. These concepts present a series of problems that have yet to be solved:
- They're incomplete. Some professionals suplement them with concepts like Possession, Utility, Risk, Authentication, Authorization, Audit, Non-Repudiation and Accountability. This means performance and delivery vary greatly depending on what professional or company you use.
- They're ambiguous. Many professionals and even published standards give different definitions of Confidentiality, Integrity and Availability. This adds more undesirable variance.
- They are not operational. Consequently, Threats, Incidents, Vulnerability and Weakness among other concepts can't be reliably defined in terms of Confidentiality, Integrity and Availability reliably, increasing the ambiguity of definition. Even seasoned professionals don't agree on just what an Incident or a Vulnerability is. If you can't agree on what something IS, how can you manage it?
- They don't have units of measurement. This makes it impossible to manage information security quantitatively. Bye, bye, optimization of resources.
The use of ambiguous, incomplete, not operational concepts without units of measurement has created a number of problems for information security management. Communication with between specialists and non-specialists in information security is difficult. Demonstrating the value of information security is difficult. Generally speaking, the use of these proxy concepts that don't add value makes information security management more difficult that it needs to be. Time is wasted, security projects that need funding don't get it, and trendy projects with little return get the green light. Luckily, change is possible.