Terms of art

The day before yesterday I mentioned that we've been discussing terminology and definitions on a couple of professional forums. In exploring the first few terms of art, we've begun peeling back the layers to reveal more complexity beneath. Almost immediately, we realized the need to define some of the terms we were using in the initial definitions - the very reason that our glossary is sprinkled with hyperlinks.

Discussing the core term, "risk", we've danced around various ways to express some combination of probability or frequency of occurrence and projected severity or magnitude of impact, losses and other adverse consequences.  

"Information risk", then, relates to incidents involving or affecting information, hence "information security" involves measures to reduce or limit the number and/or the severity of incidents involving or affecting information ... which is markedly different to the common definition along the lines of 'protecting the confidentiality, integrity and availability of information' - although I guess the two could be combined, if necessary.

Aside from those particular points, the discussion has set people thinking and talking: as an awareness-raising technique, it has worked, to some extent anyway. As is normal for virtually all awareness activities, a small proportion of the audience has actively engaged and responded: the vast majority have remained silent. Whether they are watching with interest, on the point of speaking up, livid with rage and so unable to express themselves coherently, or simply tuned-out and away-with-the-fairies we don't know - probably some mix of those, and perhaps other attitudes.

That thought suggests another possible awareness metric - a survey of opinions among the intended audience of a corporate infosec awareness program about the program, their engagement with it, interest in it, perhaps exploring the reasons why they feel the way they do. Provided the survey was carefully designed and competently executed on a reasonable sample of the population, it should generate useful, actionable insight with, probably, a few focal points in need of improvement. Aside from any weaknesses, it might also confirm the program's strengths (e.g. if people are happily enjoying, absorbing and learning from the information provided without the need to get actively involved, that would not be a bad outcome - a basis on which to build at least).