When I really stopped and thought about the subject matter of It’s Complicated, I was quite surprised – and I’m even more surprised now that I’m thinking of it with regard to a security blog post! Why? Well, the movie touched on some pretty slippery word definitions in a breezy way that didn’t let you get sucked into too much introspection. The specific moments I’m thinking of are when Meryl Streep’s character discovers that, as the ex-wife, she is now the “other woman”. She finds herself questioning whether sleeping with her ex-husband is actually adultery, and when searching for the word to describe what Steve Martin’s character is to her, realizes that the word “boyfriend” just doesn’t feel comfortable at her age. The movie didn’t try to resolve any of the confusion about how some words “don’t mean what you think they mean”, accepting them as insufficient and opting for an all-encompassing “it’s complicated” instead. This is a lot like cyber security’s current relationship to threat.
It doesn’t take a lot of exposure to the security industry to start seeing that the word “threat” is very prevalent. In fact, as an industry, one of the first steps we take when confronted with a new invention from the black hats is to recommend that people “assess the threat”. But what does that mean? I think it all depends on your context. Current industry definitions can’t talk about that yet – so we just leave it as “it’s complicated”.
When you take the word “threat” out of the security industry and focus on its basic conversational meaning, most definitions include something along the lines of: an expression of intention to inflict evil, injury or damage. This definition is all about a relationship. Take the definition apart, and a case could be made that if there is no result, then there is no threat. The other piece of this definition is that there is an intention – which speaks to volition, and to an actor being required for there to be a threat.
Does this mean, then, that threat is like the flammability triad, consisting of (1) Actor, (2) Result and (3) Vulnerability, where removing any one of the actor, the result or the vulnerability means there is no threat? Logically, we can test each of these links.
Vulnerability – this is the easiest to think about. A fun mental model for removing vulnerability is to picture someone brandishing a knife at Iron Man – is that a threat? After the laughter stops, it seems like that one is valid. Similarly, if you have infinite scaling, a denial of service can’t happen. In both of those mental models, vulnerability is removed, so there is no threat. In reality, things are a lot less black and white. It appears that, while not perfect, maybe we’re on to something – so let’s keep evaluating this model.
Result – the next one to test is the removal of a result. But what IS the result of a threat? If I had been the CEO of HB Gary back in February this year, the threatened result of the Anonymous attack was the destruction of my company’s reputation. But if I had been an HB Gary Operational IT person, corporate reputation and corporate destruction would have been a bit outside my sphere of influence. To the Operational IT person, the threat is of a breach. So the result of the threat depends heavily on perspective and context, and may or may not be immediately quantifiable, since the financial impact of this and the Sony breaches is in many ways determined by the response of the customers. Ouch. I’m back at “it’s complicated”.
Actor – maybe the third one will be easier. What if I say “remove the actor”? Well, this suddenly puts me in conflict with a business-oriented definition of threat, which says that a threat may be a natural phenomenon such as an earthquake, flood or storm, or a man-made incident such as fire, power failure, sabotage, etc. So the actor can be a person with intent, a person without intent (a forest fire that was started by someone and burns a power station), or nature itself. Another mental model here is an open bear trap on a hiking trail. Is it a threat? Well… my best answer is “maybe”, which feels highly unsatisfactory. This mental model brings up the kind of legal designation that happens if someone dies. We use legal models to differentiate the intent of the actor. Manslaughter is defined as killing or causing death without premeditation or intent to do so. If someone kills with intention, there are different layers of legalese for that, which involve additional considerations about sanity, where things happen, malice, or even just involvement if someone else performs the murder. When I try to map all that differentiation back to what happens in the security industry today, and to what we talk about with regard to threat, I don’t think we have the words – it’s complicated.
My team and I don’t have any great, insightful solutions that make the word simple, but we do think the one thing we can take from all this is that threat is about relationships and context. What do you think?
Update: Post modified for tidiness purposes.