I can get quite grumpy (as you will have previously noted) about poor use of the English language. I am not, I should point out, without failings on this count, but it’s more down to forgetfulness than anything else. My BlackBerry inserts apostrophes for me, and when using something else, I lazily omit it, assuming that the handy word-processing software will recognise my failings and bail me out. However one mistake that keeps coming up is a confusion between Threat and Impact. So let’s try and get this straight shall we, as it helps explain an issue that is (hopefully) getting dealt with soon.
In the world of InfoSec, a threat is normally attached to a classification: RESTRICTED, CONFIDENTIAL and the like. However, we also have Impact Levels (IL) which broadly align with the Threat Levels i.e. RESTRICTED = IL3, CONFIDENTIAL = IL4. But, Impact is a function of threat ie:
Threat x Volume = Impact
Now this isn’t an exact science, but let’s just say you decide to hold some data on someone. You could choose to mark this as PROTECT (i.e. commercially sensitive) which is the equivalent of IL2. However, if you hold 1,000 records of this data (PROTECT x 1000 = IL3), the impact level goes up: this is called the aggregated threat. A lot of people I talk to in the industry don’t always get this, and it leads to some embarrassing faux pas.
There is a whole bundle of working going on right now about building appropriateness into technology selection within Government. The question is, when does one buy a product certified for RESTRICTED use, and when does one buy a product for IL3? Can I use a product certified for PROTECT for aggregated use in IL3? Why, you ask, does it matter? The reason is (as is the norm right now) cash. A product certified for PROTECT requires less engineering than RESTRICTED, which means it is cheaper to produce, which it means it costs less money to buy. I’m going to write some more about this next month when it all should become a little clearer what’s going on, but for now, there is considerable confusion in the market both industry and customer side.
I’ve heard some real horror stories about organisations rolling out over engineered (and over specced) software which cost 5-6 times more than software that would have done the job. Industry needs clarity equally clearly, since investment/return cycles on these products are long, and calls to be made this kind of resource commitment need planning and forethought. The quicker this gets solved the better.
PS Bad IT jargon phrase of the week: “Sweat Equity”. Brilliant and awful at the same time. Can anyone suggest a better one?