Information security system
Consider three output variables from your information security system as follows: Confidentiality, Integrity, and Availability. For simplicity, you treat each variable as binary, that is, they only have two states – maintained or not maintained. Thus, C = confidentiality maintained, and ~C = confidentiality not maintained, etc. Now suppose you are considering a single person in your organization as a threat, and in the most general sense consider the two events A = threat makes an attempt at attacking the system, and ~A = threat does not make an attempt.
(a) List all of the scenarios resulting from the combination of causes and outcomes in the problem.
(b) How many scenarios might you be tempted to rule out as being “no risk” based on how they are defined?
(c) Can you rule these out? Why or why not?

