I want to take this moment to fill you in on some fundamental terms of computer risk and security.
Terms:
Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
Threat: A possible danger to a computer system.
Attack: An attempt to bypass security controls on a system.
Ira Winkler put together a risk model for systems:
Risk = ((Vulnerability * Threat) / Countermeasures) * Valuation
If vulnerability is zero, risk is zero.
If threat is zero, risk is zero.
If valuation is zero, risk is zero.
If countermeasures are zero, risk is infinite.
This makes great sense to me and articulates why valuation is a key element in deciding the risk to a system. If I value my development server at zero and my production server at 1,000,000, then I can easily see which systems are worth more to me.
For example, what would you value your hard drive at? Your website? Your wedding pictures?
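The model above, implemented as an added example (not code from the original post) so the four zero cases and the dev-versus-production valuation can be checked side by side. The input scales and the `Asset` class are my assumptions; the one ambiguity the post leaves open (zero countermeasures on an asset that is also worth nothing or has no flaw) is resolved here by letting a zero numerator win.

```python
import math
from dataclasses import dataclass


@dataclass
class Asset:
    # Assumed scales: vulnerability and threat are likelihoods in 0..1,
    # countermeasures is the relative strength of controls (0 = none),
    # valuation is what the asset is worth to you in any consistent unit.
    name: str
    vulnerability: float
    threat: float
    countermeasures: float
    valuation: float


def winkler_risk(a: Asset) -> float:
    """Risk = ((Vulnerability * Threat) / Countermeasures) * Valuation.

    Zero vulnerability, threat or valuation gives zero risk; zero
    countermeasures with anything left to protect gives infinite risk.
    Assumption: a zero numerator takes precedence over zero countermeasures,
    since there is nothing to exploit or nothing worth losing.
    """
    for field in (a.vulnerability, a.threat, a.countermeasures, a.valuation):
        if field < 0:
            raise ValueError("model inputs must be non-negative")
    exposure = a.vulnerability * a.threat * a.valuation
    if exposure == 0:
        return 0.0
    if a.countermeasures == 0:
        return math.inf
    return exposure / a.countermeasures


def rank_by_risk(assets: list[Asset]) -> list[tuple[str, float]]:
    """Highest risk first, so the most valuable exposed systems surface at the top."""
    scored = [(a.name, winkler_risk(a)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory mirroring the dev (valued at 0) vs production
# (valued at 1,000,000) comparison from the post.
SAMPLE_ASSETS = [
    Asset("dev-server", 0.5, 0.25, 2.0, 0),
    Asset("prod-server", 0.5, 0.25, 2.0, 1_000_000),
    Asset("unpatched-kiosk", 0.5, 0.25, 0.0, 10),
    Asset("offline-archive", 0.5, 0.0, 1.0, 5_000),
]

if __name__ == "__main__":
    for name, risk in rank_by_risk(SAMPLE_ASSETS):
        print(f"{name:18} risk={risk}")
```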
Make sure to take every opportunity you can to remove your vulnerabilities and threats while increasing your countermeasures. Otherwise the question changes from “if” you will be hacked to “when.”