Comments on TaoSecurity Blog: OCTAVE Properly Distinguishes Between Threats and Vulnerabilities
Comment feed by Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417); feed last updated 2023-10-16.

Richard Bejtlich (2005-05-05 20:42 -04:00):

Anonymous,

I devoted an entirely new blog post (http://taosecurity.blogspot.com/2005/05/risk-threat-and-vulnerability-101-in.html) to you. You're right, I don't define terms. I follow other people who think clearly. Enjoy.

Anonymous (2005-05-05 13:09 -04:00):

In reference to the FIRST article as well as this one, once again, Richard, you are assuming that YOUR definition of threat is appropriate, and many information security professionals still disagree with you. OCTAVE is talking about threat actors, which obviously refer to people or organizations. But a threat in general is, as people have pointed out before, not necessarily a person. Go to dictionary.com and you will see threat is generally defined as a noun, "something that is a source of danger". Thus, any THING that can be a "source of danger" is defined as a *threat*. You've accused SANS and now FIRST of "confusing" these definitions, yet CERT/CC is "correct" because they agree with you?

Richard, your book is great and I greatly respect your work, but you do not define these terms, nor are you qualified to assume that entire security organizations (whose members have been in this game longer than you) are "confused" because they use the DICTIONARY DEFINITION OF THREAT.

Anonymous (2005-05-04 16:55 -04:00):

As an information security consultant working out in the field, I am always engaged in an uphill battle against misperceptions that information security is only about technical risks. I also have to fight to get people to understand the difference between threats, vulnerabilities and risks. OCTAVE's clear definitions will surely help as a formal establishment of truly balanced security thinking. I second that kudo!