Glossary

From The Secure Arc Wiki



Actor

When applied to UML modeling, an actor is something or someone who provides stimulus to a system.

Denial of Service

Usually abbreviated 'DoS', this is an attack on availability: it aims to disable an application, or the infrastructure it runs on, so that it becomes unavailable to the users who need it. High-profile organisations are the most visible targets, but smaller, targeted DoS attacks also occur.

Elevation of Privilege

Elevation of Privilege, or Privilege Escalation, is the act of exploiting a weakness in an application or system so that a user or process gains access to resources or operations that would normally be protected from it (for example, an ordinary user obtaining administrator rights).

Information Asset

An information asset is information (usually stored), which is of 'value' to an organisation. The value of the information asset is derived by a process of asset classification. This is detailed in the Information Asset Classification section.

Information Disclosure

Information Disclosure is the giving out of information. In Information Security, we are concerned mainly with a breach of confidentiality, meaning information has leaked to someone who should not see it. Some information is labeled with a classification, such as 'public', 'confidential', or 'highly classified'. There are generally rules around the handling of this information based on its classification. There are many regulations preventing unauthorised disclosure of sensitive information, such as the 'Privacy Act'. The Information Asset Classification process is used to identify what information should and should not be disclosed.

Qualitative Risk Analysis

The process of examining the 'why' and 'how' of a risk and rating it on a descriptive scale (for example low, medium or high likelihood and impact), often by comparison with a larger set of known incidents or with expert judgement, to arrive at a risk rating. This type of analysis places more emphasis on describing a risk than quantitative analysis does.

Quantitative Risk Analysis

The process of determining the value of a risk by examining its numerical, measurable characteristics, typically expressed in monetary terms. For example, the annualised loss expectancy (ALE) of an event is its single loss expectancy (the cost of one occurrence) multiplied by its annualised rate of occurrence: an event costing 100,000 that is expected once every four years has an ALE of 25,000.

Repudiation

Repudiation is refusing to accept, or to be associated with, an action. In some cases it is important to be able to trace an activity, such as a transaction, to the individual who asserted it. Some applications require non-repudiation: evidence, such as a digital signature made with a key that only that individual holds, that establishes a provable association between the action and the individual. A check based on a shared secret (such as an HMAC) is not sufficient for this, because any party holding the secret could have produced it.

Risk

Risk denotes a potential for loss. It is a function of the probability (likelihood) of an event and its consequence (impact).

Spoofing

The act of masquerading as someone or something else (another user, host or service) in order to gain access to, or damage, a system without being properly identified. Spoofing is a failure of authentication.

System User

A System User is effectively the same as an End User, but it is not used to authenticate to the user interface. When the same services need to be invoked by a system, batch or other asynchronous process that is not acting on behalf of a direct End User request, that process needs to run as a User granted only the privileges it requires to invoke those services.

This is detailed in the Service Pattern design patterns.

Tampering

Tampering of data refers to the improper modification of data, whether in storage or in transit (before it is sent or before it is received), such that the integrity of the data cannot be maintained. Integrity checks such as message authentication codes or digital signatures allow tampering to be detected.
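The following Go program is an added example for the Repudiation and Tampering entries above; it is not code from the Secure Arc Wiki. It signs a transaction with an Ed25519 key held only by the sender and, separately, authenticates it with an HMAC under a key shared with the receiver. Both checks detect tampering, but only the signature supports non-repudiation: the receiver can reproduce the HMAC tag, yet cannot produce a signature that verifies under the sender's public key. The transaction record, the labels from which the keys are derived and the shared key are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Transaction is a constructed record that an individual (Alice) asserts and
// sends to a receiver (Bob). Both the signature and the HMAC below are
// computed over its canonical byte form, so any change in transit is detected.
type Transaction struct {
	From   string
	To     string
	Amount int
}

// Bytes returns the canonical serialisation that is signed or authenticated.
func (t Transaction) Bytes() []byte {
	return []byte(fmt.Sprintf("from=%s;to=%s;amount=%d", t.From, t.To, t.Amount))
}

// NewKey derives an Ed25519 private key from a constructed label so that the
// example is reproducible. Real keys are generated with
// ed25519.GenerateKey(rand.Reader) and the private half never leaves its owner.
func NewKey(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// Constructed key material for the example.
var (
	AlicePriv = NewKey("constructed seed: alice")
	AlicePub  = AlicePriv.Public().(ed25519.PublicKey)
	BobPriv   = NewKey("constructed seed: bob")
	SharedKey = []byte("constructed key shared by alice and bob")
)

// SignTransaction: only the holder of the private key can produce this
// signature, so a valid one is evidence that Alice asserted the transaction.
func SignTransaction(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.Bytes())
}

// VerifyTransaction: anyone with Alice's public key can check the signature
// without being able to forge one. It fails if the transaction was tampered
// with or the signature was not made by the matching private key.
func VerifyTransaction(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.Bytes(), sig)
}

// AuthenticateTransaction computes an HMAC-SHA256 tag under a key shared by
// sender and receiver. It detects tampering, but the receiver holds the same
// key and could have produced the tag itself.
func AuthenticateTransaction(sharedKey []byte, t Transaction) []byte {
	mac := hmac.New(sha256.New, sharedKey)
	mac.Write(t.Bytes())
	return mac.Sum(nil)
}

// CheckTransaction verifies an HMAC tag using a constant-time comparison.
func CheckTransaction(sharedKey []byte, t Transaction, tag []byte) bool {
	return hmac.Equal(AuthenticateTransaction(sharedKey, t), tag)
}

// ReceiverForgesTag shows that Bob, holding the shared key, produces a tag
// identical to Alice's: an HMAC proves only that someone with the key sent the
// message, which is not enough for non-repudiation.
func ReceiverForgesTag(sharedKey []byte, t Transaction, senderTag []byte) bool {
	return hmac.Equal(AuthenticateTransaction(sharedKey, t), senderTag)
}

// ReceiverForgesSignature shows that Bob, who has only his own private key
// and Alice's public key, cannot produce a signature that verifies as hers.
func ReceiverForgesSignature(bobPriv ed25519.PrivateKey, alicePub ed25519.PublicKey, t Transaction) bool {
	return ed25519.Verify(alicePub, t.Bytes(), ed25519.Sign(bobPriv, t.Bytes()))
}

func main() {
	tx := Transaction{From: "alice", To: "bob", Amount: 100}
	tampered := tx
	tampered.Amount = 1000 // modified in transit

	sig := SignTransaction(AlicePriv, tx)
	tag := AuthenticateTransaction(SharedKey, tx)

	fmt.Println("signature verifies:          ", VerifyTransaction(AlicePub, tx, sig))
	fmt.Println("signature after tampering:   ", VerifyTransaction(AlicePub, tampered, sig))
	fmt.Println("HMAC verifies:               ", CheckTransaction(SharedKey, tx, tag))
	fmt.Println("HMAC after tampering:        ", CheckTransaction(SharedKey, tampered, tag))
	fmt.Println("receiver can forge HMAC tag: ", ReceiverForgesTag(SharedKey, tx, tag))
	fmt.Println("receiver can forge signature:", ReceiverForgesSignature(BobPriv, AlicePub, tx))
}
```

In practice the signed bytes must be a canonical encoding of the record (here a fixed field order with no ambiguity between fields), and the verifier must bind the public key to the individual through some key-management process; without that binding a valid signature proves only that some private key holder signed, which is the spoofing problem rather than the repudiation one.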

Threat

A Threat is a person or thing likely to cause damage or danger; a threat realises a risk by exploiting a vulnerability.

Transient

An Information Asset is considered Transient if it only ever resides in memory and is not explicitly stored in a repository or file system by a Node in the system. Note, however, that the underlying Operating System is likely to use a virtual memory mechanism (paging or swap) that may result in the contents of memory, including Transient Information Assets, being temporarily written to disk, so a Transient asset cannot be assumed never to reach persistent storage. Locking sensitive pages in memory (for example with mlock) and clearing the memory once the asset is no longer needed reduce this exposure.

Vulnerability

A Vulnerability is a weakness in a system that makes it susceptible to damage, loss, or attack, and which a threat can exploit.
