Information Security: A Coherent Approach - Vulnerability
(Page 2 of 4 )
According to the group's white paper, "a vulnerability is a flaw or weakness in a system's security procedures, design, implementation or internal controls that could be exploited," resulting in some form of security breach. The most widespread and damaging vulnerabilities can be broadly divided into three types.
Perhaps surprisingly, the biggest of these groups is that of management-related vulnerabilities, which includes inadequate security investment, lack of awareness of security issues at management level, inadequate contingency planning and the failure to communicate the importance of security consciousness.
This clearly indicates that there may often be a lack of communication between decision makers and those directly responsible for implementing security controls - usually IT professionals. Unless and until such communication issues are addressed and improved, the security efforts of many organizations are likely to continue to be under funded and misdirected.
The second group of vulnerabilities contains human factors. These include overconfidence in the existing security controls, user-level ignorance, carelessness and negligence, poor governance, and above all, the failure to recognize the importance of these factors.
It is common knowledge that a security system is only as strong as its weakest element. What is often forgotten is that the weakest element is generally the people who work within the system. Whether through naivety (e.g. handing out passwords), negligence (writing them down), or ignorance (failing to make them strong enough to withstand cracking), most security breaches can be traced back to some form of human error.