Publications
A threat-based definition of IA- and IA-enabled products
This paper proposes a definition of 'IA and IA-enabled products' based on threat, as opposed to 'security services' (i.e., 'confidentiality, authentication, integrity, access control or non-repudiation of data'), as provided by Department of Defense (DoD) Instruction 8500.2, 'Information Assurance (IA) Implementation.' The DoDI 8500.2 definition is too broad, making it difficult to distinguish products that need higher protection from those that do not. As a consequence the products that need higher protection do not receive it, increasing risk. The threat-based definition proposed in this paper solves those problems by focusing attention on threats, thereby moving beyond compliance to risk management. (DoDI 8500.2 provides the definitions and controls that form the basis for IA across the DoD.) Familiarity with 8500.2 is assumed.