In the Chinese national standard GB/T 25069—2022, Information security technology — Terminology, information security is defined as:
information security (信息安全)
[SOURCE: GB/T 29246—2017, 2.33, modified: in the note, "其他特性" ("other characteristics") has been changed to "其他性质" ("other properties")]
network security (网络安全)
[SOURCE: GB/T 20270—2006, 3.1.1, modified: "网络环境下" ("in a networked environment") has been changed to "对网络环境下" ("for a networked environment"), and "表征" ("characterize") to "保持" ("maintain")]
information security risk (信息安全风险)
Note that the 网络安全 defined here is network security in the narrow sense, not cybersecurity in the broad sense; as yet there is no national standard that defines 网络安全 in the broad (cybersecurity) sense.
The international standard ISO/IEC TS 27100:2020, Information technology — Cybersecurity — Overview and concepts, gives the following definitions:
3.2 cybersecurity
safeguarding of people, society, organizations and nations from cyber risks (3.7)
Note 1 to entry: Safeguarding means to keep cyber risks at a tolerable level.
3.7 cyber risk
effect of uncertainty on objectives
Note 1 to entry: Cyber risk can be expressed as effect of uncertainty on objectives of entities in cyberspace (3.5).
Note 2 to entry: Cyber risk is associated with the potential that threats will exploit vulnerabilities in cyberspace and thereby cause harm to entities in cyberspace.
[SOURCE:ISO/IEC 27000:2018, 3.61, modified — Notes 1 to 6 to entry have been replaced.]
3.5 cyberspace
interconnected digital environment of networks, services, systems, people, processes, organizations, and that which resides on the digital environment or traverses through it
Note 1 to entry: Interconnected digital environment that traverses public infrastructure e.g. the internet, rather than parts of the organisation’s internal network or air-gapped digital environments that may not traverse public infrastructure.
[SOURCE:ISO/IEC 27102:2019, 3.6, modified — In the definition, the part after "processes" has been added.]
Cyberspace is the interconnected digital environment made up of networks, services, systems, people, processes, organizations and whatever resides in or traverses that environment. Note 1 restricts it to environments that traverse public infrastructure such as the internet, so an organization's internal network or an air-gapped environment does not by itself count. It is *the* cyberspace, not *a* cyberspace.
Cyber risk can be expressed as the effect of uncertainty on the objectives of entities in cyberspace. It is associated with the potential that threats will exploit vulnerabilities in cyberspace and thereby cause harm to entities in cyberspace.
Cybersecurity means safeguarding people, society, organizations and nations from cyber risk, where safeguarding means keeping cyber risk at a tolerable level.
Looking at risk on a larger scale, the international standard ISO 31073:2022, Risk management — Vocabulary, defines risk as follows:
3.1.1 risk
effect of uncertainty (3.1.3) on objectives (3.1.2)
Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities (3.3.23) and threats (3.3.13).
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Risk is usually expressed in terms of risk sources (3.3.10), potential events (3.3.11), their consequences (3.3.18) and their likelihood (3.3.16).
3.1.3 uncertainty
state, even partial, of deficiency of information related to understanding or knowledge
Note 1 to entry: In some cases, uncertainty can be related to the organization’s (3.3.7) context as well as to its objectives (3.1.2).
Note 2 to entry: Uncertainty is the root source of risk (3.1.1), namely any kind of “deficiency of information” that matters in relation to objectives (and objectives, in turn, relate to all relevant interested parties’ (3.3.2) needs and expectations).
3.3.13 threat
potential source of danger, harm, or other undesirable outcome
Note 1 to entry: A threat is a negative situation in which loss is likely and over which one has relatively little control.
Note 2 to entry: A threat to one party may pose an opportunity (3.3.23) to another.
3.3.23 opportunity
combination of circumstances expected to be favourable to objectives (3.1.2)
Note 1 to entry: An opportunity is a positive situation in which gain is likely and over which one has a fair level of control.
Note 2 to entry: An opportunity to one party may pose a threat (3.3.13) to another.
Note 3 to entry: Taking or not taking an opportunity are both sources of risk (3.1.1).
[SOURCE:IEC 31010:2019, 3.2]