To better understand a situation with risk in mind, one must understand the bigger picture. Furthermore, to build this bigger picture, one must be aware of the elements that make it up. This bigger picture will be referred to from here on as "context" or "risk context".
The user engages in an online activity to reach a goal
The user is an individual who has a certain goal and wants to achieve it in a legitimate way online.
An easy example is that of online shopping (user activity). One wants to buy furniture online (goal), because it's cheaper than the offline alternatives.
Elements identified - user, user activity, goal
The user needs certain items in this online activity
Activities usually require some kind of input. In most cases, you cannot engage in an activity (be it online or offline) without some kind of tool or information.
Following the example above, in order for the user to buy the furniture online, the items that the user needs can be the following two:
- some form of payment and the information associated with that
- delivery information like address and name
For both the user and the online shop, the above information has a certain value, which is why we will refer to it as an "asset".
Element identified - asset
The online activity is made up of multiple steps
Conducting an activity usually consists of multiple actions done in certain steps.
To continue the example above, some of these actions might include:
1. searching for an online shop
2. paying with the credit card online
Element identified - action or multiple actions
Maliciously intended people engage in activities to reach their goal
Maliciously intended people usually try to take advantage of unsuspecting users online to reach their goal. For this reason, they will be called "adversaries", because they are directly threatening the regular user.
Element identified - adversary
These malicious activities are targeted at or based on other people's activities
The adversaries usually take advantage of other people online and their activities in order to obtain their assets or use them to achieve their goal. The activities that adversaries engage in are a direct threat to the user, which is why they will be named "threats".
Element identified - adversary activity (also seen as "threat" by the user)
Building the bigger picture
All of the elements identified above define the risk context. The list below sums them up.
- User goal
- Activity (made up of actions)
- Adversary goal
- Threat (or adversary activity)
The context is seen differently from the user's perspective and from the adversary's perspective.
To better understand the importance of these elements and to better understand what the user must be aware of, both of these perspectives must be taken into consideration.