To understand a situation with risk in mind, one must understand the bigger picture. Furthermore, to build this bigger picture, one must be aware of the elements that make it up. This bigger picture will be referred to below as "context" or "risk context".

The user engages in an online activity to reach a goal

The user is an individual who has a certain goal and wants to achieve it in a legitimate way online.

An easy example is that of online shopping (user activity). One wants to buy furniture online (goal), because it's cheaper than the offline alternatives.

Elements identified - user, user activity, goal

The user needs certain items in this online activity

Activities usually require some kind of input. In most cases, you cannot engage in an activity (be it online or offline) without some kind of tool or information.

Following the example above, in order for the user to buy the furniture online, the items that the user needs can be the following two:

  • some form of payment and the information associated with that
  • delivery information like address and name

For both the user and the online shop, the above information has a certain value, which is why we will refer to it as an "asset".

Element identified - asset

The online activity is made up of multiple steps

Conducting an activity usually consists of multiple actions done in certain steps.

To continue the example above, some of these actions might include:

  1. searching for an online shop
  2. paying with the credit card online

Element identified - action or multiple actions

Maliciously intended people engage in activities to reach their goal

Maliciously intended people usually try to take advantage of unsuspecting users online to reach their goal. They will be called "adversaries" because they directly threaten the regular user.

Element identified - adversary

These malicious activities are targeted at or based on other people's activities

Adversaries usually take advantage of other people online and their activities in order to obtain their assets or use them to achieve their own goal. The activities that adversaries engage in are a direct threat to the user, which is why they will be named "threats".

Element identified - adversary activity (also seen as "threat" by the user)


Building the bigger picture

All of the elements identified above define the risk context. The list below sums them up.

  • User
  • User goal
  • Activity (made up of actions)
  • Asset
  • Adversary
  • Adversary goal
  • Threat (or adversary activity)

The context is seen differently from the user's perspective and from the adversary's perspective.

To better understand the importance of these elements and what the user must be aware of, both of these perspectives must be taken into consideration.