Disruption and Destruction

CIA as Security Objectives V2

When it comes to information security, which is the opposite of availability? Disruption or destruction? I prefer disruption to destruction.

The scope of information security includes information and information systems, and the context determines their availability. Destruction ruins the availability of information, while disruption breaches the availability of information systems. The availability of information depends on the availability of information systems.

As information itself is not accessible or usable, information consumers shall get access to or use the information with some tools or instruments, no matter the information is at rest, in motion, and in use. As a result, I assume the “access to and use of information” shall be realized through the information system, as defined in the “Information system” section.

Disruption over Destruction


  • Information depends on the information system.
  • The opposite of the availability of information means information is not available.

The following logic justifies the conclusion:

  • If information is available, then the information system is available.
  • If the information system is NOT available, then information is NOT available.
  • That means, if the information system is disrupted, then information is NOT available.
  • We can conclude that disruption is the opposite of the availability of information.

Information System

An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. In the context of this publication, the definition includes the environment in which the information system operates (i.e., people, processes, technologies, facilities, and cyberspace). (NIST SP 800-39)

An information system typically comprises components such as 1) data, 2) computer systems, 3) operating systems, 4) software, 5) networks, 6) data centers, 7) people, 8) business processes, and so forth. My book, The Effective CISSP: Security and Risk Management, introduced the Peacock Model as a metaphor for the information system.

The Peacock Model

The Peacock Model is a metaphor of information systems that extends the definition defined by 44 U.S.C, Sec 3502, and aligns with this definition of NIST SP 800-39, as stated above. It treats People and Business Processes as extensions and part of an information system, as an information system is implemented and operated by people to support business processes.

The Peacock

Peacock Model


Effective CISSP Questions

A host with an IP address,, sends ICMP control messages of Echo Request to but receives no response because requests timed out. Which of the following is the most likely cause?
A. The destination ignores the requests, or the network is jammed.
B. The default gateway of the host is not properly configured.
C. The routing table of the gateway doesn’t converge.
D. The destination resides in another broadcast domain.

Continue reading


Effective CISSP Questions

Your company sells toys online worldwide. A web-based E-Commerce system developed in-house and deployed to a public cloud supports the business. The EC system accepts credit cards and processes personal data. Which of the following addresses those concerns and provides the best assurance?
B. Risk Assessment
C. Security Assessment
D. Third-party Audit

Continue reading

Financial Viability of Controls


FINANCIAL Viability of Controls

Courtesy of Sven De Preter

This concise document is the courtesy of Sven De Preter (The Strategist of the new study group, Certification Stage) and shared with his permission.

Sven adds a new perspective, CAPEX, OPEX, and TCO, on top of the concept of ALE (Annual Loss Expectancy) introduced in most of the CISSP study guides.

  • CAPEX (Capital Expenditure) as initial costs
  • OPEX (Operational Expenditure) as ongoing costs
  • TCO (Total Cost of Ownership)


Effective CISSP Questions

Your company sells toys online worldwide. A web-based E-Commerce system developed in-house and deployed to a public cloud supports the business. As a security professional, you suggest penetration testing should be conducted. Which of the following is your most concern?
A. The decision of employment of internal or external penetration test team
B. The capability and experience of the penetration test team
C. The procedure that the penetration test team asks for permission to conduct penetration testing
D. The escalation path to the senior management if testing takes down the system

Continue reading


Effective CISSP Questions

As a CISO, you issue a policy that mandates every employee shall be aware of social engineering attacks. A supporting standard is then developed that requires everyone shall accept at least three or more hours of awareness training each year. Which of the following activities is the best upcoming activity conducted to enforce the policy?
A. Penetration testing
B. Security assessment
C. Vulnerability assessment
D. Risk assessment

Continue reading