Risk-Driven Security

Risk-driven security is an advanced concept. One of the major pillars of an e-commerce system is its risk management from operational, transactional, and financial perspectives, and overall in all aspects of its function. To understand risk-driven security, you must first understand what risk itself is. In simplistic terms, risk is the mathematical probability of an event that could happen, or be avoided or mitigated in future, rather than a present problem that could cause harm and must be addressed immediately. That is a mouthful. In layman's terms, risk is the likelihood of some event happening, not its actual occurrence. Risk-driven security, on the other hand, is the concept of designing and implementing security measures that are deployed based on the probability of an attack taking place. This is a significant deviation from static security design, and one that directly addresses optimization of scalable systems' security such as an e-commerce infrastructure. Let's see what it means.

Security does not come cheap; any security operation (authentication, authorization, verification of credentials, and the like) comes with a cost of computing (CPU cycle that is spent on performing that security operation) and usability (usually the delay that is imposed upon the entity that is the target of the security operation) associated with it. For example, a traditional e-commerce site asks for a user's credentials every single time the user attempts to access it. ...

Get Web Commerce Security Design and Development now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.