RE: Editorial thoughts on draft-farrell-perpass-attack-02

ISO 27000 (Information technology - Security techniques - Information security management systems - Overview and vocabulary)
defines both terms, and differently:

2.4
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of
an asset (2.3)

2.45
threat
potential cause of an unwanted incident, which may result in harm to a system or organization

-- 
Christopher Dearlove
Senior Principal Engineer, Communications Group
Communications, Networks and Image Analysis Capability
BAE Systems Advanced Technology Centre
West Hanningfield Road, Great Baddow, Chelmsford, CM2 8HN, UK
Tel: +44 1245 242194 |  Fax: +44 1245 242124
chris.dearlove@xxxxxxxxxxxxxx | http://www.baesystems.com

BAE Systems (Operations) Limited
Registered Office: Warwick House, PO Box 87, Farnborough Aerospace Centre, Farnborough, Hants, GU14 6YU, UK
Registered in England & Wales No: 1996687


-----Original Message-----
From: ietf [mailto:ietf-bounces@xxxxxxxx] On Behalf Of Dave Crocker
Sent: 15 December 2013 18:18
To: Jari Arkko; Scott Brim
Cc: Ted Hardie; Bjoern Hoehrmann; IETF discussion list
Subject: Re: Editorial thoughts on draft-farrell-perpass-attack-02

On 12/15/2013 10:07 AM, Jari Arkko wrote:
> FWIW when I have talked about this issue, I've usually talked about the fact that Internet has a vulnerability for pervasive monitoring and that we need to address that vulnerability just like we do with other vulnerabilities. (To our ability, just like with the other vulnerabilities.) "Threat" would work well for me, too.

+1

Within the IETF, I'm used to hearing security folk talk in terms of 'threats', so the word 'attack' was a bit of a surprise.

It's worth using language that is already common in the IETF, and is as boringly neutral as we can get away with.  (In most of the world, the word 'threat' wouldn't be considered neutral, of course, but within technical security discussions, it seems to be.)

As others keep noting, within the IETF, our job is to focus on the technical issues of this topic.  That means we should avoid anything that excites opportunities for those other issues.  They're relevant, of course, but not in the IETF.

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
