Alex Hutton writes a primer post on what Information Security (InfoSec) is, to create a reference point. He says InfoSec is too complex to be described as threat-centric or vulnerability-centric. It is a hypothetical construct: what is secure enough is subjective to the observer, a subjective assessment that is immediately, almost subconsciously, compared in their mind to the relative risk tolerance of the owner. This presents many challenges in managing a security program, not the least of which is establishing a high degree of intersubjectivity.
Source: https://threatpost.com/what-information-security-112910/74709/

