---
layout: page
title: The Definition Layers (1, 2, 3)
---

Risk Assessment activities in Layer 1 through Layer 3 all work together to equip the organization for success when Sensitive Activities are performed.

Beginning with an understanding of the different ways negative outcomes or failures can occur, Layer 1 activities include the documentation of Vectors and the corresponding Guidance that can help prevent those negative outcomes.

Building upon Vectors, Layer 2 defines how Threats are narrow and specific to a particular scenario. Those Threats document the justification for Controls, which provide clear objectives and requirements to guide actors in the mitigation of Threats.

As the capstone to enable robust security implementation, Layer 3 prioritizes the Risks that an organization faces and outlines the Policies that are necessary to mitigate the most pressing opportunities for neglect, mistakes, and malicious activity.

When these three layers are coordinated in a streamlined fashion, they act as design requirements to accelerate and empower implementation activities.

However, the opposite is more often seen in reality: a failure to properly orchestrate definitions as part of the preparation and/or design requirements will inevitably result in Compliance being segmented from security. Instead of using Compliance activities as a strategic part of a larger initiative, Compliance itself becomes the goal.

As [Goodhart’s law](https://en.wikipedia.org/wiki/Goodhart's_law) teaches us: “When a measure becomes a target, it ceases to be a good measure.” If we mandate Compliance for the sake of Compliance, we reduce our own efficacy. For this reason, a deep understanding of the reasoning behind these three layers is essential for ideal security outcomes.