OSA has added two new definition pages — IT Security Architecture and IT Risk — that establish the shared vocabulary underpinning the pattern library, Capability Model, and Assessment tool.
IT Security Architecture
The page decomposes the term into its building blocks — IT Security (what to protect) and IT Architecture (how to describe it) — then presents OSA's definition: the enterprise discipline that embodies security principles in IT system design, defining what controls are required, where they sit, how they reduce risk to an acceptable level, and who is accountable.
It maps five types of security architecture from board-level strategy down to project-specific designs, and compares how NIST, SABSA, TOGAF, Gartner, ISO/IEC, and OSA each define the discipline.
IT Risk
The page challenges the assumption that IT risk equals security risk, breaking the full scope into five categories: Security, Operational, Compliance, Project, and Strategic risk. A botched patch that causes a four-hour outage is often more likely than an APT attack, yet risk registers rarely reflect this.
A section on cognitive biases in risk perception — drawing on Bruce Schneier — explains why organisations overweight headline attacks while underweighting gradual failures. Definitions from ISO 27005, NIST SP 800-30, FAIR, COBIT, and OSA show how each framework emphasises a different dimension.
What Comes Next
These are the first in a planned series. Definition pages for IT Security, IT Architecture, and additional terms will complete the vocabulary that enterprise architects need to position OSA in boardroom language.