Risk Analysis Terminology
Introduction:
The security of an organization is determined through security risk analysis, also known as risk assessment. Security risk analysis does not guarantee 100% security. Risk analysis consists of checking the vulnerabilities of a system and the threats facing it; these are the major parts of a risk assessment program. Risk analysis ensures that controls and their cost are fully commensurate with the risks to which the industry is exposed. There are two important approaches to risk analysis: quantitative and qualitative. Qualitative risk analysis methods work with the elements threats, vulnerabilities and controls.
Quantitative risk analysis is based on data that may be unreliable and inaccurate. Risk assessment against business objectives is based on the following features: key assets must be the focus, together with prevention and protection against threats. Unavailability of services and facilities, loss of assets, unauthorized disclosure and unauthorized modification are known as risks. Using cyber security risk assessment techniques we can identify the various information assets that could be affected by a vulnerability. Cyber-attacks on hardware, software, laptops, systems and personal data affect those assets. Risk is reduced only through risk assessment. An organization must develop assessment criteria, assess the risks, prioritize them and finally avoid them.
Risk Analysis
Risk Analysis Terminology
Asset – Anything with value and in need of protection.
Threat – An action which causes damage to assets.
Vulnerability – Being attacked or harmed, either physically or emotionally.
Countermeasure – Any action with the ability to reduce an attack or a vulnerability.
Expected Loss – Loss due to an attack or a vulnerability.
Risk analysis
The current level of risk is identified by examining vulnerabilities, threats and assets; countermeasures are then used to reduce the risk. The first step of risk analysis is to identify the assets in need of protection and assign a value to each; the significant factor here is the value of the asset. Hardware, people, data, software, documentation and supplies can all be affected by a security problem, so the first step is to identify which of them are affected and to create a list. Assets are valued by cost, sensitivity and mission criticality. The second step is to identify the threats, such as software bugs, unauthorized access, denial of service and misconfigured systems. The risk analysis process is also used to determine whether the countermeasures are active and effective.
Prepare a risk analysis report
The risk analysis process is used to minimize risk and to identify the cost of each countermeasure. Writing a security risk analysis report is the biggest challenge: organizations tend to focus only on the summary information or only on the technical part. The report includes system connectivity, the operating environment, applicable threats and their frequency, data sensitivity levels, residual risk and detailed annual loss expectancy calculations.
Approaches to Risk Analysis
When a vulnerability is exploited, assets suffer losses. The losses are categorized as modification, disclosure, denial of service and destruction.
Disclosure
Disclosure refers to a confidentiality issue: personal information is leaked, or an unauthorized person accesses it.
Modification
This occurs when the original message is modified by the effect of a threat. A threat that modifies the content of a database causes loss of assets.
Destruction
The original message is damaged by threat activity. Intruders hack the database and damage the system, causing loss of assets. Data that is unavailable because of an attack is also classed as destruction.
Vulnerabilities are the means by which specific threats attack an organization; the purpose of a threat is to exploit a vulnerability in an information asset. The organization lists its assets and their vulnerabilities, and each vulnerability is examined against each threat facing the organization. A thorough identification process shows the customer that the organization's work is serious.
[Figure: Countermeasures around a workstation – Firewall, Certificates, PKI, System Audits, Physical Security, Redundant Array of Inexpensive Drives (RAID), Uninterrupted Power Supply (UPS), Tape Backups, User Training, Password Protection, System Certification and Accreditation]
Risk assessment
Using the risk assessment process we can determine risks and vulnerabilities. The risk assessment process assigns a value to each specific information asset. Likelihood, uncertainty, the value of the information asset and the percentage of risk already controlled are the factors used to estimate risk.
RISK = vulnerabilty of occurrences
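The following is an added example, not code from the original report, showing how the factors named above (likelihood, uncertainty, asset value and the percentage of risk already controlled) can be combined into a per-asset risk score, and how the annual loss expectancy calculation mentioned in the report section is worked before and after a countermeasure so that the control's cost can be weighed against the risk it removes. ALE = SLE × ARO is the standard quantitative formula; the asset names, figures and the scoring weights are constructed for the example.

```python
"""Quantitative risk scoring for a small, constructed asset inventory.

Added example; not code from the original report. Every asset name and
figure below is constructed. ALE = SLE x ARO is the standard quantitative
risk formula; the risk_score weighting is an assumption of this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Exposure:
    asset: str
    asset_value: float      # cost/impact value of the asset, in currency units
    likelihood: float       # probability the threat is realised in a year (0..1);
                            # also used as the annual rate of occurrence (ARO)
    controlled_pct: float   # share of the risk already removed by existing controls (0..1)
    uncertainty: float      # analyst's doubt in the estimates (0..1), added as a margin
    exposure_factor: float  # fraction of asset_value lost in one incident (0..1)


def risk_score(e: Exposure) -> float:
    """Ranking score: likelihood x value, reduced by the share already
    controlled, then inflated by the uncertainty margin so that poorly
    understood risks are not quietly under-ranked."""
    base = e.likelihood * e.asset_value
    residual = base * (1.0 - e.controlled_pct)
    return residual * (1.0 + e.uncertainty)


def single_loss_expectancy(e: Exposure) -> float:
    """SLE: what one incident against this asset costs."""
    return e.asset_value * e.exposure_factor


def annual_loss_expectancy(e: Exposure, aro: Optional[float] = None) -> float:
    """ALE = SLE x ARO; ARO defaults to the exposure's yearly likelihood."""
    return single_loss_expectancy(e) * (e.likelihood if aro is None else aro)


def countermeasure_benefit(e: Exposure, new_aro: float, annual_cost: float) -> float:
    """Cost-benefit of a countermeasure that lowers the annual rate of
    occurrence: (ALE before - ALE after) - annual cost of the control.
    A positive result means the control pays for itself."""
    return annual_loss_expectancy(e) - annual_loss_expectancy(e, new_aro) - annual_cost


def prioritise(exposures: List[Exposure]) -> List[Exposure]:
    """Assets in descending order of risk score, i.e. the order in which
    countermeasures should be considered."""
    return sorted(exposures, key=risk_score, reverse=True)


# Constructed inventory (not real data).
SAMPLE = [
    Exposure("customer database", 500_000, 0.30, 0.50, 0.25, 0.60),
    Exposure("public web server", 80_000, 0.80, 0.25, 0.10, 0.50),
    Exposure("field laptops", 20_000, 0.50, 0.00, 0.30, 1.00),
]

if __name__ == "__main__":
    for e in prioritise(SAMPLE):
        print(f"{e.asset:20s} score={risk_score(e):>10,.0f}  ALE={annual_loss_expectancy(e):>10,.0f}")
    db = SAMPLE[0]
    # A control that cuts the database's ARO to 0.05 for 40,000 a year.
    print("net yearly benefit of the database control:", countermeasure_benefit(db, 0.05, 40_000))
```

The uncertainty factor deliberately raises the score rather than lowering it: an estimate the analyst does not trust should push the asset up the list for closer examination, not let it slip out of view.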
Risk Control Strategy
- Risk prevention
- Reduction of impact
- Reduction of likelihood
- Early detection
- Recovery
- Risk transfer
- Fits company culture
- Flexible
- Easy and quick to use
- Modelling capability
- Secure
Avoidance, loss prevention, loss reduction, separation, duplication and diversification are the fundamental techniques for risk control.
[Figure: Risk Management – Vulnerability, Threat, Countermeasures, Risk]
The additional details needed for the design of the system.
Access control techniques
- DAC
- MACs
- NDC
Discretionary Access Control (DAC) is implemented by the database user. MAC is the abbreviation of Mandatory Access Control and NDC of Non-Discretionary Control. Lattice-based control is another type of non-discretionary control. Its structure is a matrix with rows and columns: a row refers to a subject and a column refers to an object.
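An added example, not code from the original report, of the matrix structure just described: subjects are rows, objects are columns, and each cell holds the rights a subject has on an object (the discretionary part, set by the owner). On top of the matrix it applies the lattice check that makes the control non-discretionary: labels are (level, compartments) pairs, label A dominates B when A's level is at least B's and A's compartments include B's, and a subject may read an object only when the subject's label dominates the object's, and write only when the object's label dominates the subject's. Those two rules go beyond what the report states and are the standard lattice model; the level, subject and object names are constructed.

```python
"""Access control matrix with a lattice of security labels.

Added example; not code from the original report. The read/write lattice
rules and every level, subject and object name are assumptions of this
example.
"""
from typing import Dict, FrozenSet, Set, Tuple

Label = Tuple[str, FrozenSet[str]]                                     # (level name, compartments)
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}  # constructed ordering


def dominates(a: Label, b: Label) -> bool:
    """Lattice partial order: a >= b iff level(a) >= level(b) and
    compartments(b) is a subset of compartments(a)."""
    (la, ca), (lb, cb) = a, b
    return LEVELS[la] >= LEVELS[lb] and cb <= ca


class AccessMatrix:
    def __init__(self) -> None:
        self.cells: Dict[Tuple[str, str], Set[str]] = {}  # (subject, object) -> rights
        self.labels: Dict[str, Label] = {}                # subject or object -> label

    def label(self, name: str, level: str, compartments=()) -> None:
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.labels[name] = (level, frozenset(compartments))

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        """Discretionary part: the owner fills the (subject, object) cell."""
        self.cells.setdefault((subject, obj), set()).update(rights)

    def revoke(self, subject: str, obj: str, *rights: str) -> None:
        self.cells.get((subject, obj), set()).difference_update(rights)

    def allowed(self, subject: str, obj: str, right: str) -> bool:
        """Both checks must pass: the matrix cell must contain the right
        (discretionary) and the labels must satisfy the lattice rule
        (non-discretionary)."""
        if right not in self.cells.get((subject, obj), set()):
            return False
        s, o = self.labels[subject], self.labels[obj]
        if right == "read":
            return dominates(s, o)   # no read up
        if right == "write":
            return dominates(o, s)   # no write down
        return True                  # other rights: the matrix cell alone decides

    def row(self, subject: str) -> Dict[str, Set[str]]:
        """One matrix row: the effective rights this subject has on each object."""
        return {
            obj: {r for r in rights if self.allowed(subject, obj, r)}
            for (subj, obj), rights in self.cells.items() if subj == subject
        }


def build_demo() -> AccessMatrix:
    """Constructed demo: the matrix grants everything, so the lattice
    check is what actually decides."""
    m = AccessMatrix()
    m.label("alice", "secret", {"finance"})
    m.label("bob", "internal")
    m.label("payroll.db", "confidential", {"finance"})
    m.label("memo.txt", "public")
    for subj in ("alice", "bob"):
        for obj in ("payroll.db", "memo.txt"):
            m.grant(subj, obj, "read", "write")
    return m


if __name__ == "__main__":
    m = build_demo()
    for subj in ("alice", "bob"):
        print(subj, m.row(subj))
```

Even though every cell of the demo matrix grants read and write, bob cannot read payroll.db (his level is below its level) and alice cannot write memo.txt (that would move secret data down to a public object); the matrix owner cannot override those outcomes, which is what makes the control non-discretionary.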
- Use at any stage of Project Life Cycle
- Identify all or selected risks
- Classify systems and projects
- Countermeasure guidance
- Audit trail
Information security risk criteria are identified, established and maintained. The risk assessment process is repeated to ensure consistent, valid and comparable results. Risk assessment protects the company from knowable challenges by evaluating the potential financial damage and loss of assets, and requires understanding the mission and objectives of the organization and the risks associated with them.
Risk assessment is undertaken to generate value: the company must follow a weekly risk assessment process to generate value and protect itself from loss of assets.
Preparing a Risk Analysis Report
Identify which information asset is most important to the organization's success, which produces the most revenue and which produces the most profitability.
Identify which information asset would be the most expensive to replace, which would be the most expensive to protect, and which would cause the greatest liability. The diagram below shows the information asset valuation process.
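An added example, not code from the original report, that turns the six valuation questions above into a ranking: each asset is scored on contribution to success, revenue, profitability, replacement cost, protection cost and liability, each criterion is min-max normalised across the inventory to 0..1 so that currency figures and 1-10 ratings can be combined, and assets are ordered by weighted total. The criterion weights, asset names and all figures are constructed.

```python
"""Information asset valuation by weighted criteria.

Added example; not code from the original report. Weights, asset names and
figures are constructed for the example.
"""
from typing import Dict, List, Tuple

CRITERIA = ["success", "revenue", "profitability", "replace_cost", "protect_cost", "liability"]
# Constructed weights; they must sum to 1 so the total stays within 0..1.
WEIGHTS = {"success": 0.20, "revenue": 0.20, "profitability": 0.15,
           "replace_cost": 0.15, "protect_cost": 0.10, "liability": 0.20}

Inventory = Dict[str, Dict[str, float]]


def normalise(inventory: Inventory) -> Inventory:
    """Scale every criterion to 0..1 across the inventory. A criterion that
    takes the same value for every asset cannot discriminate, so it scores
    0.5 everywhere instead of dividing by zero."""
    scaled: Inventory = {name: {} for name in inventory}
    for c in CRITERIA:
        values = [asset[c] for asset in inventory.values()]
        lo, hi = min(values), max(values)
        for name, asset in inventory.items():
            scaled[name][c] = 0.5 if hi == lo else (asset[c] - lo) / (hi - lo)
    return scaled


def weighted_score(scaled_asset: Dict[str, float], weights: Dict[str, float] = WEIGHTS) -> float:
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("criterion weights must sum to 1")
    return sum(weights[c] * scaled_asset[c] for c in CRITERIA)


def rank_assets(inventory: Inventory, weights: Dict[str, float] = WEIGHTS) -> List[Tuple[float, str]]:
    """(score, asset) pairs, most valuable first."""
    scaled = normalise(inventory)
    return sorted(((weighted_score(scaled[n], weights), n) for n in inventory), reverse=True)


def dominant_criterion(inventory: Inventory, asset: str, weights: Dict[str, float] = WEIGHTS) -> str:
    """The criterion contributing most to one asset's score: useful when
    justifying the ranking in the risk analysis report."""
    scaled = normalise(inventory)[asset]
    return max(CRITERIA, key=lambda c: weights[c] * scaled[c])


# Constructed inventory: success and liability are 1-10 ratings, the rest
# are currency units per year.
INVENTORY: Inventory = {
    "customer database": dict(success=9, revenue=400_000, profitability=120_000,
                              replace_cost=250_000, protect_cost=60_000, liability=9),
    "public website":    dict(success=6, revenue=150_000, profitability=40_000,
                              replace_cost=30_000, protect_cost=10_000, liability=3),
    "internal wiki":     dict(success=3, revenue=0, profitability=0,
                              replace_cost=10_000, protect_cost=5_000, liability=2),
}

if __name__ == "__main__":
    for score, name in rank_assets(INVENTORY):
        print(f"{score:.3f}  {name:18s} (driven by {dominant_criterion(INVENTORY, name)})")
```

Normalising before weighting matters: without it, the revenue figure in the hundreds of thousands would swamp the 1-10 liability rating regardless of the weights chosen.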
Security Risk Management:
Risk management is one of the important processes for an organization. The process consists of controlling the threats to a business organization. The threats come from a wide variety of sources, including organizational errors. Finally, risk management is an ongoing process for finding threats and characterising them.
Risk management contains two types, given below:
- Risk Authority
- Risk Determination
Risk Authority:
Risk authority is an important concept for system security. Risk authority applies controls to limit the risk to an organization; the reduced risk then applies to the data and information of the organization's business.
Risk Determination:
Risk determination is used to identify the current information of the system. It is mainly used for determining the data of the organization. Risk management identifies the organization's knowledge and clarifies the attacks on the organization. Threats are important for the organization's system, since a large number of assets are attacked by threats.
Information determination and valuation:
The following components are involved in the determination:
- User
- Information and data
- System Software
- System Hardware
- Networking
Classification is important for the organization. It is mainly used to identify data classifications, e.g. security, internal, privacy, information. Most organizations must specify the components and find out the levels of the organization. The levels present in the organization must be mutually exclusive and comprehensive.
Many organizations make wide use of classification schemes. Different types of classification schemes are used by financial organizations and military organizations. Information is handled by its owners, who are fully responsible for identifying and classifying their information assets. The organization's information is mainly focused on classification and must be analysed sequentially. Many organizations do not give a full view of the level of classification; thus classification is used mainly by military and financial organizations. The important thing for the organization is to identify the data and its security.
The following vulnerability components are given below:
- Avoidance
- Transference
- Mitigation
- Security
- Privacy
- Acceptance
Avoidance:
Avoidance controls the level of exploitation of the organization's vulnerabilities.
Vulnerabilities and Threats
Risk avoidance is mainly prepared under the following conditions:
- Countering the threats
- Limiting the number of threats
- Adding protection against the threats
The three methods of avoidance are given below:
- Education and Research
- Technology
- Privacy and Policy
Transference is mainly used to transfer risk from one asset to another. This approach is mainly used in organizations: many organizations carry complex risks that are transferred from one system or organization to another. Organizations act on their own thinking and should provide security management and organizational experience.
Mitigation:
Mitigation is used to reduce vulnerability. The impacts are considered through the analysis and requirements process. The three types of mitigation are given below:
- IRP
- DRP
- BCP
The mitigation types are explained in detail:
DRP stands for Disaster Recovery Plan and is an important part of the mitigation process. While the DRP is in progress, the actions taken define the IRP (Incident Response Plan). The BCP (Business Continuity Plan) works continuously in the military organization; the process runs periodically, for example when complex events or earthquakes occur.
Benchmarking is one approach to managing risk and another type of risk analysis and management. The purpose of benchmarking is to study other organizations so that the practices one desires can be duplicated in one's own.
- Metrics-based measures
- Process-based measures
Ethical and Social Issues of Security in Information Technology:
Information is central to the current world. Many organizations work very successfully today, for example Facebook and Google. Many organizations use information in the wrong way, and this creates problems for employees.
- Cyber Crime
- System Ethics
- ICT
Information technology is widely used for crime, ranging from a personal computer system to the very large area of financial organizations. Cyber crime is widely used to cause loss of human life. Much new technology growth is connected to the internet; thus the growth of technology has contributed to encouraging cyber crime.
Cyber Crime Types:
- Identity theft
- Identity fraud
- Copyright Infringement
- Hacking
- Computer Virus
Identity Theft:
Identity theft is one contributor to the growth of cyber crime. Cyber criminals hack someone's personal details, such as passbook numbers, passport numbers, and debit card and credit card details.
Hacking:
Hacking is part of cyber crime. The hacker accesses a system without authorization, attacking a personal system to gather all the information about the system's users.
Computer Virus:
A virus is a part of a program. Viruses attack the system, which can cause problems and alter the stored information. Viruses are unauthorized programs that can be used by any user.
System Security:
System security is used to protect against unauthorized persons. In a computer system, weak system security is very useful to the hacker, who can easily attack the system and gather its information.
Ethics is important for people: ethics guide people to take the correct decision and to distinguish right from wrong. In an information system, ethics are used to protect the system individually, and the information system is responsible for system security.
Conclusion
Risk management is not an event; it is a continual process. If risk management is performed properly, it can be a powerful tool that enables an organization to run free of risk and maximize its value creation. You need not fear the result if you know yourself and the enemy. One hundred percent security is not assured by security risk analysis.