Risk Analysis: The Core of Security Risk Assessment
As Raggad (2010) points out, many things need to be in place before information security management can start. The organization has to be in agreement on an accepted business mission and strategic plan and have a standardized information technology computing environment with an asset baseline assessment completed. The level of detail, extent, correctness and identification of assets should match the energy and time invested in the security risk assessment, of which the baseline asset assessment is a part, as Landoll (2016) points out. Once the baseline asset inventory is complete, the applications and systems can be prioritized by risk to determine the types of security risk assessments required for the assets identified as the highest priority. Security risk analysis is performed to identify the assets with the highest priority.
Security risk analysis includes critical thinking, the types of data analyzed and the methods used to complete the risk analysis that is a part of the security risk assessment. The purpose of security risk analysis, as described by Freund & Jones (2015), is to provide a decision-maker with the best possible information about the loss exposure and their options for dealing with it. Many do not distinguish between security risk assessment and security risk analysis. Risk analysis, as Freund & Jones (2015) point out, is a subcomponent of risk assessment. Risk analysis, as described by Peltier (2010), is the method that permits the management team to validate that it has met its responsibility of due diligence when making a choice about moving forward with a new project, capital expenditure, investment strategy, or another such business process. Risk analysis is about evaluating significance and enabling the comparison of options. Risk management, as described by Freund & Jones (2015), that rests on assessment without meaningful or accurate risk analysis produces poorly informed prioritization and cost-ineffective decisions.
The risk analysis approach is determined by the starting point of the risk assessment. The risk analysis approach can be viewed from different aspects; examples are threat-, asset- or vulnerability-oriented approaches, as identified by Ross (2012). Along with the orientation or starting point, there are alternative methods of analysis, such as utilizing a graph to represent the results. Taking different approaches to analysis, as Ross (2012) points out, provides a way to account for whether, within the time allocated for the risk to be assessed, a specific adverse impact could occur once or repeatedly. The analysis also depends on the nature of the impacts and how the organization recovers from the adverse impact.
Critical Thinking
The ability to use critical thinking is essential to risk analysis, as described by Norman (2016).
In one's everyday life many efforts are in place to influence one's thinking. Some examples of influences are people in education, the media, advertisers and politicians with political views, as Purpura (2008) points out. As one thinks through complex issues or challenges, there is a need to sort out the different statements provided on the subject. With many influences, some sort of framework or set of steps assists in sorting out all the different claims made. One example of critical thinking, as described by Purpura (2008), is a four-step process. The four steps are understanding the point of view, pursuing other views, assessing and identifying the various viewpoints, and then creating a reasonable view.
To understand the point of view, as Purpura (2008) describes, one might read about similar issues or listen to different viewpoints on the issue. The person investigating should seek to understand the background of the source. If possible, one can view the issue from the source's point of view. The second step is to pursue other views, which includes asking the right questions and collecting viewpoints on the situation. Identify solutions or ideas from others to assist in building a point of view. The third step is to assess and classify all viewpoints into categories or topics in a list format. This might include looking for gaps, exceptions, selective perception or personal attacks on a subject or issue. The last step is to go back and review the list of viewpoints.
Critical thinking, as Norman (2016) describes, is required for performing a risk analysis. Along with critical thinking, one needs to assess criticality and consequences. Criticality takes into account the impact that a specific asset has as a part of the mission of an organization, while consequence recognizes the effect that the loss of an asset has on an organization. A simple criticality and consequence ranking can be used as a component of other calculations, including asset target value and risk analysis calculations and also countermeasure cost-effectiveness. Risk, as identified by Norman (2016), can be ranked by consequences so that restricted funds can be spent on defending the most important assets. Understanding criticality and consequence analysis is key to applying the limited budget for countermeasures in an effective manner. It is vital that countermeasures be applied to secure the most critical assets first and then the others in descending order.
What Is a Risk
A risk is a situation that exposes an object to harm, as described by Talabis & Martin (2013). A risk is made up of an event, an asset, an outcome, and a probability. The event in a risk assessment is the unplanned situation that might or might not occur, and it lies in the future. In most cases during a risk assessment, as identified by Talabis & Martin (2013), the event represents an undesired or unwanted adverse occurrence. A situation is an event.
An object is an asset. The asset is the direct or indirect target that is part of the event. An asset is normally something of value to an organization; it could be an object or information. Examples of assets are computer hardware, applications, and databases. The outcome is the result or impact of the event that occurred in the risk. When doing a security risk assessment, the outcome is an adverse or unwelcome situation which incurs a loss or the possibility of a loss. Measurement is the basis of any risk assessment. The probability normally involves the determination of the exposure and frequency of an event and is subjective in nature. Reviewing the parts, the first part of a risk is the action or inaction of a future event. The second part of a risk is the likelihood or probability that the event is going to occur. The third part is the asset that the event directly or indirectly affects. The fourth part is the outcome, that is, the impact of the event on the asset.
Information security risk, as Talabis & Martin (2013) state, revolves around three things: threats, vulnerabilities, and impact. The threat is the event, arising from an action or inaction, that results in a negative, unwanted situation. The vulnerability is an environmental weakness that increases the probability or likelihood of a threat happening or completing successfully.
Risk Analysis and the Oversight Committee
The process of risk analysis allows an organization's management to prove that it met its obligations of due diligence when deciding to move forward with a project, capital expenditure, investment strategy, or another business process, as Peltier (2010) points out. Risk analysis looks at the issues that come into play when determining whether a project should be permitted to move forward. The risk analysis examines existing influences such as capital expense, improvement outlays, and enduring costs such as operations and maintenance. The risk analysis also addresses intangible impacts, such as customer confidence or regulatory compliance.
On completion of the risk analysis, as Peltier (2010) points out, the results are presented to a management oversight committee that is required to review new project requests and deliberate over whether the request moves forward or not. If a request gets approval, then the project is registered, and the risk assessment is put on the schedule to be worked on during the start of the design phase of the system development life cycle (SDLC). The oversight committee's decision is recorded and retained for a set period of time. The organization can then refer to these decisions when questions arise over time as to why a request was or was not permitted, as described by Peltier (2010).
Security Risk Assessment
An information security risk assessment, as described by Talabis & Martin (2013), includes recognizing and gauging risks to the confidentiality, integrity, and availability of information systems and resources. This process should be a fundamental requirement for any security program in any organization.
There are many different security risk assessment frameworks. The common generic components, as described by Talabis & Martin (2013), are identifying threats, vulnerabilities, and assets, then determining the impact of these components, and, once the impact has been reviewed, identifying the probability or likelihood that a threat has the ability to exploit a vulnerability of an asset.
Identifying threats focuses on information security threats. Threats could come from events, actions, sources and even inactions. Some frameworks depict a threat as including both the threat source and the threat action, as Talabis & Martin (2013) point out. The main objective is to identify all possible threats to each asset identified. The next step is to revisit the threats identified and look for vulnerabilities. Identifying the existence of a vulnerability contributes to calculating the probability of risk. If a vulnerability identified on an asset can be exploited by a threat, then there is automatically an increase in risk to that asset. Another component of the security risk framework is asset identification. Before the assessment can be conducted, all critical assets in the organization that have an impact on the confidentiality, integrity or availability of the organization's information resources must be identified. The next component of a security risk assessment framework is the impact assessment. The assessment's objective is to produce or measure the impact so that risk ratings can be produced for the assets. The risk assessment is normally a qualitative or quantitative risk assessment, as discussed by Talabis & Martin (2013). Once the impact is determined and a risk rating for the assets is complete, the last component is to determine the chance that a threat would exploit the vulnerability to disturb the asset.
Risk Assessment Versus Risk Analysis
Many do not identify or understand the difference between risk assessment and risk analysis, but, as Freund & Jones (2015) identify, differences do exist.
A risk assessment assists the organization in identifying what the threats are and, as Peltier (2010) discusses, which threats pose the highest risk to the organization. By identifying the organization's areas of highest risk, the organization can concentrate on addressing those areas. An organization's resources are limited, and the risk identification process allows the management team to deploy resources where they can be most beneficial. The goal of a risk assessment, as Peltier (2010) points out, is not to eliminate all risk but to reduce risk to an acceptable level.
The ultimate value of conducting a risk analysis in the organization is to find out if it is practical to carry on with a new project. Risk analysis permits the management team to examine existing tangible and intangible issues and then decide if moving forward with a project makes sound business sense.
Data Types Analyzed
Administrative data can assist in risk analysis. Data gathered from human resources, an understanding of the organizational structure, information control, and system security are examples of administrative data to be reviewed and discussed.
Technical security threats to the organization exist and need to be included in the analysis of risk as described by Landoll (2016).
A security risk assessment can include the review of physical security devices; including these provisions, as described by Landoll (2016), gives a comprehensive view of the overall security posture of an organization.
Methods of Risk Analysis
Quantitative risk analysis, as described by Kim & Solomon (2014), attempts to describe risk in financial terms and put a dollar value on all the elements of risk.
Qualitative risk analysis, as described by Kim & Solomon (2014), defines a risk situation and then figures out what impact the event would have on the organization's operations.
Quasi-quantitative analysis, as described by Freund & Jones (2015), encompasses using a set of predefined quantitative ranges that have been labeled using qualitative terms and then leveraging a set of matrices based on the Factor Analysis of Information Risk (FAIR) framework.
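As an added illustration of the three methods above and of ranking by consequence so that limited funds go to the most important assets first (example code written for this page, not from any of the cited authors; the register entries and the band thresholds are constructed for illustration and are not FAIR's own tables):

```python
from dataclasses import dataclass

# Constructed sample risk register: each entry has the four parts of a risk
# described in this essay (event, asset, outcome as dollar impact, probability).
@dataclass
class Risk:
    asset: str
    event: str
    probability: float   # likelihood the event occurs in the assessment period (0..1)
    impact_usd: float    # loss if the event occurs

# Quasi-quantitative bands: predefined numeric ranges labelled with qualitative
# terms. Thresholds are assumed for this example, not taken from FAIR.
LOSS_BANDS = [(1_000_000, "Severe"), (100_000, "High"),
              (10_000, "Moderate"), (0, "Low")]
PROB_BANDS = [(0.5, "Likely"), (0.1, "Possible"), (0.0, "Unlikely")]

def band(value, bands):
    """Map a number to the first band (highest first) whose lower bound it meets."""
    for lower, label in bands:
        if value >= lower:
            return label
    return bands[-1][1]

def quantitative(r: Risk) -> float:
    """Quantitative method: expected annual loss in dollars."""
    return r.probability * r.impact_usd

def qualitative(r: Risk) -> tuple:
    """Qualitative / quasi-quantitative method: describe likelihood and impact in words."""
    return (band(r.probability, PROB_BANDS), band(r.impact_usd, LOSS_BANDS))

def rank_by_consequence(register: list) -> list:
    """Order risks by expected loss so countermeasure budget goes to the worst first."""
    return sorted(register, key=quantitative, reverse=True)

# Constructed register entries for illustration only.
REGISTER = [
    Risk("customer database", "data breach via unpatched web app", 0.2, 2_000_000),
    Risk("payroll server", "ransomware outage", 0.3, 500_000),
    Risk("lobby kiosk", "physical theft", 0.6, 5_000),
]

if __name__ == "__main__":
    for r in rank_by_consequence(REGISTER):
        print(f"{r.asset:18} {r.event:35} EAL=${quantitative(r):>10,.0f} {qualitative(r)}")
```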
Conclusion
Security risk analysis is a part of the information security assessment process. The discussions of critical thinking, the types of data analyzed and the methods used to complete risk analysis, which is a part of the security risk assessment, summarize why these areas are essential to producing a final security risk assessment.
References
Freund, J., & Jones, J. (2015). Measuring and managing information risk: A FAIR approach. Waltham, MA: Butterworth-Heinemann.
Kim, D., & Solomon, M. G. (2014). Fundamentals of information systems security (2nd ed.). Burlington, MA: Jones & Bartlett Learning.
Landoll, D. (2016). The security risk assessment handbook (2nd ed.). Boca Raton, FL: CRC Press.
Norman, T. L. (2016). Risk analysis and security countermeasure selection (2nd ed.). Boca Raton, FL: CRC Press.
Peltier, T. R. (2010). Information security risk analysis (3rd ed.). Boca Raton, FL: Auerbach Publications.
Purpura, P. P. (2008). Security and loss prevention: An introduction (5th ed.). Waltham, MA: Butterworth-Heinemann.
Raggad, B. (2010). Information security management: Concepts and practice. Boca Raton, FL: CRC Press.
Ross, R. S. (2012). Guide for conducting risk assessments (NIST Special Publication 800-30 Revision 1). National Institute of Standards and Technology.
Talabis, R. M., & Martin, J. L. (2013). Information security risk assessment toolkit: Practical assessments through data collection and data analysis. Waltham, MA: Syngress.