Risk Management in Security Systems Engineering Explained
Risk Management as a Critical Element of Security Systems Engineering
Explain how Risk Management is a critical element to the Security Systems engineering. Also disucss how Risk Management is a critical component to the Security Systems engineering. Why is Risk Management a critical element of Security Systems engineering.
Defining Risk in Security Systems
Risk Management is a critical component of Security Systems engineering. To understand risk management, let's understand what risks are, vulnerabilities and threats are in relation to security systems. The combination of a threat combined with a vulnerability best defines risk within the realm of security as described by Bejtlich (2004).
Security is the process of keeping an acceptable level of risk and revolves around lowering risk factors. Security involves risk, threats, and vulnerabilities around an organization's assets as Bejtlich (2004) points out. A simple formula for risk is where risk equals threat x vulnerability x asset value. An asset is anything of value, which in the security context could refer to information, hardware, intellectual property, prestige, and reputation. A threat is a party with the skills and goals to exploit a vulnerability in an asset. A vulnerability is a weakness in an asset that could lead to exploitation. The asset value is a measurement of the time and resources needed to replace an asset or restore it to its former state.
Risk Management and the Security Engineering Framework
The management of organizational risk is a crucial element in the organization's Information Security program and provides a framework for selecting the appropriate security controls for an information system as observed by The Federal Information Security Management Act (FISMA) as Jacobs (2016) points out. A risk-based management approach is promoted for selecting and specifying security controls and advocates considering a control's effectiveness, efficiency, and constraints due to laws, directives, policies, standards, and regulations as described by Jacobs (2016).
Prioritizing Security Risk Through Risk Management
Risk management is a critical element of security system engineering because it assists the security risk task prioritization allowing the business and the security team to rank the security risks based on the value of the assets, vulnerabilities that are currently circulating and known threats to the business, business units or team member(s). Once ranked in risk order the security system engineering team can come up with a mitigation plan, implement the plan.
References
Bejtlich, R. (2004). The Tao of Network Security Monitoring: Beyond Intrusion Detection. Addison-Wesley. ISBN 0-321-24677-2.
Jacobs, S. (2016). Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance (2nd ed.). Wiley. https://onlinelibrary.wiley.com/doi/book/10.1002/9781119104728
Posts in this series
- Information Security for Protecting Organizational Assets
- Understanding the Various Branches of Information Security
- Systems Engineering SIMILAR Methodology Example
- Systems Engineering and Information Security in the SDLC
- Risk Management in Security Systems Engineering Explained
- Personnel and Physical Security in Information Assurance
- Trust, CIA Triad, and Safeguards in Information Security
- Building an Information Assurance Plan with ISO 27002
- Information Assurance Capability Maturity Model Explained
- Six-Phase Information Assurance Risk Assessment Process
- Security System Design: Building Defensible Systems