Comparison and Contrast between a Security Threat Assessment and a Security Risk Assessment - Literature review Example

Security Threat and Risk Assessment Student’s Name Institution Affiliation Compare And Contrast Between A Security Threat Assessment And A Security Risk Assessment. Introduction For many people risk and threat are two similar concepts and are used interchangeably. This is not a correct assumption, and in the in the security industry, risk and threat do not mean the same thing; so what is the difference between risk and threat? Langham (2013 para. 2) notes that even among professionals, the risk is mistaken for threat and vice versa. Nonetheless, these two concepts cannot be mistaken for one another. There is a need to distinguish between risk and threat; hence, it is important to conduct at an extensive literature review on the topics. Literature review is a critical exercise because it is an opportunity to improve one’s knowledge on the topic (Brocke et al., 2009). The information gathered is helpful in identifying the differences between risks and threats. The similarities and differences between risk and security management is one of the topical areas covered in this paper. The objective of the discussion is to highlight the reasons for conducting a risk or security threat assessment. This is one of the approaches that was selected undertaken to better understand why a risk is not similar to a threat. The last section explores how the risk and security threat assessment inform decision-making. Security experts and risk analysts constantly have to make decisions with respect to a perceived threat or risk. Such a critical function cannot be performed without the correct know how and skills. The right Intel, assumptions and factors must inform decisions. Therefore, the objective of this section will be to explore how the different assessment tests, models and frameworks contribute to the final decision. Literature Review The impact of threats and risks on organisations has made risk and security management a multi-disciplinary subject. Ahlan and Arshad (2014) suggest that this subject can be applied to every field. Moteff (2005) points out that risk and threat management has become an important aspect of business and government activities. Over time, governments and organisations have developed comprehensive management processes to help them mitigate losses or avoid damages. A descriptive research by Ophoff et al. (2014) reveals that the businesses faces multiple information threats and traditionally most information system experts focussed more on internal threats rather than insider threats. According to Summer (2009), it is important to manage both risks and threats due to its criticality and cost implications. In most of the literature reviewed, it appears that there is unanimous admission that because risk and threat are used interchangeably, most companies and individuals seem not to distinguish the two. According to the Threat Analysis Group (2010, para 2), this confusion can be resolved if people understand the different definitions of terms as used in the industry. To begin with, a risk is a potential loss due to estimated, perceived or real threats (Williams, 2008). Borghesi, Gaudenzi and Borghesi (2013) define risk as an occurrence or activity that threatens to compromise assets while Li et al. (2011) note that a risk is the probability that an event or activity will negatively or positively influence an objective. On the other hand, a threat is any action or event that can exploit vulnerability (Cox, 2008). O’Toole (2006) defines a threat as the act or intention to cause harm to an object or individual. Vellani (2007) defines a threat as the motivation, intention or ability to attack or destroy assets. They also need to be realistic and credible. A credible or realistic threat must have the ability to compromise, destroy or damage an asset. Secondly, the adversary must have the skills, resources and the motivations to cause harm to an asset. Lastly, realistic and credible risks are likely to have occurred before, therefore, are likely to occur again (Langham, 2013). Assessing risks and threats have almost similar process. The Australian Standards (2009) ISO 31000, highlights a five step process for managing risk. Each section deals with a specific aspect of risk. For instance section one focuses on applications and definitions, while the second section deals with terms and definitions with respect to the identified risk. The third segment focuses on principles of risk management while the forth is concerned with risk management framework designs, accountability and implementation structures. The final segment is known as risk management process. It seeks to establish the main elements that would guarantee the process the highest chances of successful implementation. Managing threats takes on a similar approach except that it main focus is on the extent of vulnerability. Broader (2006) notes that managing threats involves taking a look at both human and non human factors. The process involves analysing every element that has the ability to make an asset vulnerable. For instance, hackers are human factors with the potential to make an asset vulnerable. On the other hand, viruses are non human factors that pose a risk to information systems assets. Vulnerabilities are always linked to potential threats (McEntire, Crocker, & Peters, 2010). Therefore, they must be graded to reflect their severity. The extent to which vulnerability becomes a threat is determined by factors such as the motivation, and capacity to cause damage or interrupt activity. Comparing Security Threat Assessment and Risk Assessment Security threat assessments are conducted to determine the extent to which vulnerability can lead to damage or loss of an asset (Vellani, 2007). O’Toole notes that threat assessments are founded on two important principles; the primary one being inequality. This principle acknowledges that threats and the person causing the threat are not equal. The second principle is based on likelihood. It recognises that threateners do not always execute their threats. Nevertheless, they should not be ignored instead all threats must be taken given the attention and priority they deserve that why it is important to conduct an assessment. Secondly, security assessments are conducted in order to identify a specific threat or threats. As a mentioned earlier, not all threats materialize. Therefore, companies and governments must be able to identify specific adversaries who are most likely to cause harm. In most instances, after going through the process it turns out that the perceived threat is no longer significant. Thirdly, assessments are conducted in order to classify the threats. For example, a threat can be classified as a direct threat if it targets a specific person or object, and is delivered in a straight and non-obstructive manner (O’ Toole, 2006). An indirect threat is unclear. Jackson and Frelinger (2009) point out that such threat are planned and usually masked in order to avoid detection. Threats can also be implied using verbal and non verbal cues. Such threats are known as veiled threats. Lastly, there are conditional threats. This type is normally witnessed in extortion or manipulative cases. The threatener usually warns the individual or organisation of a violent act if their demands are not fulfilled (Burgess et al., 2013). Classification of threats is a crucial process because it enables an expert to determine the level of risks posed. For example, if the threat is ambiguous, inconsistent and is not specific, then it is a low level of threat. Talbot and Jakeman (2009) note that, medium level threats tend to be direct and well defined. However, they do not show any indication that the individual has taken any preparatory steps to initiate the act. Sometimes they appear unrealistic. If a threat appears realistic and has a high probability of posing danger then it is classified as high level threats. This type of threats is specific, direct and demonstrates preparatory actions. On the other hand, risk assessment is conducted in order to identify sources and events that are likely to cause a potential loss or damage. Standards Australia (2009) recognises that security risk management is an activity that gives experts an opportunity to examine and analyse how security threats interact at different institutional and individual levels. The purpose of the exercise is to get insight on how different risk factors influence each other and contribute to the outcomes. Smith and Brook (2013) point out that in order to determine how the critically of an action or issue then a risk assessment needs to be conducted. The exercise helps security experts distinguish between critical and non-critical items. It is important to do so because wrong decisions can easily be made if the criticality of an issue or threat is wrongly accessed. Additionally, risk assessment is conducted in order to determine the level of exposure to vulnerability. Ezell et al. (2010) states that whereas vulnerability highlights susceptibility, risk assessment focuses on the consequences of the outcome of the act. Hence, unlike threat assessment whose focus is the process, risk assessment looks at both processes and outcome. Assessment Risk and threats are assessed difference; hence, different formulas are applied. To calculate threat the following formula is applied Threat= intention + resources + capability (Vellani, 2007). The process is divided into three steps the first being threat identification. During this stage, security experts focus on finding out potential adversaries. They also study their characteristics. This activity relies on experiences or occurrences to determine the future ones. The process also involves quantifying threats. Quantitative analysis enables experts present a detailed analysis, as well as identify trends and similarities, which help to establish common grounds (Vose, 2008). In addition, qualitative analysis can be applied because they are easy to understand, cheap and provides a general overview of risks. The second step is known as asset classification. Its objective is to find out potential targets and determine the critically of the threat. Normally experts attempt to find out what assets have been targeted before, why they were targeted and when. They also request for information that will help them find out how the asset was compromised as well as a report of implemented remedial security measures. This information is normally easily available in organisations that are security conscious (Umeh & British Information Society, 2007). The final step is known as critical or consequence analysis. The security expert assesses the effects of an incidence. The objective of this exercise is to find what the adversaries motivations, intentions and capability. In addition, it helps to establish the likelihood of a similar incidence occurring. Two types of assessments can be conducted: qualitative and quantitative assessments. Qualitative assessments refer to assessments that analyse the threats characteristic ain order to come up with a conclusion (Peltier, 2005). This assessment depends on the level of skill of the evaluator. On the other hand, quantitative assessment depends on the conclusions derived from statistical information and calculation that factor in various probabilities. It is complicated and relies on too many assumptions. Risk assessment also involves three steps: identification, analysis and evaluation (Fisher et al., 2013). The objective of the risk identification is to gain greater insight on how risks and threats interact. This activity is crucial because it helps one to understand the internal and external factors that place an asset at risk. Once all potential risks are identified the analysis process begins. During this stage, experts begin to study the interrelationships between different factors. The exercise helps establish whether the factors have linear or non-linear relationships. Such analyses are derived from mathematical calculations on probability, and central tendencies. A graphical representation of such information is what results in either liner or non-linear relationships. Finally, the evaluation process helps to categorise different potential threats depending on the analytical information gathered from the previous stage. Another aspect that distinguishes threat and risk assessment is risk modelling. This activity is done only during risk assessments and it aims to predict the future using various diverse variables. This function is mostly computerised. However, Koller (2005) notes that the process is not a solution to the problems rather the technique is used to come up with solutions. Risk modelling can be performed for various situations; however, each model is designed to work best in a particular situation. According to Dernado (2002), it is important to select relevant data only when modelling. Additionally, he argues that no model can accurately represent the real world. Therefore, risk models should be kept simple. Lastly, models should never be used to replace reality. Therefore, risk analysts should always remember that they are a tool, which supplies the probable answer and not the reality. How Threat and Risk Assessments Inform Decisions The overall objective of any assessment is to facilitate an outcome. The same principle applies to both threat and risk assessment. These activities are conducted in order to assist organisations and individuals to make an informed decision. The activity promotes cost- benefit analysis as well as informs compliance analysis. Risk assessments help to reduce or mitigate risks. After going through the entire process, decision makers are in a better position to identity alternative course of action that can lead to reducing the impact or effects of the threats on to the assets. For instance, after a risk analysis, the it manager can decide to introduce stringent information security policies to reduce the probability of information loss through negligence or system instruction It also can enables experts completely avert a risk. Avoiding risks reduces opportunities for vulnerability. An assessment report can provide a list of activities that can be undertaken to avoid or eliminate a certain risk. For instance, an organisation can introduce additional security features to do avoid fraud during cashless transactions. The report provides insights on how organisations can transfer risk to a third party. After assessing potential outcomes, the report may recommend that a company explore securer alternatives. For instance, an online payment platform may chose to appoint a financial institution to handle all its financial transactions. Sometimes businesses are forced to redistribute their risk in order to minimise on chances of exposure. Upon undertaking a risk assessment, IT manager can decide to back up data in more than one secure location. The identification process helps organisations and individuals accept t risks when there is no other option. The process helps people understand their vulnerabilities and the manner to handle them when an incidence comes up. Dworken (2008) notes that threat assessment is conducted in order to establish the likelihood that an individual or organisation will face the anticipated harm. The activity helps managers decide on the specific security measures that can be adopted to protect the asset. For instance, after conducting a security threat assessment, the decision makers may decide to take specific actions to avert an incidence from occurring. The Bayes theory model applies independent probabilities to come up with statistical information that supports particular findings. This model shapes the decision-making process and influences perceptions. These models mitigate uncertainty and provide some form of factual backing to decisions. According to Workman, Bommer, and Straub (2008), security assessment reports enables organisation to take responsibility for welfare of their data and information. The information contained in the reports assist managers to develop structures or policies that reduce the number of vulnerabilities facing the organisation. Security assessment reports help organisations operate in a more cost effective manner. According to Landol (2006), this activity helps to identify gaps that could potentially hurt the organisation. It also helps manager avoid omission bias. In most cases, omission bias is a result of inaction due to perceived increase on responsibilities. Conducting a threat assessment reduces the probability of omission bias; hence, the final decision is not affected by unfounded fears or selective omission. The decision-making process is not as straight forward as demonstrated in models. The process is influence by both internal and external factors. Conducting a security assessment is one of the ways of ensuring that objectivity is maintained throughout the process. Hence, the final decision is not affected by personal factors such as attitudes and perceptions. In addition, the process validates the final decision. The findings in the reports not only justifies a specific action but also provides the person in charge with enough information to defend his or her actions should the need arise. The assessment reports also influences resource allocation. For instance, if organizations defies that its current information infrastructure is vulnerable to both human and non-human risk factors then it is likely that the department will be granted a bigger budget in order to address the concerns. The same concept also applies to the national security. If the security assessment report identifies potential risks to the people, then the government will dedicate some financial and human resources to the problem until it is resolved or the risk reduced. Conclusion Risk and threat management has become an essential part of government and business activities. Although the two terms can be used interchangeably, they do not mean the same thing. Security conscious organisations recognise the difference between the two aspects; hence, they have implemented policies and set up structures that mitigate the risks or threats. Risk assessments involve identification, analysis, and evaluation of potential risk factors. The three-stage process aims to establish how different factors interrelate to produce the outcome. The information gathered during the process enables the experts to classify risks and determine the probability of materialising. Threat assessment is performed in order to determine the vulnerabilities. The process involves both quantitative and qualitative analysis of potential risk factors. A detailed analysis enables experts to determine trends and predict the possible outcomes. Both activities influence the final decisions. The reports determine what actions to be taken. Based on the findings, managers or other decision makers are in better position to make informed decisions. In addition, the reports can be used to request extra budgetary funding in order to secure the organisation. Finally, from the literature review, it is evident that more research needs to be done to establish the significance of risk and threat assessment. Currently, there is still confusion on the two concepts and it is through extensive research and access to information that this matter can be resolve. Understanding how each concept works and its significance will reduce cases of misunderstandings. It will also contribute to the growth of related disciplines and sectors. References Ahlan, A. R., & Arshad, Y. (2014). Information Technology Risk Management: The case of the International Islamic University Malaysia. Journal Of Research And Innovation In Information System, 6(2), 58-66. Australian Standards. (2009). Australian Standard ISO31000:2006 Risk Management. Sydney: Author Borghesi, A., Gaudenzi, B., & Borghesi, A. (2013). Risk management: How to assess, transfer and communicate critical risks. Milan: Springer. Brocke, J. V., Simons, A., Niehaves, B., Niehaves, B., Reimer, K., Plattfaut, R., & Cleven, A. (2009). Reconstructing the giant: on the importance of rigour in documenting the literature search process. Retrieved from http://my.uni.li/i3v/publikationen/00065700/04046767.PDF Broder, James F. (2006). Risk analysis and the security survey. Amsterdam: Butterworth- Heinemann. Burgess, A. G., Ressler, R. K., Douglas, J., & Burgess, A. W. (2013). Crime classification manual: A standard system for investigating and classifying violent crime. Hoboken, N.J: Wiley. Cox Jr, L. A. T. (2008). Some limitations of “Risk= Threat× Vulnerability× Consequence” for risk analysis of terrorist attacks. Risk Analysis, 28(6), 1749-1761 Denardo, E.V. (2002). The science of decision making: A problem based approach using Excel. John Wiley & Sons, Inc. Dworken, J. T. (2008). Threat assessment training module for NGOs operating in conflict zones and high-crime areas. Office of Foreign Disaster Assistance/InterAction PVO Security Task Force. Np. Ezell, B. C., Bennett, S. P., Von Winterfeldt, D., Sokolowski, J., & Collins, A. J. (2010). Probabilistic risk analysis and terrorism risk. Risk Analysis, 30(4), 575-589. Fischer, R. J., Halibozek, E. P., & Walters, D. (2013). Introduction to security. Waltham, MA: Butterworth-Heinemann. Jackson, B. A., & Frelinger, D. (2009). Emerging threats and security planning: How should we decide what hypothetical threats to worry about? Santa Monica, CA: RAND. Koller, G. R. (2005). Risk assessment and decision making in business and industry: A practical guide. Boca Raton, FL: Chapman & Hall/CRC. Landoll, D. J. (2006). The security risk assessment handbook: A complete guide for performing security risk assessments. Boca Raton, FL: Auerbach Publications. Langham, G. (2013, February 20). Threat v's Risk. Retrieved from http://intelmsl.com/insights/other/threat-vs-risk/ Li, Z., Ma, Y., Wang, L., Lei, J., & Ma, J. (2011). A novel real-time aggregation method on network security events. Kybernetes, 40(5), 912-920. McEntire, D., Crocker, C. G., & Peters, E. (2010). Addressing vulnerability through an integrated approach. International Journal of Disaster Resilience in the Built Environment, 1(1), 50-64. Moteff, John D. (2005). Risk management and critical infrastructure protection: Assessing, integrating, and managing threats, vulnerabilities and consequences. Washington, D.C.: Congressional Research Service, Library of Congress. Ophoff, J., Jensen, A., Sanderson-Smith, J., Porter, M., & Johnston, K. A Descriptive Literature Review and Classification of Insider Threat Research. Proceedings of Informing Science & IT Education Conference (InSITE) 2014 O'Toole, M. E., & National Center for the Analysis of Violent Crime (U.S.). (2006). The school shooter: A threat assessment perspective. Quantico, Va: FBI Academy. Peltier, T. R. (2005). Information security risk analysis. Boca Raton: Auerbach Publications. Smith, C. L., & Brooks, D. J. (2013). Security Science: The Theory and Practice of Security. Waltham, MA: Elsevier. Sumner, M. (2009). Information security threats: a comparative analysis of impact, probability, and preparedness. Information Systems Management, 26(1), 2-12. Talbot, J., & Jakeman, M. (2009). Security risk management: Body of knowledge. 2 ed. Hoboken, New Jersey: John Wiley & Sons, Inc. Threat Analysis Group, LLC. (2010, May 3). Threat, vulnerability, risk - commonly mixed up terms | Threat Analysis Group, LLC. Retrieved from http://www.threatanalysis.com/blog/?p=43 Umeh, J. C., & British Computer Society. (2007). The world beyond digital rights management. Swindon: British Computer Society. Vellani, K. H. (2007). Strategic security management: A risk assessment guide for decision makers. Burlington, MA: Butterworth-Heinemann. Vose, D. (2008). Risk analysis: a quantitative guide. John Wiley & Sons. Williams, M. J. (2008). NATO, Security and Risk Management: From Kosovo to Khandahar Contemporary Security Studies. New York: Routlegde. Workman, M., Bommer, W. H., & Straub, D. (2008). Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24(6), 2799-2816. Read More