Similarities and Differences between Security Risk Management - Coursework Example

Running head: Similarities and differences between security risk management and security threat security Student’s name Institution Course Professor Date TABLE OF CONTENTS Introduction 3 Similarities 6 Differences 8 Conclusion 11 References 13 Introduction Various organizations of varied sizes and types are normally faced with both internal and external influences which can make them uncertain whether they will be able to meet the set goals and objectives. With the changing market environment, most firms and business organizations are deemed to develop an effective management system that will be able to identify both current and future potential business risks and threats. Therefore adequate and informed decisions can be made at ease in the organization where goals, missions and objective of the business are adequately achieved (Volten and Tashev, 2007). Most organizations are striving to improve their business to keep head of the competition and generate revenue. The management decisions made will include the allocation of security staff and the dissemination of warnings to the workforce and the general public. The objective of security in society has evolved to accommodate a myriad of disciplines thus gave rise to challenges in defining a modern concept of security. Security has embraced the principles and application of risk management for instance, a probabilistic risk approach to measure risk and aid decision making (Talbot & Jakeman, 2008). Garlick, (2007) argued that such an approach has been supported since it is able to produce rational, objective and informed options from which decisions can be made. Careful study of risks and threats in an organization constitute significant assessments of both the threats and risks which leads to an effective and efficient risk and threat management systems (Sutton, 2010). However, objectives of security risk and threat assessment do vary from one organization to the other; this is because of contextual differences and potential and expected risks identified (Talbot and Jakesman, 2009). It is essential for security managers to have a definition of security in order to know what their duties are and able to integrate activities with the main objectives of the organizations. Assets must be safeguarded according to the baseline security requirements and continuous risk management. Security is considered as a precondition for the possibility of living a good life in an open society. According to Giovanni Manunta, (1999), security is termed as a function of the interaction of many components, above all the protector, who performs all the security process. It protects any assets as oppose to threats from unacceptable change within a defined situations. Security is defined, where in a given situation (Si) the security of an asset (A) is a function of the threat (T) to that asset which its protector (P) perceives and the actions taken to mitigate the threat. S = f (A, P, T ) (Si) (Manunta,1999) Where A = Asset P = Protection T = Threat (Si) = Situation Insecurity is the result of a complex process which there is a rational aspect oriented to take costs and benefits into consideration. Furthermore, it is utility based, defensive and multidimensional phenomenon that is connected with intelligence, protection, surveillance, vetting and investigation. Security has embraced the principles and application of risk management. It incorporates specific security risks concepts such as threat, vulnerability and criticality (Bellany, 2008). For example the probabilistic approach measures risk and also assist in yielding rational, objective and informed options from which decision making process is made. While identification and management of opportunities and threats is a success condition for any security risk management team in an organization. Risk management involves three processes such as risk assessment, risk mitigation and reassessment of the residual risk. Security risk management is deemed to be different from other forms since other forms lacked the key concepts required for effective design, application and mitigation of identified security risk. The cornerstone of security risk management is to provide robust and informed mitigation measures in the protection of people, information and the assets; however, the generic risk management lacks the distinct security risk management concepts such as threat, criticality and vulnerability (Wheeler, 2011). The security risk management concept is employed by systems architects and planners, security and I.T auditors, business analysts and decision makers, consultants and partners. Security risks management ensures that the organizational resources are protected from threats; either physical, human, internal or external. Management risk of the security information assumes a vital role in the organizational risk management. It affirms the protection of the organization’s people, information and assets from the threatening attacks that can impact the business activity (Wheeler, 2011). Definition of terms Asset – Anything with value and in need of protection Threat – An action or potential action with the propensity to cause damage Vulnerability – A condition of weakness that creates an opportunity for exploitation by threats. It may include; weak policies and procedures, weak countermeasures Countermeasure - Any device or action with the ability to reduce vulnerability. Expected loss – The anticipated negative consequence to assets due to threat manifestation Impact – Losses as a result of threat activity. Similarities and differences between the security risk assessment and a security threat assessment According to the IIA, risk can be defined as the possibility that an event will occur which will impact the achievement of objectives of an organization. For instance, it is a combination of the probability of an event and its related consequences. The use of risk management approach is able to identify, assess and control the potential events. It is expressed in terms of mathematical probability and frequency. For instance; R = PA [1-(PI)] C Where R = Risk PA= Likelihood (threat) of an adversary attack measured between 0-1.0 I=Vulnerability; the highest the effectiveness can be Pi=Probability of interruption measured between 0-1.0 C= Consequences (Criticality) value measured between 0-1.0 Similarities Security risk assessment and security threat assessment provide a basis for establishment and management of effective and efficient security systems. They both represent initial stage during the process of estimating and establishing threats, risks and impacts that are associated with vulnerabilities (Fischer & Green, 2003). Furthermore, they are fundamental in finding solutions to specific questions regarding the assets, identifies the threats and vulnerabilities, evaluate the implications of the occurrence of the threats and also establish strategies and mechanisms that will adequately minimize exposure to the threats and vulnerabilities identified. Consequently, in risk assessment and threat assessment, a thorough and accurate planning is undertaken first. The planning stage provides the foundations of which all ensuing work will be constructed, establishes the analysis team and the purpose of the assessment, determines the scope of the assessment, identifies and values the fundamental assets for example people, information, firms’ products, processes and property (Bellamy, 2008). Moreover, risk and threat assessments are not a means to an end but a continuous process that is reviewed regularly so that protection mechanisms currently in place meet the set objectives. Indeed, they help to obtain a solid understanding of the various challenges being faced by the organization. In both assessments, the results generated will help to identify and develop appropriate security measures and protections leading to a secure security frameworks (Wheeler, 2011). The features of secure security framework include the following; establishment of technical measures and programs, delegation of security duties to qualified personnel and development and maintenance of security policies and strategies. Alternatively these developed security policies and strategies in both processes undergo a constant monitoring and evaluation to ensure that they are functioning efficiently and effectively, (Fischer & Green, 2003). Furthermore, through security threat assessment and security risk assessment process, they allow the establishment of security position of the security measures by identification of threats and indication of both level of exposure and the vulnerable points. Indeed, the two processes are fundamental to efficient and effective risk management (Bennett, 2007). Establishments of potential connections between vulnerabilities and associated threats will offer comparable benefits to concentrate on the most significant risks. For example, those arising from a more serious threat interact with the most severe vulnerabilities to expose assets of greatest value. The determination of vulnerability levels that are based on the impact on the probability inadequacies related to prevention measures and the severity of the outcome is fundamental to the security threat assessment and security risk assessment. There are new laws and mandates that influence the requirement and scope of security risk assessment and security threat assessment in any organization because they ensure that proper security controls, procedures and guidelines are in place. The actual cost of the safeguards can be easily minimized since security threat assessment and security risk assessment consider threats, vulnerabilities and asset values thus avoidance of extreme recommendations. Moreover, they form fundamental components and processes in the risk management cycle by aiding in identification of both risks and threats and implementation of policies and controls in the affected organization or a firm. A formal security threat and risk assessments are a viable alternative application of the security standards. However, both assessments do possess strengths and weaknesses that arose from their implementation costs, relative complexity, accuracy and availability in different circumstances. Nonetheless, security threat and risk assessments suffer a major shortcoming for example; the effort of collecting enough data for a comprehensive report can be costly especially for complex scenarios. There are important factors to be taken into consideration during the assessment of security risk and threat. They include; cost and time constraints, the duration of the project, the complexity of the facility or system, the availability of suitable standards and security professionals and current and anticipated risk environment (Wheeler, 2011). Risk and threat assessment in relation to security allows an organization to understand the roles, responsibilities and accountabilities for the security professionals in an organization. For instance, most organizations must be information security conscious so that they can develop and implement proper security controls based on the results of internal risk and vulnerability assessments (Aven, 2008).With accurate assessment an organization can unearth known weaknesses and vulnerabilities in its existing system, prioritize the consequences of the vulnerabilities based on the value and importance of the data and then implement the proper security control and security countermeasures to mitigate the identified weaknesses. Differences Careful understanding of security threat assessment and security risk assessment allows the set objectives of risk management to be achieved within the available scarce resources in terms of time, space and time (Talbot & Jakeman, 2008). Security risk assessment can be defined as process of evaluating security risks and is related to the use of information technology. It is an essential prerequisite to the effective management of any risks. Undesirable event that can affect assets, operations and persons are identified. Assessment of the risk in terms of likelihood and impact is made. When these risks are prioritized, considerable strategies and measures that will reduce the likelihood and impact of the undesirable events (Bellany, 2008). Assessment of the security risk is the initial step to evaluate and identify risks and impacts that are associated with vulnerabilities. It provides a foundation for the management team of any organization to establish a cost effective security program to be utilized (Dhillon, 2007). Thus allows security policy implementation to be prioritized so that the most immediate challenges can be solved quickly. Utilization of analytical methods in this assessment guarantees establishment, review and recording of risks which the security system is exposed to and suitable control measures to offset the identified risks (Turner & Gelles, 2003). Assessment of risks can be expressed either qualitatively or quantitatively. It identifies risk in relation to percentages and by describing it as being low, medium and high. The fundamental areas in a risk assessment are; the scope, data collection, analysis of policies and procedures, threat analysis, vulnerability analysis and correlation and assessment of risk acceptability. According to the assessment results, a suitable security protection and safeguards ought to be implemented to uphold a secure protection framework (Wheeler, 2001). The level of vulnerabilities of the assets is determined by identifying and evaluating the effect of in-place countermeasures. Detailed information about the asset such as how the asset is used, data sensitivity levels, and mission criticality are used to determine the significance of the asset’s vulnerabilities. Thereafter, the negative impact to the asset is estimated by examining several combinations of threats and vulnerability areas. Indeed, security risk assessment provides the management with tangible information so as to make informed decisions concerning information security (Turner & Gelles, 2003). It identifies the existing security controls, calculates vulnerabilities and evaluates the consequences of threats on every area of vulnerability. Consequently, the analysis attempts to strike an economic balance between the effects of risks and the costs of security solutions intended to manage them. While conducting security risk assessment it is fundamental to define what the goals and objectives are for the assessment and what the organization would like to achieved at the end of the assessment process (Aven, 2008). Security threat assessment is a valuable and insightful opportunity to evaluate the effectiveness of the current security infrastructure. It is carried out to determine the best approaches to securing a system against any threat or a class of threat (Biringer, 2007). The analysis helps a firm or business organization to develop specific security policies to implement in line with policy priorities and understand the specific implementation for securing the organization’s resources. Alternatively, assessments of threats identified in security threat assessment are expressed in terms of adversaries and development of appropriate judgments on goals and capabilities (Wheeler, 2001). Methodical analysis is employed in security threat assessment and it assesses a threat by establishing exposure and vulnerability of an asset, level of probability as to when and where the threat can occur and the consequence the harm, loss or damage of an asset on the organization (Dempster,2002). Threat assessment identifies the possibility of adverse consequences and responses to apply to the threat that depends on probability and impact. It deals on reducing the prospective losses by taking great emphasis on each identified event and wise judgment about capabilities and intent as appropriate (Bennett, 2007). Alternatively risk assessment deals on maximization of returns as it measure the probability or frequency of foreseeable loss event profiles. However, it does not address vulnerability, threats or potential impacts to the organization (Turner & Gelles, 2003). Security risk assessment focuses more on analyzing the potential and tendency of one’s resources to fall prey to various attacks where as the threat assessments focus more on analyzing the attackers’ resources. Careful assessment of security threat will guarantee the security risk assessment to be carried out thus resulting to development and implementation of effective and efficient risk management systems and mechanisms (Turner & Gelles, 2003). The recommendation made from security risk assessment will make the identified vulnerability being rectified, actions plans and operating procedures that provide proper safeguard against any damage or harm to be developed. Dhillon, (2007) enumerated security operating systems and components that were assessed during security threat assessment and security risk assessment. They included; physical and environmental security, security systems structures, security policies, access control, key asset management and many others. Conclusion Security risk assessment and security threat assessment are correlated. Thus they form fundamental component and processes in the risk management cycle. Moreover, they are involved in establishing cost effective plan of actions to manage both threats and risks effectively. Careful risk and threat assessment allows implementation of any supplementary safeguards that will reduce the risk to an acceptable level. The outcome of both assessments provides recommendations that maximize the protection of confidentiality, integrity and availability while providing usability and functionality. Establishments of potential connections between vulnerabilities and associated threats will offer comparable benefits to concentrate on the most significant risks. The efficient execution of risk management enables total risks to be minimized economically. For example the extent to respond quickly and effectively discover vulnerabilities and active attacks reduces the probability that organization activities are destroyed or damaged. The security plan frames a security approach that defines the strategies to be employed to control the risks. Furthermore, an organization must align its goals and objectives with the business drivers so as to prioritize and place great emphasis on critical systems and assets first. References ASIS International. (2009). Security body of knowledge: substantive considerations. ASIS international Academic/Practitioner symposium 2009, ASIS International Aven, T. (2008). Risk analysis: Assessing uncertainties beyond expected values and probabilities. West Sussex: John Wiley & Sons Inc Beard, B., & Brooks, D. J. (2006). Security risk assessment: Group approach to a consensual outcome. Proceeding of the 7th Australian information Warfare and Security Conference, 5-8 Bellamy, A.J. (2008). Security and the war on terror. New York: Taylor & Francis. Bennett, B. T. (2007). Understanding, Assessing, and Responding to Terrorism: Protecting Critical Infrastructure and Personnel. New York: John Wiley and Sons. Brooks, D .J. (2011). Security risk management: A psychometric map of expert knowledge. International Journal of Risk Management, 13(1/2), 17-41. Brooks, D.J. (2009). What is security: Definition through knowledge categorization. Security Journal, DOI, 18, 1-15 Dhillon, G. (2007). Principles of information systems security: text and cases. NY: John Wiley & sons. Fischer, R. J. & Green, G. (2004). Introduction to security. (7th ed). Boston: Butterworth Heinemann. Garlick, A. (2007). Estimating risk: A management approach. Aldershot: Gower Publishing Company Manunta, G. (1999). What is security? Security Journal, 12(3), 57-66 Manunta, G. (2002). Risk and Security: Are they compatible concepts? Security Journal, 15 (2), 43-55 Talbot, J., & Jakeman, M. (2008). SRMBOK: Security risk management body of knowledge. Carlton South: Risk Management Institution of Australasia Ltd. Turner, J. T., & Gelles. M. G. (2003). Threat assessment: a risk management approach. Upper River Saddle: Routledge. Volten, P. & Tashev, B. (2007). Establishing security and stability in the wider Black Sea area: international politics and the new and emerging democracies. London: IOS Press. Wheeler, E. (2011). Security Risk management: Building an Information Security Risk Management Program from the Ground Up. Sidney: Elsevier Read More