Security Threat and Security Risk Assessments - Essay Example

Name: Institution: Course: Tutor: Security threat and Security Risk Assessments Introduction Assessment of threat and risk is a fundamental strategy for the management of security organizations. Almost all security organizations need some objective assessment of threats and risks as security controls must be selected centered on actual risks to the assets of the organization (Sandia, 2012). Selecting security controls without a systematic assessment of threats and risks can lead to ineffective employment of security controls, wastage of resources and making the organization susceptible to unanticipated threats (Broder, 2006). Hence, assessment of threats and risks helps security organizations to realize business risk to vital information and assets quantitatively as well as qualitatively. They provide the tools essential to make corporate decisions as regards investment in technology, processes and people to bring threat to acceptable level (Norman, 2010). This paper will present the similarities and differences between risk assessment and threat assessment. Threat can be defined as an event that might occur and destroy or harm an asset. Threats can be man-made or natural. Examples of natural threats include floods, fire, lightning strikes, viruses, electrical, heat control, plumbing and dust. Examples of man-made threats include hackers, theft, accidental, non-technical staff, backup operators, and inadequate trained IT personnel. When a threat is man-made, it is critical to find out what are their capabilities and intentions. Threat assessment tends to look across the continuum facing an organization (Department of Homeland Security, 2008). On the other hand, risk is the frequency or probability of a particular event. Risk assessment attempts to provide a quantitative analysis of the likelihood of an event arising (ISO, 2007). From this definition, it is clear that threat and risk are not interchangeable words. Generally, it is not possible to control threats. For example, one cannot prevent a hurricane, stop the determinations of an international radical group or prevent a tsunami. On the other hand, risk may be mitigated. It can be controlled either to reduce vulnerability or the effect on the organization. It is important for security organizations to maintain a thorough summary and understanding of threat and risk (ASIS, 2008). Both threat and risk assessment requires organizations to identify an asset as the item of the assessment. Basically, assets may be systems, information, people, processes or applications. The team involved in the assessment of either the threat or risk must clearly define the asset’s scope, business owner, security controls and the individuals in charge of the technology. The asset describes the assessment’s scope while the custodians and owners define the assessment team members (Norman, 2010). Determining the scope of the assessment helps analysist know what requires to be covered, to what detail and level and its sensitivity. Moreover, the scope identifies what applications and systems need to be incorporated in the assessment. When determining the scope of the assessment it is imperative to take into account the envisioned audience of the ultimate recommendation, such as certifying authority, IT department and senior management. The scope must show the standpoint from which the assessment will take place that is if it is from an external or internal perspective or both (Bernard, 2003). Effective assessment of threat and risk requires collection of data. It requires collecting all existing procedures and policies and finding out those that are undocumented or missing. Interviews with the necessary staff may be carried out using surveys or questionnaires to help in identifying assets and outdated or missing documentation. The analysis of the current procedures and policies is conducted to measure the compliance level in the organization. It is critical to find out the portions which cannot be in compliance. Assessment of threat and risk helps professional assessors to suggest additional structural security procedures to be integrated into the organization when they find the probability of the threat or risk occurring to be high (ASIS, 2007). Threat assessment and risk assessment are continuously carried out. Organizations tend to grow and change over time just as the environment they operate within. The effects of technology develop day-to-day. For instance, a prison yard includes manifold layers of security, such as lighting systems, alarm systems, CCTV systems, fences, armed correction officers, structural reinforcements and lasers (Sandia, 2012). These security layers may have worked in combination to prevent threats four years ago, however, the similar technology employed in armed cruise armaments and aerial surveillance tools are cheap to buy and a user grade drone may quickly compromise completely the listed security elements of this prison structure. Smuggled goods may potentially be supplied in a secrecy way in the nighttime by an unmanned slightly piloted car to a chosen destination where a prisoner can retrieve it fruitfully in their time outdoor the next morning (Booz & Hamilton, 2005). Threat assessment entails identifying the several ways an asset can be compromised which might have an effect on the organization. Threats involve individuals exploiting susceptibilities or weaknesses unintentionally or intentionally which lead to a compromise. Typically, this process begins at the highest level, looking at common areas of interest and continuing to more detailed assessment (CPNI, 2010). The main aim is to identify the common combinations of perpetrators and ways which may result in the compromise of an asset. The goal of performing both the threat and risk assessment is to achieve good security by providing recommendations that capitalize on the protection of integrity, availability and confidentiality whereas still ensuring usability and functionality. Threat and risk assessment can be performed using either external or internal resources. The circumstances at the time determine whether the external or internal resources are to be used. Moreover, the assessment’s agency determines whether to use the internal or outside resources (Cavenne et al., 2007). After mapping a threat to an asset, the next important step is to find out its possible combinations. Every threat may be linked to certain vulnerability or even several vulnerabilities. A threat is not considered a risk to assets unless it can exploit vulnerability. Before carrying out a risk assessment, it is imperative to reduce the array of all likely combinations as some combinations might not be feasible (Booz & Hamilton, 2005). Thus, there exist an interrelationship between asset, threat and vulnerability which is significant to the assessment of security risks. It becomes possible to find out the impact and probability of security risks when the asset, threat and vulnerability are identified. Threat assessment attempt to understand the magnitude and dimensions of the business effect to the organization in case the asset was to be compromised. The magnitude of compromise is usually described as high, medium or low corresponding to the financial effect of the compromise while the dimensions of compromise are integrity, confidentiality and availability. The exercise of assessing the impact of asset damage or loss may help identify which assets must go through risk assessment (CPNI, 2010). Risks assessment entails estimating the degree of general damage that may occur due to the exploitation of a threat. Quantifiable elements of effect include cost, profits, revenues, regulations, service levels and reputation. Risk assessment also involves determining the degree of risk which may be accepted and unacceptable and finding how to deal with the unacceptable risk (Broder, 2006). Moreover, it entails determining when and what assets may be impacted by such risks. A risk is considered to be high when the impacts of a threat are considered to be severe. It is important to find out the circumstances that may influence the probability of a threat occurring. Usually, the number of accredited users increases the probability of a threat occurring. The probability may be expressed in relation to the frequency of happening, such as daily, monthly or yearly. A risk is considered to be high if the probability of the threat occurring is considered to be great. Hence, to be able to provide an overall estimated degree of risk, it is crucial to identify a threat, its impact and probability of occurrence (Department of Homeland Security, 2008). Threat assessment and risk assessment form the core of the information intelligence framework. They form the processes that create the rules of the security strategy whereas transforming the goal of an information intelligence framework into precise plans for implementation of strategic measures that decreases the threats and risks (ASIS, 2007). Every element of the technology must be analyzed for its threat and risk profile as it is from such assessment that a determination must be made to efficiently assign the time and money of an organization towards attaining the most suitable and best implemented overall security policies. The processes of carrying out such assessments may be very complex and must consider secondary and other impact of action when deciding the way to deal with security for the numerous IT resources (FSA, 2007). In conclusion, security threat and risk assessment are carried out to enable organizations to analyze, identify and adapt their overall security position and to empower security, operations, administrative management and other professional to work in partnership and view the whole organization from the perspective of an attacker. This process is needed to obtain the commitment of the organizational management to assign assets and implement the suitable security solutions. Assessment of threat and risk is a continuous process which once started must be reviewed frequently to make sure that the existing protection mechanisms still meet the set objectives. The assessment must adequately address the organization’s security requirement in relation to availability, confidentiality and integrity. The assessment of risk and threat forms the fundamental part of the general organization’s life cycle. References ASIS. (2007). Information Asset Protection Guideline. Vol.5. ANSI, Inc: USA. ASIS. (2008). Threat Advisory System. Vol.4. ASIS International: USA Bernard, R. C. S. (2003). Homeland Security and your Business. Security Technology & Design Magazine Booz, A. & Hamilton. (2005). Convergence of Enterprise Security Organization. The Alliance for Enterprise SRM Broder, J. (2006) Risk Analysis & the Security Survey. 3rd ed. BH: USA. Cavenne, F., Ulisse, A., Nieuwenhuijs, A. & Luiijf, H.A.M. (2007). EU – Common Risk Assessment Methodology. EURAM CPNI. (2010). Guide to Producing Operational Requirements for Security Measures. Department of Homeland Security. (2008). Risk-Based Performance Standards Guidance. V.2.4. Washington, DC FSA. (2007). Operational Risk Management Practices. FSA: London ISO. (2007). Committee Draft of ISO 31000 “Risk Management – Guidelines on Principles and Implementation of Risk Management”. V.4. ISO Office: Geneva. Norman, L. T. (2010). Risk Analysis and Security Countermeasure Selection. CRC Press: USA Sandia. (2012). Security Risk Assessment Methodologies. Sandia Corporation: USA. Read More