Security Threat Assessment and Security Risk Assessment - Literature review Example

Summary
The paper "Security Threat Assessment and Security Risk Assessment" highlights the importance of auditing in the security system, the process of risk assessment used to mitigate the consequences of risk, and the vulnerability rating, and assesses the action plan for the specific threat and risk…

Extract of sample "Security Threat Assessment and Security Risk Assessment"

COMPARE AND CONTRAST BETWEEN A SECURITY THREAT ASSESSMENT AND A SECURITY RISK ASSESSMENT

Student's Name
Institution's Name
Instructor's Name
23rd August 2015

Introduction

According to Amoore (2013), security threat assessment is the process of identifying threats to a country, people, organization or region. The threats are external and usually outside the control of the model (Broder, 2011). Such threats include terrorist activity, corruption, drug smuggling and hijacking. Security risk assessment, on the other hand, looks at the procedures that can be implemented to reduce the effect of those threats. This study compares and contrasts a security threat assessment with a security risk assessment (Lo et al., 2012). It also seeks to find out how such procedures can inform better decision making in response to security threats and the allocation of risk mitigation resources (Cole, 2011). Many models have been developed to integrate threats, risks and vulnerabilities, and such models help in allocating the resources that ensure risks are reduced (Wang, 2012).

Security Threat Assessment

According to Storey (2011), a threat assessment is an evaluation of a terrorist who is currently in a given jurisdiction, combined with an assessment of the possible targets of the terrorist's presence and a statement of the probability that the criminal will commit an illegitimate act (Wachinger, 2013). The evaluation focuses on the terrorist's prospects, ability, enthusiasm and readiness to commit the prohibited act. The security risk may be rated low, medium or high (Gowda, 2015). Firstly, at low risk there is no previous or existing activity and no intelligence information. Secondly, at medium risk there is no current occurrence, and there is no intelligence or information on potential action.
Thirdly, at high risk there is a recent incident of the activity, and information regarding it is available for decision making (Wachinger, 2013).

Threat    | Risk Factor                 | Risk Rating | Activity
Terrorism | Political, Bio, Cyber, Agro | 2           | An assessment of the risk created by terrorism activities within a country. The study focuses chiefly on the radicalization of domestic radicals.
Source data: Researcher, 2015

Security Risk Assessment

Security risk assessment is the process of analyzing external threats against the company's procedures with the aim of identifying where vulnerability exists (Cheminod, 2013). It involves identifying, analyzing and understanding information assets, the possible impact of security risks, threats and weaknesses, in order to apply suitable security measures (Cárdenas et al., 2011). The risk assessment includes identifying and analyzing the following factors. Firstly, it should include all assets in the system; it should map all the security chains and how command flows (Woody, 2011). Secondly, it should include all the threats that affect the integrity of the system and the confidence placed in it, for instance the spread of malicious code after an unauthorized log-in or access to information. Terrorist attacks and their level of occurrence should be ranked; instances of terrorism include organized crime, threats to the safety of the public and the bombing of people (Cárdenas et al., 2011). Thirdly, the vulnerabilities of the system that are directly related to the threats, for example the lack of up-to-date software to detect and prevent the occurrence of risks (Reid Meloy, 2012). Fourthly, it assesses any potential impacts, likelihoods and risks caused by the threats (Viduto, 2012). Fifthly, the security measures that help control the risks.
That includes preparing an action plan to identify weaknesses and choosing someone who is responsible for fixing each weakness (Wachinger, 2013). Security risk assessment also includes the element of auditing the security system (Lo et al., 2012). A security audit is the process whereby the organization's security policy and standards are used as the basis for assessing the standard of the existing protection measures (Cole, 2014). The audit should be done periodically and documents reviewed to ensure that the procedures in place are followed and that records are routinely kept (Turner, 2012).

The Risk Assessment Stages

According to Reid Meloy (2012), at all of these stages it is vital that the personnel involved in the assessment keep the information concealed. All the details and particulars of the assessment should be kept secure and confidential (Wang, 2012). Once the stages are carried out properly and completed, there should be sufficient mitigation to curb the threats (Monahan, 2012).

The risk assessment process – There is an advantage in following the risk assessment process step by step without making suppositions about the final outcome (Broder, 2011).

Organizational-level risk assessment – Under this stage the assessment identifies a number of insider threats that an enterprise faces and prioritizes these in terms of their impact and probability (Feng, 2011).

Ground-level risk assessment – Under this stage there is a need to assess the group of employees that have access to the organization's assets. These employees have the greatest probability of carrying out the identified threats. According to Monaghan (2012), a person with specialist or skilled knowledge is more likely to commit the offense than an officer who is unskilled. Once the assessment is carried out and the stage is complete, new measures should be suggested in order to mitigate the risks (Viduto, 2012).

Role-based (individual) risk assessment – This stage is optional and perhaps not necessary in many organizations. It is normally carried out when there are high-risk roles that require individual staff to do their own assessment. The process consumes a lot of resources and involves only the chief or key human resources who understand their roles perfectly (Raspotnig, 2013).

The Process of Security Audit

Firstly, the process should define the scope of the audit (Wachinger, 2013). The scope should encompass an audit of security elements such as the wireless network. Secondly, the audit should identify loopholes in the security system (Theoharidou, 2011). It should look at the potential security loopholes with the use of audit tools and various technologies. Thirdly, the audit process should provide recommendations for continuous improvement of the system. After the conclusion of the audit, there should be an audit report highlighting the deviation between the existing protection procedures and measures (Woody, 2011). It should also define security standards and policies, and make successive recommendations for enhancement (Cárdenas et al., 2011).

Vulnerability Assessment

Vulnerability assessment is the process of recognizing weaknesses in a company's security procedures and how they could be used to help terrorists hit a target or achieve the threat factors highlighted in the threat assessment, such as political terrorism and cyber terrorism. Vulnerability in a company can be identified through internal audits and through reviews of security (Lo et al., 2012). According to Wang (2012), a vulnerability assessment analysis of whether an individual is prone to terrorism includes the following questions: do you stay or live in an area known for a high rate of terrorism? Do you have adequate security measures to aid in the detection and prevention of risks?
In case a risk or threat occurs, do you have security personnel who can come to help you? Are you equipped with the skills to handle such an occurrence? After the assessment results are acknowledged and documented, the next step is to look at the action plan, which will assist in laying out procedures that reduce, lessen or alleviate the above threats (Monahan, 2012).

Action Plans

An action plan consists of spotting, identifying and documenting vulnerabilities (Gowda, 2015). Its main function is to develop procedures that help reduce the vulnerabilities. In the above example of a vulnerability assessment for a terrorist attack, there is a need to come up with measures that reduce the threat (Petersen, 2011). For example, after learning that you are living in an area prone to terrorist attack, what measures have you put in place to ensure that the risk is mitigated? Such measures may include building a perimeter wall around your house (Woody, 2011). If such a threat materializes, the individual living in that place should ensure that they are quickly linked to the police or security authorities who can aid them (Monaghan, 2012).

The Process of Security Risk Assessment

Personnel security is a system of guidelines and policies that seek to manage the risk of people exploiting their lawful access to an organization's assets for unauthorized purposes. Those who seek such legitimate access are termed insiders (Wang, 2012). Anyone whose actions result in harm to a country, region or organization and who has access to assets may be a permanent member of staff or just a contractor (Rausand, 2013). According to Schieferdecker, the personnel security risk assessment assists a person to use one type of methodology. It is a unique type of assessment, as it focuses on the risks posed by the people who are legitimately given access to the company's assets. It is undemanding, flexible, robust and transparent.
The guidance explains how to know the kind of risks posed to people and assets (Y.P.O Shieh et al., 2011). The process, however, does not reveal which assets are vital or which group of employees poses the greatest threat; that requires the knowledge, skills and expertise of your organization (Stewart, 2011). Each sector has its own risks, and every sector knows its enterprise well. The process provides a scaffold and framework to work with, but it needs the organization to bring the right kind of information and people. The more investment is put into the process, the better and more worthwhile the result is for the organization.

Risk Management in Personnel Security

Security personnel should use appropriate measures to detect and curb an extensive variety of attacks from insiders, from fraud by staff through to the conduct of terrorist attacks (Petersen, 2011). The measures to be implemented can be costly and labor intensive, and they may lead to delays in business processes such as recruitment or the movement of staff between business units. The process should therefore be implemented in a manner that reflects the severity of the risk. Risk management provides a systematic basis for proportionate and efficient personnel security (Rausand, 2013).

Risk Management Cycle

Figure: Risk Management Cycle – Identifying Threats, Assess Vulnerability, Evaluate Countermeasures, Implement Countermeasures. Source data: Researchers, 2015.

Risk management is the groundwork of the personnel security management process. It is an unremitting and unbroken cycle of:

Risk assessment – It involves assessing the risks to the assets of a region, country or organization in view of the likelihood of the threat occurring. It also highlights the impact or force of the risk event.

Implementation – It involves the identification and implementation of security measures to reduce the likelihood and the force of the threat and what it may cause in the event that it occurs.

Evaluation – The evaluation part involves an assessment of the effectiveness of the countermeasures and also the identification of any necessary corrective action.

The repeated and recurring nature of the risk management process ensures that risk assessment is cyclical (Poolsappasit, 2012). The implementation and evaluation are also reviewed periodically. The value of risk management mostly comes from the methodical examination of threats, opportunities and countermeasures. The process will differ in different organizations and set-ups.

Risk Assessment: An Overview

Risk is made up of two aspects: the possibility of an event happening and the impact of such an event. The overall measure of a risk is obtained when both of these aspects have been evaluated and combined. The methodology provides that risk scores are comparative rather than absolute and are graded on a 1-5 scale, where one represents the least likely combined with the least impact and five stands for the most likely and greatest impact.

Probability of an Insider Event Happening

This can be categorized into three factors: intent, capability and opportunity. Intent is an evaluation of the insider's willpower to carry out the assault. Capability is the scale of insider knowledge and skills that a person requires to be successful in a given attempt. Opportunity is the access that an insider has to an enterprise asset; this access must be combined with the environmental vulnerability to determine the opportunity (Petersen, 2011).

Impact

The impact should be assessed in terms of the value of the asset that is affected and any other wider cost or consequences. For example, many incidents have an impact on finance, reputation and operations. For individuals, the first and foremost step in a risk assessment is spotting the security personnel involved in the protection of human lives and property.
If the individual cannot recognize what every security officer does and all the steps in the security process, then he will fail to control the security of the system in the security chain (Gowda, 2015). Those brokers that provide services that aid in ensuring peace and stability need to ensure that information is safeguarded (Marium, 2012). Such personnel include internet providers. If a terrorist plans on hitting a specific building, the first thing he will require is knowledge of that particular building. The architect should not assist the terrorists with the specifics of the building and how it can be accessed with ease. Also, security staff should be able to guard the confidentiality of sensitive information regarding the operation of the building.

Who should be involved in carrying out a personnel security risk assessment?

The assessment is effective and efficient when it is an integral part of the risk management process, which ensures that the assessment will be translated into action. Good results are attained when the team comprises the following: human resource (HR) staff and the security team, who are responsible for or in charge of risk management; personnel with deep knowledge of a given employee role, for example finance managers for finance roles; and lastly, optionally, a trusted external contact who provides an alternative point of view and challenges received wisdom (Poolsappasit, 2012).

The Organization-level Risk Assessment

In our introduction we highlighted that security threats are purely external and therefore hard to mitigate, as are the results of their occurrence. In this section we look at the risk assessment and how its procedures can be improved to better or strengthen the company's operation. The results of the assessment should be recorded in the following manner:

Insider Threat | Probability (1-5) | Assumptions (Probability) | Impact (1-5) | Assumptions (Impact)
1.             |                   |                           |              |
2.             |                   |                           |              |

This document should be protected, as the process can provide information on the company's vulnerability to terrorists.

Step One: Spotting the possible insider threats

The important aspect involves spotting the organization's threats. The organization should explore what the assessment is able to produce (Murphy, 2013). The assessment identifies which organization assets are essential to attaining its function. For example, in a bakery the key function of the business is to produce bread to satisfy customers' needs; some of the key assets needed to produce and deliver bread are an oven and a van (Wachinger, 2013). In addition, there should be a clear and careful description of threats so as to achieve the objective or results. There is a process that should be followed to ensure that organization threats are detailed:

Range – The threats should cover the complete range of insider activity that the organization is likely to face (Gowda, 2015). They may include physical attacks, unauthorized disclosure of information and theft of intellectual property. Third parties who might cause damage to the firm include competitors, terrorists and investigative media practitioners.

Definition of an insider – An insider by definition is a person who exploits, or has the capability of exploiting, their lawful access to organization assets for illegal purposes (Marium, 2012). This type of risk assessment does not consider accidental damage from strangers, but there may be a need for the insider threat assessment to protect against external threats as well.

Level of detail – The more detail given to a threat, the easier and more realistic the judgment about its probability and impact.

Step Two: Assess probability

After the terms are defined and the list of threats is identified, the next step is to consider whether or how likely they are to occur.
In this stage the likelihood or probability of the threat occurring is graded on a scale of 1 to 5 (Hagmann, 2012). A threat that is likely to occur is given a probability of 5, while one perceived as unlikely to occur is given 1. There are four factors to consider when assessing the likelihood: potential target, precedence, security situation and ability.

Step Three: Assess impact

According to Feng (2011), impact is assessed using a scale of 1 to 5, where 1 represents the lowest impact and 5 the greatest. The factors that should be considered to assess the impact include: the number and significance of affected sites, potential injuries or fatalities among the public, reputation damage to the organization, loss of finances, and the adequacy of plans and existing countermeasures (Hagmann, 2012).

Step Four: Determine the risk priority

This step determines the priority of each threat (Amoore, 2013). Under most risk assessment methodologies the likelihood value is multiplied by the impact value to give a priority score; for example, a likelihood of 3 and an impact of 4 give a score of 12 (Murphy, 2012). In this step the security team allocates resources to the threats with the highest priority.

Conclusion

This research paper gives an in-depth analysis of security threat and security risk assessment. It highlights the process and stages of risk assessment that can be used to mitigate the consequences of risk. It also describes vulnerability assessment and assesses the action plan for a specific threat and risk. The study also outlines the importance of auditing in the security system, and uses both a personnel example and a terrorism example to help explain the concepts of the security threat and security risk assessment processes. In addition, it highlights the best personnel to undertake the aforementioned processes.
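The four-step organization-level register described above, worked through in code as an added example that is not part of the paper. It assumes the paper's 1-5 probability and impact scales, priority as probability multiplied by impact, and the paper's record layout; the bakery threats are constructed sample data, and the bakery assets (oven and van) are the paper's own example.

```python
# Added example (not from the paper): an organization-level insider risk
# register following the four steps above. Assumes the paper's 1-5 scales
# and priority = probability x impact; sample threats are constructed.
from dataclasses import dataclass

# Factors the paper lists for judging likelihood (step two) and impact (step three).
LIKELIHOOD_FACTORS = ("potential target", "precedence", "security situation", "ability")
IMPACT_FACTORS = ("affected sites", "injuries or fatalities", "reputation damage",
                  "loss of finances", "adequacy of plans and existing countermeasures")


def check_scale(value: int, name: str) -> int:
    """Reject anything outside the 1 (least) to 5 (most) rating scale."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


@dataclass(frozen=True)
class InsiderThreat:
    """One row of the register: the threat, its ratings and the assumptions behind them."""
    threat: str
    probability: int
    probability_assumptions: str
    impact: int
    impact_assumptions: str

    def __post_init__(self) -> None:
        check_scale(self.probability, "probability")
        check_scale(self.impact, "impact")

    @property
    def priority(self) -> int:
        """Step four: relative priority score (1-25) from multiplying the two ratings."""
        return self.probability * self.impact


def rank_threats(threats):
    """Highest-priority threats first, which is where the paper says resources go first."""
    return sorted(threats, key=lambda t: t.priority, reverse=True)


def format_register(threats) -> str:
    """Render the register in the column layout the paper prescribes, plus the priority score."""
    header = ("Insider Threat | Probability (1-5) | Assumptions (Probability) | "
              "Impact (1-5) | Assumptions (Impact) | Priority")
    rows = [header]
    for i, t in enumerate(rank_threats(threats), start=1):
        rows.append(f"{i}. {t.threat} | {t.probability} | {t.probability_assumptions} | "
                    f"{t.impact} | {t.impact_assumptions} | {t.priority}")
    return "\n".join(rows)


# Constructed sample register for the paper's bakery example (oven and van as key assets).
BAKERY_REGISTER = [
    InsiderThreat("Contract driver steals the delivery van", 3,
                  "precedence: prior vehicle theft in the area; ability: holds the keys",
                  4, "deliveries stop; loss of finances and reputation"),
    InsiderThreat("Employee discloses proprietary recipes", 2,
                  "no precedence; recipes shared only with head bakers",
                  3, "reputation damage; limited financial loss"),
    InsiderThreat("Disgruntled staff member sabotages the oven", 1,
                  "security situation: oven room is badge-controlled",
                  5, "production halts entirely; possible injuries"),
]

if __name__ == "__main__":
    print(format_register(BAKERY_REGISTER))
```

The van theft row reproduces the paper's worked figure (likelihood 3, impact 4, score 12) and therefore ranks first.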

Lastly, the paper has found that there is a difference between security threat assessment and security risk assessment. Security threat assessment is about recognizing a threat before it occurs, while security risk assessment is about the procedures in place to mitigate the external factors that may contribute to a company's, region's or country's loss.

References

Amoore, L. (2013). The politics of possibility: Risk and security beyond probability. Duke University Press.
Broder, J. F., & Tucker, E. (2011). Risk analysis and the security survey. Elsevier.
Cárdenas, A. A., Amin, S., Lin, Z. S., Huang, Y. L., Huang, C. Y., & Sastry, S. (2011, March). Attacks against process control systems: risk assessment, detection, and response. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (pp. 355-366). ACM.
Cheminod, M., Durante, L., & Valenzano, A. (2013). Review of security issues in industrial networks. IEEE Transactions on Industrial Informatics, 9(1), 277-293.
Cole, E. (2011). Network security bible (Vol. 768). John Wiley & Sons.
Cole, M. (2014). Towards proactive airport security management: Supporting decision making through systematic threat scenario assessment. Journal of Air Transport Management, 35, 12-18.
Feng, N., & Li, M. (2011). An information systems security risk assessment model under uncertain environment. Applied Soft Computing, 11(7), 4332-4340.
Gowda, V., & Rani, C. (2015). System security, threat detection and prevention measures of autonomous systems.
Hagmann, J., & Cavelty, M. D. (2012). National risk registers: Security scientism and the propagation of permanent insecurity. Security Dialogue, 43(1), 79-96.
Lo, C. C., & Chen, W. J. (2012). A hybrid information security risk assessment procedure considering interdependences between controls. Expert Systems with Applications, 39(1), 247-257.
Marium, S., Nazir, Q., Shaikh, A. A., Ahthasham, S., & Mehmood, M. A. (2012). Implementation of EAP with RSA for enhancing the security of cloud computing. International Journal of Basic and Applied Sciences, 1(3), 177-183.
Monahan, J. (2012). The individual risk assessment of terrorism. Psychology, Public Policy, and Law, 18(2), 167.
Monaghan, J., & Walby, K. (2012). Making up 'Terror Identities': security intelligence, Canada's Integrated Threat Assessment Centre and social movement suppression. Policing and Society, 22(2), 133-151.
Murphy, M. N. (2013). Contemporary piracy and maritime terrorism: the threat to international security. Routledge.
Petersen, K. L. (2011). Risk analysis - a field within security studies. European Journal of International Relations, 1354066111409770.
Poolsappasit, N., Dewri, R., & Ray, I. (2012). Dynamic security risk management using Bayesian attack graphs. IEEE Transactions on Dependable and Secure Computing, 9(1), 61-74.
Raspotnig, C., & Opdahl, A. (2013). Comparing risk identification techniques for safety and security requirements. Journal of Systems and Software, 86(4), 1124-1151.
Rausand, M. (2013). Risk assessment: theory, methods, and applications (Vol. 115). John Wiley & Sons.
Reid Meloy, J., Hoffmann, J., Guldimann, A., & James, D. (2012). The role of warning behaviors in threat assessment: an exploration and suggested typology. Behavioral Sciences & the Law, 30(3), 256-279.
Schieferdecker, I., Grossmann, J., & Schneider, M. (2012). Model-based security testing. arXiv preprint arXiv:1202.6118.
Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., & Sommerlad, P. (2013). Security patterns: Integrating security and systems engineering. John Wiley & Sons.
Stewart, M. G., Ellingwood, B. R., & Mueller, J. (2011). Homeland security: a case study in risk aversion for public decision-making. International Journal of Risk Assessment and Management, 15(5-6), 367-386.
Storey, J. E., Gibas, A. L., Reeves, K. A., & Hart, S. D. (2011). Evaluation of a violence risk (threat) assessment training program for police and other criminal justice professionals. Criminal Justice and Behavior, 38(6), 554-564.
Theoharidou, M., Kotzanikolaou, P., & Gritzalis, D. (2011). Risk assessment methodology for interdependent critical infrastructures. International Journal of Risk Assessment and Management, 15(2-3), 128-148.
Turner, J. T., & Gelles, M. (2012). Threat assessment: A risk management approach. Routledge.
Viduto, V., Maple, C., Huang, W., & López-Peréz, D. (2012). A novel risk assessment and optimisation model for a multi-objective network security countermeasure selection problem. Decision Support Systems, 53(3), 599-610.
Wachinger, G., Renn, O., Begg, C., & Kuhlicke, C. (2013). The risk perception paradox—implications for governance and communication of natural hazards. Risk Analysis, 33(6), 1049-1065.
Wang, P., Lin, W. H., Kuo, P. T., Lin, H. T., & Wang, T. C. (2012, April). Threat risk analysis for cloud security based on Attack-Defense Trees. In Computing Technology and Information Management (ICCM), 2012 8th International Conference on (Vol. 1, pp. 106-111). IEEE.
Woody, E. Z., & Szechtman, H. (2011). Adaptation to potential threat: the evolution, neurobiology, and psychopathology of the security motivation system. Neuroscience & Biobehavioral Reviews, 35(4), 1019-1033.
Y. P. O., Shieh, H. M., & Tzeng, G. H. (2013). A VIKOR technique based on DEMATEL and ANP for information security risk control assessment. Information Sciences, 232, 482-500.