Security Threat and Risk Assessment - Essay Example

COMPARE AND CONTRAST SECURITY THREAT AND RISK ASSESSMENT Name Institution Compare and Contrast Security Threat and Risk Assessment Introduction To be operational and profitable fully, it is vital that organizations are never caught off guard. As a result, different institutions globally are relying on security and experts on risk assessment in assessing a wide range of security risk and assessment of threat. For example, open-source and proprietary are common examples. However, all the methods used tend to answer specified questions on the things that require protection, establishment of the threat and vulnerabilities, implications associated with damage, the value to the organization, and measures to be undertaken to reduce the level of exposure (Blyth, 2008). In most cases, the outcome or objective of both threat and risks assessments is the same and entails provision of the recommendations that would maximize the protection of confidentiality, availability, and availability while at the same time ensuring the provision of functionality and usability. In order to determine the best outcomes that would ensure the achievement of the desired objectives, the organizations could perform threat and risk assessment, which are accomplishable through either internal or external resources. It is vital that organizations note that risk assessment is a collaborative process; therefore, without notification and involvement of the organizational levels, the assessment process could be costly and might yield ineffective security measures. The choice of either using the internal or external resources often depends on the situation at the time (Chou, 2011). Consequently, organizations utilize security risk assessment and security threat assessments interchangeably (Umberger & Gheorghe, 2011). Although the two have certain similarities, it is important to note their contrasting perspective as well. The essay aims at reviewing various literatures on the comparison and contrast between security threat and risk assessment. Comparison between Security Threat and Risk Assessment The security threat and risk assessment are valuable and insightful opportunities for the organizations to evaluate the effectiveness of their security infrastructure. Therefore, the two reveal organizational security posture through detection of both active and potential institutional threats and risks, which evade the existing security measures (Mackey, 2016). Several researchers that have attempted to define security threat and risk assessment; nonetheless, it is the interactive relationship of the two components that combine to establish the initial evaluation and recommends the action plan for the risk management. In the heart of threat and risk assessment, there is an objective, a repeatable methodology of gathering the inputs on organizational risks, vulnerabilities, threats, and the controls which are responsible for the production of risk magnitude that are discussable, reasonable, and treatable (Strachan-Morris, 2010). There are different risk and threat assessment frameworks, which tend to follow similar structures; however, they could differ in the description and details of the procedures (Peltier, 2001). Nonetheless, the two often follow similar patterns for the identification of organizational assets and stakeholders, adequate understanding of the security requirements, enumeration of the threats, identification, and assessment of the effectiveness of controls, and calculation of the risks based on the inherent risk compromise and probability that the threat would occur (Jones & Ashenden, 2005). All the risk and threat assessment methods often require the assessment teams to define clearly the scope of the assets, the owner of the asset, and those that the organization consider responsible for organizational technology especially the security controls for the asset. The major factors that defines the scope of both risk and threat assessment are the assets. Risk usually depends on the existence of threat (Vellani, 2007). Therefore, the risks often result from impact of threat and harm. Usually, researchers often consider threat a significant component of security risk management with the evident theme as ensuring adequate understanding, application of the security risk, and management (Perrin, 2009). The extent to which an organization understands it threats depends on the level of understanding the adversaries perspectives with regards to the intentions, motives, and associated capacities while compromising the concerned assets. Contrasting Security Threat and Risk Assessment There are several security terms used interchangeably in the modern society, even if that should not be the case. Various security jargons tend to portray distinct meanings usable in specific ways reasons. For example, risk assessment and threat assessment are different and each is valuable in its capacity and applicable in solving different organizational problems (Schneier, 2015). Threat is usually a function of the capability of the enemy and intends to conduct an attack on the organization while risk is usually a function of probability that an organization would be involved in an attack as either a deliberate target or being in the wrong place at the wrong time. Moreover, the risk also involves the harm the attack on the organization would cause (Du & Zhu, 2013). In simple terms, threat is the product of capability and intent while risk is the product of probability and harm. In most cases, security threat assessment often takes into consideration an array of factors. For the assessment of capability, there is usually the analysis of the past organizational performance, the current trends, logistic support, and the extent to which the people could create their opportunity to attack, and the control and command (Turner & Gelles, 2003). The intent is usually establish able through the past experience, the rhetoric of the public, and whether the group create their opportunities or simply react to the events. Upon establishment of the threat level, it is vital to determine the risk through the assessment. Threat assessment plays vital role in identifying the type and the level of the hazard that the organization is likely to face. Since is a function probability and hard, it justifies how likely an event could damage the organization (Van & Kennedy, 2008). Threat assessment aims at determining anything that could contribute to interruption, tampering, and destruction organizational processes. Therefore, the assessment focuses on analysis on all the elements of the risks that could conceivably take place, which are either human or non-human elements (Landoll, 2011). During the assessment, it is important that the identified threats be looked at with the focus on the business environment and the effect they would have on the organization. Threats usually depend on the vulnerabilities gradable in similar manner but measured in terms capability and motivation. For example, the organizational non-staff could have low motivation in doing something considered malicious; nonetheless, they might have high level of capability considering their level of access on certain organizational systems (Pinkerton, 2014). The risk could as well refer to the likelihood of being the target of the attack; probability of an attack being prosperous or general exposure to any given threat. From such derived definition, it is important to note that the major objective of risk assessment is to determine the adequacy of the most important potential breaches in security that requires immediate address (Cragin & Daly, 2004; Vellani, 2007). Some researchers enumerate and highlights that the significance of risk assessment is that it focuses on the most critical and likely dangers and evaluation of the various levels of risks relative to one another as the function of the existing link between cost of security breach and the probability of such penetration. Risk assessment is vital in the determination of organizational appropriate security budgeting inclusive of the money and time (Mandel, 2008). Moreover, it plays vital role in prioritization of the security policy implementations to ensure that the immediate challenges could be resolved faster. On the contrary, threat means the source and means that a particular attack occurs. In such case, a threat assessment is performed with an aim f determining the best approach of securing organizational system against any form of threat (Ou & Singhal, 2012). Usually, penetration testing processes focuses on the assessment of the threat profiles to assist the organizations develop effective countermeasures against various types of attack presented by any form of threat. Whenever risk assessment focuses more on the analysis of the potential and tendency of organizational resources to fall for different criminal attacks, the threat assessment usually, focus on the analysis of the resources used by the attacker (Broder, 2006). Assessment of the threat could assist in developing specified organizational security policies required for the implementation in line with the prioritization of the policy and understanding the need for specific implementation to secure organizational resources. Conclusion Security, like any other technical profession, has its specialized language developed to facilitate easier communication for the experts to discuss various subjects. It is vital to understand these terms. Many security terms are used interchangeably even in instances when the interchange ability is not applicable. For example, the essay focused on risk assessment and threat assessment and established their comparison and contrasts in a bid to ensure adequate understanding of the processes. Although both processes in most cases use similar frameworks and patterns, risk assessment is vital in determining organizational security breach that require immediate address. Both security threat and risk assessment aim at maximizing the benefits associated effective security systems; nonetheless, threat assessment plays vital role in determining the best approach of securing the system against a specified threat. Moreover, risk assessment focuses on the evaluation of dangers and various levels of risks relative to one another as a function on the interaction that occurs between the breach cost and the probability associated with such breach. However, risk assessment tends to focus on the analysis of the potential and tendency of organizational assets to fall prey to various forms of attack. Besides, the focus on threat assessment is the analysis on the resources utilized by the attackers. References Blyth, M. (2008). Risk and security management: Protecting people and sites worldwide. Hoboken, NJ: John Wiley & Sons. Broder, J. F. (2006). Risk analysis and the security survey. Amsterdam: Butterworth-Heinemann. Chou, K. (2011). Information assurance and security technologies for risk assessment and threat management: Advances. Hershey, PA: IGI Global (701 E. Chocolate Avenue, Hershey, Pennsylvania, 17033, USA. Cragin, K., & Daly, S. A. (2004). The dynamic terrorist threat: An assessment of group motivations and capabilities in a changing world. Santa Monica, CA: RAND Corp. Du, S., & Zhu, H. (2013). Security assessment in vehicular networks. New York, NY: Springer New York. Jones, A., & Ashenden, D. (2005). Risk management for computer security: Protecting your network and information assets. Amsterdam, Netherlands: Elsevier Butterworth-Heinemann. Landoll, D. J. (2011). The security risk assessment handbook: A complete guide for performing security risk assessments. Boca Raton, FL: CRC Press. Mackey, R. (2016). Choosing the right information security risk assessment framework - Information Security Magazine. Retrieved August 25, 2016, from http://searchsecurity.techtarget.com/magazineContent/Information-security-risk-assessment-frameworks Mandel, R. (2008). Global threat: Target-centered assessment and management. Westport, CT: Praeger Security International. Ou, X., & Singhal, A. (2012). Quantitative security risk assessment of enterprise networks. New York, NY: Springer. Peltier, T. R. (2001). Information security risk analysis. Boca Raton, FL: Auerbach. Perrin, C. (2009, July 7). Understanding risk, threat, and vulnerability - TechRepublic. Retrieved August 25, 2016, from http://www.techrepublic.com/blog/it-security/understanding-risk-threat-and-vulnerability/ Pinkerton. (2014, October 16). Threat vs Vulnerability vs Risk: What Is The Difference? Retrieved August 25, 2016, from https://www.pinkerton.com/blog/risk-vs-threat-vs-vulnerability-and-why-you-should-know-the-differences/ Schneier, B. (2015). Threat Modeling and Risk Assessment. Digital Security in a Networked World, 1(2), 288-306. Strachan-Morris, D. (2010, April 27). News - Threat and Risk: What's the Difference? :: Pilgrims Group. Retrieved August 25, 2016, from https://www.pilgrimsgroup.com/news.php?id=94 Turner, J. T., & Gelles, M. G. (2003). Threat assessment: A risk management approach. New York: Haworth Press. Umberger, H., & Gheorghe, A. (2011). Cyber Security: Threat Identification, Risk and Vulnerability Assessment. Energy Security, 4(3), 247-269. Van, B. E., & Kennedy, L. W. (2008). Risk balance & security. Thousand Oaks: Sage Publications. Vellani, K. H. (2007). Strategic security management: A risk assessment guide for decision makers. Amsterdam: Butterworth-Heinemann. Vellani, K. H. (2007). Strategic security management: A risk assessment guide for decision makers. Amsterdam: Butterworth-Heinemann. Read More