
Security Threat Assessment - Essay Example

Summary
The paper "Security Threat Assessment" accents the importance for firms not only to develop an effective management system and deliver quality products and services continuously but also effectively and efficiently identify current and future potential business risks and threats…

Extract of sample "Security Threat Assessment"

Security Threat Assessment and a Security Risk Assessment

Introduction

According to Haslett (2010), modern firms and institutions are bombarded with rapidly changing market and business environments that are characterized by stiff, cut-throat competition, high buyer bargaining power, changing customer needs and demands, and shifting political, social, legal, cultural, economic, ecological, financial and technological forces. In such a market environment, it becomes particularly important for firms and institutions not only to develop an effective management system and deliver quality products and services continuously but also to identify current and future potential business risks and threats effectively and efficiently, as echoed by Talbot & Jakeman (2009). Identifying current and future business risks and threats is crucial in helping organizations make adequate and informed decisions. It helps them acquire and allocate available valuable resources appropriately and allows them to develop and implement productive and sustainable business strategies, so that anticipated business goals, objectives, mission and vision are achieved and, at the same time, security threats and risks are satisfactorily responded to (Volten & Tashev, 2007). In security firms, institutions and the security sector, identifying these risks and threats is all the more fundamental in ensuring that safety and security are maintained continuously and that any prospective vulnerability is detected early and dealt with resourcefully and appropriately (Aceituno, 2005). Be that as it may, security personnel and even security consumers are hard pressed to distinguish threats from risks, which leads to poor risk assessments and threat assessments, which in turn result in ineffective or inadequate risk management systems and threat management frameworks, as argued by Sutton (2010).
This forms the basis of this report, which is a literature review that compares and contrasts security risk assessment and security threat assessment.

Similarities and differences between security threat assessment and security risk assessment

According to Manunta (1999, p. 58), security is a function of the presence and interaction of an Asset (A) requiring protection from a person, organization or community referred to as the Protector (P), and a Threat (T) to the asset requiring protection, in a given Situation (Si). The author expresses security by the formula S = (A, P, T) Si. This definition of security corresponds largely with the definition offered by Bellamy (2008, p. 9), where the author describes security as the mitigation of threats to acquired values. However, Bellamy (2008, p. 9) is categorical in mentioning that the definition of security differs between individuals, organizations, sectors and industries, since it may hold divergent meanings for all of them. Fischer & Green (2003) indicate that security threat assessment and security risk assessment are the first stage in estimating and establishing the threats, risks and consequences correlated with vulnerabilities, and are the core foundation for establishing and managing efficient security systems. From the outcomes generated by the security threat assessment and risk assessment processes, suitable security measures and protections are identified and developed to facilitate secure security frameworks, which entails developing security policies and strategies, delegating security roles and establishing technical security measures and programs (Turner & Gelles, 2003). Frenkel et al. (2005) argue that this should be followed by monitoring and re-assessment through continuous feedback, carried out in both processes, which helps ensure that the security controls and measures put in place are functioning effectively as anticipated and that changes are made where necessary to adapt to emerging changes.

According to Volten & Tashev (2007, p. 17), failure to define security effectively contributes to the confusion and to the inability of organizations and people to distinguish between risks and threats, hence overloading analytical systems. Security threat assessment and security risk assessment are essential in finding answers to specific questions regarding the assets, identifying what or who the threats and vulnerabilities are, evaluating the implications of the occurrence of the threats and establishing strategies on how best to minimize exposure to the identified threats and vulnerabilities, as discussed by Bennett (2007). Peltier (2001) concurs with Bennett (2007) by indicating that security threat assessment and security risk assessment help in establishing the security posture of the security measures through identification of active and prospective threats, indicating vulnerable points and the level of exposure, among others. Therefore, understanding the differences and the similarities between security threat assessment and security risk assessment is key to effective risk management. The main differences and similarities are as follows.

Differences in definitions

The major distinguishing factor between security risk assessment and security threat assessment is the definition of the main variables, namely risks and threats. A threat is any variable that can exploit a vulnerability, deliberately or inadvertently, and thereby acquire, harm or obliterate an asset, as defined by Roper (1999). This means that a threat is what an organization is trying to safeguard against (Landoll, 2006).
Healy & Timothy (2002) describe assets as what is being protected, which includes people, encompassing employees, customers, shareholders, investors, suppliers and contractors, among others. Assets also include property, consisting of intangible and tangible goods; core business, involving primary business ventures, image and goodwill; information, consisting of proprietary data such as databases, critical records and software; and networks, which involve the frameworks, tools and infrastructure connected with data, computer processing assets and telecommunications, among others, as explained by McNab (2004). On the other hand, risks are the prospective loss, harm or damage to an asset due to a threat taking advantage of a vulnerability, as defined by Turner & Gelles (2003). Conclusively, risks link assets, vulnerabilities and threats. Aven (2003) describes vulnerabilities as the weaknesses of the existing security measures which are exploited by threats. Therefore, security risk assessment can be defined as the process of evaluating prospective loss, harm and damage to an asset, which is achievable through security threat assessment, the examination of anything that can take advantage of existing vulnerabilities in the asset's security wall, as supported by Bellamy (2008). In other words, security risk assessment can be defined as the process of ensuring that the security measures applied are proportionate to and suitable for the risks (Wheeler, 2011). When there are real or inherent threats but no vulnerabilities, the probability of risk is lower; alternatively, there can exist vulnerabilities with no threats and hence little or no risk. Therefore, risks can be summed up as a summation of assets, threats and vulnerabilities, as expressed by Frenkel et al. (2005). Through valid and accurate security threat assessment, one is able to carry out security risk assessment effectively, which then culminates in the development and implementation of effective risk management systems and methods.
According to Bennett (2007, p. 274), the main difference between threat and risk, which carries over into the differences between threat assessment and risk assessment, is that a threat is created against a key asset and defined in detail during threat assessment, while a risk is the link describing how or whether that threat can adversely affect a key asset, which is defined in detail in risk assessment. However, a common feature of threat assessment and risk assessment is thorough and accurate planning, as supported by Santos (2007). Fay (2010) highlights that the planning phase generates the basis on which all ensuing work will be constructed. The elements covered in the planning phase include establishing the analysis team, establishing the purpose of the assessment, determining the scope of the assessment, and identifying and valuing specific key assets such as people, products, processes, utilities, core business property and information, as discussed by Bennett (2007, p. 275).

Differences in concepts

According to Dhillon (2007), security risk assessment is concerned with identifying ways to calculate threats and opportunities jointly in order to enhance outcomes, where it focuses on improving returns. Alternatively, security threat assessment focuses on establishing the likelihood of adverse consequences and helps in identifying the most effective response or remedy to apply to the threat in order to minimize loss or damage, based on the impact of the threat and its probability (Talbot & Jakeman, 2009). Threats are a normal occurrence in life events and business operations and, as Sutton (2010, p. 567) states, “Each security threat is a hazard which has consequences and likelihoods, and that calls for the installation of safeguards and the development of emergency response plans.” In order to assess risks effectively, one needs to identify the threat first, so that one is able to understand its likelihood and potential impact.
It is after assessing risks that strategies are developed to tackle the identified threats and risks (Healy & Timothy, 2002).

Differences in the process of identification and expression

According to Dempster (2002), risks in security risk assessment are expressed qualitatively or quantitatively, where the latter identifies risks in relation to percentages while the former identifies risks by descriptions, mainly low, medium and high. In addition, risks can be expressed in terms of probability and frequency, where a risk is expressed as the mathematical probability of its occurring. This concurs with Garcia (2001, p. 272), who mentions that risk is a score defined in mathematical terms through the equation:

$$R = P_A \, [1 - (P_I)] \, C$$

Where:

$R$ = risk
$P_A$ = likelihood (threat) of an adversary attack, measured between 0 and 1.0
$1$ = vulnerability: the highest the effectiveness can be
$P_I$ = probability of interruption, measured between 0 and 1.0
$C$ = consequences (criticality) value, measured between 0 and 1.0

In contrast, threats in security threat assessment are identified and expressed in terms of adversaries and the development of suitable judgments on their goals and capabilities. According to Biringer et al. (2007), security risk assessment involves the use of analytical methods to establish, review and record the risks to which a security system is exposed and the available control measures to offset the identified risks. It is from security risk assessment, and not security threat assessment, that recommendations for rectifying identified vulnerabilities, action plans for applying the recommendations and operating procedures fashioned to safeguard against harm or damage are developed (Dempster, 2002).
Security threat assessment utilizes methodical analysis to assess a threat by establishing the exposure and vulnerability of an asset, the level of probability as to when and where the threat can occur based on existing or potential vulnerabilities, and the impact that the harm, loss or damage of an asset has on the firm or institution. This corresponds with suggestions made by Turner and Gelles (2003, p. 2), who indicate that security threat assessment is core to monitoring change or movement in an event and the likelihood of enhanced or minimized risk of occurrence. Nevertheless, the two variables, security threat assessment and security risk assessment, are correlated, and security risk assessment cannot be carried out and function effectively without effective security threat assessment (Crouhy et al., 2006). Bellamy (2008) indicates that this is important because effective security risk assessment generates a foundation for identifying and developing suitable policies and choosing cost-effective methods to implement the developed policies. Santos (2007) mentions that, because both threats and risks change with time, firms and institutions need to review threats and risks regularly and to review the suitability and efficacy of the policies and mitigation measures already applied. Talbot & Jakeman (2009, p. 200) argue that the need for security risk assessment and management will often vary from one firm to another due to contextual dissimilarities and identified risks, and even though firms regardless of their size can gain from holistic security threat assessment, risk treatments will often differ depending on the outcome of the assessment, the size of the organization, the organizational structure and the operational climate.
Bennett (2007) notes that both security threat assessment and security risk assessment form key components and processes in the risk management cycle, which entails assessing threats and risks, implementing policies and controls, promoting awareness among concerned stakeholders, and monitoring and evaluation. Crouhy et al. (2006) argue that, in spite of the level and type of security vulnerabilities identified, both security threat assessment and security risk assessment entail identifying issues and elements that may harm, and therefore adversely impact, critical security systems and assets. Fay (2010) implies that they also involve approximating the probability of threats and risks occurring based on available expertise or past experience and information, and establishing and categorizing the worth, vulnerability and criticality of the security system that can be negatively impacted if threats do occur, thus determining the most essential security systems and the recovery costs. In addition, both variables entail establishing cost-effective plans of action to manage threats and risks effectively, and encompass recording the outcomes and creating suitable action plans or recommendations (Aven, 2003). There are varied frameworks and techniques for assessing security threats and security risks, in which the degree of assessment and the amount of resources allocated and used differ based on the scope of the analysis and the ease of use of accurate and dependable data on threat and risk factors. This agrees with the sentiments of Santos (2007), who states “...goal of any threat modeling technique is to develop a formal process while identifying, documenting, and mitigating security threats.” It is important to mention that the ease of use of reliable data significantly influences the degree to which the outcomes of the threat assessment and risk assessment can be dependably and consistently measured and utilized (Landoll, 2006).
Despite the contrasts that exist between security risk assessment and security threat assessment, both have critical success factors that ensure proficient implementation of security threat and risk assessment programs. These critical success factors include support and engagement by all concerned stakeholders, who encompass the employees, the management, experts and the community; accountability by all organizational units; effective planning; defined procedures; documentation of assessment outcomes; and regular monitoring and reviewing, as discussed by Aven (2003). Apart from the critical success factors, other elements that are similar in both security threat assessment and security risk assessment are the focal points of the two processes, namely the assessment scope, collection of data, defining and assessing policies and procedures, assessing threats, assessing vulnerabilities and analyzing risk acceptability, as highlighted by Bellamy (2008). The security components and security operating systems assessed in both security threat assessment and security risk assessment include security policies, physical and environmental security, access control, the structure of security systems, the acquisition, development and maintenance of security systems, key asset management, management of security events and regulatory compliance, among others (Dhillon, 2007). Security threat assessment and security risk assessment also compare significantly in the benefits and gains they generate.
Carrying out security threat assessment and security risk assessment requires resources in terms of finances, time and personnel, and the need for extra security measures may necessitate additional expense on the part of the organization. Even so, the two processes help organizations safeguard effectively against probable threats and risks which, if they were to occur, would cost the organization more than the resources required and allocated to carrying out the assessment processes and adding security measures. Therefore, the two processes help businesses cut costs. Both processes help enhance the performance and productivity of the security team, as its members are able to engage in the process and hence know what to do or what not to do to minimize risks (Dhillon, 2007). Sennewald (1985) supports this by mentioning that the development of a review system and the amassing of security knowledge in the firm's knowledge base, done in threat and risk assessment, help personnel use their time effectively, which in turn translates into the achievement of anticipated outcomes. As mentioned earlier, one of the key critical success factors for security threat assessment and security risk assessment is the commitment and engagement of all stakeholders, encompassing the management, security experts and the employees. The engagement required during the processes helps build and cement effective business relationships while breaking barriers to the same (Turner & Gelles, 2003). Mutual engagement is mandatory when carrying out the two processes, as various parties have a role to play. For example, the IT personnel are accountable for making decisions on particular security controls and applications, while the business management makes decisions on the level of security risk acceptability.
Therefore, as the two parties work cohesively, they are able to generate stable and productive business relationships, as each is able to recognize the other's needs and responsibilities. By so doing, security is directly linked to business issues. Through regular security threat assessment and security risk assessment procedures, an organization is able to integrate security as a core feature of the organizational culture, which eases the application of security measures in more areas and in turn helps establish adequate and suitable security levels that safeguard against adverse events (Sennewald, 1985). In addition, as threat and risk assessment programs are applied widely within the firm and more people are involved, security becomes an agenda for debate, hence enhancing security awareness within the internal and external environments of the firm. Wheeler (2011) emphasizes that this is crucial to the efficient identification of threats, vulnerabilities and risks wherever and whenever they occur, which helps safeguard against them in good time, before the vulnerabilities or threats escalate to a high level of harm, damage or loss of assets. Conclusively, both security threat assessment and security risk assessment programs generate the consistency and objectivity needed in addressing security issues and when engaging in security reviews, regardless of the type of business system or application. Broder (1984) agrees by highlighting that, as security information gets shared and generated from varied sources in the business, this supports effective communication among relevant stakeholders and helps in solving problems and making decisions concerning security.
As Peltier (2001) highlights, the outcomes of both security threat assessment and security risk assessment are crucial in enabling firms and institutions to adhere to legislative and policy goals, allocate cost-effective resources to avert threats and probable risks, facilitate effective and responsible management of security information, and safeguard vital security information and key assets.

Conclusion

Security threat assessment and security risk assessment are two processes that are crucial components of the risk management process. They are both carried out with the intent to assess security threats and risks to security systems, information, programs, services, physical environments and assets such as people, technology, property, core business, networks and utilities, among others. The report has explicitly compared and contrasted security threat assessment and security risk assessment as analyzed by varied literature and studies. Although the two processes have major differences, they are correlated and are both essential to the effective management of security, and they help in creating an understanding of the what, how, who and when needed to safeguard against, minimize, diminish and accept risks. Security threat assessment and security risk assessment encourage thorough and accurate planning, commitment and engagement from all relevant stakeholders, and foster knowledge and information sharing and individual accountability, in order to ensure that risk and threat assessment goals and objectives are effectively and efficiently achieved. It is important to note that security risk assessment can only be effectively accomplished through effective security threat assessment. From the outcomes generated by the security threat assessment and risk assessment processes, suitable security measures and protections are identified and developed to facilitate secure security frameworks.
It is apparent from the literature review that the two processes cannot generate sustainable long term results without engaging and depending on each other.

References

Aceituno, V. (2005). On Information Security Paradigms. ISSA Journal.
Aven, T. (2003). Foundations of risk analysis: a knowledge and decision-oriented perspective. New York: John Wiley and Sons.
Bellamy, A.J. (2008). Security and the war on terror. New York: Taylor & Francis.
Bennett, B.T. (2007). Understanding, Assessing, and Responding to Terrorism: Protecting Critical Infrastructure and Personnel. New York: John Wiley and Sons.
Biringer, B.E., Matalucci, B.R. & O’Connor, S. L. (2007). Security risk assessment and management: a professional practice guide for protecting buildings and infrastructures. New York: John Wiley and Sons.
Broder, J. F. (1984). Risk Analysis and the Security Survey. Boston, MA: Butterworth-Heinemann.
Crouhy, M., Galai, D. & Mark, R. (2006). The essentials of risk management. New Jersey: McGraw-Hill Professional.
Dempster, M.A. (2002). Risk management: value at risk and beyond. Cambridge: Cambridge University Press.
Dhillon, G. (2007). Principles of Information Systems Security: text and cases. NY: John Wiley & Sons.
Fay, J. (2010). Contemporary Security Management. Sidney: Elsevier.
Fischer, R.J. & Green, G. (2003). Introduction to security. Boston: Butterworth-Heinemann.
Frenkel, M., Hommel, U., Dufey, G., & Rudolf, M. (2005). Risk management: challenge and opportunity. Melbourne: Springer.
Garcia, M.L. (2001). The design and evaluation of physical protection systems. Boston: Butterworth-Heinemann.
Haslett, W.V. (2010). Risk Management: Foundations For a Changing Financial World. New York: John Wiley and Sons.
Healy, R. J. & Timothy J. W. (2002). Protection of Assets Manual. Los Angeles, CA: POA Publishing, LLC.
Landoll, D.J. (2006). The security risk assessment handbook: a complete guide for performing security risk assessments. London: Auerbach Publications.
Manunta, G. (1999). What is security? Security Journal, 12, 57–66; doi:10.1057.
McNab, C. (2004). Network Security Assessment. Sebastopol, CA: O'Reilly.
Peltier, T. (2001). Information Security Risk Analysis. Boca Raton, FL: Auerbach/CRC Press.
Peltier, T. R. (2001). Information Security Risk Analysis. Boca Raton, FL: Auerbach publications.
Roper, C. A. (1999). Risk Management for Security Professionals. Boston, MA: Butterworth-Heinemann.
Santos, O. (2007). End-to-End Network Security: Defense-in-Depth. Singapore: Cisco Press.
Sennewald, C. A. (1985). Effective Security Management, 2nd Ed. Boston, MA: Butterworth Publishers.
Sutton, I. (2010). Process Risk and Reliability Management: Operational Integrity Management. Sidney: William Andrew.
Talbot, J. & Jakeman, M. (2009). Security Risk Management Body of Knowledge. New York: John Wiley and Sons.
Turner, J.T., & Gelles, M.G. (2003). Threat assessment: a risk management approach. Upper River Saddle: Routledge.
Volten, P.M.E. & Tashev, B. (2007). Establishing security and stability in the wider Black Sea area: international politics and the new and emerging democracies. London: IOS Press.
Wheeler, E. (2011). Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. Sidney: Elsevier.