Dr. Glenn Hines
October 14, 2018
Risk, Threat, and Vulnerability
Risks, threats, and vulnerabilities all play a key part in the fundamentals of risk management. A risk is a chance that a loss will happen. A loss happens when a threat exposes vulnerability. The impact of the vulnerability tells the severity of the loss (Gibson, 2015).
A threat is any situation or event that could cause a loss or cause danger. For example, not having anti-virus software installed on a computer that’s connected to the internet. This is a threat for the computer because it’s vulnerable to virus infections. Threats can’t be all eliminated but can be controlled with preventative techniques. Threats need to be identified, but sometimes can be outside of your control. This could be an issue within an organization. This happens within the risk management process. Management decides if the threat is too great or if they can work around it. Management has to decide on how much of a risk is acceptable that will not compromise business profitability.
A vulnerability is a weakness. A technical can be technical procedural, or administrative. As stated earlier, not have anti-virus software installed on a computer is a weakness (Gibson, 2015). If an organization has a group of computers on the network without any anti-virus software installed is very risky. Management would have to decide on how much they are willing to spend on protection software. Once the software is installed, then the computers would have less vulnerability. The organization has to make sure the employees follow the security guidelines and acceptable use policy to help keep the network and computers safe.
Cyber attackers can use know vulnerabilities about an organization’s network to their advantage. Management has to determine how much risk they are willing to deal with. The more money spent on correcting vulnerabilities and identifying threats will increase the security of the networks from attacks. The organization will run smoothly when management decides to prevent attacks and possible down time of the business. However, if not problems are corrected, then there will be more risks of systems being infected from cyber attacks.
Risks vs. Loss
A loss only happens when an attacker succeeds with exploiting vulnerability. Loss can cause damage to an organization in different ways. Loss could be physical or financial. A physical loss is for a server to be down for the company’s website that provides products for its customers. A financial loss is for the customer’s not be able to make purchases from the company’s website (Gibson, 2015).
As stated earlier, a risk is chance a loss will happen. There can be risks without a loss and a loss without a risk. Some vulnerabilities can be controlled, but a threat can always be there. Damages can be reduced from a threat.
Describe risk management and assess its level of importance in information security
Risk management is controlling or trying to control what is going to happen during a process or at least reduce the chances of something negative happening. As for information security it is very important to keep private information private. This could be corporate secrets, personal data for employees and customers, and also to keep the servers and network secure from prying eyes or intrusions. If this information got out to the wrong people, then it could be devastating to the company and to the people that had their information compromised.
If the company had an intrusion on its network that was not caught, then that person or program that got into the network could set up the start of opening the network up for further intrusions. Once the people get into the network they will have access to the information that could drastically harm the company.
The need for organizations to take risks with its data
There is a need for organizations to take the time and find the risks involved with its data. If there is a chance that the data could be taken or erased, then what would be the results of these actions? If the results are within acceptable limits for the company, then the company would not have to do anything about it. If something was to happen and the data got out, then how many customers or suppliers would have second thoughts of working with them or buying things from them? It would give the company a bad reputation.
The necessary components in any organizational risk management plan.
A risk management plan is comprised of a couple different parts. These parts are risk identification, risk assessment, and risk resolution. These three parts will allow a risk management plan to work out problems that may occur. It will also help reduce the risks.
First, risk identification is the first part of the plan. “Risks are identified through techniques such as, brainstorming, document reviews, interviews, Delphi technique and SWOT Analysis.” (Dcosta, 2011). These five are just a few methods of identifying risks vulnerability of the company in the process. Brainstorming is where a group of people get together and pull all their information together to see what may happen. Document reviews is just as it states. Review old documents that may relate to the issue or modify outdated documents. Delphi technique is about the same as brainstorming, but all the people are not brought together they are unknown to each other will get personal opinions that will not be swayed by others. The SWOT Analysis will show the strengths, weaknesses, opportunities, and the threats to the plan. All these methods should help with risk identification.
Second, once the risks have been identified, they need to be assessed. This is where the risks are categorized in lists of external and internal risks. Internal risk can be controlled as external risk is events that a company does not have a direct control of. Once they have been broken down to the lists, management needs to decide the probability of the events happening and determine a rating number for the risks.
Finally, there is risk resolution. Management teams will review the higher rated risks. Management will make the decision if the risk will be accepted, transferred, or mitigated. The accepted approach is just to go with it and hope for the best. This method is best used for external risks. An external risk would be a flood. The company can reduce the down time by having backup servers and databases in place. So, if the risk did happen the company could bring up the backup servers and databases online. Then they would be able to be back up and running quicker if there were not any backups. Backup servers can be off-site.
The transfer approach is where the company can transfer the risk to another business that houses databases for companies. The risk for protecting the data will fall on that company and not the initial one, but this comes with a cost. Then the original company can have insurance to cover any damages or loss. This will help to reduce the loss caused by the risks, but it also comes with the price of the insurance (Gibson, 2015).
The mitigation approach is where the company will work on avoiding preventing or reducing the risks. This can be done many ways. If the problems with the networks, then they need to be updated or have the equipment with the problem replaced with new improved equipment.
Dcosta, A. (2011). Effective Steps in a Risk Management Plan. Retrieved from Bright Hub
Project Management: http://www.brighthubpm.com/risk-management/5145-effective-steps-
Gibson, D. (2015). Managing Risk in Information Systems. Burlington, MA: Jones ; Bartlett