Successful Risk Assessment and Proper Management - Essay Example

Running Head: Security and AS4360 Name: University: Course: Tutor: Risk Assessment Risk assessment refers to the process evaluating the threats that could occur in an organization. Taking such measures enables organizations to understand any harm that could dawn on assets and employees. Owing to different kind of threats that could effect on different organizations operating in variety of industries, it is important for each institution to consider the environment it operates in before deciding the most befitting risk assessment. Indeed, some industries, like in IT, have developed procedures that enable players to understand the threats that could occur and thus develop effective measures to contain any damage on organization’s assets as well as labor force. This paper will however elaborate on basic risk assessments that take place in a wide range of organizations, with a little emphasis on computer industry. Much focus will be directed to the connection between systems of risk assessment and AS4360. It shall thus be argued most effective systems of performing risk assessment and ensuring that risks have been averted are the ones built upon AS4360 frameworks. The first section of the paper will explain two systems of risk assessment that will be subjected to an AS4360 test; this will facilitate the choosing of the most effective system. Section two shall elaborate on the importance of performing risk assessment in determining resource allocation in an organization. AS4360 is an Australian/ New Zealand standard that is used as a blanket guide to assessment. Though ugh organizations are required to follow the standard, it has to be considered that they are saved from the agony of choosing between different risk assessment systems without knowledge whether they could work. One could thus argue that the standard helps organizations to escape the headache of choosing between systems. Indeed, AS4360 was developed in collaboration with wide range of industries, which enabled them to make a contribution though expression of their needs. The presence of this standard has also led to the growth of advisory professionals who are pivotal in organizations attempts to ensure successful risk assessment and proper management of any threats that could be identified in present systems. An Analysis of Two Risk Assessment Systems Individual organizations have the tendency of developing internals risks assessment systems that are most effective in meeting needs. There are however two main frameworks that have historically been applied in organizations. The first is the definition that risk originates from the combination of motivations, capabilities and opportunities that lead to crime (Jones & Vidalis, 2005, p. 3). This framework has been used for many years and in wide range of industries. It has the advantage of understanding the environment that could lead to threats becoming a reality within organization’s operations. By understanding the motivation that could lead to potential individuals from undertaking certain actions of threat to the organizations, it becomes easier to for the management or the concerned parties to look for ways of reducing that motivation. For instance, organizations facing the risk of having equipments vandalized because due to lack of enough security will most likely employ more manpower or surveillance gadgets to deter burglars. This is because lack of enough security will have been determined as the motivation for inside or outside parties to engage actions harmful to the relevant organization (Cox & Ricci, 1990, p. 325). By understanding the capability of people that might engage in the acts that could pose risk to organizations property, the management could easily ensure that internal mechanisms are way above threat’s reach (Tregear, 2001, p. 20). This means people aiming to perform such harmful acts will have to work harder, which will take lots of time; the relevant organization would have improved their internal mechanisms before these threats reach the current level. As the cycle continues, threats would find it hard to perform their acts and thus leave organizations property well secured in both short and long term. By checking on the opportunities available for threats to undertake their actions, organizations will be able to ensure that all the loopholes are sealed. The drawback of this framework is the number of the assumptions taken by organizations’ management or security departments. These individuals work on the assumption that they can successfully deduce motivations, capabilities and opportunities that influence other entities into becoming threats. Some aspects of threats could be right but most of the rest could be utter wrong. It has to be understood that what motivates individuals into undertaking actions that could affect organizations keep changing; opportunities and capabilities also change with time. Security department officials will thus have hard time estimating the chances of threats undertaking actions that could pose several risk factors. The second framework is the AS/NZS4360:2004; sees risk as the possibility of an occurrence that will have an impact to the organization; the occurrence is measures through the investigation of the consequences that could accrue from persisting threats. This framework is relatively new and is supposed to replace the one previously explained in the above section. Though it is being used by several organizations, its real impact in variety of industries has not been seen because not all industries have used it. It is however superior compared to the other measure; because it starts with the end in mind, that is, organizations try to first understand the consequences that could befall them as a result of being attacked by their threats. Understanding what could happen becomes a good way of preparing internal systems in ways that they will not be susceptible to any threats. Comparing the two frameworks, it is easy to conclude that the first one serves acts as a measure to enable institution to prevent themselves from futures risks. This means that actions are usually taken after attacks have already taken place. Organizations thus learn from the loopholes that had existed before and subsequently ensure that bleaches do not happen again. On the other hand, AS4360 serves as a preventative measure for any risks. This is because organization’s security departments perform mock threats to see what will happen to organizations equipments and systems. These mock attacks are performed in lines with the organizations perceived threats. In the computer industry, and increasingly in other fields, organizations go to an extent of paying burglars, such as hackers, to try to bleach security details. The processes taken by these burglars and hackers are closely monitored by individual organizations’ security departments. Incase the hackers and burglars are successful in penetrating are therefore easily identified and necessary measures taken. Furthermore, the individuals used in penetrating systems can advice departments on the necessary measures that should be taking in sealing the holes that facilitated easier access. Organizations should therefore consider utilizing AS/NZS4360:2004 in their risk assessment processes. It is, however, of vital importance to ensure that some aspects of the other measure are applied in risk processes. This is because blending the two mechanisms would strengthen organisational security structures. Such a combination will also serve organizations well, especially in the transition process. As organizations move from the old risk assessment framework to the new ones, it is necessary to consider the help of professionals that are qualified the filed. This shall lead to smooth transition that will not compromise organizations structures. Furthermore, security department staff would benefit from exceptional training-on-the-job from the security professionals, which will lead to internal work force that would lead to better service for individual organizations. Importance of Risk Assessment in Resource Allocation Assessing organizations risk exposures is an absolute necessity. Indeed, failure to understand the risk that could befall ones organization would lead to inadequate prepared ness. Apart form the necessity of preparing countermeasures; organizations need to know various degrees of risk that affect departments or equipments. This enables senior management to allocate resources depending on the severing of the risk, meaning that the most dangerous exposures receive enough attention, such as getting help from outside professionals. This section shall deal with the importance of assessing risk in order to estimate resource allocation within in organizations. Several aspects of this importance are discussed below in detail. Provides Knowledge; Risk assessment provides security departments with knowledge that will help them understand severity of threats facing organization, and the cost to be incurred. Understanding whether the threat could become reality in the short run could thus enable senior management to take necessary measures, including allocating the right amount of resources such as manpower and finance. Indeed, organizations get a chance of evaluating abilities of their security departments in dealing with the threats. On the other hand, understanding whether threats could only happen in the long run, organizations are able to prepare strong groundwork that will ensure total safety when the time comes. Understand Agents’ Capabilities: By undertaking mock threat operations, security departments could successfully determine the real abilities of the perceived threats to render damage to targeted systems or equipment. Should it occur that threats are successful in attaining their goals; organizations can subsequently strengthen their systems by allocating the right amount of resources. This also applies to whether threats are immediate or in the long run. The severity of agents’ damage to the organization could also be assessed and the appropriate measures taken. For instance, organizations could consider allocating lesser resources should it appear that the damaged that could be cause by the most serious threat is little. This would save monetary and labor that could have been used in large-scale if the assessment was absent. Helps Understand Flaws in the System; It sometimes happens that organizations develop internal systems through well experienced associates, which leads to higher degrees of confidence that the systems are totally threat-proof. However, subjecting these professionally-built systems into serious mock attacks could lead to different results: that they can easily be accessed by threats and subsequently cause serious damage to the organization. When that happens, organizations get to learn whether people who had built systems stood true to their promises or contractual agreements. This would lead to looking into other contractors that would do better job, that is, delivering true threat-proof systems. Organizations also get to understand cost of repairs on their broken systems, or whether a total overhaul will have to be considered. Enables Comparison of Historical Threats and Cost. Through risk assessment procedures, organizations are able to estimate the severity of threats that have been seen serious in individual organizations’ history (Coster & Hankin, 2003, p. 547). Security departments will thus understand whether resources have historically been used on the most serious threats. It could sometimes happen that organizations have been using a lot of manpower and financial resources on threats that upon testing have prove non-consequential, whereas those that had been ignored prove to be the most serious. As a result, it becomes easy for organizations to change their spending structures towards the most serious threats. Performing these tests on regular basis enables security departments to always preside descent security systems. Test Organisational Preparedness: Several organizations consider performing impromptu mock attacks to understand security details preparedness in dealing with threats. This sharpens the department’s alertness; other employees are also tested of their ability to quickly take measures that would protect their systems from damage during attacks. Since all-round preparedness takes lots of time and resources, security departments get to understand needs that would enable them to be ready for threats. Risk assessment thus enables organizations to develop budgets that will ensure that security departments and other personnel are well knowledgeable on the appropriate measures of dealing with security problems. Failure to undertake these important processes could lead to serious damage of organizations equipment and systems incase of attack. Exposes Organizations to Outside Help; Given that mock attacks are usually undertaken by outside individuals, organizations gain the advantage of getting the help of professionals that will provide necessary advice. Indeed, it is during these, interactions with professionals that security department officials get to know the best practices that apply in different situations. This is an important step because the professionals have a wide experience in working with different organization and variety of fields. Such a wealth of knowledge should be exploited to the maximum because it would lead to well informed security departments that would educate other members of staff on ways and means of securing equipment and systems in times of threat. Compare with Other Organizations: Performing these tests and the involvement of professionals enable organizations to compare threats affecting them with those affecting their peers in the same industry. Budgetary allocation between organizations should also be compared. This will help in seeing whether there was coloration be organization spending on security fixtures and severity of threats. Professionals would actually be helpful in this stage because they would have data comparing organizations across industries. The provision of the data to relevant security department and subsequent analysis would help in developing best frameworks that could lead to strengthening of security systems (Hendershot, 1998, p. 5)—which could not have been achieved without the risk assessment. This paper has shown that performing risk assessment in organizations is vital in the long run safety of organizations equipments and workforce. It has also been illustrated that performing regular assessments helps in improving security structures in any organization. The importance of this process has indeed resulted to the development of standards (AS4360) which ensure that organizations adhere to measures that will guarantee safety of workforce among other important installations. Extensive comparison between AS4360 and the crime triangle-motivation, capability, opportunity has showed that the former is more superior in enabling organizations to perform productive risk assessments. Security departments are therefore encouraged to use AS4360 in their procedures, which should be held or on a regular basis. References Coster, M. N., & Hankin, R, K. (2003). “Antagonistic hazards’ Risk assessment.” Journal of Loss Prevention in the Process Industries, 16, 545-550. Cox, L. & Ricci, P. (1990). New Risks: Issues and Management. London, UK: Springer. Hendershot, D. (1998). Comparing Industrial Risk Analysis. Pennsylvania, US: Rohm and Haas Company. Jones, S. & Vidalis, A. (2005). Analyzing Threat Agents & Their Attributes. Wales, UK: School of Computing, University of Glamorgan. Tregear, J. (2001). “Risk assessment.” Technical Report Regarding Information Security, 10, 19-23. Read More