Extract of sample "Compare and Contrast between a Security Threat Assessment and a Security Risk Assessment"
Running head: Comparing and contrasting the roles of a security threat assessment and a risk assessment, and how they inform decision making in response to security threats and the allocation of risk mitigation.
Name of institution:
Student number:
Student name:
Course tutor:
Date of submission:
1.0 Introduction
To begin with, we will review various definitions of the two terms, risk and threat. Risk can be expressed quantitatively, in terms of percentages, or qualitatively, in descriptive terms such as low, medium and high. In the security field, risk is the probability or frequency that a given type of security-related incident would or would not occur at a given site. In the NGO approach to security, risk is defined as a combination of the impact and likelihood of damage, loss or harm to NGOs from exposure to threats (SAG, 1991). Risk in information security can be defined as unauthorized access, disclosure, modification or destruction of information (Title 44 of the United States Code). Mathematically, risk can be defined as risk = (probability of the accident occurring) x (expected loss in case of the accident) (Dantzing, 1953). On the other hand, the NGO approach to security defines a threat as any factor, for instance actions, situations or activities, which has the potential or possibility to cause harm, loss, or damage to an organization, including its personnel, assets, and operations (SAG, 1991).
Risk assessment is a process which evaluates the likelihood that a given hazardous environment may contribute to a particular disease or illness. Risk assessment is usually used to put in place regulations which protect the public from hazards in air, food, water and the wider environment. The process can also be used to determine how much clean-up is required where contamination already exists. Risk assessment is a systematic examination of all sectors of work that determines what could cause injury, whether the hazards could be eliminated and, if not, what other steps should be taken to control the risk.
Threat assessment deals with identifying the possibility of adverse impact and deciding which steps to apply to the threat, depending on both probability and impact.
Threat Assessment: A process to measure identified threats against an organization. Taken by itself a threat assessment only looks at each identified "adversary" or "event" and makes judgments about intent and capabilities as appropriate. For example, one would clearly not consider the "intent" of a natural disaster, but one would certainly look at the capabilities.
The main objective of both risk and threat assessment is to provide recommendations that enable organizations to maximize the protection of confidentiality, integrity and availability while the functionality and usability of the assets are preserved (www.sans.org).
Therefore risk assessment is where internal factors, such as failure to adopt new technological advancements or politics within the organization, are analyzed, while threat assessment deals with external factors, such as monopoly or weather, that affect the organization.
The role of Risk Assessment
Risk assessment plays various roles. For instance, it enables employers to meet their general duty to maintain the safety and health of employees in every area related to work, and to take the measures that are important to protect the safety and health of their employees. Such measures can include preventing occupational risks like accidents in the organization and providing information and training to employees; the information may include promotions, and training can involve sending workers to seminars and workshops, and organizing the institution and the means to implement the important measures. According to Hall, five different roles can be defined for performing project risk assessment: project risk manager, project risk management team, project risk profile owners, project risk custodians and project team members.
The project risk manager provides the overall project risk strategy and organizes the project risk assessment team. In a small organization this can be done by the project manager, while in a medium to large organization a different person should fulfill this role. The organization risk manager should come from outside the organization to achieve objectivity.
The role of the project risk management team is mainly to gather and organize the necessary project risk data. The size of the team is determined by the size of the whole project. These people can be internal to the organization but must have a detailed understanding of the risk management methodology that is applied. The project risk management team reports directly to the project risk manager (Labuschagne, 2002).
The role of the project risk profile owners is similar to that of risk owners. When a risk has been identified, it must be assigned to a responsible person who is in a position to explain that risk. It is therefore possible that a project risk profile owner has only one risk, although the norm is to have several (Labuschagne, 2002).
The role of the project risk custodian is to supervise and consolidate all the risks within a certain risk category. Risk custodians are normally team leaders or sub-project managers. The project risk analyst reports to the project risk manager but also has a direct link to the project manager (Labuschagne, 2002).
The project team members play an important role, as they provide the necessary data to the project risk management team as well as to the project risk profile owners. Without this information, the process of risk management cannot take place. Project team members report directly to the top managers of the project, who also head the risk management team (Chadbourne, 1999; Labuschagne, 2002).
1.3 Process of risk and threat assessment
a. Risk assessment
There are two major elements in risk assessment, likelihood and consequence; therefore risk assessment can be defined mathematically as RISK = Consequence x Likelihood.
Likelihood can be defined as an "individual or a group with the motivation and capability for theft or sabotage of assets, or other malevolent acts that would result in loss of assets" (Garcia, 2001, p. 302). Consequence, according to Blades, is the degree of damage that may result in the event of a threat occurrence (Blades, n.d., p. 38).
There are four steps that should be taken into account when assessing risks in an organization. Step one is identifying hazards and those at risk. This involves finding those things at work that have the potential to cause harm, and identifying employees who may be exposed to the hazards; this is known as the scope.
Step two is evaluating and prioritizing risks, which basically involves estimating the existing risks and prioritizing them in order of importance. The work to be done to eliminate or prevent risks is vital and thus should be prioritized. The table below illustrates how risks are categorized and prioritized in the assessment process.
Deciding on preventive action is step three, which involves identifying the correct measures to eliminate or control the risks.
The problem: Risk analysis | The solution: Recommendations
Impact | Likelihood | Risk level (current) | Mitigation measures | Residual risk level (future)
Large | Very likely | High | Transfer | Avoid
Table 1.0: Risk assessment according to SAG (1991)
Step four involves taking action by putting in place the preventive and protective measures according to the prioritization plan and specifying who does what and when. Step five is the final step, which involves monitoring and reviewing. The assessment should be reviewed periodically to ensure it remains up to date, and it should be revised whenever important changes occur in the organization.
The management of an organization will make decisions on protecting its assets according to this assessment. In risk assessment, both immediate and long-term solutions are recommended by the risk analyst.
Risks are described in terms of likelihood and consequences. In terms of likelihood, a risk can be described at a level of very likely to occur, likely, possible, unlikely, rare or unknown.
b. Threat assessment
Threat assessment consists of two major steps: situation analysis and determination of general and specific threats to the assets.
The threat assessment procedure has two parts: identification of the threat and assessment of its impact. The steps in threat assessment are: first, identify the assets you are trying to protect; then, in the threat assessment proper, identify the possible threats to the assets and classify them according to the level of threat as low, medium or high. The third step is to identify how vulnerable the assets are to these threats. Vulnerability of an asset can be classified as very likely, likely, moderately likely or unlikely.
The realities: Threat assessment (TA) | The solution: Recommendations
Threat | Situation | Mitigation measures | Residual risk level (future)
Table 2.0: Threat assessment according to SAG (1991)
The above procedures for assessing risk and threat are similar: in both, the scope of what is to be assessed is identified, and the risks or threats to those particular assets are assessed and given priority depending on their chances of occurring and how much damage they can cause to the asset. In both assessments the scales for measuring vulnerability and magnitude of threats or risks are the same.
It is worth noting that a threat assessment does not provide an assessment of risk; rather, it provides information and procedures that are used within a risk analysis.
The table below shows how risk and threat assessment categorize risks and threats in the analysis process.
Consequences | Rating | Likelihood
Minor: requires first aid treatment or an on-site release is contained; there is little financial loss | 1 | Rare: effects of the risk or threat can be contained; does not increase the probability of additional vulnerabilities being exploited
Moderate: the threat or risk requires significant resources to exploit, with significant potential for financial loss; where it requires little resources to exploit, there is moderate potential for loss | 2 | Possible: may occur at some time and can be expected to affect more than one system element or component
Major: expensive injuries or a major loss of assets; requires few resources to exploit, with significant potential for loss | 3 | Likely: few resources are needed to exploit, with significant potential for loss; will probably occur in most situations
Catastrophic: results in death, toxic release or huge financial loss | 4 | Very likely: expected to occur in most situations
Unknown: assessment not carried out, insufficient data about the risk | 5 | Unknown: insufficient data to make an assessment
Table showing vulnerability and exposure rating
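The RISK = Consequence x Likelihood formula and the rating table above can be turned into a small risk register that scores, ranks and re-scores risks after mitigation (step two and the residual-risk column of Table 1.0). This is an added example, not code from the paper or from SAG; the rating labels follow the paper's table, while the Low/Medium/High bands over the product, the Risk dataclass and the sample register are assumptions. The "Unknown" rating (5) is deliberately kept out of the multiplication, since it marks a missing assessment rather than a worst case.

```python
"""Risk register scoring on the paper's RISK = Consequence x Likelihood model.

Added example, not from the paper or SAG. Rating labels follow the paper's
table; the Low/Medium/High bands, the dataclass and the sample register are
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Ratings 1-4 from the paper's table. Rating 5 ("Unknown") means no assessment
# was carried out, so it must not be multiplied as if it were the worst case.
CONSEQUENCE = {"Minor": 1, "Moderate": 2, "Major": 3, "Catastrophic": 4}
LIKELIHOOD = {"Rare": 1, "Possible": 2, "Likely": 3, "Very likely": 4}
UNKNOWN = "Unknown"


@dataclass
class Risk:
    asset: str
    consequence: str
    likelihood: str
    mitigation: str = ""                        # e.g. Transfer, Avoid (Table 1.0)
    residual_consequence: Optional[str] = None  # rating after mitigation, if changed
    residual_likelihood: Optional[str] = None


def score(consequence: str, likelihood: str) -> Optional[int]:
    """RISK = Consequence x Likelihood; None when either rating is Unknown."""
    if consequence == UNKNOWN or likelihood == UNKNOWN:
        return None
    return CONSEQUENCE[consequence] * LIKELIHOOD[likelihood]


def level(s: Optional[int]) -> str:
    """Map the 1..16 product onto Low/Medium/High (assumed bands, not the paper's)."""
    if s is None:
        return "Unknown"
    if s >= 8:
        return "High"
    if s >= 3:
        return "Medium"
    return "Low"


def assess(register):
    """Step two of the paper's process: estimate each risk and rank by priority.

    Unassessed (Unknown) risks are listed first so they get assessed instead of
    being silently ignored; the rest follow in descending current score. A
    mitigation whose residual risk exceeds the current risk is rejected.
    """
    rows = []
    for r in register:
        current = score(r.consequence, r.likelihood)
        residual = score(r.residual_consequence or r.consequence,
                         r.residual_likelihood or r.likelihood)
        if current is not None and residual is not None and residual > current:
            raise ValueError(f"{r.asset}: mitigation '{r.mitigation}' raises risk")
        rows.append({"asset": r.asset, "current": current, "level": level(current),
                     "mitigation": r.mitigation, "residual": residual,
                     "residual_level": level(residual)})
    rows.sort(key=lambda row: (row["current"] is not None, -(row["current"] or 0)))
    return rows


# Constructed sample register (not real data).
SAMPLE = [
    Risk("Payroll server", "Major", "Likely", "Transfer", residual_likelihood="Rare"),
    Risk("Shared printer", "Minor", "Possible"),
    Risk("New web portal", UNKNOWN, "Possible"),
    Risk("Chemical store", "Catastrophic", "Possible", "Avoid",
         residual_consequence="Minor", residual_likelihood="Rare"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE):
        print(row)
```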
MITIGATION MEASURES
The concept of mitigation measures for risk assessment and threat assessment is simple: it involves acting upon identified elements of the operational context to produce a favourable change in the situation, enabling the effective and efficient conduct of activities while ensuring the security, safety, and well-being of staff as a high priority.
An organization may act upon all elements; however, acting upon the threat may be difficult and sometimes beyond the organization's capabilities. It is easier and more efficient to focus mitigation strategies on the elements that are under the organization's control.
a) Threats and Mitigation Measures
Unintentional threats are threats that are either physical, like leaving materials exposed in plain view, or electronic in nature. Such threats can give insiders the chance to obtain information they are not supposed to know.
In such situations, the threats are addressed by establishing a privacy policy consistent with Fair Information Practices, rules and regulations. Another measure is defining appropriate functional and interface requirements; developing, integrating, and configuring the system in accordance with those requirements and best security practices; and thereafter providing clear operating instructions and training to users and system administrators.
Another example of a threat is an intentional threat from insiders. Actions of this threat can be seen as improper use of authorized capabilities, for instance browsing, removing information from the trash, and circumvention of controls to take unauthorized actions such as removing data from a workstation that has not been shut off. These threats are addressed by a combination of technical safeguards, like access control, auditing, and anomaly detection, and administrative safeguards, which can include procedures, training, etc.
Another type of threat is intentional and unintentional threats from authorized external entities. Intentional threats involve improper use of authorized capabilities, for instance misuse of information, while unintentional threats include flaws in privacy policy definition. In such cases, these threats are addressed by technical safeguards, a good example being boundary controls like firewalls. Administrative safeguards in the form of routine use agreements, which bind external entities, are also vital to mitigate such threats.
Another form of threat is intentional threats from external unauthorized entities. In this case, threat actions are characterized by mechanism, that is, physical attack like theft of equipment, electronic attack like hacking or interception of communications, and personnel attack like social engineering. Such threats are addressed by physical safeguards, boundary controls at external interfaces, technical safeguards like identification and authentication and encrypted communications, and clear operating instructions and training for users and system administrators.
b) Risk Mitigation
Risk management is the culture, processes and structures that are put in place to manage adverse effects (Standards Australia, 2004a, p. 4). The risk associated with a certain attack on an organization can be reduced by reducing the level of threat to it, by reducing its vulnerability to that threat, or by reducing the effect of an attack should it happen. In any organization, various managers play a primary role in reducing threat by disrupting, investigating, detaining, or removing individuals that threaten the organization. Managers are principally responsible for trying to mitigate the result of an attack, through rapid response and recovery. The manager's primary role is to minimize an asset's vulnerability.
An organization that puts in place a sound risk management structure benefits as follows: it will have fewer surprises because it is already prepared for a given risk. When a risk occurs without planning, people tend to shift responsibilities; risk mitigation therefore brings about efficient working, informed decisions and enhanced stakeholder relationships. Risk management reduces the chances of denial and guilt over responsibilities among management or employees if a disaster occurs without preparation.
Conclusion
Risk assessment and threat management are very important to the management of any organization. These tasks can be done by an independent body which has no interest in the company, or by a task force within the company, depending on the nature of the tie and the available resources. Risk management and threat assessment are aimed at improving the organization's disaster preparedness strategy plans. The assessment report of both risk and threat is used to make decisions on how to invest, where to put more resources and what can be deferred for the good of the organization. Most organizations prefer to defer all activities that have been classified as "high risk/threat" and "most likely to occur" with larger damage to the organizational assets. Other organizations decide to transfer these risks and threats to insurance companies, who will compensate them in case such risks/threats strike. Risks/threats that are classified as "low risk/threat" and unlikely to occur, with little damage to the company's assets, are mitigated by the companies themselves, where few resources are expended.
Therefore risk assessment and threat assessment are used by organizations to decide which mitigation plan to implement from the recommendations.
REFERENCES
David van Dantzing (1953). Wired Magazine, Before the levees break, page 3.
Chadbourne, B. C. (1999). To the Heart of Risk Management: Teaching Project Teams to Combat Risk. Sanders, A Lockheed Martin Company, Proceedings of the 30th Annual Project Management Institute 1999 Seminars & Symposium, Philadelphia, Pennsylvania, USA: October 10-16, 1999.
Canadian Communications Security Establishment (1999). "Threat and Risk Assessment Working Guide". Retrieved from http://www.cse-cst.gc.ca/en/documents/knowledge_centre/publications/manuals/ITSG-04e.pdf
Fay, J. J. (Ed.). (1993). Encyclopaedia of security management: Techniques and technology. Boston: Butterworth-Heinemann.
Hall, E. M. (1998). Managing Risk: Methods for Software Systems Development. Addison Wesley, ISBN 0-201-25592-8.
Herzog, Pete (2001). "Open-Source Security Testing Methodology Manual", Version 1.5. Retrieved from http://uk.osstmm.org/osstmm.pdf
Kaye, Krysta (2001). "Vulnerability Assessment of a University Computing Environment". Retrieved from http://rr.sans.org/casestudies/univ_comp.php
Koller, G. (1999). Risk assessment and decision making in business and industry: A practical guide. CRC Press.
Koller, G. (2000). Risk modelling for determining value and decision making. CRC Press.
Labuschagne, L. (2002). Implementing an Information Technology Project Risk Management Initiative. PMISA, ISBN 0-620-28853-1.
Naidu, Krishni (2001). "How to Check Compliance with your security policy". Retrieved from http://rr.sans.org/policy/compliance.php
Raytheon (2002). "Risk Management and Security, Analysis of the Risk Assessment Process". Retrieved from http://www.silentrunner.com/files/whitepaperriskassess.pdf
Risk Management Research and Development Program Collaboration (2002). Risk Management Maturity Level Development, RMRP-2002-02, Version 1.0, April 2002.
Standards Australia (2006). HB 167: Security risk management. Sydney: Standards Australia International Ltd.
Sennewald, C. A. (2003). Effective security management (4th ed.). Boston: Butterworth-Heinemann.
Stephanou, Tony (2001). "Assessing and Exploiting the Internal Security of an Organization". Retrieved from http://rr.sans.org/audit/internal_sec.php
Symantec (January 02, 2002). "Vulnerability Assessment Guide". Retrieved from http://enterprisesecurity.symantec.com/PDF/167100088_SymVAGuide_WP.pdf
Talbot, J., & Jakeman, M. (2008). SRMBOK: Security risk management body of knowledge (1st ed.). Risk Management Institute of Australia, Carlton, Australia.
Turvey, B. E. (1999b). Inductive criminal profiling. In B. Turvey (Ed.), Criminal profiling (pp. 13-23). San Diego, CA: Academic Press.
Vigilinx (2001). "Security Assessment Methodology". Retrieved from http://www.vigilinx.com/pdf/50722_White_Paper-SAM.pdf