It is easy to find news reports of incidents where an organization’s security has been compromised. For example, a laptop was lost or stolen, or a private server was accessed. These incidents are noteworthy because confidential data might have been lost. Modern society depends on the trusted storage, transmission, and consumption of information. Information is a valuable asset that is expected to be protected. Information security is often considered to consist of confidentiality, integrity, availability, and accountability (Blakley, McDermott, & Geer, 2002). Confidentiality is the protection of information against theft and eavesdropping. Integrity is the protection of information against unauthorized modification and masquerade. Availability refers to dependable access of users to authorized information, particularly in light of attacks such as denial of service against information systems. Accountability is the assignment of responsibilities and traceability of actions to all involved parties. Naturally, any organization has limited resources to dedicate to information security. An organization’s limited resources must be balanced against the value of its information assets and the possible threats against them. It is often said that information security is essentially a problem of risk management (Schneier, 2000). It is unreasonable to believe that all valuable information can be kept perfectly safe against all attacks (Decker, 2001). An attacker with unlimited determination and resources can accomplish anything. Given any defenses, there will always exist a possibility of successful compromise. Instead of eliminating all risks, a more practical approach is to strategically craft security defenses to mitigate or minimize risks to acceptable levels. In order to accomplish this goal, it is necessary to perform a methodical risk analysis (Peltier, 2005). This article gives an overview of the risk management process.
Risk management may be divided into three processes, shown in Figure 1 (Alberts & Dorofee, 2002; Farahmand, Navathe, Sharp, & Enslow, 2003; NIST, 2002; Vorster & Labuschagne, 2005). It should be noted that there is no universal agreement on these processes, but most views share the common elements of risk assessment and risk mitigation (Hoo, 2000; Microsoft, 2004). Risk assessment is generally done to understand the system storing and processing the valuable information, system vulnerabilities, possible threats, the likely impact of those threats, and the risks posed to the system.
Risk assessment would be simply an academic exercise without the process of risk mitigation. Risk mitigation is a strategic plan to prioritize the risks identified in risk assessment and take steps to selectively reduce the highest priority risks under the constraints of an organization’s limited resources.
The third process is effectiveness assessment. The goal is to measure and verify that the objectives of risk mitigation have been met. If not, the steps in risk assessment and risk mitigation may have to be updated. Essentially, effectiveness assessment gives feedback to the first two processes to ensure correctness. Also, an organization’s environment is not static. There should be a continual evaluation process to update the risk mitigation strategy with new information.
It is impossible to know for certain what attacks will happen. Risks are based on what might happen. Hence, risk depends on the likelihood of a threat. Also, a threat is not much of a risk if the protected system is not vulnerable to that threat or the potential loss is not significant. Risk is also a function of vulnerabilities and the expected impact of threats.
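The three processes can be illustrated with a small calculation. The following Python is an added example, not part of the chapter: the assets, threats, likelihoods, impacts, controls and costs are constructed figures, and the scoring rule (likelihood times impact, zero where the system is not vulnerable) together with the greedy selection of controls under a budget is one simple instantiation of the process, not the chapter's prescribed method.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: float   # annual probability that the threat occurs
    vulnerable: bool    # is the system actually exposed to this threat?
    impact: float       # expected loss per occurrence, in currency units

    def expected_loss(self) -> float:
        # A threat is not a risk if there is no vulnerability to exploit.
        return self.likelihood * self.impact if self.vulnerable else 0.0

@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    threat: str         # the threat this control addresses
    reduction: float    # fraction of the threat likelihood removed (0..1)

def total_risk(risks):
    """Risk assessment: sum of expected annual loss over all (asset, threat) pairs."""
    return sum(r.expected_loss() for r in risks)

def apply(risks, control):
    """Return the risk register after the control lowers the likelihood of its threat."""
    return [replace(r, likelihood=r.likelihood * (1 - control.reduction))
            if r.threat == control.threat else r for r in risks]

def mitigate(risks, controls, budget):
    """Risk mitigation: repeatedly buy the affordable control with the best
    risk reduction per unit cost until nothing affordable still reduces risk."""
    chosen, remaining = [], list(controls)
    while True:
        affordable = [c for c in remaining if c.cost <= budget]
        gain = lambda c: total_risk(risks) - total_risk(apply(risks, c))
        if not affordable or gain(max(affordable, key=lambda c: gain(c) / c.cost)) <= 0:
            break
        best = max(affordable, key=lambda c: gain(c) / c.cost)
        risks, budget = apply(risks, best), budget - best.cost
        chosen.append(best.name)
        remaining.remove(best)
    return chosen, risks

def effective(risks, acceptable_loss):
    """Effectiveness assessment: did mitigation bring residual risk to an acceptable level?"""
    return total_risk(risks) <= acceptable_loss

# Constructed sample register and candidate controls (hypothetical figures).
RISKS = [Risk("customer database", "server intrusion", 0.20, True, 500_000),
         Risk("staff laptops", "theft", 0.50, True, 20_000),
         Risk("public web site", "denial of service", 0.30, False, 50_000)]
CONTROLS = [Control("patch management", 40_000, "server intrusion", 0.5),
            Control("disk encryption", 5_000, "theft", 0.9),
            Control("traffic scrubbing", 30_000, "denial of service", 0.8)]
```

With a budget of 50,000 the greedy step picks disk encryption first (best reduction per unit cost), then patch management, and leaves traffic scrubbing unbought because the web site is not vulnerable, so that control reduces no risk.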
Key Terms in this Chapter
Accountability: The assignment of responsibilities and traceability of actions to all involved parties.
Risk Mitigation: The process to strategically invest limited resources to change unacceptable risks into acceptable ones.
Threat: The potential for some damage or trouble to an organization’s information technology environment.
Risk Management: An organization’s risk assessment and risk mitigation.
Risk Assessment: The process to understand the value of assets, system vulnerabilities, possible threats, threat likelihoods, and expected impacts.
Vulnerability: A weakness or flaw in an organization’s system that might be exploited to compromise security.
Availability: The maintenance of dependable access of users to authorized information, particularly in light of attacks such as denial of service against information systems.
Integrity: The protection of information against unauthorized modification and masquerade.
Confidentiality: The protection of information against theft and eavesdropping.