A Hybrid Asset-Based IT Risk Management Framework

Baris Cimen (Department of Management Information Systems, Bogazici University, Turkey), Meltem Mutluturk (Department of Management Information Systems, Bogazici University, Turkey), Esra Kocak (Department of Management Information Systems, Bogazici University, Turkey) and Bilgin Metin (Department of Management Information Systems, Bogazici University, Turkey)
DOI: 10.4018/978-1-7998-3246-1.ch009
Abstract

Information security has become one of the most important responsibilities of all organizations due to increasing cyber threats. Attackers take advantage of systems vulnerabilities; therefore, system administrators should be aware of potential threats to take necessary actions to protect their organizations and stakeholders. At this point, a risk assessment is needed to discover possible threats for vulnerable systems of the organization and to implement strategies for the business goals. This study proposes a hybrid risk management framework using both qualitative and quantitative methods to analyze risk within organizations and reduce them with practical countermeasures. Based on this framework, case studies have been carried out considering three hypothetical companies identifying possible information security risks, and these risks have been reduced to an acceptable level by applying the proposed risk analysis methodology.
Introduction

Cyber-attacks have disrupted the information technology infrastructure of organizations and posed significant threats to their valuable information resources, which are regarded as extremely important assets in cyberspace. Business managers need to be aware of possible threats, and of both internal and external factors, in order to manage cybersecurity risks. Hence, a risk analysis procedure assists managers by evaluating the threats or risks an organization faces, measuring the probability and impact of those risks, and finally implementing strategies that add value to business operations by protecting the most precious information assets. Although the most established risk analysis methodologies give great attention to technical risks, business organizations now need a risk analysis that incorporates the social and organizational elements of complex systems alongside the technical aspects in order to evaluate and manage those risks correctly. Within this context, the main objective of this paper is to address information risk management concepts with respect to possible threats and important organizational assets.

Drawing upon the BS 7799 (Biery, 2006) information security risk management guidelines, and contributing additional possible threats, three hypothetical companies have been examined in terms of their business and organizational priorities. To that end, a strategic framework was proposed in order to identify critical business operations and relevant threats, along with asset valuation, for these three companies. Finally, a summary of evaluations and solutions was proposed for the threats identified in these companies. This study proposes a hybrid risk management framework using both qualitative and quantitative methods to analyze risks within the three hypothetical companies, with the aim of incorporating social and organizational aspects alongside technical ones and thereby overcoming shortcomings that previous methods did not address. The remainder of the paper is structured as follows. The extant literature on cybersecurity risk analysis and management is reviewed, followed by a presentation of the proposed risk management framework. The paper concludes with a summary of the results and an overview of the solutions and evaluations.

Key Terms in this Chapter

Risk: A measure of how exposed assets are to potential threats.

Threat Impact: Indicates how seriously a potential threat affects a vulnerability in the system.

Residual Risk: The risk that remains after risk processing and cannot be reduced to the acceptable level.

Risk Analysis: Evaluation of possible threats and possible risks.

Risk Processing: The package/plan of measures, produced as a result of risk analysis, that reduces the risks to an acceptable level and maintains that level.

Threat: A potential hazard that can partially or totally interrupt the operation of systems, processes, and other information system components.

Vulnerability: A weakness that gives rise to a threat.
