Abstract
The goal of information security is to be able not just to put in place measures to detect and mitigate attacks but also to predict attacks, deter attackers from attacking, and thus defend the systems from attack in the first place. Data protection should be based on the lessons learned over time, both within the organization and in other organizations. Over the time, a large number of methodologies for identifying information security risks were proposed and adopted and simplified approach to different methodologies has led to their classification in quantitative and qualitative, especially in terms of metrics used to quantify risk. This chapter proposes an international overview regarding the quantitative and qualitative analysis methods for information risk analysis. In practice almost always use a combination of these methods, depending on the characteristics of the organization investigated the degree of uncertainty associated with the method of analysis and risk management.
TopBackground
The risk analysis must be approached methodically to ensure that all activities of the organization were evaluated and all risks associated with these activities have been defined (Stepchenko & Voronova, 2015). The results of the risk analysis can be used to outline a risk profile of the organization that provides a rating of the significance of each risk and to prioritize risk management efforts. This process allows the mapping of risks by fields that affect the description of existing control mechanisms and indicates situations where the investment in controlled measures should be raised, lowered or redistributed (Enagi & Ochoche, 2013).
Risk analysis activity contributes to the efficiency and effectiveness of the organization's operations by identifying those risks that require management attention (Karim, 2007). It facilitates prioritization of risk control actions, depending on the impact on the organization and the potential benefit that they bring control measures organization. In this context, when we talk about treatment risks, the range of responses to risk includes tolerance, treatment, transfer and disposal (Coltman, Tallon, Sharma & Queiroz, 2015). However, organizations may decide that it is necessary to improve the control environment.
Some other external entities of the organization, such as customers, suppliers, business partners, external auditors, regulators and financial analysts often provide useful information for an efficient risk management process, but they are not responsible for the effectiveness of this process and also they are not part of the organizational risk management (Table 1).
Key Terms in this Chapter
Residual Risk: The risk that remains after security measures are implemented in a computer system and communications, as a consequence of the fact that not all threats can be countered and not all vulnerabilities can be eliminated or reduced to zero.
Financial Risks: These types of risk may reflect inadequate or unclear definition of strategies and objectives of the organization.
Threat: A potential cause unwanted incidents that may result in damage to the mission of a system or an entire organization. Security threats can be accidental or deliberate (malicious) and are characterized by elements of threat, attack method, and the goods subject to the threat.
Risk Management: A process conducted by the board of directors, the managers and others within an organization, in order to identify potential events that may affect the organization to manage the risks to the organization and to provide reasonable assurance regarding the achievement of organizational objectives.
Risk Analysis: A process of calculating risk. Algorithms for calculating the risk calculated risk as a function of the organization's assets, threats, and vulnerabilities.
Strategic Risks: Risks that should be considered by top management of the organization. These risks may affect the strategic objectives set by the organization in the long term.
Credibility: A concept directly related to risk management. How the organization addresses its credibility influences behavior, and internal and external relations of trust.