Security Risk Assessment

A security risk assessment involves identifying, analyzing, and evaluating potential threats to a business's assets, operations, and personnel. This process helps organizations understand their vulnerabilities and implement measures to mitigate risks. By conducting regular security risk assessments, businesses can proactively protect themselves from potential security breaches and minimize the impact of security incidents.

Written by Perlego with AI-assistance

10 Key excerpts on "Security Risk Assessment"

  • Industrial Security
    eBook - ePub

    Industrial Security

    Managing Security in the 21st Century

    • David L. Russell, Pieter C. Arlow (Authors)
    • 2015 (Publication Date)
    • Wiley (Publisher)
    Security risk analysis, otherwise known as risk assessment, is fundamental to the security of any organization. It is essential in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed. However, many conventional methods for performing security risk analysis are becoming more and more untenable in terms of usability, flexibility, and critically—in terms of what they produce for the user.
    The basic elements of risk must be explored, and a Security Risk Assessment methodology and tools must be introduced to help ensure compliance with security policies, external standards (such as ISO 17799), and legislation (such as data protection legislation).

    Business Definition for Risk Assessment

    Determining the level of risk in a particular course of action is important. Risk assessments are an important tool in areas such as health and safety management and environmental management. Results of a risk assessment can be used, for example, to identify areas in which safety can be improved. Risk assessment can also be used to determine more intangible forms of risk, including economic and social risk, and can inform the scenario planning process. The amount of risk involved in a particular course of action is compared to its expected benefits to provide evidence for decision making.

    Broad Definition for Risk Assessment

    Risk assessment is the overall process of identifying all the risks to and from an activity and assessing the potential impact of each risk. The impact is measured by combining assessed and costed risk, the likelihood of an incident, and the impact of the incident. These elements are then combined to produce a single cost figure.[17]

    Quantitative Risk Assessment

    This approach employs two fundamental elements: the probability of an event occurring and the likely loss should it occur. Quantitative risk analysis makes use of a single figure produced from these elements. This is called the “annual loss expectancy (ALE)” or the “estimated annual cost (EAC).” This is calculated for an event by simply multiplying the potential loss by the probability. As previously discussed, it is theoretically possible to rank events in order of risk (ALE) and to make decisions based on it accordingly. The problems with this type of risk analysis are usually associated with the unreliability and inaccuracy of the data. Probability can rarely be precise and can, in some cases, promote complacency. Controls and countermeasures often tackle a number of potential events, and the events themselves are frequently interrelated, and the cost of improvements cannot be clearly calculated or assigned.
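The ALE calculation in the excerpt above, carried through for several events with the data-quality caveat made explicit. This is an added example written for this page, not code from Russell and Arlow's book: the event names, single-occurrence losses and probability ranges are constructed, and the interval-overlap check and the `net_benefit` control comparison are additions to the excerpt's loss x probability formula.

```python
"""Annual loss expectancy (ALE) ranking with the data-quality caveat made explicit.

Added example; not from Russell and Arlow. All events, losses and probability
bounds below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    name: str
    loss: float     # potential loss from a single occurrence (constructed figure)
    p_low: float    # lowest defensible annual probability (constructed)
    p_high: float   # highest defensible annual probability (constructed)

    @property
    def p_mid(self) -> float:
        """Point estimate used for the headline ALE."""
        return (self.p_low + self.p_high) / 2


def ale(loss: float, probability: float) -> float:
    """ALE (or EAC) = potential loss x annual probability, as in the excerpt."""
    if loss < 0 or not 0.0 <= probability <= 1.0:
        raise ValueError("loss must be >= 0 and probability within [0, 1]")
    return loss * probability


def rank_by_ale(events: List[Event]) -> List[Event]:
    """Order events by point-estimate ALE, largest first."""
    return sorted(events, key=lambda e: ale(e.loss, e.p_mid), reverse=True)


def overlapping_pairs(events: List[Event]) -> List[Tuple[str, str]]:
    """Adjacent pairs in the ranking that the probability data cannot separate.

    If the lower-ranked event's best-case ALE (at p_high) exceeds the
    higher-ranked event's worst-case ALE (at p_low), the two intervals overlap
    and the ordering is an artefact of the point estimates. This is the
    'unreliability and inaccuracy of the data' problem the excerpt warns about.
    """
    ranked = rank_by_ale(events)
    return [
        (hi.name, lo.name)
        for hi, lo in zip(ranked, ranked[1:])
        if ale(lo.loss, lo.p_high) > ale(hi.loss, hi.p_low)
    ]


def net_benefit(event: Event, residual_loss: float, residual_p: float,
                annual_control_cost: float) -> float:
    """Annualised benefit of a control: ALE reduction minus the control's cost.

    A negative value means the expenditure is not commensurate with the risk.
    """
    before = ale(event.loss, event.p_mid)
    after = ale(residual_loss, residual_p)
    return before - after - annual_control_cost


# Constructed sample data: four events for a fictional mid-sized firm.
EVENTS = [
    Event("Ransomware outbreak", loss=2_000_000, p_low=0.05, p_high=0.15),
    Event("Laptop theft", loss=20_000, p_low=0.80, p_high=1.00),
    Event("Data centre fire", loss=5_000_000, p_low=0.01, p_high=0.05),
    Event("Insider fraud", loss=500_000, p_low=0.10, p_high=0.30),
]


if __name__ == "__main__":
    for e in rank_by_ale(EVENTS):
        print(f"{e.name:22s} ALE={ale(e.loss, e.p_mid):>12,.0f} "
              f"range={ale(e.loss, e.p_low):,.0f}..{ale(e.loss, e.p_high):,.0f}")
    print("rankings the data cannot support:", overlapping_pairs(EVENTS))
    # Offline backups cutting the ransomware loss to 400k for 60k a year (constructed).
    print("net benefit of backups:",
          net_benefit(EVENTS[0], 400_000, EVENTS[0].p_mid, 60_000))
```

With the constructed figures the point estimates rank ransomware above a data centre fire above insider fraud, but the probability intervals of each adjacent pair overlap, so the ordering of the top three is not something the data can support; only laptop theft is clearly separated. That is the practical reason the excerpt warns against reading too much into a single ALE ranking.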
  • Security Risk Assessment
    eBook - ePub

    Security Risk Assessment

    Managing Physical and Operational Security

    Chapter 1

    Introduction to Security Risk Assessments

    Abstract

    There are many names given to the term Security Risk Assessment. In fact, the actual process of identifying security issues has been called physical security assessment, security survey, security audit, and risk assessment to name just a few. Generally speaking, it is a systematic on-site assessment and analysis of your current security measures, whether they are physical security measures, technology, operations, facilities, security management, policies, training, reports, or any other aspect of your security program or measures. This chapter will help to define the intent of an assessment, who will conduct it, and how to remain objective and unbiased throughout the project.

    Keywords

    Defining security risks; Physical security review; Security deficiencies or excesses; Security Risk Assessment; Security vulnerabilities

    What Is a Security Risk Assessment?

    There are many definitions given to the term Security Risk Assessment. According to ASIS International’s manual, Protection of Assets: Physical Security, a Security Risk Assessment is “a fundamental examination that can include review of documentation, policies, facilities, technology, protection strategies, staffing, training, and other key indicators to determine the present state of the protection program (security) in an effort to identify deficiencies and even excesses, in order to make recommendations for improvement based on proven methods.”[1]
    In fact, the actual process of identifying security issues has been called many different things. Some of the more common names assigned to this subject have been security assessment, security survey, security audit, and risk assessment to name just a few. Generally speaking, it is a systematic on-site assessment and analysis of your current security measures, whether they are physical security measures, technology, operations, facilities, security management, policies, training, reports, or any other aspect of your security program or measures. Regardless of the title, they are all going after similar goals of identifying security weaknesses, risks, deficiencies, and even excesses, and then formulating a plan to address the findings with detailed recommendations based on industry accepted standards and best practices.
  • The Security Risk Handbook
    eBook - ePub

    The Security Risk Handbook

    Assess, Survey, Audit

    • Charles Swanson (Author)
    • 2023 (Publication Date)
    • Routledge (Publisher)
    Fischer (2013), when discussing risk analysis, makes a number of good arguments relevant to this book when he says that the first step in risk analysis is identifying the threats and vulnerabilities. Many threats to business are important to security, but some are more obvious than others. That is applicable when you look at the individual and diverse environments in part two of this chapter.
    Let us refresh our memories before we move on.
    The six-step Security Risk Assessment process
    1. Identify the organisation’s assets.
      This has to be the first step in the Security Risk Assessment process because if we do not understand what requires protection, the remaining steps of the assessment will be pointless. Before an attack, the first step the aggressor takes is to identify those entities and functions that are key to us and the organisation, namely the assets.
    2. What are the threats to the organisation? Step two is the identification of the threats pertinent to the organisation by way of a credible threat assessment. Who and what do we anticipate defending ourselves and the organisation against?
    3. What vulnerabilities or weaknesses have been identified?
      The criminal or terrorist will forensically examine all of our security systems in an effort to identify a weakness, or exposure, through which he or she may be able to carry out their attack(s). We must be on the front foot by identifying such vulnerabilities before an attack.
    4. What is the likelihood of an attack? This is by far the most difficult task in the Security Risk Assessment, and it is a phase when we must be in a position to foster the thoughts of any Subject Matter Expert relevant to the threat.
    5. What would be the impact? Once we have knowledge of the assets, threats, vulnerabilities, and likelihood of an attack, we will be in a position to calculate any possible impact. Once again it is critical to consult experts.
  • Cyber Security Management
    eBook - ePub

    Cyber Security Management

    A Governance, Risk and Compliance Framework

    • Peter Trim, Yang-Im Lee (Authors)
    • 2016 (Publication Date)
    • Routledge (Publisher)
    CHAPTER 6

    Risk Assessment Policy and its Strategic Context

    6.0 Introduction

    Mont and Brown (2011: 1) make a number of relevant points when stating that:
    Security decision-makers need to assess the risks their companies are exposed to (due to current and foreseeable threat environments) and how current security policies effectively address them; the priorities of various stakeholders and business objectives need to be taken into account; they need to understand the implications, at the operational level, of mandating or changing specific policies; they need to decide which investments (e.g., automation, education, better monitoring/compliance, etc.) are necessary and most suitable in order to support these policies.
    This chapter starts with understanding what risk involves (Section 6.1) and continues with defining the term vulnerability (Section 6.2). Reference is then made to risk assessment policy (Section 6.3) and a strategic management framework is included (Section 6.4). Cyber security strategy (Section 6.5) is given prominence and this is followed by cloud computing (Section 6.6). A conclusion is provided (Section 6.7).

    6.1 Understanding what Risk Involves

    There are different methods of risk assessment and some may be more suitable than others. Some involve mathematical formulas and some are more qualitative and involve the use of score cards for example. In order to better understand the complications associated with risk, it is important for senior management to know what type of business model is in place and what type of exposure the organization is confronted with; more importantly the size and complexity of the organization itself; management’s attitude to change and innovation; a consideration of the non-human factors and human factors (both internal and external); and an appreciation of the fact that those who might launch an attack on the organization have the resources to do so. They should also have an overall appreciation of the complexity of the IT resources, the internal and external use of the Internet, the access that the organization’s partners (outsourced service providers) have to the organization’s IT networks and resources, the extent to which employees engage in home working and remote working, and other considerations such as legal and regulatory requirements and possible breaches; the consequences of an organization not being able to access business critical information from the organization’s information systems, changes being made to business critical information on an organization’s information systems without the knowledge of staff or authorisation, and the likely impact on the organization should, for example, the confidentiality of the business critical information on the organization’s systems be compromised (ENISA, 2007–2008: 4–8). Other considerations that top management need to take into account are the significance of the organization’s information systems with respect to it achieving its business objectives and what the impact on various stakeholders might be should a disaster occur with the organization’s information systems (ENISA, 2007–2008: 8).
  • Understanding Personal Security and Risk
    eBook - ePub

    Understanding Personal Security and Risk

    A Guide for Business Travelers

    • Charles E. Goslin (Author)
    • 2017 (Publication Date)
    • Routledge (Publisher)
    9 Risk Assessment for Personal Security

    Introduction

    The purpose of formally assessing risk in the field of personal security is to develop an executive protection program (see Chapter 4 ) or to develop a plan for a project that either you or someone you are in charge of is executing with a team in a high-risk location. There are several different kinds of risk assessment methods used today in the field of security and business with varying degrees of complexity in formula, granularity, scope, and terminology. The right kind of risk assessment depends on the application—one size or formula does not fit all. In the field of personal security, my own view is that the simpler the method, the better. Unlike risk assessments done for sensitive government or industrial facilities, infrastructure, or business enterprise, the personal Security Risk Assessment is focused mainly on one key asset—you or individuals for whom you are immediately responsible. For this reason, the personal Security Risk Assessment that I describe here is very suitable for tailoring to a micro rather than a macro scale and scope.
    The risk assessment process is the best way to design and implement a personal security program or security program related to personal security—such as an executive protection or a corporate traveler security program. This approach methodically guides your collection, selection, and evaluation of information to ensure that it is detailed, accurate, and relevant. It provides structure to what is an imperfect science at best—although there continues to be excellent strides made in perfecting it. More than any of the other disciplines within the overall field of security, personal security is fraught with subjective information and is thus very dependent on good judgment, instinct, experience, and timing. This method can be used when you are required to design a program to demonstrate to decision makers your justification for countermeasure selection, for estimation of threat and risk, and as a baseline for future analysis. It is especially important when resources are limited and can only be allocated toward critical needs. It is a hands-on process that requires you to interact with the requirements of your stakeholders, research and ask questions about the kinds of adversaries you or your team might face, and understand the kinds of weakness that might exist through questioning and evaluation. The importance of asking the right question to get the right information—and not throwing something up against the wall (next to my dislike of checklists is the hackneyed question, “what keeps you awake at night?”) to see what sticks—is very important when conducting an assessment, whether it is complex or simple. At the very least, you need to know what it is that you are digging into and do a bit of research before the survey. It is important to order your survey’s sequence to mirror the risk assessment process. 
    The analysis process is iterative and repetitive for a reason: By overlapping the right stages, you will be able to uncover the right data that evolve into information and link to each element of the process, providing continuity. Taking a haphazard or hasty approach to risk assessment in order to get to a quick solution and “make a plan!” does yourself or your client or team no favors. Asset criticality and impact of loss mirror elements within vulnerability and threat, so each must be taken in specific order to ensure discipline in the method. This also ensures that you remain as objective and unbiased as possible, which is particularly important when conducting purely qualitative assessments that have subjective inputs.
  • Security Architecture – How & Why
    Table 3.3). You will therefore need to adopt a risk assessment methodology to develop this business risk model.
    Assessing the level of threat is notoriously difficult. Threats exist outside your span of control, the world is simply a dangerous place and all that you can do is to recognize the threats and their sources (threat agents). Without access to reliable, consistent, complete data on previous loss events, the statistical analysis provides little useful guidance on the probability of a threat materializing. Also, as has been already mentioned, observation of past events is not necessarily a good guide to how the future will be.
    Assessing the vulnerabilities and the associated impact is much easier since both these things are within your span of control. Thus, risk assessment methodologies in commercial organizations tend to focus on assessing these aspects, usually qualitatively (low, medium, high). Analyzing threats in commercial organizations is limited simply to identifying the threats without quantification. Risk and threat assessment methodologies can fill several books by themselves and SABSA has its own model, but here I will point you to a few sources of risk and threat assessment methodologies and frameworks, before getting to the SABSA model. You absolutely must know about both risk and threat assessment, in order to be successful with SABSA!
  • Understanding, Assessing, and Responding to Terrorism
    eBook - ePub

    Understanding, Assessing, and Responding to Terrorism

    Protecting Critical Infrastructure and Personnel

    • Brian T. Bennett (Author)
    • 2017 (Publication Date)
    • Wiley (Publisher)
    As part of the critical infrastructure, key resource, and key asset protection process, risk analysis occurs when a jurisdiction determines that one or more of the critical assets that were identified in the inventory step are threatened and vulnerable to deliberate attacks by an adversary, by natural disasters, or by accidents. Risk analysis begins with an examination of the negative effects of the degradation or loss of a critical asset. The likelihood of the occurrence is determined, and appropriate security countermeasures are developed and implemented. These scaled countermeasures should be appropriate to the threat posed against the critical asset. Following this action is an evaluation of the cost of the security countermeasures in terms of available resources (e.g., time, money, personnel, and materials).
    The goals of risk analysis are the identification of all critical assets, threats, and vulnerabilities of critical assets along with the estimation of the impact of a successful attack. Risk analysis provides:
    • Potential Threat Strategies. A review of the adversary's overall strategy, and tactical threats. As part of the evaluation process, variations of the potential tactics used should be conducted as well. The most credible scenarios should be identified for further evaluation.
    • Assessment of Current Risk to an Asset. What intelligence exists that an adversary may be targeting a particular critical asset?
    • Countermeasure Options. A review of the gamut of security countermeasures that is available to protect the critical asset by reducing vulnerabilities and hence risk. Countermeasures may be administrative, such as policies and procedures, or physical, such as hardening.
    • Evaluation of System Effectiveness.
  • Information Security Risk Assessment Toolkit
    eBook - ePub

    Information Security Risk Assessment Toolkit

    Practical Assessments through Data Collection and Data Analysis

    • Mark Talabis, Jason Martin (Authors)
    • 2012 (Publication Date)
    • Syngress (Publisher)

    Chapter 5

    Information Security Risk Assessment: Risk Assessment

    Information in this chapter:

    • System Risk Analysis
    • Organizational/Strategic Risk Analysis

    Introduction

    So, we have collected the data in our data collection phase and we have structured the data in the data analysis phase. At this point you may be asking yourself, “What is the difference between the previous phase of the process and this one?” The fundamental difference is that the data analysis phase deals with structuring and organizing the data that was collected. Think of it as putting unstructured data, like a survey, into an organized format, such as a table. This phase is really focused on going through the organized data and interpreting it in order to derive and support our conclusions.
    At this point of our process, we should have relatively organized data that can be used for a more practical analysis of risk. In the previous phase, we used the data we collected in quantitative analysis to derive figures and various “scores.” These scores will be essential inputs as we move into more of a qualitative analysis.
    During this risk analysis phase, we will interpret the data, gather findings, and ultimately form conclusions that will be the end result of all our activities so far. At the end of this chapter, the assessor should be able to answer the question “What are our organizational and system specific risks?”
    In this chapter we will introduce two related but distinct levels of risk analysis. One is the system risk analysis, where we focus on the risk to a specific system. Many of the activities conducted in the data analysis phase are focused on system risk. The second type of risk analysis that we will be performing is an organizational or “strategic” analysis that provides an overall view of risks as they pertain to the organization. Organizational risk analysis is the most qualitative of the two and the outcome of this analysis is more subject to interpretation and is more heavily influenced by the experience of the practitioner.
  • Certified Information Security Manager Exam Prep Guide
    eBook - ePub

    Certified Information Security Manager Exam Prep Guide

    Gain the confidence to pass the CISM exam using test-oriented study material, 2nd Edition

  • As per good practices, a full reassessment of risk should be performed:
    1. In the case of material control failure
    2. In the case of the residual risk being higher than the acceptable risk
    3. In the case of the installation of a new patch
    4. In the case of the implementation of emergency changes
  • The main objective of conducting risk assessments on a consistent basis is:
    1. To lower the cost of risk assessment
    2. To adhere to the security budget
    3. To comply with the security policy
    4. To determine trends in the evolving risk profile
  • Risk Identification

    Risk management begins with risk identification. Risk identification is the process of identifying and listing risks in the risk register.
    The primary objective of the risk identification process is to recognize threats, vulnerabilities, assets, and controls of the organization. A risk practitioner can use the following sources for the identification of any risk:
    • Review of past audit reports
    • Review of incident reports
    • Review of public media articles and press releases
    • Systematic approaches such as vulnerability assessments, penetration testing, review of business continuity plan (BCP) and disaster recovery plan (DRP) documents, interviews with senior management and process owners, and scenario analysis
    All the identified risks should be captured in the risk register along with details such as description, category, probability, impact, and risk owner. In fact, maintenance of the risk register process starts with the risk identification process.

    Risk Identification Process

    The following are the steps involved in risk identification:
    Figure 3.10: Risk identification process
    A security manager should thoroughly understand the process of risk identification. Generally, this process begins with the identification of critical assets. A security manager should be aware of all assets that need protection. After the identification of assets, threats should be determined, followed by the identification of any existing controls, identification of vulnerabilities, and then determining consequences.
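A risk register that follows the sequence just described (assets, threats, existing controls, vulnerabilities, consequences) and the stepwise process in the Swanson excerpt earlier on this page, scored on a qualitative likelihood x impact matrix and checked against an acceptable-risk level so that entries whose residual score exceeds it are flagged for treatment and reassessment, as the CISM guidance above requires. This is an added example written for this page, not code from either book; the five-level scales, the rating bands, the appetite threshold and every register entry are constructed.

```python
"""Qualitative risk register: assets -> threats -> existing controls ->
vulnerabilities -> consequences, scored on a 5x5 likelihood x impact matrix
and checked against a risk appetite.

Added example; not from the Swanson or CISM excerpts. The scales, rating
bands and all register entries below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Ordinal scales (constructed); the matrix product ranges from 1 to 25.
LEVELS: Dict[str, int] = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    asset: str             # what needs protecting
    threat: str            # who or what we defend against
    existing_control: str  # control already in place, assumed when scoring
    vulnerability: str     # the weakness the threat could exploit
    likelihood: str        # qualitative level from LEVELS
    impact: str            # qualitative level from LEVELS
    owner: str             # accountable for treatment
    category: str = "security"

    def score(self) -> int:
        """Residual score, existing controls already taken into account."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def rating(self) -> str:
        """Banding of the score (constructed thresholds)."""
        s = self.score()
        if s >= 15:
            return "critical"
        if s >= 8:
            return "high"
        if s >= 4:
            return "medium"
        return "low"


def build_register(entries: List[RiskEntry]) -> Dict[str, RiskEntry]:
    """Validate entries and index them by risk_id; the dict is the register."""
    register: Dict[str, RiskEntry] = {}
    for e in entries:
        if e.risk_id in register:
            raise ValueError(f"duplicate risk id {e.risk_id}")
        if e.likelihood not in LEVELS or e.impact not in LEVELS:
            raise ValueError(f"{e.risk_id}: unknown likelihood or impact level")
        if not e.owner.strip():
            raise ValueError(f"{e.risk_id}: every risk needs an owner")
        register[e.risk_id] = e
    return register


def ranked_ids(register: Dict[str, RiskEntry]) -> List[str]:
    """Risk ids ordered highest score first; ties broken by id for stability."""
    ordered = sorted(register.values(), key=lambda e: (-e.score(), e.risk_id))
    return [e.risk_id for e in ordered]


def above_appetite(register: Dict[str, RiskEntry], appetite: int) -> List[str]:
    """Ids whose residual score exceeds the acceptable level and so need
    treatment and a fresh assessment."""
    return [rid for rid in ranked_ids(register) if register[rid].score() > appetite]


# Constructed sample register for a fictional organisation.
ENTRIES = [
    RiskEntry("R-001", "Customer database", "External attacker", "Web application firewall",
              "Unpatched web application", "high", "very high", "Head of IT"),
    RiskEntry("R-002", "Payroll system", "Malicious insider", "Quarterly access review",
              "Excessive standing privileges", "medium", "high", "HR Director"),
    RiskEntry("R-003", "Office lobby", "Tailgating intruder", "Reception staff",
              "No turnstiles on the entrance", "high", "low", "Facilities Manager"),
    RiskEntry("R-004", "Backup tapes", "Loss in transit", "Courier chain of custody",
              "Unencrypted media", "low", "very high", "Head of IT"),
    RiskEntry("R-005", "Shared printers", "Document theft from output tray", "None",
              "No secure print release", "medium", "low", "Office Manager"),
]


if __name__ == "__main__":
    reg = build_register(ENTRIES)
    for rid in ranked_ids(reg):
        e = reg[rid]
        print(f"{rid} {e.score():2d} {e.rating():8s} {e.asset} / {e.threat} (owner: {e.owner})")
    print("exceeds appetite of 9:", above_appetite(reg, 9))
```

Note that the register stores the control that already exists alongside each vulnerability, so the score is a residual one; when a control fails or an emergency change is made, re-scoring the affected entries is what the CISM reassessment triggers amount to in practice.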
  • Business Continuity and Disaster Recovery Planning for IT Professionals
    • Susan Snedaker (Author)
    • 2011 (Publication Date)
    • Syngress (Publisher)
    http://csrc.nist.gov/publications/nistbul/ifl02-2002.txt):
    “Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. The objective of performing risk management is to enable the organization to accomplish its mission(s) (1) by better securing the IT systems that store, process, or transmit organizational information; (2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and (3) by assisting management in authorizing (or accrediting) their IT systems on the basis of the supporting documentation resulting from the performance of risk management. Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment.”
    Both business risk and IT-specific risk must be addressed using the same methodology; only the details will differ. We can use the following equation to define risk as well: Risk = Threat + (Likelihood + Vulnerability) + Impact
    Thus, risk could be viewed as the combination of the threat itself, the likelihood of that threat occurring, the vulnerability of the organization or system to that threat, and the relative or absolute impact of that threat on the organization or system. Likelihood and vulnerability are shown in parentheses simply to indicate that some people prefer to assess these in one pass or as one value. For example, vulnerability could be construed to include likelihood; others may want to specifically break out the likelihood from the vulnerability. Either method is acceptable as long as you account for both factors in your equation. Although this might seem like splitting hairs, it’s important to define these various elements so that we can discuss them at the level of detail needed to perform a thorough and meaningful risk assessment. We’ll discuss threats and threat sources
Index pages curate the most relevant extracts from our library of academic textbooks. They’ve been created using an in-house natural language model (NLM), each adding context and meaning to key research topics.