Security Risk Analysis
Security Risk Analysis
A risk analysis is a process of identifying the assets you wish to protect and the potential threats against them. Performing an accurate risk analysis is a vital step in securing your network environment.
A formal risk analysis answers the following questions:
- What assets do I need to protect?
- Form what sources am I trying to protect these assets?
- Who may wish to compromise my network and to what gain?
- How likely is it that a threat will violate my assets?
- What is the immediate cost if an asset is compromised?
- What is the cost of recovering from an attack or failure?
- How can these assets be protected in a cost-effective manner?
- Am I governed by a regulatory body that dictates the required level of security for my environment?
In this process a risk analysis report is generated and is used to align technology-related objectives with a company’s business objectives. These types of reports can be quantitative or qualitative in nature. The measure of the IT risk can be determined as a product of threat, vulnerability and asset values.
Risk = Threat + Vulnerability + Asset
Risk analysis is most important process of risk management. It identifies and evaluates the risks which have to be eliminated, controlled or accepted. Risk analysis inclines to carry out work in different areas;
The major area of risk analysis is resource evaluation, it includes information, software, hardware and physical resources. The value of resource is measured by the value of its purchase, however other factors like short term and long-term effects from its destruction also plays a major part in the process of the resource evaluation.
The assessment of consequences defines the degree of destruction or losses which can supposedly occur.
The identification of threat greatly helps in determining the extent of losses to an information system.
The effectiveness of the existing means of protection must be evaluated every time with an update in the security analysis report.
The last and the most important area on which the risk analysis inclines id the calculation of probability i.e., the frequency of the threat occurrence. This should include presence, duration, time and the strength of the threat.
Risk is the concepts that form the basis for what we call security. If we talk in terms of security then we can say that, risk is the potential for less that requires protection. If there is no risk, there is no need for security.
A threat is anything that can disrupt the operation, functioning, integrity, or availability of a network or system. There are different categories of threats, occurrences such as floods, earthquakes, and storms. There are also unintentional threats that are the result of accidents and stupidity. Finally, there are intentional threats that are the result of malicious intent. Each type of threat can be deadly to a network.
A threat-source is defined as either
- Intent and method targeted as the intentional exploitation of vulnerability or
- A situation and method that may accidently trigger vulnerability.
Common threat-sources include natural threats, such as storms and floods, human threats, such as malicious attacks and unintentional acts, and environmental threats, such as power failure and liquid leakage.
Vulnerability is an inherent weakness in the design, configuration, implementation, or management of a network or system that renders it susceptible to a threat. Vulnerabilities are what make networks susceptible to information loss and downtime. Every network and system has some kind of vulnerability.
Impact refers to the magnitude of harm that could be caused by a threat exploiting vulnerability. The level of impact is governed by the potential mission impacts and in turn produces a relative value for the IT assets and resources affected.
Risk management deals with how the effects of risk are controlled, either by prior planning and actions or by responses to the event. Risk management can be best described as a decision-making process.
Risk management adopted three major processes which are known as: risk assessment, risk mitigation, and assessment.
Risk assessment consists of the following:
- Identification and evaluation of risks
- Identification and evaluation of risks impacts
- Recommendation of risk-reducing measures
Risk mitigation involves the following:
- Prioritizing appropriate risk-reducing measures recommended from the risk assessment process.
- Implementing appropriate risk-reducing measures recommended from the risk assessment process.
- Maintaining the appropriate risk-reducing measures recommended from the risk assessment process.
Evaluation and assessment include a continuous evaluation process. For example, the designated approving authority (DAA) has the responsibility for determining if the residual risk in the system is acceptable or if additional security controls should be implemented to achieve accreditation of the IT system.
You May Also Like-
Threats to Information System
What About Information Security??
What do you understand by Information System??
6 Important Question on Tar (Highway Material)
7 Important questions on Bituminous Materials
What are imperfection or defects of Solids
Right Understanding We all know that the Human Desire is to be in continuous happiness which is the need of I (self). But do you know, from where Continuous happiness will come? No, right! So continuous happiness is to be in Right Understanding, Right Feeling, and Right Thought that is Activity of I (Self). Do…
Where We Are (Self-Evolution) We exist as human being. We want to live a fulfilling life. We have some desires and we have some programs for the fulfilment of it. We need to understand our basic aspiration and program for its fulfillment correctly and comprehensively. Only then, we can ensure fulfillment. We should explore ourselves…
Highway Construction Embankment Construction Materials and General Requirements The materials used in embankments, subgrades, earthen, shoulders, and miscellaneous backfills shall be soil, moorum, gravel, a mixture of these. Clay having liquid limit exceeding 70 and plasticity index exceeding 45; shall be considered unsuitable for embankment. Sub-grade and top 500mm portion of the embankment just below…
Special Concretes Concrete is most vital material in modern construction. In addition to normal concrete, other varieties in use are, high strength and high-performance concrete, self-compacting, lightweight, high density, fiber reinforced, polymer, colored concrete, etc. The making of concrete is an art as well as a science. Special types of concrete are those with out-of-the-ordinary…
Marketing Practices Success in the world of business, no matter how you earn it, you have to rule on the marketplace. Although luck plays a role in the outcome of the market strategies. In the business decisions, there should be the understanding of market otherwise the failure will take place by the marked decisions. While…
Risk Analysis The risk that remains after the implementation of controls is called the residual risk. All systems will have residual risk because it is virtually impossible to completely eliminate risk to an IT system. In other words, we can say that there are two main parts of the security risk analysis known as Quantitative…