Security Risk Analysis
A risk analysis is a process of identifying the assets you wish to protect and the potential threats against them. Performing an accurate risk analysis is a vital step in securing your network environment.
A formal risk analysis answers the following questions:
- What assets do I need to protect?
- From what sources am I trying to protect these assets?
- Who may wish to compromise my network and to what gain?
- How likely is it that a threat will compromise my assets?
- What is the immediate cost if an asset is compromised?
- What is the cost of recovering from an attack or failure?
- How can these assets be protected in a cost-effective manner?
- Am I governed by a regulatory body that dictates the required level of security for my environment?
In this process a risk analysis report is generated and is used to align technology-related objectives with a company's business objectives. These reports can be quantitative or qualitative in nature. The measure of IT risk can be expressed as the product of the threat, vulnerability and asset values:
Risk = Threat × Vulnerability × Asset
Risk analysis is the most important process in risk management. It identifies and evaluates the risks that have to be eliminated, controlled or accepted. Risk analysis covers work in several areas:
The major area of risk analysis is resource evaluation, which covers information, software, hardware and physical resources. The value of a resource is initially measured by its purchase price; however, other factors, such as the short-term and long-term effects of its destruction, also play a major part in resource evaluation.
The assessment of consequences defines the degree of destruction or loss that could occur.
The identification of threats helps greatly in determining the extent of losses to an information system.
The effectiveness of the existing means of protection must be re-evaluated with every update of the security analysis report.
The last and most important area of risk analysis is the calculation of probability, i.e., the frequency of threat occurrence. This should take into account the presence, duration, timing and strength of the threat.
Risk is the concept that forms the basis for what we call security. In security terms, risk is the potential for loss that requires protection. If there is no risk, there is no need for security.
A threat is anything that can disrupt the operation, functioning, integrity, or availability of a network or system. There are different categories of threats: natural occurrences such as floods, earthquakes, and storms; unintentional threats that are the result of accidents and carelessness; and intentional threats that are the result of malicious intent. Each type of threat can be deadly to a network.
A threat-source is defined as either:
- The intent and method targeted at the intentional exploitation of a vulnerability, or
- A situation and method that may accidentally trigger a vulnerability.
Common threat-sources include natural threats, such as storms and floods, human threats, such as malicious attacks and unintentional acts, and environmental threats, such as power failure and liquid leakage.
Vulnerability is an inherent weakness in the design, configuration, implementation, or management of a network or system that renders it susceptible to a threat. Vulnerabilities are what make networks susceptible to information loss and downtime. Every network and system has some kind of vulnerability.
Impact refers to the magnitude of harm that could be caused by a threat exploiting a vulnerability. The level of impact is governed by the potential mission impacts, which in turn produce a relative value for the IT assets and resources affected.
Risk management deals with how the effects of risk are controlled, either by prior planning and actions or by responses to the event. Risk management can be best described as a decision-making process.
Risk management comprises three major processes: risk assessment, risk mitigation, and evaluation and assessment.
Risk assessment consists of the following:
- Identification and evaluation of risks
- Identification and evaluation of risk impacts
- Recommendation of risk-reducing measures
Risk mitigation involves the following:
- Prioritizing the risk-reducing measures recommended by the risk assessment process.
- Implementing the appropriate risk-reducing measures.
- Maintaining those measures over time.
Evaluation and assessment is a continuous process. For example, the designated approving authority (DAA) has the responsibility for determining whether the residual risk in the system is acceptable or whether additional security controls should be implemented to achieve accreditation of the IT system.
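The following is an added example, not code from the original article: a small risk register that applies the Risk = Threat × Vulnerability × Asset formula and the probability area of risk analysis described above, then supports the risk assessment step (ranking) and the risk mitigation step (deciding whether a control is cost-effective) described under risk management. The 1-5 scales, the register entries, the control costs and the conversion of frequency and incident cost into an expected annual loss are all constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed 1-5 scales for the three factors in the formula (assumption: 1 = low, 5 = high).
THREAT = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}
VULNERABILITY = {"hardened": 1, "minor": 2, "moderate": 3, "weak": 4, "unprotected": 5}
ASSET = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}

@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    likelihood: str          # key into THREAT
    weakness: str            # key into VULNERABILITY
    value: str               # key into ASSET
    annual_frequency: float  # expected occurrences per year (the probability area)
    immediate_cost: float    # immediate cost if the asset is compromised
    recovery_cost: float     # cost of recovering from the attack or failure

def risk_score(item: RiskItem) -> int:
    """Qualitative score: Risk = Threat x Vulnerability x Asset, range 1..125."""
    return THREAT[item.likelihood] * VULNERABILITY[item.weakness] * ASSET[item.value]

def expected_annual_loss(item: RiskItem) -> float:
    """Quantitative view (assumption): frequency times the total cost of one incident."""
    return item.annual_frequency * (item.immediate_cost + item.recovery_cost)

def rank_risks(items):
    """Risk assessment step: order the register by qualitative score, highest first."""
    return sorted(items, key=risk_score, reverse=True)

def is_cost_effective(item: RiskItem, control_cost: float, new_frequency: float) -> bool:
    """Risk mitigation step: accept a control only if its annual cost is below the
    expected annual loss it removes (the control is modelled as lowering the frequency)."""
    mitigated = replace(item, annual_frequency=new_frequency)
    return expected_annual_loss(item) - expected_annual_loss(mitigated) > control_cost

# Constructed register entries (not from the article).
REGISTER = [
    RiskItem("customer database", "ransomware", "likely", "weak", "critical", 0.5, 200_000, 80_000),
    RiskItem("file server", "flood", "rare", "moderate", "major", 0.02, 50_000, 30_000),
    RiskItem("public website", "defacement", "possible", "minor", "moderate", 1.0, 5_000, 2_000),
]

if __name__ == "__main__":
    for item in rank_risks(REGISTER):
        print(f"{item.asset:18} {item.threat:12} score={risk_score(item):3d} "
              f"EAL={expected_annual_loss(item):,.0f}")
    # A 50,000/year control that cuts ransomware frequency from 0.5 to 0.1 pays for itself.
    print("ransomware control worth it:", is_cost_effective(REGISTER[0], 50_000, 0.1))
```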