Compare and contrast security threat and security risk assessments
10SECURITY RISK TASK
Comparing and Contrasting Security Threat Assessment and Security Risk Assessment
Comparing and Contrasting Security Threat Assessment and Security Risk Assessment
Although the threats to all assets may be developed as well as mapped individually, the most effective approach is by developing a list of different types of threats as well as identifying how they could be utilised for attacking a business or nation. Basically, one threat could take advantage of the vulnerability and consequently damage different forms of assets. On the other hand, different types of threat could exploit various vulnerabilities with the objective of attacking one critical asset. Owing to the different association between assets and threat, it is imperative to conduct a security threat assessment so as to group threat agents and threat types. In any system, security must be proportionate to the available risks. Still, determining the suitable security controls is somewhat challenging. Therefore, security risk assessment is utilised to offer a comprehensive structure for analysing security risk, which consequently can result in the uncovering of vulnerabilities and threats. An asset can be defined as anything that has value while a threat is the underlying cause of the undesired incident that could harm the organisation or a system. On the other hand, risk is the possibility of a certain activity or action to bring about loss or adverse outcome. Therefore, the objective of security threat assessment is to determine threats that could result in unwanted impact or undesired event. The purpose of this essay is to compare and contrast security threat assessment and security risk assessment for contemporary security and intelligence professionals.
Basically, threat analysis and assessment involve focussing on intelligence. This according to Vandepeer (2011) is evidenced in wider intelligence literature as well as the statements made by the intelligence agencies. For instance, the role of the Australian Security Intelligence Organisation is assessing and investigating security threats with the objective of providing protection advice to the people of the Australia (Vandepeer, 2011). Advancement in technology has made information to become a valuable asset; therefore, protecting them from hackers and other attackers has become exceedingly challenging. Recent reports as cited by Mbowe, Zlotnikova, Msanjila, and Oreku (2014) have demonstrated that information security breaches such as identity theft and phishing have become very difficult to solve. For this reason, Mbowe, Zlotnikova, Msanjila, and Oreku (2014) suggest that the tools for security threat assessment should be integrated with the security culture and policy of the organisation. More importantly, security experts are required to develop suitable threat assessment tool that could effectively identify potential threats in all the critical. While information network are becoming more heterogeneous, complex and large, security-related threats have diversified; therefore, overburdening the traditional threat assessment methods (Cai, 2015).
Basically, security risk assessment is normally conducted with the objective ofestablishing the type of risks that are facing an asset. According to Lippmann and Riordan (2016), security risk assessments of critical assets with the aim of ensuring that risks from every existing threat are adequately managed is costly, time consuming, and requires a high level of organisational accountability. Because of these factors, scores of business organisations have opted to install the normal security controls, like scanners, email spam filters as well as antivirus software which can identify and address the software vulnerabilities. However, this approach cannot meet the unique security needs of many organisations; therefore, qualitative risk assessment is utilised to list threats and identify the probability and the impact of the listed threats, which are normally rated from the low threats to the high threats. As mentioned by Munir and Manarvi (2010), information is an important asset that should be protected from different types of threats so as to reduce risk, ensure business continuity a well as maximise business opportunities and return on investments (ROI). Lately, information technology (IT) has become an important part of the society; however, managing the increasing need for information flow has resulted in increased threats and risks. The need to secure information from threats is increasing; therefore, Munir and Manarvi (2010) suggest that information security threat assessment should be combined with the operational risk management for the solution to be effective.
In risk management process according to Ramona and Cristina (2011) is to identify threats and vulnerabilities to the assets. Therefore, risk assessment involves setting the impact and probability of the threats through the exploitation of the vulnerabilities. Therefore, risk assessment is utilised to ensure that security risks are cost-effectively managed. Furthermore, risk assessment provides a process framework that could be utilised to implement and manage controls with the objective of ensuring that the organisation’s security goals are met. Although the vulnerabilities and risks to an asset can change over time, Schmittling (2010) posits that organisations that follow their security framework are more likely to address any arising risks and/or vulnerabilities. Security risk assessment can be described as the process of measuring the security risks and identifying suitable security measures. Saleh, Refai, and Mashhour (2011) mention that the assessment is normally performed when changing the asset or its environment; therefore, the assessment process involves analysing and evaluating processes and asset associated with the system in the identification of the vulnerabilities and threat, which may have an effect on the system’s availability, integrity, or confidentiality. Given that security risk assessment is an important part of risk management, it must be a continuous process so as to be effective.
On the other hand, security threat assessments normally do not consider the probability of failure of the bottom events experienced during the attack; therefore, this could bias the outcomes. Technology advancement has made security threat assessment more imperative and complicated. The increasing use of the e-government services has resulted in numerous security threats. Therefore, Chang (2014) suggest that security threats can be assessed by identifying threats to and opportunities for the assets together with the users. In the case of electronic government sites, security threat assessments can be achieved through a combination of information security auditing, web content analysis, as well as mapping of the computer network security (Chang, 2014). While security threat assessment focus on identifying and listing potential threats to an asset, individual or an organisation, risk assessment focuses on identifying and evaluating risks to the security by identifying the probability of occurrence as well as the ensuing impact. Unlike threat assessment which only identifies threats, risk assessment categorises assets, identifies threats, as well as rates the vulnerabilities of the system while offering important strategies and information that could be utilised to put into practice effective controls. Furthermore, risk assessment process involves allocating values to the outcomes, their probability as well as the risk level. According to Kiran, Mukkamala, Katragadda, and Reddy (2013) risk assessment involves evaluating the likelihood of the vulnerabilities and threats to ensue, calculating the impact of each threat on the assets; and determining the descriptive or measurable value of the risk.
In their study, Ghazouani, Faris, Medromi, and Sayouti (2014) propose a qualitative approach for security risk assessment utilising the concepts described in ISO27005. Basically, the ISO27005 is the standard that offers information security risk management guidelines in the organisation. The qualitative approach offers an applicable risk analysis covering for information security in the organisations. This approach according to Ghazouani, Faris, Medromi, and Sayouti (2014) can be utilised for listing assets, identifying vulnerabilities, assessing the likelihood of a threat occurring, evaluating the outcome in case the threat fails to ensue, and finding the level of the risks. Furthermore, the approach can be used to identify mitigation safeguards and controls as well as developing an implementation action plan. Security threat assessment is the initial step in the risk management program. As opined by Kouns and Minoli (2014) threat assessment takes into account the full spectrum of threats in a given location or organisation. The type of activity/asset situated in a certain location or organisation is associated directly with probability of different threats (Renfroe & Smith, 2014).
In conclusion, the essay has compared and contrasted security threat assessment and security risk assessment for contemporary security and intelligence professionals. As mentioned in the essay, risks are the frequency or probability certain undesired event; therefore, the risk assessment seeks to quantitatively assess the likelihood of an event happening or the rate of occurrence.On the other hand, threats can be described as events that could occur and result in loss or damage to the assets. For this reason, the threat assessment is used to identify the possible threats facing an organisation or asset. As mentioned in the essay, risk assessment involves combining functions such as identifying threats to the asset that could lead to a loss of the asset and evaluating the impact of each threat to the asset. Therefore, while threat assessment focuses on identifying potential threats; risk assessment involves combining the threats, their impacts and vulnerabilities so as to establish the consequence of the risk as well as finding solutions. Therefore, the acceptance of risks depends on the magnitude of the threats, consequences and vulnerabilities. For instance, when the threats and vulnerabilities are high and the consequences are low, then the risks can either be ignored or accepted.
Cai, X. (2015). Network Security Threat Situation Evaluation Based on Fusion Decision and Spread Analysis. International Journal of Security and Its Applications, 9(3), 383-388.
Chang, K.-H. (2014). Security Threat Assessment of an Internet Security System Using Attack Tree and Vague Sets. e Scientific World Journal, 1-9.
Ghazouani, M., Faris, S., Medromi, H., & Sayouti, A. (2014). Information Security Risk Assessment — A Practical Approach with a Mathematical Formulation of Risk. International Journal of Computer Applications, 103(8), 36-42.
Kiran, K., Mukkamala, S., Katragadda, A., & Reddy, D. (2013). Performance And Analysis Of Risk Assessment Methodologies In Information Security. International Journal of Computer Trends and Technology, 4(10), 3685-3692.
Kouns, J., & Minoli, D. (2014). Information Technology Risk Management in Enterprise Environments: A Review of Industry Practices and a Practical Guide to Risk Management Teams. New York: John Wiley & Sons.
Lippmann, R. P., & Riordan, J. F. (2016). Threat-Based Risk Assessment for Enterprise Networks. Lincoln Laboratory Journal , 22(1), 33-45.
Mbowe, J. E., Zlotnikova, I., Msanjila, S. S., & Oreku, G. S. (2014). A Conceptual Framework for Threat Assessment Based on Organization’s Information Security Policy. Journal of Information Security, 5, 166-177.
Munir, U., & Manarvi, I. (2010). Information Security Risk Assessment for Banking Sector-A Case study of Pakistani Banks. Global Journal of Computer Science and Technology, 10(10), 44-55.
Ramona, E., & Cristina, A. (2011). Security Risk Management — Approaches and Methodology. Informatica Economică, 15(1), 228-240.
Renfroe, N. A., & Smith, J. L. (2014, August 17). Threat/Vulnerability Assessments and Risk Analysis. Retrieved from The Whole Building Design Guide: WBDG: https://www.wbdg.org/resources/riskanalysis.php
Saleh, Z. I., Refai, H., & Mashhour, A. (2011). Proposed Framework for Security Risk Assessment. Journal of Information Security, 2, 85-90.
Schmittling, R. (2010). Performing a Security Risk Assessment. ISACA Journal, 1, 18-24.
Vandepeer, C. (2011). Intelligence analysis and threat assessment: towards a more comprehensive model of threat. Proceedings of the 4th Australian Security and Intelligence Conference (pp. 104-111). Perth, Western Australia: Edith Cowan University.