Compare and contrast security threat assessment and security risk assessment
9SECURITY RISK AND THREAT
Security Risk and Threat
Security Risk and Threat
Information security management requires both the threat assessment and the risk assessments. Security risks assessment is the term used to describe the procedures involved in the evaluation of the possibility of the occurrences of factors that affects the objectives using the information technology system (Renfroe & Smith, 2016). It can indicate the improvements that are done on the security or identify the gaps that still exist (Praxiom, 2015).
The security risk assessment access the organization based on the attackers perspective. It gives an analysis that can allow the company to access and enhance their security positions. The risk assessment on an organization security is done by the companies to establish the worth of the organizational data that is available (Bayne, 2002). The risk assessment is geared towards offering a quantitative possibility of the occurrences of the events that may hamper organization’s objectives.
The security threat assessment, on the other hand, tries to focus on all the possible factors that may affect the security whether natural or not (Holmberg & Evans, 2003). The threat assessment is usually done by identification of the threat types and categorizing them as either natural or accidental. The threats, especially from the attackers, may have a similar intention of sabotaging the applications (INFOSEC, 2014). Threat identification and assessment of the security is, therefore, a paramount process that assists in focusing the assessment operations within the organization (INFOSEC, 2014). It also hastens the discovery of the vulnerabilities within the security system that can be weighted and given attention based on their probabilities.
Similarities of the Security Threat Assessment and Security Risk Assessment
An organizational security assessment of risks and threats tend to have a similar focus. Despite the different methodologies employed in these assessments, they both aim at protecting the security framework (Colwill, 2009). The assessments tend to strive to assist in designing better procedures that can offer security protection.
The assessment techniques are also geared towards the identification of the threats and the threats that the information system may be experiencing (Tipton, & Krause, 2003). It, therefore, assists in the mitigation of these eventualities by either preventing their occurrences or by reducing the possible damage that they can cause (Praxiom, 2015).
Both assessment techniques establish the implications of the threats and risks on the security system thus assisting in minimizing their potential effects (Ralston, Graham, & Hieb, 2007). They, therefore, assist in the describing the main object in the applications that are used for security. The assessment methods thus assist the organizations in ensuring that they maximize the utilization of the available security resources.
Both the risk assessment technique and the threat assessment technique have a goal of establishing ways in which the exposure to the damage or loss can be reduced (Praxiom, 2015). The techniques tend to offer recommendations, which are usually used as the measure of their outcomes (Bernard, 2007). The suggestions approved by these assessments are often handled with high integrity and confidentiality as a means of protecting the security system (Bayne, 2002). The processes are usually collaborative involving the use of internal resources and external resources based on the situation being analyzed. The scope of both the assessments specifies what needs to be protected and the extent to which the protection is offered (Ralston, et al., 2007). The sensitivity level of the security applications usually depends on the knowledge of the analyst. Setting the scope in both the assessments is crucial in establishing whether the assessment should adopt the internal or the external perspective. It is because the context in which the security assessment is carried out is capable of influencing the security management.
Security threat assessment and risk assessment also possess some similarities in the data collection processes. The assessment techniques involve identification of all the necessary policies and procedures within the organization that can assist in the assessment process (Bayne, 2002). The information regarding the policies and procedures is usually retrieved from the present documents, and if they were undocumented, then an interview is conducted for the organizational employees. Either the interviews can be in the form of the questionnaires, or they can be done as a survey. The data collection stage in both the assessments gathers the information based on the current state of the security systems (Parker, 1981). In the data collection process the possible vulnerabilities that the security system is exposed to are also identified in both the security assessment methods.
The assessment methods also incorporate the step that analyses acceptable risks or threats (Bayne, 2002). In this stage, the assessment methods strive to measure whether the existing previously identified policies and procedures can offer effective protection to the security system. In so doing, both the assessment methods at this stage are capable of identifying whether the previously identified vulnerabilities in the security system were mitigated or not (
Both assessment methods compare in the analysis of the identified policies and procedures. The step is crucial in both assessments as it enhances the understanding of the compliance level of the organization regarding the security applications.Feng & Li, 2011). The system security analyst determines the threat and risks that are acceptable in the organizational security system. It is done by defining the security measures that are more effective and ensuring that they are used as the ineffective measures are detached from the system security protection (Chen, Paxson, & Katz, 2010). Despite the fact that most organizations try to cut down the costs involved in the security protection, the assessments at this level are capable of identifying g all the appropriate recommendations that can safeguard the information system in an appropriate manner.
Differences between Security Threat Assessment and Security Risk Assessment
While the security threat assessment focuses on all the possible factors that may affect the security whether natural or not, the security risk assessment tries to identify different factors that may affect the organizational security (CPNI, 2013). The security risk assessment involves an analysis that includes even the risks that the security management process may experience (Todd Sr, Glahe & Pendleton, 2001).
The security risk assessment is usually consequential in nature and strives to determine the likelihood of the occurrence of different risks (Fein, Vossekuil, & Holden, 1995). The security threat assessment, on the contrary, can be either qualitative or quantitative in nature.
Another significant difference that exists between the security threat assessment and the security risk assessment is the methodology that is employed to carry them out. The threat assessment of the security uses the threat metrics in the characterization of the security threats within an organization (Gleichauf, Randall, Teal, Waddell & Ziese, 2001). The metrics models elaborate how the threats and anomalies for the security system take place (Bayne, 2002). It highlights the proximity of different vulnerabilities that exists within the organization security system and establishes the potential magnitude they may have to the security. The term metric represents a measure and as such, threat metrics can yield both qualitative and quantitative threat analysis that can clearly indicate the results on how to manage the risks (Landoll & Landoll, 2005). Another method employed in the identification of threats in threat assessment is the threat models (Trend Micro, 2009). The models are also measurement structures that are adopted to enhance the consistency and to minimize biases during the security threat analysis (Bayne, 2002). A generic threat matrix is also applied in the security threat analysis to help in the categorization f the threats depending on their nature (Bayne, 2002). The generic threat matrix is also labeled into different magnitudes that denote various threat levels and can, therefore, quantify the threat.
In the risk assessment, methodology a checklist is implemented in the identification of the possible risks and threats. The checklist operates by identifying all the possible questions that may cause risks (Praxiom, 2015). It is usually adopted to enhance the creativity during risk assessment. A what-if analysis model that establishes all the possible eventualities that may contribute to risks can also be implemented during identification of risks (INFOSEC, 2014). It answers all the questions on the consequences of any mistake. It is usually carried out as a brainstorming activity for the system security analysts. In some cases, the risk assessment may involve the use of both the checklists and what-if analysis (Praxiom, 2015). The risk assessment methodology can also assume the use of a fault tree or conduct a hazard operability study in the security system to identify the all the possible causes of security risks.
The threat and the risk assessment of the security is a very significant step in the protection of the security system (Ullman, 1983). The assessment should not be regarded as the means to the end, but they should rather be done frequently to identify and mitigate different threats and risks that the security systems are facing (Borum, Fein, Vossekuil, & Berglund, 1999). The security threat and risk assessment have various similarities regarding their scope and objectives, but they are different especially in the models and techniques that are employed in collecting the information. The security threat assessment also tends to be quantitative in its outcome as compared to the security risk assessment due to the different models and techniques it employs. To improve the veracity, efficiency, and availability of the system used in information distribution, it is important that an organization conduct both the security assessment methods to fully identify both the threats and the risks and further mitigate them for proper security management (Landoll & Landoll, 2005). To identify the security gaps on time, the security assessments should be carried out at the beginning of the system development cycle to clearly identify its needs.
Bayne, J. (2002). An Overview of Threat and Risk Assessment. Sans.org. Retrieved 25 August 2016, from https://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Bernard, R. (2007). Information Lifecycle Security Risk Assessment: A tool for closing security gaps. Computers & Security, 26(1), 26-30.
Borum, R., Fein, R., Vossekuil, B., & Berglund, J. (1999). Threat assessment: Defining an approach to assessing risk for targeted violence. Behavioral Sciences & the Law, 17.
Chen, Y., Paxson, V., & Katz, R. H. (2010). What’s new about cloud computing security. University of California, Berkeley Report No. UCB/EECS-2010-5 January, 20(2010), 2010-5.
Colwill, C. (2009). Human factors in information security: The insider threat–Who can you trust these days?. Information security technical report, 14(4), 186-196.
CPNI,. (2013). Personnel Security Risk Assessment. Cpni.gov.uk. Retrieved 30 August 2016, from http://www.cpni.gov.uk/documents/publications/2010/2010037-risk_assment_ed3.pdf?epslanguage=en-gb
Fein, R. A., Vossekuil, B., & Holden, G. A. (1995). Threat assessment: An approach to prevent targeted violence (Vol. 2). Washington, DC: US Department of Justice, Office of Justice Programs, National Institute of Justice.
Feng, N., & Li, M. (2011). An information systems security risk assessment model under uncertain environment. Applied Soft Computing, 11(7), 4332-4340.
Gleichauf, R. E., Randall, W. A., Teal, D. M., Waddell, S. V., & Ziese, K. J. (2001). U.S. Patent No. 6,301,668. Washington, DC: U.S. Patent and Trademark Office.
Holmberg, D. G., & Evans, D. (2003). Bacnet wide area network security threat assessment. US Department of Commerce, National Institute of Standards and Technology.
INFOSEC. (2014). Cyber Threat Analysis — InfoSec Resources. InfoSec Resources. Retrieved 25 August 2016, from http://resources.infosecinstitute.com/cyber-threat-analysis/
Landoll, D. J., & Landoll, D. (2005). The security risk assessment handbook: A complete guide for performing security risk assessments. CRC Press..
Parker, D. B. (1981). Computer security management. Reston, VA: Reston Publishing Company.
Praxiom. (2015). Risk Assessment Methods and Procedures. Praxiom.com. Retrieved 26 August 2016, from http://www.praxiom.com/risk-assessment.htm
Ralston, P. A., Graham, J. H., & Hieb, J. L. (2007). Cyber security risk assessment for SCADA and DCS networks. ISA transactions, 46(4), 583-594.
Renfroe, N. & Smith, J. (2016). Threat/Vulnerability Assessments and Risk Analysis | Whole Building Design Guide. Wbdg.org. Retrieved 30 August 2016, from http://www.wbdg.org/resources/riskanalysis.php
Tipton, H. F., & Krause, M. (2003). Information security management handbook. CRC Press.
Todd Sr, R. E., Glahe, A. C., & Pendleton, A. H. (2001). U.S. Patent No. 6,185,689. Washington, DC: U.S. Patent and Trademark Office.
Trend Micro,. (2009). Security Threat Assessment. Retrieved 30 August 2016, from http://www.trendmicro.com/cloud-content/us/pdfs/business/datasheets/ds_security-threat-assessment.pdf
Ullman, R. H. (1983). Redefining security. International security, 8(1), 129-153.