Security Threat and Security Risk
9SECURITY THREAT AND SECURITY RISK
Security Threat and Security Risk
Security management is rapidly expanding essentially with the increased levels insecurity all over the world. It is imperative for professionals to have the ability to distinguish between security risk assessment and security threat assessment. This will assist in developing accuracy and competence when dealing with both processes. Security risk assessment and security threat assessment are two divergent processes that exhibit both similarities and differences. This paper seeks to examine the similarities and differences between the two procedures.
Similarities between the Procedures
Foremost, one of the similarities of risk and threat assessment arises from the objectives of both processes. A key objective of the procedures is to offer recommendations that aim at promoting protection against various dangers that may affect assets and the society in general (Bayne, 2002). Another objective of both processes is to develop approaches that can be used in coming up with a complete security and safety program. Both processes also aim at reducing the gravity of risks that may affect the society ( Editore, 2014).
A second similarity arises from the fact that the risk assessment process incorporates threat assessment. As outlined by the AS/NZS HB167:2006 Security Risk Management standards, security risks are considered as a threat. This basically implies that the process of risk assessment integrates threat assessment (Brooks, 2011). Figure 1.0 below demonstrates the AS/NZS HB167:2006 process of risks assessment and the manner in which it also encompasses that threat valuation. Conducting a threat assessment is integral in the risk management process because if assist in the identification of threats to assets, information and people while determining the probability and the impact of the occurrence of the threat (Standards Australia, 2006).
Figure 1.0 HB167:2006 Security risk management framework
A key similarity between the security threat assessment and security risk assessment procedures is that both conduct vulnerability assessment. Vulnerabilities can be defined in simple terms as the gaps or weaknesses in a security program that can be exploited by threats in order to get access to an asset. They may include procedural, structural, human, and electronic elements that create an opportunity to attack an asset (Vellani, 2006). In both process, after the threats have been recognized, an assessment of vulnerability has to be conducted. The basic importance of the vulnerability assessment is to evaluate the probable implication of loss that arises from an attack that is successful. In addition, it examines the susceptibility of a location/ facility to an attack. Additionally, the assessment of vulnerability effectively outlines the effects of loss (Renfroe and Smith, 2014).
As highlighted by Radvanovsky and Brodsky (2016), the similarity between the security risk assessment and security threat assessment is that both processes form the heart of many organizations’ information security framework. Schmittling (2010) further argue that the two processes form the procedures that not only establish the rules, but also the guidelines of security policy, which are useful in establishing key controls as well as mechanisms that help in minimizing threats as well as vulnerabilities.
Another similarity is that both procedures are continuous. It can be stated that the risk and threat assessment are not a means to an end. Both processes are incessant in the sense that they should be conducted regularly in order to ascertain that the mechanisms of protection that exist currently could still meet the set objectives. The processes should have the ability to handle the security concerns of an organization or a country at all times. The risk and threat assessment procedure should, therefore, be a significant part of the overall lifecycle of security management (Bayne, 2002).
Differences between the Procedures
A difference that exists between the two processes is that the threat assessment process deals with a component that cannot be controlled while the risk assessment process works with an element that can be controlled. Pinkerton (2014) highlights that threats cannot be controlled. For instance despite implementing the threat assessment process, one cannot discontinue dangers such as a tsunami, threats from terrorist groups and a hurricane. It is possible to identify a threat nevertheless, they continue to be outside an individual’s outside control. The inability to control threats, therefore, makes the threat assessment process difficult. Risks, on the other hand, can be controlled and their overall effects can be reduced. Based on the ability to control or mitigate risk, it can be stated that the risk assessment process is much easier.
Also, a difference exists in the techniques that are used in conducting the two processes. The Standards Australia HB 89–2012 Risk Management Guidelines on risk assessment techniques offers recommendations concerning the approaches that are used in the process of risk assessment. Some of the main approaches highlighted by the regulation include brain storming, conducting interviews, undertaking the SWOT analysis, PEST analysis in order to examine the external environment , writing down check lists and the analysis of the scenario (Standards Australia HB 89- 2012). The threat assessment process on the other hand, involves techniques such conducting interviews in order to get basic information concerning the threat. The second approach involves the identification of trends and patterns in the occurrence of the threat and then gauging the level of threat is the next step which is then followed by looking for indictors that demonstrate a decline in the level of threat (Dworken, 2003). It, can therefore, be stated that although the two processes have been integrated together for instance in the case where the risk assessment procedure incorporates the threat assessment, what is evident in the process of security management is that different methods are used in conducting threat and risk assessment.
Alternatively, another significant difference between security risk assessment and security threat assessment pertains to one process triggering the other. Indeed, whereas security threat assessments form the initial step in assessing the security of an organization, security risk assessment is often triggered by the security threat assessment process, which often determines not only the type as well as the level of danger likely to be experienced by an organization. In this regard, Strachan-Morris (2010) notes that security threat assessments specifies not only the most significant and the most probable dangers, but also evaluates their degree of risk as compared to each other. The comparison is often conducted to help determine the interaction pitting the cost breach as compared to the probability of that particular breach. According to Strachan-Morris (2010), as an initial step in assessing the security of an organization, security threat assessments primarily consider a great number of factors. To gauge capability, security threat assessments analyze the quality of an organization’s past performance, the present trends, logistic support, command, and control in addition to the degree by which a particular group may derive its own opportunities and attack. Alternatively, having ascertained the degree of threat, as informed by the security threat assessment, the security risk assessment, which is a significant role of probability and damage, follows. Thus, security threat assessment triggers the security risk assessment.
Another significant difference between the two processes can also be explained based on their differing goals. Although they have similar objectives as stated earlier, security risk assessment significantly focuses on analyzing the possibility as well as the tendency of an organization’s valuable resources to experience various attacks, on the other hand, security threat assessments greatly focuses on analyzing the potential attacker’s resources. According to Land et al. (2003), security threat assessments are often carried out to establish the most effective approaches in as far as safeguarding an organization against any given threat. As Land et al. (2003) note that analyzing potential threats may help an organization to not only come up with, but also implement various security policies that are in concordance with policy priorities as well as the particular implementation requirements for securing an organization’s valuable resources.
Finally, another significant difference between the two processes is that while security risk assessment assesses an organization’s assets, with an aim of accounting for not only the criticality, but also the vulnerability of the assets in order to ascertain the security investment, the security threat assessments analyzes every information asset and thereafter establishes its liability (Meloy & Hoffmann,2013). According to Land et al. (2003), the process of threat assessment states that each situation of distress should not only be viewed, but also assessed individually. The implementation of the security threat assessment is done based on facts regarding a particular threat and conducted through an evaluation of its characteristics.
From the analysis, what is clear is that security risk assessment and security threat assessment are two divergent processes that exhibit both similarities and differences. The analysis has clearly highlighted a number of both the similarities as well as the differences between the two processes. Some of the highlighted similarities arise from the fact that they both have the same objectives, the risk assessment process also integrates the threat assessment procedure, both conduct vulnerability assessment and the two procedures are continuous. Some of the noted differences arise from techniques used and their roles when it comes to security management. Establishing the differences and similarities between the two processes is essential especially for security professionals.
Bayne, J. (2002). An Overview of Threat and Risk Assessment. SANS Institute.
Biringer, B, Matalucci, R & O’Connor, S. (2007). Security Risk Assessment and Management: A Professional Practice Guide for Protecting Buildings and Infrastructures. New Jersey: John Wiley & Sons
Brooks, D. J. (2011). Security risk management: A psychometric map of Expert Knowledge structure. International Journal of Risk Management, 13(1/2), 17–41. doi: 10.1057/rm.2010.7.
Dworken, J. ( 2002). Threat Assessment. Institute for Public Research
Editore, C. (2014). Risk Management. Cacucci.
Land, M, Truett, R & Bobby, R. (2013). Security Management: A Critical Thinking Approach Occupational Safety & Health Guide Series. Boca Raton, Florida. CRC Press
Meloy, R & Hoffmann, J. (2013).International Handbook of Threat Assessment. Oxford: OUP USA
Pinkerton. (2014). Risk vs. Threat vs. Vulnerability. Pinkerton
Radvanovsky, R & Brodsky, J. (2016).Handbook of SCADA/Control Systems Security.Boca Raton. Florida: CRC Press
Renfroe, N and Smith, L. (2014). Threat/Vulnerability Assessments and Risk Analysis. Applied Research Associates, Inc.
Schmittling, R. (2010). Performing a Security Risk Assessment.
ISACA Journal .1(2010). Pp.1-7
Standards Australia. (2006). HB 167:2006 Security risk management. Sydney: Standards Australia International Ltd.
Strachan-Morris, D. (2010).New Threats and Risks: What is the Difference?
Pilgrims Group Limited
Standards Australia HB 89–(2012). Risk Management – Guidelines on risk assessment techniques.
Vellani, K. (2006). Strategic Security Management: A Risk Assessment Guide for Decision Makers. Butterworth-Heinemann.