Security Threat Assessment and Security Risk Assessment
For contemporary security and intelligence professionals, risk arises from a threat exploiting a vulnerability in a way that could cause harm to an asset. An asset is anything with a degree of value and therefore in need of protection; assets include people, property and information. Security management may therefore cover a variety of organizations and systems, from the physical protection of property and people to the protection of computerized systems against cyber security threats. A threat is anything likely to exploit a vulnerability, whether intentionally or accidentally, in order to obtain, damage or destroy an asset. A vulnerability is a weakness or gap in an organization's security program that a threat could exploit to gain unauthorized access to an asset and so harm it. Risk, in turn, is the likelihood of loss or destruction of an asset resulting from a threat exploiting a vulnerability, as stated above. For effective security management, the stakeholders in the security management system must therefore be aware of all the security threats, vulnerabilities and risks so that they can close the gaps and ensure effective system security. This involves security threat assessment and security risk assessment as part of the security management program. This paper analyzes the available literature regarding security threat assessment and security risk assessment for effective management of security, whether physical security or cyber security.
There is a great deal of literature on security management, of which security threat assessment and security risk assessment form part. The security threat assessment process involves looking across the spectrum facing a facility or organization for events that may occur and result in loss of or damage to assets (Optimalrisk.com, 2016). Security risk assessment, on the other hand, aims to give a quantitative assessment of the probability that an event detrimental to the asset in question will occur. Security threat assessment and security risk assessment are closely related in that an accurate assessment of threats and identification of vulnerabilities is critical to understanding the risk to assets (Threatanalysis.com, 2016). Hence, security threat assessment precedes security risk assessment and is in fact seen as part of it. The two are also related in that both are part of the organizational risk management process (Jared, 2013). In this regard, security threat assessment is the third stage of the risk management process and involves identifying potential and real threats to the process or infrastructure involved. The threat assessment stage obtains pertinent threat information from a variety of sources, including the specific threats as well as their likelihood of occurrence (Schmittling, 2010). Security risk assessment is the fourth stage of organizational risk management and involves assessing risk on the basis of the adequacy of existing or proposed safeguards for protecting the asset in question against the threats identified during the threat assessment stage. This stage also involves the identification and evaluation of vulnerabilities as well as risk analysis (Jared, 2013).
Katsicas (2009) argues that risk is a function of the value of threat, consequence and vulnerability, and sees the objective of risk management as creating a level of protection that mitigates vulnerabilities to threats and their potential consequences, thereby reducing risk to acceptable levels. This means that the main similarity between security threat assessment and security risk assessment is that both aim to help reduce security risk to acceptable levels, and to eliminate it where possible. Despite their differences, the two assessments have a lot in common. Both are performed to allow organizations to assess, identify and modify their overall security posture, while enabling security, operations and organizational management as well as other personnel to collaborate and see the organization from a risk or attacker's perspective (Renfroe and Smith, 2014). This helps in obtaining management's commitment to allocating resources and implementing appropriate security solutions. A comprehensive security threat and risk assessment also helps determine the value of the various types of data stored across the organization, which in turn helps in prioritizing and allocating security resources where they are most needed (National Institute of Standards and Technology, 2016). Thus, both processes are seen as integral to ensuring organizational security, whether physical or cyber, especially given that both are part of the security risk management process (PCI Security Standards Council, 2016).
The major differences between security threat assessment and security risk assessment lie mainly in their definitions. Security threat assessment is seen as the process of identifying and analyzing the various threats to which an organization may be exposed and which may damage its assets (Greg, 2005). Security risk assessment, according to Greg (2005), refers to assessing a combination of the impact-of-loss rating and the vulnerability rating in order to evaluate the potential likelihood or risk to the facility from a given threat. In other words, risk assessment refers to assessing the likelihood of a certain threat occurring and harming an asset, while threat assessment refers to identifying the various threats an organization is exposed to and valuing them in terms of potential impact (Jenkins, 1998). When conducting a security threat assessment we ask what threatens the security of the organization, whether physical or cyber security, whereas when conducting a security risk assessment we are concerned with how likely those threats are to occur and hence to damage the assets in question (Derr, 2013). A similar view is held by Turner and Gelles (2003), who view both security threat assessment and security risk assessment as part of the broader risk management process. They state that risk management is the act of determining what threats the organization faces, analyzing the related vulnerabilities to assess the level of threat, and determining how the organization will deal with the associated security risk. As such, the risk management process involves both security threat assessment and security risk assessment.
It has also been stated that security threat assessment and security risk assessment, though related, differ in the processes each involves (Biringer et al., 2007). Security threat assessment is a valuable and insightful opportunity for security managers to evaluate the effectiveness of the current security infrastructure and determine whether any threats have infiltrated the system (Trendmicro.com, 2016). As such, the purpose of security threat assessment is to reveal the organization's true security posture through the detection of active and potential threats likely to get past the existing security measures. According to Johansen (2013), a threat assessment should reveal information such as the types of threats, the levels of threat exposure and the likely impact of the threats. Roper (1999), on the other hand, explains that security risk assessment determines what type of controls are to be implemented to protect assets and resources from threats, allowing the organization to reduce exposure while maintaining an acceptable risk tolerance. The security risk assessment process is useful for evaluating the likelihood and potential damage of the threats that have been identified. It also measures the level of risk for individual assets in relation to availability, integrity and confidentiality, while gauging the effectiveness of existing controls in limiting the organization's exposure to the risk. This helps in prioritizing asset security according to importance (White, 2014). Thus, security risk assessment is important in addressing both internal and external threats, revealing what can go wrong, how it can go wrong, the potential impact and the preventive steps that can be taken to reduce the risk (Chou, 2012).
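As an added worked example (not from the essay or any of the works it cites), the register below puts together the risk-as-a-function-of-threat, consequence and vulnerability relation attributed to Katsicas (2009) with the control-effectiveness and risk-tolerance ideas from Roper (1999) and White (2014): each asset carries a consequence rating per security property, each threat a likelihood from the threat assessment stage, and residual risk after existing safeguards is compared against a tolerance to prioritize where further controls are needed. The 1-5 scales, the multiplicative form of the risk function, the linear reduction by control effectiveness and all sample assets, threats and ratings are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # impact if the property is lost: 1 = negligible ... 5 = severe
    integrity: int
    availability: int
    def consequence(self) -> int:  # worst-case impact across the three properties
        return max(self.confidentiality, self.integrity, self.availability)

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # from the threat assessment stage: 1 = rare ... 5 = near certain

@dataclass(frozen=True)
class Exposure:
    asset: Asset
    threat: Threat
    vulnerability: int            # how easily the gap can be exploited, 1-5
    control_effectiveness: float  # 0.0 = no safeguard, 1.0 = fully mitigated

def _check(value, lo, hi, what):
    if not lo <= value <= hi:
        raise ValueError(f"{what} {value} is outside {lo}..{hi}")

def inherent_risk(e: Exposure) -> int:
    """Risk = likelihood x vulnerability x consequence, before safeguards (max 125)."""
    _check(e.threat.likelihood, 1, 5, "likelihood")
    _check(e.vulnerability, 1, 5, "vulnerability")
    return e.threat.likelihood * e.vulnerability * e.asset.consequence()

def residual_risk(e: Exposure) -> float:
    """Inherent risk reduced by the effectiveness of existing or proposed controls."""
    _check(e.control_effectiveness, 0.0, 1.0, "control effectiveness")
    return inherent_risk(e) * (1.0 - e.control_effectiveness)

def prioritize(exposures, tolerance: float):
    """(exposure, residual risk) pairs still above the risk tolerance, highest first."""
    scored = [(e, residual_risk(e)) for e in exposures]
    return sorted((s for s in scored if s[1] > tolerance), key=lambda s: -s[1])

# Constructed sample register: assets, threats and ratings are illustrative, not from the essay
CUSTOMER_DB = Asset("customer database", confidentiality=5, integrity=4, availability=3)
LOBBY = Asset("reception lobby", confidentiality=1, integrity=1, availability=2)
PHISHING, TAILGATING = Threat("credential phishing", 4), Threat("tailgating intruder", 3)
REGISTER = [
    Exposure(CUSTOMER_DB, PHISHING, vulnerability=4, control_effectiveness=0.5),    # MFA on half the accounts
    Exposure(CUSTOMER_DB, TAILGATING, vulnerability=2, control_effectiveness=0.75), # badge-locked server room
    Exposure(LOBBY, TAILGATING, vulnerability=4, control_effectiveness=0.0),        # no controls yet
]
```

With a tolerance of 10, `prioritize(REGISTER, 10)` keeps the phishing exposure of the database (residual 40.0) and the unprotected lobby (24.0) and drops the server-room tailgating case (7.5), which shows how the same threat ranks differently depending on the asset's consequence and the safeguards already in place.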
This essay has analyzed the available literature regarding security threat assessment and security risk assessment. The literature reveals that the two processes are part of the larger process of organizational risk management. It is clear from the literature that while security threat assessment is mainly concerned with analyzing the security threats that may hamper organizational security, security risk assessment deals with assessing the risk, or likelihood, of those threats occurring and hence harming the assets. The essay has revealed many similarities between the two processes but few differences. The only differences revealed relate to their definitions, the procedures for carrying them out and their outcomes. It should be noted, however, that the two processes are closely related in that they are stages in the single process of organizational risk management.
Threatanalysis.com. (2016). Threat, vulnerability, risk: Commonly mixed up terms. Retrieved from http://www.threatanalysis.com/2010/05/03/threat-vulnerability-risk-commonly-mixed-up-terms/
Jared, B. (2013). Organizational security management. London: Routledge.
Schmittling, R. (2016). Performing a security risk assessment. Retrieved from http://www.isaca.org/journal/archives/2010/volume-1/pages/performing-a-security-risk-assessment1.aspx
Optimalrisk.com. (2016). Threat and risk assessments. Retrieved from http://www.optimalrisk.com/Risk-Security-Consulting/Threat-and-Risk-Assessments
Renfroe, N., & Smith, J. (2014). Threat/vulnerability assessments and risk analysis. Retrieved from https://www.wbdg.org/resources/riskanalysis.php
National Institute of Standards and Technology. (2016). Risk management guide for information technology systems. Retrieved from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf
Greg, B. (2015). Vulnerability and threat assessments. London: Routledge.
Katsicas, S. (2009). Computer and information security handbook. Morgan Kaufmann/Elsevier.
Jenkins, B. (1998). Security risk analysis and management. London: Routledge.
Derr, R. (2013). Threat assessment and risk analysis. New York, NY: John Wiley & Sons.
Turner, J., & Gelles, M. (2003). Threat assessment: A risk management approach. London: Routledge.
Biringer, B., Matalucci, R., & Connor, S. (2007). Security risk assessment and management: A professional practice guide for protecting buildings and infrastructures. New York, NY: John Wiley & Sons.
Trendmicro.com. (2016). Security threat assessment. Retrieved from http://www.trendmicro.com/cloud-content/us/pdfs/business/datasheets/ds_security-threat-assessment.pdf
Johansen, K. (2011). IT security risk assessment and program management. London: Routledge.
Roper, C. (1999). Risk management for security professionals. Butterworth-Heinemann.
White, J. (2014). Security risk assessment: Managing physical and operational security. Butterworth-Heinemann.
Chou, T. (2012). Information assurance and security technologies for risk assessment and threat management. New York, NY: Taylor & Francis.