Brian Dennison
John Denson
IT454-1504B-01
Mon, 12/14/15
SECTION 4: ASSESSING RISK
Risk assessment and management is one of the highest priorities for any organization that wants to safeguard its property and assets. In a turbulent environment, every information and security vulnerability should be handled in a way that is conversant with the many applicable regulations. Selected and tested methodologies have been defined and framed to guide risk assessment and mitigation for many organizations, and these frameworks exist to help and guide security and risk work. One such methodology is Factor Analysis of Information Risk, abbreviated FAIR.
FAIR is a methodology for understanding, analyzing and measuring information risk. Information policy and security practices have been inadequately available to aid in effectively managing information risk. With so little information to go on, managers and system owners have found it hard to make effective, well-informed decisions to safeguard their systems against the risks and uncertainties that may arise.
FAIR was put forward to address these weaknesses in security practice. The major aim of the methodology is to let organizations direct their effort and mitigate the various risks as they arise: risk is assessed in one consistent way and measures are taken to counter the threat. The method ensures that organizational risk is defended against, or challenged, by determining the risk with advanced analysis techniques, and it helps the organization understand how time and resources such as money will affect its security profile in general.
The methodology works with the following components: a standardized nomenclature for risk terms, a well-defined framework for data collection, a taxonomy for information risk, a computational engine for evaluating the risk model, measurement scales for all risk factors, and a model for analyzing the complexity of risk scenarios. Its greatest advantage is that it does not use an ordinary ordinal scale such as a one-to-ten rating, and so it is not subject to that scale's limitations. The methodology uses high and low scales to categorize its risks, and colors (red, yellow and green) also form part of the rating. FAIR uses dollar estimates to state losses clearly, together with probability parameters for threats and vulnerabilities. Therefore, when these are combined with ranges of values and confidence levels, it gives the best foundation for mathematical modeling and hence for estimating loss exposure.
A risk, whether quantitative or qualitative, must be dealt with by the organization. There are four methods for doing so: accept, avoid, mitigate and transfer.
Accept: This is the willingness of an organization to assume the risk. It is a managerial and business decision to accept the risk. An organization does not assume a risk immediately upon first identifying it; acceptance comes after the level of risk has been determined, and the assumptions are made afterwards. Therefore, the best course of action should be set out in the plans to be undertaken. When such a risk occurs, it is in many instances insignificant to the organization, hence the decision to accept and assume it.
Avoid: This means that the organization is going to do nothing with the identified risks. Unlike avoidance, when the organization accepts a risk it is doing something, whether wrong or right.
Mitigate: As the organization may have decided to accept some risks, reducing all of the remaining ones may be cost-prohibitive; therefore, based on the level of risk acceptance, the rest should be mitigated. Mitigation means reducing risk by implementing controls and fixes, or any other countermeasures that have an immediate effect on the risk.
Transfer: Another alternative is simply to transfer the risk. Many organizations employ this method to reduce their risk. It can be accomplished through cyber liability insurance and other outsourced services. However, not all risks can be transferred. Insurance companies take charge of such services, thereby reducing the risk, and they strive to reduce the financial burden on the organization when a loss occurs.
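As an added illustration of the two ideas above (FAIR's dollar-and-range estimates with their confidence levels, and the accept/mitigate/transfer choice), the following Python sketch is not part of this paper or of the FAIR standard: it samples constructed minimum/most-likely/maximum ranges for threat event frequency, vulnerability and loss magnitude, produces an annualized loss exposure in dollars, and picks a treatment by comparing annual dollar figures. The triangular sampling, the single-magnitude simplification and the decision rule in treatment() are assumptions made for the example.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:
    """Calibrated range for one factor: minimum, most likely and maximum."""
    low: float
    likely: float
    high: float
    def mean(self) -> float:
        # Mean of the triangular distribution the range is sampled from (assumed).
        return (self.low + self.likely + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)

@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate   # threat event frequency: attempts per year
    vuln: Estimate  # probability an attempt becomes a loss event (0..1)
    loss: Estimate  # loss magnitude per loss event, in dollars

def expected_annual_loss(s: Scenario) -> float:
    # Loss event frequency = TEF x vulnerability; exposure = LEF x magnitude.
    return s.tef.mean() * s.vuln.mean() * s.loss.mean()

def simulate_annual_loss(s: Scenario, trials: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo over the three ranges; returns dollar percentiles of a year's loss."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        lef = s.tef.sample(rng) * s.vuln.sample(rng)
        # Simplification: one sampled magnitude is applied to the year's loss events.
        yearly.append(lef * s.loss.sample(rng))
    yearly.sort()
    at = lambda p: yearly[int(p * (trials - 1))]
    return {"p10": at(0.10), "p50": at(0.50), "p90": at(0.90), "max": yearly[-1]}

def treatment(s: Scenario, tolerance: float, control_cost: float,
              residual: Scenario, premium: float) -> str:
    """Accept within tolerance; otherwise take the cheaper of mitigate and transfer."""
    exposure = expected_annual_loss(s)
    if exposure <= tolerance:
        return "accept"
    # Assumed rule: mitigation cost includes the loss the control still leaves behind;
    # the premium is assumed to cover the whole loss when the risk is transferred.
    options = {"mitigate": control_cost + expected_annual_loss(residual),
               "transfer": premium}
    return min(options, key=options.get)
```

The percentile spread from simulate_annual_loss() is what a range-and-confidence estimate adds over a single one-to-ten rating: a decision maker sees both the typical year and the bad year in dollars.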
Terms Description
A threat is a popular term in information technology security. It is defined as any potential cause of an incident within an information system that may result in harm to the computer systems and the organization. Most of the time a threat is hard to control, unlike a risk. It is realized through unauthorized access, disclosure, destruction or modification of information, which may adversely affect the services the system provides to the organization. An example is criminals attacking a system over some period of time to gain access to important services and information.
Risk, on the other hand, often emerges once potential security threats are identified. Such a threat could exploit vulnerabilities in an information security system and result in harm to the organization. Risk is a matter of probability: the harm may occur at any given time. It can be controlled with a set of defined procedural mechanisms for addressing security matters. An example is the risk of data loss or of being hacked by criminals.
Exploit is a term commonly used in computing, especially in risk and security, to mean an attack on a computer system that takes advantage of a specific vulnerability or instability in the system, thereby paving the way for intruders to compromise it. For example, scripts written against faulty code to take advantage of it and replicate data or the relevant source code.