Risk Analysis And Vulnerability Information Technology Essay

The term risk management has been established in the last twenty years as an evolution of the term insurance management. The field of risk management includes a huge variety of activities and responsibilities than does insurance management. Risk management is now a widely accepted description of a discipline within most large organizations. Common risks such as building catastrophes, personnel injuries, and automobile accidents, as well as more major threats like product liability, environmental impairment, and employment practices, are the fields of the risk management department in a typical corporation. Although risk management has usually to do with property and loss, nowadays it is considerate to include financial risk management, such as interest rates, foreign exchange rates, and derivatives, but also new types of risks that businesses expose themselves in E-commerce. As the role of risk management has increased, some large companies have begun invest in large-scale programs known as enterprise risk management.

Risk management involves identifying, analyzing, and taking measures to decrease the exposures to threats towards organization. Risk management uses many techniques, to manage a multiple risks. Every business faces risks, some of which are easy to predict and under special manager’s control, and others which are apart from unpredictable, are also uncontrollable.

Risk management is important for all kind of businesses. More specific, for small businesses, there are many types of threats, such as theft, fire, flood, legal liability, injury, or disability, which can cause serious economical damage, even bankruptcy. These kinds of losses and liabilities can affect company’s operations and decrease its profits at very low even to zero level.

On the other hand, many large companies are able to hire a risk manager to predict risks and execute a plan to protect the firm against them; unlikely to smaller companies, they don’t include a risk manager in their annual budget. Instead, the handling of the threat probably will come from small business owner.


Risk assessment involves the integration of threat, vulnerability, and consequence information. Risk management involves deciding which protective measures to take based on an agreed upon risk reduction strategy. Many models/methodologies have been developed by which threats, vulnerabilities, and risks are integrated and then used to inform the allocation of resources to reduce those risks.

Threat Assessment

A threat assessment is the first thing to examine in a risk management plan. A variety of threats are being considered in a threat assessment considers such us natural, criminal, terrorist, accidental, etc. for specific facility or location. In order to evaluate the possibility of occurrence for each threat, the assessment should examine all types of information needed.

For natural threats, a risk manager should determine the credibility of the given threat by using historical data concerning frequency of occurrence for given natural disasters such as tornadoes, hurricanes, floods, fire, or earthquakes.

For criminal threats, the facility maybe is threatened from many types of criminal activities and that is why a risk manager should examine the crime rates in the surrounding area. Of course, the type of assets and activity which are taking place in the facility may also increase the possibility of a criminal attack by external or even internal aggressors.

Furthermore the type of assets and activity which are taking place in the facility will also relate directly to the possibility of different types of accidents. For example, if heavy industrial machinery are utilized by employees, then they will be at higher risk for serious or life-threatening accidents than employees in a typical office building.

For terrorist threats, the attractiveness of the facility as a target is a major consideration. In addition, the type of terrorist act may vary based on the potential adversary and the method of attack most likely to be successful for a given scenario. In general, the likelihood of terrorist attacks cannot be quantified statistically since terrorism is, by its very nature, random. Hence, when considering terrorist threats, the concept of developing credible threat packages is important.

Read also  The Collection Of Primary And Secondary Data Information Technology Essay

To determine vulnerabilities, use the matrix to interview personnel, review previous security incidents, and examine audit and system records and system documentation. Contact vendors for reports of known system vulnerabilities, check advisory Web sites and look for security issues by using automated tools. Then, evaluate the vulnerabilities while considering their number and nature and any countermeasures in place (discussed further next week).

Using the matrix, what vulnerabilities exist in the organization’s physical areas as applied to information security? Analyze findings from your observations and personnel interviews, risk assessment and historical site surveys, reviews of written and informal procedures and audit trail data, and any other research, like diagrams, practice drills, etc.

Using these findings, determine what vulnerabilities exist in the organization’s administration, policies and documentation area, and in the organization’s personnel practices. Consider the organization’s communications/network connectivity and in the computer system itself.

Once the threat levels have been identified and quantified, evaluate the vulnerability.

B. Vulnerability Assessment

After identifying all existing threats, we have to perform a vulnerability assessment. Vulnerability assessment evaluates the impact of loss that any pre reported threat can cause after a successful attack. The evaluated degree of the damage that emanatates from such an attack is determined by Impact of loss. For achieving the properly definition of the impact of loss a threat is able to cause, a key component is needed. Each facility must be examined on its owned definitions.

Below we can see some definitions for impact of loss in a company that serves the public.

Devastating: In this case the facility is damaged and there is a need of repair in most of its items or assets. For that reason, the organization is forced to reduce the number of visitors in a certain degree for several period of time.

Severe: In this case a part of the facility has been damaged or partially contaminated because of several events such as fire, extreme rain, smoke etc. Examples include partial structure breach resulting in weather/water, smoke, impact, or fire damage to some areas. Some items/assets in the facility are damaged beyond repair, but the facility remains mostly intact. The entire facility may be closed for a period of up to two weeks and a portion of the facility may be closed for an extended period of time (more than one month). Some assets may need to be moved to remote locations to protect them from environmental damage. The number of visitors to the facility and others in the organization may be reduced by up to 50% for a limited period of time.

Noticeable: The facility is temporarily closed or unable to operate, but can continue without an interruption of more than one day. A limited number of assets may be damaged, but the majority of the facility is not affected. The number of visitors to the facility and others in the organization may be reduced by up to 25% for a limited period of time.

Minor: The facility experiences no significant impact on operations (downtime is less than four hours) and there is no loss of major assets.

C. Risk Analysis & Vulnerability

A combination of the impact of loss rating and the vulnerability rating can be used to evaluate the potential risk to the facility from a given threat.

Vulnerability is defined to be a combination of the attractiveness of a facility as a target and the level of deterrence and/or defense provided by the existing countermeasures. Target attractiveness is a measure of the asset or facility in the eyes of an aggressor and is influenced by the function and/or symbolic importance of the facility. Sample definitions for risk ratings are as follows:

Read also  Focusing On The Software Company Of Jharna Information Technology Essay

Very High: This is a high profile facility that provides a very attractive target for potential adversaries, and the level of deterrence and/or defense provided by the existing countermeasures is inadequate. Countermeasures recommended to mitigate these risks should be implemented as soon as possible.

High: This is a high profile regional facility or a moderate profile national facility that provides an attractive target and/or the level of deterrence and/or defense provided by the existing countermeasures is inadequate. Countermeasures recommended to mitigate these risks should be implemented as soon as possible.

Moderate: This is a moderate profile facility (not well known outside the local area or region) that provides a potential target and/or the level of deterrence and/or defense provided by the existing countermeasures is marginally adequate. Countermeasure implementation should be planned in the near future

Low: This is not a high profile facility and provides a possible target and/or the level of deterrence and/or defense provided by the existing countermeasures is adequate. Countermeasure implementation will enhance security, but is of less urgency than the above risks.

The vulnerability assessment may also include detailed analysis of the potential impact of loss from an explosive, chemical, or biological attack. Professionals with specific training and experience in these areas are required to perform these detailed analyses. A sample of the type of output that can be generated by a detailed explosive analysis can also be shown graphically. A graphic representation of the potential damage to a facility from an explosive attack allows a building owner to quickly interpret the results of the analysis, although a more fully detailed and quantitative engineering response would be required to design a retrofit upgrade.

In addition, similar representations can be used to depict the response of an upgraded facility to the same explosive threat. This allows a building owner to interpret the potential benefit that can be achieved by implementing various structural upgrades to the building frame, wall, roof, and/or windows.

D. Upgrade Recommendations

Based on the findings from the risk analysis, the next step in the process is to identify countermeasure upgrades that will lower the various levels of risk. If minimum standard countermeasures for a given facility level are not currently present, these countermeasures should automatically be included in the upgrade recommendations. Additional countermeasure upgrades above the minimum standards should be recommended as necessary to address the specific threats identified for the facility. The estimated capital cost of implementing the recommended countermeasures is usually provided in the threat/vulnerability assessment report. The estimated installation and operating costs for the recommended countermeasures are also usually provided in the threat/vulnerability assessment report. All operating costs are customarily estimated on a per year basis.

E. Re-Evaluation of Risks

The implementation of the recommended security and/or structural upgrades should have a positive effect on the impact of loss and/or the vulnerability ratings for each threat. The final step in the process is to re-evaluate these two ratings for each threat in light of the recommended upgrades. Using an exterior explosive threat as an example, the installation of window retrofits (i.e., security window film, laminated glass, etc.) will not prevent the explosive attack from occurring, but it should reduce the impact of loss/injury caused by hazardous flying glass. Therefore, the impact of loss rating for an explosive threat would improve, but the vulnerability rating would stay the same.


A Generic Model for Assessing and Integrating Threat, Vulnerability, and Risk

Many models/methodologies have been developed by which threats, vulnerabilities, and risks are integrated and then used to inform the cost-effective allocation of resources to reduce those risks. For this report, CRS reviewed vulnerability assessment models or methodologies, including some developed and used, to varying degrees, in certain selected sectors

Read also  Introduction To Office Administration Information Technology Essay


Using Assessments to Identify and Prioritize Risk Reduction Activities.

Identify Ways to Reduce Risk. Risks can be reduced in a number of ways: by reducing threats (e.g. through eliminating or intercepting the adversary before he strikes); by reducing vulnerabilities (e.g. harden or toughen the asset to withstand the attack); or, by reducing the impact or consequences (e.g. build back-ups systems or isolate facilities from major populations). For each potential countermeasure, the benefit in risk reduction should also be determined.26 More than one countermeasure may exist for a particular asset, or one countermeasure may reduce the risk for a number of assets. Multiple countermeasures should be assessed together to determine their net effects. The analyst should also assess the feasibility of the countermeasure.

The cost of each countermeasure must also be determined. Costs, too, are multidimensional. There may be up-front financial costs with associated materials, equipment, installation, and training. There are also longer term operational costs of the new protective measures, including maintenance and repair. There may also be operational costs associated with changes to overall operations. Costs also include time and impact on staff, customers, and vendors, etc. Expenditures on the protection of assets also results in opportunity costs, i.e. costs associated with not being able to invest those resources in something else.

Prioritize and Decide In What to Invest.

Once a set of countermeasures have been assessed and characterized by their impact on risk, feasibility, and cost, priorities may be set. Decision makers would have to come to a consensus on which risk reduction strategy to use to set priorities.

Most of the methods reviewed suggest a cost-effective selection process (i.e. implementation of the risk-reduction method(s) should not cost more than the benefit derivedby the reduced risk). Cost-effectiveness could also imply that the country invest in risk reduction to the point where the marginal cost to society equals the marginal benefit. Alternatively, given a fixed budget, cost-effectiveness might imply investing in protections that maximize the benefits for that investment. Countermeasures that lower risk to a number of assets may prove to be most cost-effective. Also, focusing attention on those assets associated with the highest risks may yield the greatest risk reduction and be one way to implement a cost effective approach.

While cost-effectiveness is usually the recommended measure for setting priorities, decision makers may use others. For example, decision makers may be risk averse. In other words, even if the chance of an attack is small, or the potential target is not particularly vulnerable, the consequences may be too adverse to contemplate. In this case, decision makers may wish to bear the costs of additional protection that exceed the “expected” reduction in risk. Roper notes, however, that, in general, protection costs should not exceed a reasonable percentage of the total value of the asset.2

Another measure by which to select protective actions might be to favor maximizing the number or geographical distribution of assets for which risks are reduced. Alternatively, decision makers might want to focus efforts on reducing a specific threat scenario (e.g. dirty bombs) or protecting specific targets (e.g. events where large numbers of people attend).

The electric utility checklist states that the ultimate goal of risk management is to select and implement security improvements to achieve an “acceptable level of risk” at an acceptable cost. The concept of acceptable risk is mentioned in a number of methodologies, and it needs to be determined by decision makers

After selecting which protective measures to pursue, programs, responsibilities, and mechanisms for implementing them must be established. Many of the reviewed methodologies conclude with the recommendation to revisit the analysis on a regular basis.

Order Now

Order Now

Type of Paper
Number of Pages
(275 words)