Thesis on "Risk Identification in Information Security"

Thesis 15 pages (5004 words) Sources: 15


Risk Identification in Information Security

How does risk identification contribute to effective risk management of information security?

Risk identification plays an essential part in the process of risk management and in dealing with the pressing issue of information security in the modern working and networked environment. Risk identification also plays an important role in the selection and prioritization of various problems in terms of their significance to the organization or institution. Furthermore, risk identification leads to an assessment of the value assets of the company or enterprise. It is imperative that an organization properly identifies all possible risks so that the communities of interest within that organization have a clear picture to construct an assessment of the vulnerabilities to these assets.

The present study is intended to research the ways in which risk identification is useful as an integral and essential part of the process of the risk management of information security. I hope that my research question and paper will help further the understanding of the role that risk identification plays in risk management, and that this research can be instrumental in providing some new insight into risk identification.

Overview of risk identification and IT

The issue of security has become an important if not crucial area of concern for all online companies, ecommerce institutions and Web users. The issue of security, as well as privacy, can be seen in the increasing concern about online shopping and customer confidence in the online payment process. The issue of privacy intrusion has also become central to today's online world, especially in the area of ecommerce. There has in recent years been an increase in the reports of fraud and credit card infringements. This has also resulted in efforts to create and disseminate more effective security measures and methods. All of these aspects have to be taken into account in understanding the problem of risk identification as a necessary prerequisite for good risk management in the information age.

With the advent and increasingly ubiquitous nature of the Internet, online networking and communications technologies, there has on the one hand been an exponential increase in the free flow of information and the growth of online business. The internet as a boon to various industries and commerce has meant not only that information and information sharing have become more accessible and faster, but that various new technologies can be used to increase business and transaction processes. In essence, the Internet has meant that the barriers that existed before between countries and nations, as well as markets, have all but disappeared.

On the other hand, this modern phenomenon has also resulted in certain unique and challenging problems and risks to both commercial and private integrity that have become of paramount importance in the modern organization and business. As the internet has progressed in complexity and interactivity, as well as in the exponential increase in the number of online users, so have the threats of privacy invasion and other forms of intrusion and fraud.

The Internet has grown considerably during the past decade, particularly with respect to its use as a tool for communication, entertainment, and marketplace exchange. This rapid growth has been accompanied, however, by concerns regarding the collection and dissemination of consumer information by marketers who participate in online retailing. These concerns pertain to the privacy and security of accumulated consumer data … and the perceived risks that consumers may experience with respect to these issues

(Miyazaki and Fernandez, 2001, p. 27)

Risk identification as well as risk assessment is therefore seen as a cardinal issue in today's IT and online environment. As one article on this subject states, "Operational IT planning should identify and assess risk exposure to ensure policies, procedures, and controls remain effective" (Booklet: Management). Furthermore, it is generally stressed that this risk identification should be thorough and extensive. It should "... identify the location of all confidential customers and corporate information, any foreseeable internal and external threats to the information, the likelihood of the threats, and the sufficiency of policies and procedures to mitigate the threats" (Booklet: Management). As many IT specialists note, it is imperative that management consider the results of the identification and assessment of risks in overseeing all IT operations.

The above points therefore stress the central role that the identification of risk factors plays in the security of the company or firm involved. As many experts comment, the reality of modern online and networking interactions and communications in business and other organizational activities is that any system is vulnerable to hacking and other security issues. It should also be noted that the general consensus is that the majority of security breaches occur as a result of common vulnerabilities in the system that could easily have been checked.

However, the identification of risk factors in terms of information security brings a large number of variables and criteria into play. These include not only issues of policy and procedure, but also human factors and issues such as training and human error that have to be taken into account in the assessment of risk.

Definitions

Before discussing the aspect of risk identification in detail and in relation to factors such as risk assessment and management, it is firstly important to clearly define the parameters of the term risk identification. The CISA Review Manual 2006 provides the following definition of risk management:

"Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization." (

A number of important aspects need to be identified and unpacked from this definition. The first is that risk identification is an ongoing process which must be continuously repeated and maintained, as the online information environment is constantly changing with many new threats and risks emerging on a daily basis. Therefore, the process of identification must be one that is designed to be maintained over time and should also be flexible enough to adapt to new threats or risks in the online environment.

A second important point is that the measures or countermeasures taken as a result of identification and assessment of risks must be balanced in order to ensure that they do not impact negatively on aspects such as efficiency and productivity. In other words, risk identification is related to value assessment, and countermeasures instituted to protect the assets of the company or organization should not jeopardize the integrity of the organization.

In essence, risk identification can be understood as the "… likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset)" (SPECIAL REPORT: Security Directives and Compliance). Furthermore, this means that the optimal management of security risks implies the correct and timely identification of possible risk factors that may threaten the company. This in turn refers to an ongoing and detailed awareness of the value of the assets of the company or organization. "… managers need to identify the value of the IT and information assets that might be impacted; then conduct a threat and vulnerability analysis to identify the potential effect and the probability of that occurrence" (SPECIAL REPORT: Security Directives and Compliance). Therefore, it follows that in order to accomplish adequate risk identification one must take into account the important concept of vulnerability. Vulnerabilities as a central aspect of risk identification will be discussed in more detail in the following section.

Vulnerabilities

Vulnerabilities to the system in information security constitute a risk. These vulnerabilities can mean the loss of integrity and confidentiality and can consequently lead to other losses, such as loss of income. However, the identification of all risks is often an impossible task and the term residual risk is used to describe all remaining risks after the identification and assessment. In this sense, risk assessment follows from the identification of the risk and is usually carried out by a team of experts in the areas of the business affected.

There are many common types of vulnerabilities that need to be acknowledged and included in any strategy of risk identification and management. One of the most pervasive and common risks is identity theft. An article that provides some insightful and relatively contemporary statistics on the extent of ID theft is "Internet Commerce Grows 88% by Dollar Volume and 39% by Transaction Volume: Fraud Remains a Concern". For example, the author notes that in recent years the "… United States remained the top source country for security events generated with an overwhelming 79%, followed by Canada (5.7%), Taiwan (2.6%), Korea (2.5%) and the U.K. (2.4%)" (Internet Commerce Grows 88% by Dollar Volume and 39% by Transaction Volume: Fraud Remains a Concern). Another source that attests to the serious extent of this risk is FraudWatch International (http://www.fraudwatchinternational.com). The Identity Theft section of this site is constantly updated with some of the latest…

Quoted Instructions for "Risk Identification in Information Security" Assignment:

There are a couple very specific things that need to take place in this paper.

1. The Bibliography must also be annotated. There needs to be about 150 words in each annotated reference in the bibliography. If this costs extra I have no problem paying the additional fee.

2. The research paper format must be in APA 5 format. It's really not that different from APA format. I am including a link to the APA 5 format specifications.

APA 5 format link: http://owl.english.purdue.edu/owl/resource/560/01/

3. The Professor is really picky about the subject being pretty narrow so please try not to get too off topic with anything in the paper.

4. There must be 15 references in the bibliography as I have stated. This also means that each reference in the bibliography must also APPEAR in the paper at least once. Don't be afraid to be a little heavy on the amount of references in the paper. I had this same Professor last semester and she had one problem with my paper and that was that there weren't enough references in the paper even though I had 20 cited.

5. Lastly, I have another paper that I may have done through *****.com depending on how this paper comes out. It is also 15 pages. *****

How to Reference "Risk Identification in Information Security" Thesis in a Bibliography

“Risk Identification in Information Security.” A1-TermPaper.com, 2010, https://www.a1-termpaper.com/topics/essay/risk-identification-information-security/4850. Accessed 1 Jul 2024.
