Research Proposal on "Security and Online Privacy Regulations: An Analytical"

Research Proposal 20 pages (5553 words) Sources: 20 Style: APA

[EXCERPT] . . . .

security and online privacy regulations: an analytical assessment of how young adults can effectively adopt self-protections when using the internet

The work of Munteanu (2004) entitled: "Information Security Risk Assessment: The Qualitative vs. Quantitative Dilemma" relates the primary security risk assessment methodologies used in information technology. Munteanu relates that information security technology does not reduce information risk very effectively because information security is primarily a human problem. Whatever forms an information asset takes, a risk assessment must be undertaken to understand which are best security measures suited for protecting information security framework: (1) confidentiality; (2) integrity; and (3) availability. (Munteanu, 2004) Munteanu states that that are various standards including documents and books entitled: "Information Security Best Practices" which are targeted at managers of information technology managers however in these publications Munteanu notes that there are "similar limitations and inconsistencies in description of risk assessment methodologies that follow in information systems risk literature" including

1) Inconsistent or too general definitions of risk assessment;

2) lack of rigor;

3) Applicability of risk assessment models depend on the analyst knowledge and business context;

4) Lack of an exhaustive and up-to-date database of risk vulnerabilities and exposure applicable in quantitative models; and 5) Many standards with little or no substantial differences. (Munteanu, 2004)

This study utilizes questionnaires that are included in a risk assessment, which provides identification of "...risks and risks impacts, and recommendations of risk-reducing measures." (Munteanu, 2004) the methodology in this study contains nine specific steps as follows:

1)System Characterization;

2) Threat Identification;

3) Vulnerability Identification;

4) Control Analysis;

5) Likelihood Determination;

6) Impact Analysis;

7) Risk Determination;

8) Control Recommendations; and 9) Results Documentation. (Munteanu, 2004)

The work of Munteanu (2004) states that "...prerequisite to qualitative risk analysis, and the lack of good data may be that of "good data" and it may be the lack of good data that is the "main reason qualitative analysis of information security risk is not usually performed. Qualitative assessment use risk assessment matrix and questionnaires." (Munteanu, 2004) in the risk, matrix risks are generally rated as low, medium, or high and in questionnaires people use a risk scale for risk ranking. In this case, the qualitative assessment undergoes a transformation and becomes a qualitative-quantitative one." (Munteanu, 2004) Before the assessment is begun it is critical that the analyst gain and understanding of the use of the computer by the individual in terms of the computer 'processes and functions' including the 'framework' of the users applications and the technology characteristics used by the individual in combination with the philosophy of those applications and use with the constraints, interdependencies and the "...interactions between information system components." (Munteanu, 2004) This study relates that there are three points-of-view on information availability that have to be addressed, which are:

1) Organizational;

2) Users; and 3) Computer Network

The following chart lists categories of these three: (Muntenu, 2004)

Muntenu (2004) states of risk analysis:

Calculating the risks is a subjective estimation, in terms of: low, medium or high. In this case, we simply use a matrix risk-value and a risk impact ranking, but we can estimate exactly what value risks have. Most qualitative risk analysis methodologies make use of these elements and the assessment depends on the experience and judgment of the professional who made the analysis or identify quality elements that have an impact on information security. In fact, we talk about a "what-if" analysis. The analysts use qualitative variables but the result must be finally quantitative to serve the scope of a management decision..."

The 'General Security Risk Assessment' is illustrated as follows:

General Security Risk Assessment

Source: ASIS international guidelines Commission as cited in Muntenu

For example, as in the management of information technology internet security in terms of the number of incidents because that is the precise measurement in the assessment and analysis of risk to security.

Qualitative Risk Assessment

Qualitative risk assessment in the study reported by Muntenu (2004 relates that four elements were accounted for:

1) Asset value;

2) Threats;

3) Vulnerability; and 4) Controls.

The assessment goal in Burd's study was stated to be for the purpose of determining if the existing risk exposure is addressed by security controls that are in place. Further addressed is the correct or accepted techniques in making this analysis. Specific technological risks are addressed and inherent risk involvement in applications using the database server and the database management system. Also needing addressed in the study was particular transaction risk on the database. All these findings hold "significance for the assessment" however only a qualitative approach is not sufficient in making this analysis. In the event of such a scenario, "the database administration is reactive and makes the changes on the database at the moment when he knows the vulnerability." (Muntenu, 2004)

Limitations to Quantitative Approach

Qualitative risk assessment is "scenario-based" in its approach while quantitative analysis "assigns monetary values to the components identified in the risk assessment phase." Higher efficiency represents fewer breakdowns in security processes. Because of this, in business organization information systems, the analyst identifies the assets, the threats that could have an effect on these assets and the vulnerabilities associated with the identified assets. In this case and in view of the theory of social capital and the assets represented by adolescents, which is the focus of the present study this factor is something that can only be qualitatively analyzed but to understand system efficiency the qualitative business system analysis will serve well to inform the present study therefore that process is herein reviewed. Muntenu goes on to relate that qualitative process elements include:

1) Financial value of the asset

2) Cost to build the asset

3) Value of the asset to the competition; and 4) Cost to recover the asset. (Muntenu, 2004)

Muntenu (2004) additionally states: "If we assume that the database server stores financial information, the value of the data may be based on two factors" which are those of:

1) the data contribution to the financial goals of the company; and 2) the value of the data to an external individual or organization.

Resulting is "the indirect value of the database server is the most difficult assessment." (Muntenu, 2004) Muntenu relates the work of Dillard (2004) who presented a five-step process in making determination of the asset value and some security metrics. Those five steps are as follows:

1) Assign a monetary value to each asset class.

2) Input the asset value for each risk;

3) Produce the single loss expectancy value (SLE);

4) Determine the Annual Rate of Occurrence (ARO); and 5) Determine the Annual Loss Expectancy (ALE). (Muntenu, 2004)

Stated as 'Single Loss Expectancy' (SLE) is that this "represents the expected impact of a specific threat event and can be computed by multiplying the exposure factor of a given threat by the financial value of the asset (AV)." The exposure factor (EF) is the percentage of asset loss caused by identified threat and can be calculated by multiplying the threat frequency level (TL) with the impact factor (if). The threat frequency level (TL) is calculating by multiplying the threat probability (TP) by the risk factor (RF), where the risk factor is the criticality factor (CF) of the attack divided by the effort (E) required performing the exploit.

EF = (((TP x (C / E)) x (VF x AP)) / 100)

Calculating the exposure factor following this formula does not take into account the time variable." (Muntenu, 2004)

Muntenu next states that this formula is adjusted through estimation of three other elements:

1) Average time period for threat identification;

2) Average time period for releasing technical procedures to reduce or accept threat; and 3) Average time period necessary till the system becomes operational and the threat eliminated. (Muntenu, 2004)

The sum of these three variables is termed exposure time. This equation would appear as follows:

Average Time Period (ATP) Threat Identification

Average Time Period (ATP) Release technical procedures reduction/acceptance of threat

Average Time Period (ATP) for system to become operational and threat eliminated

TOTAL SUM = EXPOSURE TIME

According to Muntenu: "Exposure factor will be bigger when exposure time is longer. Because estimating exposure time is based on security historical incidents, its value will be highly subjective. The annualized rate of occurrence (ARO) is the probability of a threat occurring during a one-year time frame." (Muntenu, 2004)

Annual Loss Expectancy' (ALE) is the 'single loss expectancy' multiplied "by the annualized rate of occurrence (ARO) or:

ALE=SLE * ARO

Muntenu states importantly that it is not easy to apply these formulas and to realize a cost-benefit analysis by taking the ALE and subtracting the initial cost of the countermeasure and the annual recurring cost of the countermeasure. The main problem when the analyst applies this formula is the numerical expression of the variables included. A rare threat is different from a threat that will never appear. Lacking of exhaustive threat probability database, the analyst puts in this formula a value based on a qualitative assessment. The impact factor and… READ MORE

How to Reference "Security and Online Privacy Regulations: An Analytical" Research Proposal in a Bibliography

Related Research Proposals:

Adolescent's Awareness and Their Lack of Implementing Term Paper

ADOLESCENT'S AWARENESS and THEIR LACK of IMPLEMENTING INFORMATION SECURITY and ONLINE PRIVACY REGULATIONS of (82525) 83436

AN ANALYTICAL ASSESSMENT of ADOLESCENT'S AWARENESS and THEIR LACK of IMPLEMENTING INFORMATION SECURITY and… read more

Term Paper 40 pages (11261 words) Sources: 30 Style: APA Topic: Computers / IT / Internet

---

Teenager's Awareness and Their Lack of Implementing Term Paper

Teenager's Awareness and Their Lack of Implementing Information Security and Online Privacy Concepts

This work contains a research proposal for a behavioral medication intervention for teens ages 12 to 17,… read more

Term Paper 31 pages (8637 words) Sources: 30 Style: APA Topic: Child Development / Youth / Teens

---

Different Preferences in Learning Between American and French Learners in a Multinational Corporate Setting Dissertation

Preferences in Learning between American and French Learners in a Multinational Corporate Setting

The way training is delivered in a corporate environment has a tremendous effect on results. This study… read more

Dissertation 65 pages (23082 words) Sources: 65 Style: APA Topic: Education / Teaching / Learning

---

Information Policy Term Paper

Policy & Privacy

Lamb, Gregory M. 2006. "The end of privacy?" The Record. July

In an increasingly digitized world, activists and private citizens are rightly raising concerns regarding privacy. Privacy… read more

Term Paper 4 pages (1108 words) Sources: 0 Topic: Computers / IT / Internet

---

Tenure: Perceptions of Online Professors Essay

Post Tenure



The Perceptions of Online Professors Regarding Tenure and Post-Tenure Review



Over the course of several months, researchers here have compiled a wealth… read more

Essay 20 pages (5554 words) Sources: 24 Topic: Education / Teaching / Learning

---

View 100+ more related papers  >>