CMIT 425 Week 1 Essay

Week 1 Essay Questions

Question 1

From a quantitative perspective, where monetary and numeric values are assigned to company assets, businesses use metric formulas in a five-step process to complete risk analysis. These steps are: 1) Assign value to assets, 2) Estimate potential loss per threat, 3) Perform threat analysis, 4) Derive the overall loss potential per threat, and 5) Reduce, transfer, or accept risk.

From the qualitative perspective of risk analysis, businesses gather experienced personnel, present them with a scenario involving a threat and potential loss, and ask them to score every category for that threat. Scores are given in the categories of Severity of Threat, Probability of Threat, Potential Loss, Effectiveness of Firewall, and Effectiveness of IDS. A score of 0.1 – 5 is given after each scenario, in each category, with 0.1 being the lowest and 5 the highest. These scores are used to rank the seriousness of threats and the validity of possible countermeasures.

  1. Assign Value to Assets – Place a value on a company asset by determining its monetary value (market value), maintenance cost, profitability, recoverability, and protection cost.
  2. Estimate Potential Loss per Threat – Estimate how much a threat would cost the business. This is done by defining physical damage and productivity costs, lost confidentiality value, cost to recover, and value lost in the event of a device failure, and then calculating the Single Loss Expectancy (SLE). SLE is the Asset Value multiplied by the Exposure Factor (EF), where the Exposure Factor is the percentage of an asset's value that would be lost to a given threat. SLE = Asset Value ($$$ Numeric Value) * EF (%).
  3. Perform a Threat Analysis – Gather information about the current threats facing the company, or threats that could appear, and calculate the Annualized Rate of Occurrence (ARO). ARO is calculated by gathering specific information on each defined threat facing a business and determining how often it could take place in one year.
  4. Derive the Overall Loss Potential per Threat – Gather information to determine how much a loss will cost, its probability, and the remedial measures for each threat. Calculate the Annualized Loss Expectancy (ALE), the loss per year, with the formula: SLE * ARO = ALE. Use this formula to determine the cost/benefit of each threat's countermeasure.
  5. Reduce, Transfer, or Accept the Risk – After all calculations are made and evaluated, determine whether it is best for the business to Reduce (use risk reduction methods to minimize risk), Transfer (purchase insurance), or Accept (live with) the risk.
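The five steps above worked through in code, as an added example that is not part of the original essay or of the Wikibooks source it paraphrases. The asset value, exposure factors, rates and costs are constructed figures, and the cost/benefit rule (ALE before, minus ALE after, minus the safeguard's yearly cost) and the Reduce/Transfer/Accept comparison by lowest expected yearly cost are my own assumed formalization of steps 4 and 5.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    """One threat against one asset, with the three inputs the five-step method needs."""
    name: str
    asset_value: float      # step 1: dollar value assigned to the asset
    exposure_factor: float  # step 2: fraction of the asset lost per event (0.0 to 1.0)
    aro: float              # step 3: Annualized Rate of Occurrence (events per year)

def sle(t: Threat) -> float:
    """Single Loss Expectancy = Asset Value * Exposure Factor (step 2)."""
    if not 0.0 <= t.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return t.asset_value * t.exposure_factor

def ale(t: Threat) -> float:
    """Annualized Loss Expectancy = SLE * ARO, the expected loss per year (step 4)."""
    return sle(t) * t.aro

def countermeasure_value(t: Threat, new_ef: float, new_aro: float, annual_cost: float) -> float:
    """Assumed cost/benefit rule for step 4: ALE before minus ALE after minus the
    safeguard's yearly cost. Positive means the countermeasure pays for itself."""
    after = Threat(t.name, t.asset_value, new_ef, new_aro)
    return ale(t) - ale(after) - annual_cost

def decide(t: Threat, new_ef: float, new_aro: float, annual_cost: float, premium: float) -> str:
    """Step 5 (assumed rule): choose the option with the lowest expected yearly cost.
    Accept = live with the current ALE; Reduce = safeguard cost plus residual ALE;
    Transfer = the insurance premium that moves the loss to an insurer."""
    residual = ale(Threat(t.name, t.asset_value, new_ef, new_aro))
    options = {"Accept": ale(t), "Reduce": annual_cost + residual, "Transfer": premium}
    return min(options, key=options.get)

# Constructed sample figures (not from any real company): a file server worth $200,000,
# where a ransomware event would wipe half of it and is expected once every four years.
RANSOMWARE = Threat("ransomware on file server", asset_value=200_000, exposure_factor=0.5, aro=0.25)
# Proposed safeguard: offline backups plus endpoint protection for $6,000 a year, which is
# assumed to cut the exposure factor to 25% and halve the rate of occurrence.
NEW_EF, NEW_ARO, SAFEGUARD_COST, INSURANCE_PREMIUM = 0.25, 0.125, 6_000, 15_000

if __name__ == "__main__":
    print(f"SLE = ${sle(RANSOMWARE):,.0f}, ALE = ${ale(RANSOMWARE):,.0f}")
    print(f"safeguard value = ${countermeasure_value(RANSOMWARE, NEW_EF, NEW_ARO, SAFEGUARD_COST):,.0f}")
    print("decision:", decide(RANSOMWARE, NEW_EF, NEW_ARO, SAFEGUARD_COST, INSURANCE_PREMIUM))
```

With these figures the SLE is $100,000, the ALE is $25,000 a year, and the safeguard is worth $12,750 a year net of its cost, so Reduce beats both Accept and a $15,000 premium.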

All information was gathered and paraphrased, to provide this answer, from the “Fundamentals of Information Systems Security/Information Security and Risk Management” on Wikibooks.org.

References

Wikibooks.org. (2016). Fundamentals of Information Systems Security/Information Security and Risk Management. Retrieved from https://en.wikibooks.org/w/index.php?title=Fundamentals_of_Information_Systems_Security&stable=1

Question 2

Define the terms Vulnerability, Threat, Threat Agent Risk, Exposure, and Control.

  1. Vulnerability – is an asset (software, hardware, or procedural) weakness that can be exploited and result in harm or loss.
  2. Threat – is a situation or event that could result in negative payoffs or undesirable outcomes; any potential danger to information or systems.
  3. Threat Agent Risk – the entity that exploits an asset (software, hardware, or procedural) vulnerability.
  4. Exposure – an instance of being exposed to losses from a threat. A vulnerability causes exposure to threats.
  5. Control – controls are measures/actions taken to provide security to information and assets. Security controls can be classified into three categories: Administrative, Technical/Logical, and Physical.

All information was gathered and paraphrased, to provide this answer, from the “Fundamentals of Information Systems Security/Information Security and Risk Management” on Wikibooks.org and Module 3 “Risk and Risk Management” on Umucecollege.com.

Three Different Controls:

  1. Administrative – procedures, policies, and rules that are used to govern personnel and operations within a business/organization. Examples: policies, work standards, procedures, guidelines, personnel screening, or training.
  2. Technical/Logical – software, hardware, or technology used to protect information, a device, or a network. Examples: access control mechanisms, passwords, identification and authentication methods, or security devices.
  3. Physical – security measures in physical form to prevent unauthorized access to information, equipment, or a specified area. Examples: controlled access into a facility, department, or room; locking computers/devices; facility perimeter security; intrusion monitoring; or environmental controls.

References

University of Maryland University College. (n.d.). Module 3: Risk and Risk Management. Retrieved from https://umuc.equella.ecollege.com/file/0971d22b-bd26-4311-ba3d-aa1898278ff9/1/CSIA303-1209.zip/Modules/M3-Module_3/S3-Commentary.html#pagetop

Wikibooks.org. (2016). Fundamentals of Information Systems Security/Information Security and Risk Management. Retrieved from https://en.wikibooks.org/w/index.php?title=Fundamentals_of_Information_Systems_Security&stable=1

Question 3

Four basic ways of handling risk:

All information was gathered and paraphrased, to provide this answer, from the “Fundamentals of Information Systems Security/Information Security and Risk Management” on Wikibooks.org and Module 3 “Risk and Risk Management” on Umucecollege.com.

  1. Acceptance – Accepting risk has two forms: opportunity-based risks and threat-based risks. Accepting a risk means identifying a risk and living with it, either through no action or by formally agreeing that it is beneficial and assigning members to oversee its outcome. With opportunity-based risks, a business/company will accept a risk with the expectation of a beneficial or profitable outcome. For threat-based risks, a business/company will accept a risk because the cost of threat prevention is greater than the calculated loss in the event of the threat.
  2. Avoidance – A business/organization makes the decision to avoid situations or circumstances in which risk could arise. This is achieved by not partaking in activities where the costs or potential costs outweigh the benefits/returns.
  3. Transfer – Transferring risk is the practice of moving risk from one business/organization to another. This is achieved by a business/organization purchasing insurance or outsourcing a service to a third-party organization, transferring the risk/responsibility from the originating business/organization to the third party.
  4. Mitigation – Mitigation of a risk occurs when a business/organization uses specific actions, processes, and technologies to minimize or eliminate a vulnerability in an effort to lessen the impact of a risk. This is achieved by keeping software up to date, using anti-virus software, or adding security tools to a network or workstation.

References

University of Maryland University College. (n.d.). Module 3: Risk and Risk Management. Retrieved from https://umuc.equella.ecollege.com/file/0971d22b-bd26-4311-ba3d-aa1898278ff9/1/CSIA303-1209.zip/Modules/M3-Module_3/S3-Commentary.html#pagetop

Wikibooks.org. (2016). Fundamentals of Information Systems Security/Information Security and Risk Management. Retrieved from https://en.wikibooks.org/w/index.php?title=Fundamentals_of_Information_Systems_Security&stable