Four factors, namely assets, vulnerabilities, threats and countermeasures, determine the
level of risk in an information system. The risk analysis process mainly deals with these
four factors. The constructed risk model in the risk analysis process manipulates these
factors and estimates the risk.
Risk is the probability that a threat exploits a vulnerability in an asset. Because risk
is a probability, the risk analysis process is not a well-defined task: it has to deal with
many uncertainties.
With the basic concepts defined, the risk management process can be described in more
depth. As stated earlier, no technology or budget can eliminate risk entirely. That is why
some risk always remains, not only in information systems but in everything in our lives.
Accepting risk completely without taking any action, however, can certainly cause much
damage, so risk has to be managed through risk management. Risk management is the
mechanism that estimates the risks and proposes countermeasures. The estimated risk
amount, the cost of countermeasures and the security requirements are the three main
inputs when suggesting countermeasures.
Risk management is divided into two sub-processes: risk analysis and risk mitigation.
Risk analysis is the first process, in which risk is estimated. Risk mitigation is the
second process, in which the necessary risk controls are selected according to the risk
amount (estimated in risk analysis), cost and security requirements.
Risk analysis may be either quantitative or qualitative. Quantitative risk analysis
methods use mathematical and statistical tools to represent risk. Qualitative risk analysis
methods do not use mathematics; instead, risk is stated with the help of adjectives.
The risk model is the heart of the risk analysis process: it converts the information
about assets, vulnerabilities and threats into a risk value. The single and most important
outcome of the risk analysis process is the estimated risk obtained from the risk model.
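The two kinds of risk model described above, as an added example that is not part of the original text. The text names no concrete formula, so the quantitative model here is the common annualized-loss-expectancy form (SLE = asset value × exposure factor, ALE = SLE × annual rate of occurrence), the qualitative model is a likelihood/impact matrix of adjectives, and every asset, vulnerability, threat and threshold value is constructed for illustration.

```python
from dataclasses import dataclass

# Added example. The quantitative model is the annualized-loss-expectancy
# form (an assumption; the text names no formula):
#   single loss expectancy (SLE) = asset value * exposure factor
#   annualized loss expectancy (ALE) = SLE * annual rate of occurrence
# All sample values below are constructed.

@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # monetary value of the asset

@dataclass(frozen=True)
class Vulnerability:
    name: str
    exposure_factor: float  # fraction of the asset value lost when exploited (0..1)

@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float      # expected successful exploitations per year

def quantitative_risk(asset: Asset, vuln: Vulnerability, threat: Threat) -> float:
    """Risk as expected annual loss (ALE) for one asset/vulnerability/threat triple."""
    if not 0.0 <= vuln.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    sle = asset.value * vuln.exposure_factor
    return sle * threat.annual_rate

# Qualitative model: likelihood and impact are adjectives, and the matrix maps
# each pair to a risk adjective. The scale and matrix are a constructed example.
SCALE = ("low", "medium", "high")
RISK_MATRIX = {
    # (likelihood, impact): risk
    ("low",    "low"):    "low",
    ("low",    "medium"): "low",
    ("low",    "high"):   "medium",
    ("medium", "low"):    "low",
    ("medium", "medium"): "medium",
    ("medium", "high"):   "high",
    ("high",   "low"):    "medium",
    ("high",   "medium"): "high",
    ("high",   "high"):   "critical",
}

def qualitative_risk(likelihood: str, impact: str) -> str:
    """Risk as an adjective, looked up from the likelihood/impact matrix."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError(f"likelihood and impact must be one of {SCALE}")
    return RISK_MATRIX[(likelihood, impact)]

def ale_to_adjective(ale: float, thresholds=(1_000.0, 10_000.0, 50_000.0)) -> str:
    """Bridge the two models: bucket an ALE into the same adjectives (constructed thresholds)."""
    labels = ("low", "medium", "high", "critical")
    for label, limit in zip(labels, thresholds):
        if ale < limit:
            return label
    return labels[-1]

if __name__ == "__main__":
    # Constructed scenario: one asset, one vulnerability, one threat.
    server = Asset("customer database server", value=100_000.0)
    weak_auth = Vulnerability("weak administrative password policy", exposure_factor=0.25)
    guessing = Threat("external credential guessing", annual_rate=0.5)
    ale = quantitative_risk(server, weak_auth, guessing)
    print(f"quantitative risk (ALE): {ale:,.0f} per year -> {ale_to_adjective(ale)}")
    print("qualitative risk:", qualitative_risk("high", "medium"))
```

The quantitative path yields a number that can be compared directly with the annual cost of a countermeasure; the qualitative path yields only an ordering, which is why `ale_to_adjective` is included to show how the two scales are usually reconciled in practice.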
The risk mitigation process does not merely decrease risk. Its basic action is the
control of risks according to risk amount, cost and security requirements. Controlling
risk may include reducing it, accepting it, transferring it and even escalating it. If too
many countermeasures are used, both the cost and the difficulty of using the information
system increase, which requires eliminating some of the countermeasures. This is just
one example of why escalation of risk is sometimes required.
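The risk control decision described above, as an added example that is not part of the original text. It takes an estimated risk (an expected annual loss from the risk analysis step), a list of candidate and already deployed countermeasures with their annual cost, and a security requirement expressed as the maximum acceptable residual risk. The greedy net-benefit rule, the `Countermeasure` fields and all figures are assumptions constructed for illustration; the text prescribes no particular selection rule.

```python
from dataclasses import dataclass

# Added example; the selection rule and all figures are constructed.

ACCEPT = "accept"
EXCEEDS = "residual risk exceeds requirement; management decision needed"

@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float      # cost of running the control for one year
    reduction: float        # fraction of the current residual risk it removes (0..1)
    kind: str = "reduce"    # "reduce", or "transfer" (e.g. insurance)
    deployed: bool = False  # already in place?

def net_benefit(residual_risk: float, cm: Countermeasure) -> float:
    """Annual loss avoided minus annual cost; negative means the control costs more than it saves."""
    return residual_risk * cm.reduction - cm.annual_cost

def plan_mitigation(risk: float, countermeasures, acceptable_risk: float):
    """Decide how to control one estimated risk.

    Returns (actions, residual_risk, treatment) where actions is a list of
    (action, countermeasure name) pairs: "remove" escalates risk by dropping a
    deployed control that is not worth its cost; "reduce" and "transfer" add one.
    """
    actions = []
    kept = []
    # Escalation: a deployed control that costs more than the loss it avoids is dropped.
    for cm in countermeasures:
        if cm.deployed:
            if net_benefit(risk, cm) < 0:
                actions.append(("remove", cm.name))
            else:
                kept.append(cm)
    residual = risk
    for cm in kept:
        residual *= 1 - cm.reduction
    # Reduction/transfer: add the control with the best net benefit against the
    # current residual, until the security requirement is met or nothing pays off.
    candidates = [cm for cm in countermeasures if not cm.deployed]
    while residual > acceptable_risk:
        best = max(candidates, key=lambda cm: net_benefit(residual, cm), default=None)
        if best is None or net_benefit(residual, best) <= 0:
            break
        candidates.remove(best)
        actions.append((best.kind, best.name))
        residual *= 1 - best.reduction
    treatment = ACCEPT if residual <= acceptable_risk else EXCEEDS
    return actions, round(residual, 2), treatment

if __name__ == "__main__":
    # Constructed input: ALE of 12,500 per year, a requirement of at most 3,000.
    controls = [
        Countermeasure("legacy IDS appliance", 9000.0, 0.3, deployed=True),
        Countermeasure("patch management", 2000.0, 0.6),
        Countermeasure("offline backups", 1500.0, 0.5),
        Countermeasure("cyber insurance", 4000.0, 0.5, kind="transfer"),
    ]
    actions, residual, treatment = plan_mitigation(12500.0, controls, acceptable_risk=3000.0)
    for action, name in actions:
        print(f"{action:8s} {name}")
    print(f"residual risk {residual:,.0f} per year -> {treatment}")
```

With the constructed figures the deployed IDS appliance is removed because it avoids less loss than it costs (an escalation of risk), patch management and backups are added, insurance is never worth buying against the remaining exposure, and the residual risk of 2,500 meets the 3,000 requirement, so the remainder is accepted.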
The risk management process is not performed only once; risk management is a process,
not a result. The risk analysis and risk mitigation processes together form a risk
management cycle, in which the risk analysis process establishes the basis of a
cost-effective risk mitigation process. This cycle should be repeated periodically, since
information technologies are always changing, which means that assets, vulnerabilities
and threats change as well. Moreover, more cost-effective countermeasures may become
available. All these factors require performing the risk management cycle periodically.
The period of this cycle should be determined by the management of the organization.
The dynamic structure of the information age certainly affects the risk management
process. A number of information security risk analysis methods have become obsolete
because of the profound changes in information technologies. Revolutionary changes in
information technologies have turned many risk analysis methods into inconsistent,
time-consuming and expensive instruments. Therefore, risk analysis methods should be
adapted, modified or redesigned according to changes in information technologies and
today's needs. The tools and methods used in risk management processes of the 1980's