Threats --- A threat is an internal or external circumstance whose impact could have a negative or undesirable effect on an organisational asset. Put another way, it is the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
Vulnerabilities --- A vulnerability is a loophole in, or weakness of, a safeguard protecting an asset. It makes a threat potentially more harmful or costly, or more likely to occur on a frequent basis, resulting in a security breach or a violation of the system's security policy.
Risk Management
So, given that risk can never be completely eliminated -- no matter how secure a system might be -- the practical goal is risk mitigation, i.e. reducing risk to a level that is acceptable to the organisation. To do this, we must look at three main elements:
- Identification
- Analysis (part II)
- Control (part III)
Risk Identification
Identifying an organisation's assets and determining their value is a critical step in deciding the appropriate level of security required for each asset. Valuation can be both quantitative (cost) and qualitative (importance).
If done properly, some of the benefits of asset valuation are:
- supports quantitative and qualitative risk assessments, business impact assessments and security auditing
- facilitates cost/benefit analysis and supports management decisions regarding the selection of appropriate safeguards
- can be used to determine insurance requirements, budgeting and replacement costs in case of downtime
- helps limit personal liability
The process of threat analysis can be broken down into the following steps:
1. Definition: Define the actual threat
2. Identification: Identify possible consequences to the organisation if the threat is realised
3. Frequency: Determine the probable frequency of a threat
4. Probability: Determine the probability that a threat will actually materialise
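Taking the quantitative (cost) side of asset valuation together with steps 3 and 4 above, the usual way to put numbers on this is single loss expectancy (SLE = asset value x exposure factor) and annualised loss expectancy (ALE = SLE x expected occurrences per year), which then feeds the cost/benefit comparison of candidate safeguards. The Python below is an added worked example, not code from this page or its references; the asset, threat and safeguard figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float            # quantitative valuation in currency units (constructed)
    exposure_factor: float  # fraction of the value lost when the threat is realised (0..1)


@dataclass
class Threat:
    name: str
    annual_frequency: float  # step 3: probable occurrences per year


@dataclass
class Safeguard:
    name: str
    annual_cost: float        # cost of operating the safeguard for one year
    residual_frequency: float  # threat frequency after the safeguard is in place
    residual_exposure: float   # exposure factor after the safeguard is in place


def single_loss_expectancy(asset: Asset) -> float:
    """SLE: what one realised threat event costs for this asset."""
    return asset.value * asset.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE: expected yearly loss = SLE x expected events per year."""
    return single_loss_expectancy(asset) * threat.annual_frequency


def net_benefit(asset: Asset, threat: Threat, sg: Safeguard) -> float:
    """Yearly value of a safeguard: ALE avoided minus what the safeguard costs.
    A negative result means the safeguard costs more than the risk it removes."""
    ale_before = annualized_loss_expectancy(asset, threat)
    ale_after = asset.value * sg.residual_exposure * sg.residual_frequency
    return ale_before - ale_after - sg.annual_cost


def rank_safeguards(asset: Asset, threat: Threat, options: list[Safeguard]) -> list[Safeguard]:
    """Order candidate safeguards by net benefit, best first (management decision input)."""
    return sorted(options, key=lambda sg: net_benefit(asset, threat, sg), reverse=True)


# Constructed scenario: a customer database threatened by ransomware.
DB = Asset("customer database", value=200_000.0, exposure_factor=0.25)
RANSOMWARE = Threat("ransomware", annual_frequency=0.5)
OPTIONS = [
    Safeguard("patch programme", annual_cost=8_000.0, residual_frequency=0.1, residual_exposure=0.25),
    Safeguard("offline backups", annual_cost=15_000.0, residual_frequency=0.5, residual_exposure=0.05),
    Safeguard("inline appliance", annual_cost=30_000.0, residual_frequency=0.05, residual_exposure=0.25),
]
```

Running `rank_safeguards(DB, RANSOMWARE, OPTIONS)` on the constructed figures puts the patch programme first and shows the appliance with a negative net benefit, which is the page's point that safeguards are selected by cost/benefit rather than by strength alone.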
Vulnerability assessments, in turn, provide a baseline for determining appropriate and necessary safeguards.
Keeping software such as operating systems up to date with vendor-released patches is an example of how vulnerabilities can be adequately addressed.
References and recommended reading:
- Risk Management Guide for Information Technology Systems
- IT asset management
- ISO standard 17799
- Web Security for Network and System Administrators, David Mackey, ISBN-13: 978-0-619-06495-2