The purpose of this quantitative data analysis was to examine the relationship between industry type and information security risk-level among businesses in the United States. This paper took into account collected business related data from 36 industry types. Pattern recognition, bivariate linear regression analysis, and a one-sample t-test were performed to test the industry type and information security risk-level relationship of the selected business. Test results indicated that there is a significant predictive relationship between industry type and risk-level rates among United States businesses. Moreover, the one-sample t-test results indicated that United States businesses classified as a particular industry type are more likely to have a higher information security risk-level than the midpoint level of United States businesses.
Journal of International Commercial Law and Technology, 2011
Information has always been one of the most important assets a company possesses. Trade secrets, patents and 'know-how' are important business assets. In a postindustrial economy, however, knowledge-based assets have become crucial not only for the survival of any company, but also for its continued existence. Every company decision is based on reliable and accurate information. Moreover, today companies retain a significant amount of sensitive, confidential and classified information on their computer systems and networks. It therefore follows that anything that threatens the information assets of the company will directly endanger the performance and efficiency of the company. Unfortunately, corporate information assets are susceptible to various forms/types of cyber attacks. These attacks range from unauthorised access, malicious mobile code and inappropriate use to disclosure and information and/or data theft. The increased use of the Internet by companies highlights these vulnerabilities and renders the effective protection thereof all the more relevant. It is submitted that adversaries no longer launch cyber attacks for fame, but rather for financial gain. Companies need to strike a balance between the protection of sensitive and confidential corporate information and the availability of such information to stakeholders. Corporate information must be available to stakeholders, and in some instances to the public, not only to encourage investment in the company, but also to comply with the company's statutory duty of disclosure and transparency. The importance of corporate information and the protection of its integrity against ever-increasing risks and threats necessitate that companies gain assurance that reasonable steps are taken to secure the corporate information assets. Failing this, the company and/or its employee(s) may face potential legal liability. 
This paper will first analyse the most prevalent cyber risks facing companies today before moving on to identify crucial legal questions that directors and members of top management must ask themselves in order to determine their potential legal exposure in instances of security breaches.
res publication, 2012
Insufficient security can result in downtime, or even worse, reduce credibility with customers and partners. Many organisations have preventive security measures in place, such as firewalls, antivirus systems and network monitoring software. But while prevention can go a long way in safeguarding information assets, having a plan in place for meeting potential threats is critical. Realizing comprehensive security relies upon an organization's ability to strategically assess areas of potential weakness, which is where having an assessment of the business's overall security program comes in, and thereafter setting the business objectives for information security, often called security program design and management. The focus of this paper is on the major objectives to be considered for safeguarding the business information.
Encyclopedia, 2021
The ever increasing trend of Information Technology (IT) in organizations has given them a new horizon in the international market. Organizations now totally depend on IT for better and effective communication and daily operational tasks. Advancements in IT have also exposed organizations to information security threats. Several methods and standards for assessment of information security in an organization are available today. The problem with these methods and standards is that they neither provide quantitative analysis of information security nor assess the potential losses that information malfunctioning could create. This paper highlights the necessity of an information security tool which could provide quantitative risk assessment along with the classification of risk management controls like management, operational and technical controls in an organization. It is not possible for organizations to establish information security effectively without knowing the loopholes in their controls. Empirical data for this research was collected from the 5 major banks of Pakistan through two different questionnaires. It is observed that most banks have implemented the technical and operational controls properly, but the real crux, the information security culture in the organization, is still a missing link in information security management.
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.
International Journal of Network Security & Its Applications, 2018
The philosophy of Enterprise Security Risk Management (ESRM) drives a risk-based approach to managing any security risks, physical or logical, and holistically applies to every security process. There are globally established risk principles that are common among any developed risk management standard. This model associates the relationship of risk principles to the practice of managing security risks. The ESRM processes, when successfully and consistently adapted to a security program, will define what a progressive security program looks like, drive strategy through initiatives, build the business understanding of security's role to develop a budgeting strategy, and initiate board-level, risk-based reporting. The management security leader's role in ESRM is to manage risks and unthinkable harm to enterprise assets and stockholders in partnership with the business leaders whose assets are exposed to those risks. ESRM is part of educating business leaders on the realistic impacts of these identified risks, presenting any potential strategies to mitigate those impacts, and enacting the option chosen by the business in line with acceptable levels of business risk tolerance. The present data should be used to showcase how our service helps identify, evaluate, and mitigate risks at face value that would be detrimental to a company's long-term prosperity. We need to show how using our security risk management will ultimately benefit the company's work by improving policies and procedures and reducing other expenses through the use of risk management principles.
ArXiv, 2018
Owing to recorded incidents of Information technology inclined organisations failing to respond effectively to threat incidents, this project outlines the benefits of conducting a comprehensive risk assessment which would aid proficiency in responding to potential threats. The ultimate goal is primarily to identify, quantify and control the key threats that are detrimental to achieving business objectives. This project carries out a detailed risk assessment for a case study organisation. It includes a comprehensive literature review analysing several professional views on pressing issues in Information security. In the risk register, five prominent assets were identified in respect to their owners. The work is followed by a qualitative analysis methodology to determine the magnitude of the potential threats and vulnerabilities. Collating these parameters enabled the valuation of individual risk per asset, per threat and vulnerability. Evaluating a risk appetite aided in prioritising...
2020
Information is the most critical asset of any organization or business. It is considered the lifeblood of the organization or business. Because of its importance, information needs to be protected and safeguarded from all forms of threats, and this is termed information security. Information security policy and procedure has been regarded as one of the most important controls and measures for information security. A well-developed information security policy and procedure will ensure that information is kept safe from any harm and threats. The aim of this study is to examine the relationship between information security policy effectiveness and information security threats. 292 federal government agencies were surveyed in terms of their information security practices and the threats that they had experienced. Based on the collected data, an analysis using partial least squares structural equation modeling (PLS-SEM) was performed, and the results showed that there is a significant relationship between information security policy effectiveness and information security threats. The finding provides empirical evidence on the importance of developing an effective information security policy and procedure.
Compunet ( The Egyptian Information Journal ), 2014
Information security risks are those risks that arise from the loss of confidentiality, integrity or availability of information or information systems and reflect the potential adverse impacts to organizational operations (i.e., goal, mission, functions, image and reputation), organizational assets, personnel, other organizations, and the country as a whole. Risk assessment is the process of identifying, estimating, and prioritizing information security risks. Assessing risk requires the useful analysis of threat and vulnerability information to determine the extent to which events or circumstances could adversely impact an organization/institution and the likelihood that such events or circumstances will occur.
This technical paper describes the fundamental concepts and processes related to assessing information security risk management within organizations/institutions, including: (1) a high level overview of the risk management process and risk assessment, (2) the basic concepts used in conducting risk assessments, and (3) how risk assessments can be applied across the organization's risk management three hierarchical Tiers, including Tier 1 and Tier 3 of the information systems within any organization. Therefore, this work identifies and explains the main themes regarding risk assessments in organizations: Risk management process and its main four components regarding assessing, framing, monitoring and responding; Risk assessment as the main component that addresses the potential adverse impacts on organizational operations, assets, etc.; Key risk assessment concepts that indicate risk models (threats, vulnerabilities and predisposing conditions, etc.), assessment approaches concerned with quantitative and semi-quantitative assessments as well as qualitative assessment, and analysis approaches and effects of organizational culture on risk assessment; Applications of risk assessments through the main three risk assessment hierarchy Tiers; Risk management process with its main four steps or operations as well as the risk management framework; Finally, the administrative, procedural and technical controls conforming to the policy and controlling the risks.