Security risk
Security risk describes applying the concept of risk to the security risk management paradigm in order to make a particular determination of security-orientated events.
According to CNSS Instruction No. 4009 dated 26 April 2010 by the Committee on National Security Systems of the United States of America, a risk is:
- A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence. Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
IETF RFC 2828 defines risk as:
- An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.
Introduction
Security risk is the demarcation of risk, into the security silo, from the broader enterprise risk management framework for the purposes of isolating and analysing unique events, outcomes and consequences.
Security risk is often, quantitatively, represented as any event that compromises the assets, operations and objectives of an organisation. 'Event', in the security paradigm, comprises those undertaken by actors intentionally for purposes that adversely affect the organisation.
The role of the 'actors' and the intentionality of the 'events' provide the differentiation of security risk from other risk management silos, particularly those of safety, environment, quality, operational and financial risk.
Common Approaches to Analysing Security Risk
- Risk = Threat × Harm
- Risk = Consequence × Threat × Vulnerability
- Risk = Consequence × Likelihood
- Risk = Consequence × Likelihood × Vulnerability
Factor Analysis of Information Risk deeply analyses the different risk factors and measures security risk.
There are a number of methodologies to analyse and manage security risk: see Category:Risk analysis methodologies.
Usually, after a cost-benefit analysis, a countermeasure is put in place to decrease the likelihood or the consequence of the threat. Security service is the name given to a countermeasure applied while transmitting information.
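As an added example (not from the page): a small Python risk register that scores constructed scenarios under the page's Consequence × Likelihood and Consequence × Likelihood × Vulnerability formulas, ranks them, and applies the cost-benefit test for a countermeasure that reduces likelihood, vulnerability or consequence. All scenario figures and countermeasure effects are hypothetical.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    """One security risk scenario. Figures are constructed for illustration."""
    name: str
    consequence: float    # loss per successful event, in currency units
    likelihood: float     # expected attempts per year (threat frequency)
    vulnerability: float  # probability that an attempt succeeds, 0.0..1.0

# The page's two likelihood-based formulas, expressed as annualised loss.
def risk_cl(s: Scenario) -> float:
    return s.consequence * s.likelihood                     # Consequence x Likelihood

def risk_clv(s: Scenario) -> float:
    return s.consequence * s.likelihood * s.vulnerability   # ... x Vulnerability

def rank(scenarios, formula):
    """Scenario names, highest risk first, under the given formula."""
    return [s.name for s in sorted(scenarios, key=formula, reverse=True)]

@dataclass(frozen=True)
class Countermeasure:
    """Multiplicative effect on each risk factor (1.0 = no change)."""
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0
    vulnerability_factor: float = 1.0
    consequence_factor: float = 1.0

def mitigate(s: Scenario, cm: Countermeasure) -> Scenario:
    """The scenario as it stands once the countermeasure is in place."""
    return replace(s, likelihood=s.likelihood * cm.likelihood_factor,
                   vulnerability=min(1.0, s.vulnerability * cm.vulnerability_factor),
                   consequence=s.consequence * cm.consequence_factor)

def net_benefit(s: Scenario, cm: Countermeasure, formula=risk_clv) -> float:
    """Cost-benefit test: annual risk reduction minus the countermeasure's cost."""
    return formula(s) - formula(mitigate(s, cm)) - cm.annual_cost

# Constructed sample register (hypothetical figures, not from the page).
REGISTER = [
    Scenario("credential phishing", 50_000, 5.0, 0.25),
    Scenario("ransomware", 400_000, 0.5, 0.40),
    Scenario("insider data theft", 200_000, 0.2, 0.60),
]
MFA = Countermeasure("MFA on remote access", 20_000, vulnerability_factor=0.2)
BACKUPS = Countermeasure("offline backups", 30_000, consequence_factor=0.25)

if __name__ == "__main__":
    print("C x L ranking:    ", rank(REGISTER, risk_cl))
    print("C x L x V ranking:", rank(REGISTER, risk_clv))
    for s, cm in ((REGISTER[0], MFA), (REGISTER[1], BACKUPS)):
        print(f"{cm.name} for {s.name}: net benefit {net_benefit(s, cm):,.0f}/yr")
```

Note that the two formulas rank the same register differently: adding the vulnerability factor moves ransomware above phishing, which is the practical reason to choose the formula deliberately before comparing countermeasures.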
Psychological Factors relating to Security Risk
Main article: Risk
- Risk in Psychology
Given the strong influence affective states can have on the conduct of a security risk assessment, many papers have considered the roles of the affect heuristic and biases in skewing the findings of the process.
See also
- Asset (computing)
- Attack (computer)
- Countermeasure
- Computer security
- Computer insecurity
- Common Vulnerabilities and Exposures (CVE)
- Common Vulnerability Scoring System (CVSS)
- Exploit (computer security)
- Full disclosure
- Information security
- ISMS
- IT risk
- Risk
- Security control
- Security service (telecommunication)
- Threat (computer)
- Vulnerability (computing)
- Vulnerability management
- w3af
External links
- 800-30 NIST Risk Management Guide
- 800-39 NIST DRAFT Managing Risk from Information Systems: An Organizational Perspective
- FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems
- FIPS Publication 200 Minimum Security Requirements for Federal Information and Information Systems
- 800-37 NIST Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- FISMApedia is a collection of documents and discussions focused on USA Federal IT security
- Internet2 Information Security Guide: Effective Practices and Solutions for Higher Education
- The Institute of Risk Management (IRM) is risk management's leading international professional education and training body
- NGO Security Risk Assessment Recommended Guidance: http://www.eisf.eu/resources/library/SRM.pdf