Types of Information Security Risks
Over the past few years, the importance to corporate governance of effectively managing risk has become widely accepted. The information security program is a critical component of every organisation’s risk management effort and provides the means for protecting the organization’s digital information and other critical information assets. Information security management means “keeping the business risks associated with information systems under control within an enterprise.”
Information Security Risks
The information security risk is defined as “the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.”
A vulnerability is “a weakness of an asset or group of assets that can be exploited by one or more threats.”
ISO classifies vulnerabilities into several standard categories: Hardware, Software, Network, Personnel, Site and Organization. Each of the mentioned categories has many examples of vulnerabilities and threats.
A threat is “a potential cause of an incident that may result in harm to system or organization.”
The typical threat types are Physical damage, Natural events, Loss of essential services, Disturbance due to radiation, Compromise of information, Technical failures, Unauthorised actions and Compromise of functions. Threats may be deliberate, accidental or environmental (natural) and may result, for example, in damage or loss of essential services.
An asset is “anything that has value to the organization, its business operations and their continuity, including information resources that support the organization’s mission.”
Risk management, as described by ISO, is a fundamental requirement for sustaining the success of the company into the future and helps avoid threats that could jeopardise business continuity.
Risks should be identified, quantified or qualitatively described, and prioritized against risk evaluation criteria and objectives relevant to the organization.
A risk is a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of the occurrence of the event. Risk assessment quantifies or qualitatively describes the risk and enables managers to prioritize risks according to their perceived seriousness or other established criteria.
What is Risk Assessment?
Risk assessment consists of the following activities:
- determining the value of the information assets
- identifying the applicable threats and vulnerabilities that exist (or could exist)
- identifying the existing controls and their effect on the risks identified
- determining the potential consequences
- prioritizing the derived risks and ranking them against the risk evaluation criteria set during context establishment
The purpose of risk identification is to determine what could happen to cause a potential loss, and to gain insight into how, where and why the loss might happen.
Risk identification should include risks whether or not their source is under the control of the organization, even though the risk source or cause may not be evident.
Risk identification is conducted in five steps:
- Identification of assets
- Identification of threats
- Identification of existing controls
- Identification of vulnerabilities
- Identification of consequences
Risk analysis may be undertaken in varying degrees of detail depending on the criticality of the assets, the extent of the vulnerabilities known and prior incidents involving the organization. A risk analysis methodology may be qualitative or quantitative, or a combination of the two, depending on the circumstances. In practice, qualitative analysis is often used first, because it is usually less complex and less expensive to perform than quantitative analysis, to obtain a general indication of the level of risk and to reveal the major risks. Later it may be necessary to undertake more specific or quantitative analysis on those major risks.
Risk evaluation is a process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude are acceptable or tolerable.
The nature of the decisions pertaining to risk evaluation and risk evaluation criteria that will be used to make those decisions would have been decided when establishing the context. These decisions and the context should be revisited in more detail at this stage when more is known about the particular risks identified. To evaluate risks, organizations should compare the estimated risks (using selected methods or approaches as discussed in Annex E) with the risk evaluation criteria defined during the context establishment.
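To make the analysis and evaluation steps concrete, here is an added example (not part of the original article or of any ISO document) of a small risk register scored with a qualitative likelihood × consequence matrix of the kind ISO/IEC 27005 Annex E illustrates, ranked and compared against an acceptance threshold, with a quantitative ALE helper for the major risks. The scales, register entries, threshold and level boundaries are all constructed for illustration.

```python
from dataclasses import dataclass

# Ordinal 1..5 scales for the qualitative matrix (constructed for this example).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    """One register entry built from the five identification steps on this page."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str           # key of LIKELIHOOD
    consequence: str          # key of CONSEQUENCE
    existing_control: str = "none"


def risk_score(risk: Risk) -> int:
    """Qualitative score = likelihood x consequence, range 1..25."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def risk_level(score: int) -> str:
    """Map a score onto evaluation criteria fixed at context establishment (assumed bands)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def evaluate(register: list, acceptable_below: int = 8) -> list:
    """Rank risks highest first; flag each as acceptable if below the threshold."""
    ranked = sorted(register, key=risk_score, reverse=True)
    return [(r, risk_score(r), risk_level(risk_score(r)), risk_score(r) < acceptable_below)
            for r in ranked]


def annualised_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """Quantitative counterpart for the major risks: ALE = SLE x ARO."""
    return single_loss * annual_rate


# Constructed register entries (asset / threat / vulnerability / control are illustrative).
REGISTER = [
    Risk("customer database", "unauthorised action", "weak admin password", "likely", "major", "password policy"),
    Risk("office file server", "technical failure", "single disk, no RAID", "possible", "moderate", "nightly backup"),
    Risk("data centre", "natural event", "site in flood zone", "rare", "severe"),
]
```

Running `evaluate(REGISTER)` ranks the database risk first (score 16, high) and leaves only the flood risk (score 5, low) below the acceptance threshold.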