Proper risk assessment methodology to assess the extent of hacking as an information system security threat
Globally, there has been an increase in the number of cyber-crimes, including hacking, identity theft, copyright infringement, click fraud, advance fee fraud and computer viruses. A number of people and organizations have reported cases of hacking and loss of confidentiality and integrity of their data arising from such activities. In 2016 alone, 3 billion Yahoo accounts were hacked (Sobers & Sobers, 2018). In the year after, there were over 130 large-scale targeted cyber-attacks in the U.S., and the figure is said to be rising at a rate of 27 percent every year (Sobers & Sobers, 2018). The purpose of this research is to guide the choice of a proper risk assessment methodology to assess the extent of hacking as an information system security threat.
Qualitative risk assessment
This method of risk assessment highlights interested people's views and thoughts on the chances of a risk such as a cyber-attack occurring (Sobers & Sobers, 2018). They would also be asked to fill in a questionnaire asking for their views, and these would be ranked on scales such as "low-moderate-high" or "1-2-3" that are used to arrive at the risk's final value (Bulgurcu, 2010). The method does not depend on mathematical knowledge, since the risk can be obtained using simple arithmetic addition or other non-mathematical expressions of probability and impact assessment. Qualitative risk assessment is simple and can be performed within a short time. This method captures not only the user's experience but also the user's knowledge of the process being asked about (Leal, 2018). Risks can also be ranked relative to each other by this method, which provides an excellent tool for deciding the sequence in which to address them, as is done for risks in health and safety.
However, according to Sobers & Sobers (2018), qualitative risk assessment presents a problem of bias in the definition of probability and impact. Take the case of a company where the human resources (HR) staff's results will be more up to date on HR impacts than on quality impacts, and vice versa. Bias in probability arises when a lack of knowledge about the schedules of other processes leads someone to think that mistakes and failures happen more often in their own process than in others. This information may be false (Leal, 2018). Because of the errors arising from these biases, the assessment is useful only in the local context where it is performed: people outside that context will have diverging opinions on the definition of impact values.
Quantitative risk assessment
According to Leal (2018), quantitative risk assessment emphasizes factual and computable data. It relies on mathematical and computational bases when calculating probability and impact values, usually by expressing the risk values in monetary terms. For this reason, quantitative risk analysis can be used outside the context of the assessment (Leal, 2018). To express risks as monetary values, quantitative risk assessment makes use of the following formula:
ALE = SLE × ARO
where:
- SLE (single loss expectancy) is the value of the losses expected to be incurred if the risk occurs;
- ARO (annual rate of occurrence) is the frequency with which the risk occurs in a year;
- ALE (annual loss expectancy) is the money expected to be lost in a year.
The method gives a precise risk value and the maximum amount of capital that can be spent on risk treatment while it still remains profitable for the organization. Take the example of a database valued at USD 3.5 million (Humphreys, 2008).
Manufacturers' statistics predict that a database failure, say due to a software or hardware fault, happens once every five years (ARO = 1/5 = 0.2).
Therefore ALE = USD 3.5 million × 0.2 = USD 700K.
This means the organization carries an annual risk of losses of up to USD 700K from loss of or attacks on its database. So any control measures that could be implemented (e.g. patch management and back-up) and that would cost less than this would be profitable (Zhang, 2010). However, quantitative assessments in most cases do not have adequate data to analyze, and the number of variables is large, making the analysis unrealistic.
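The ALE calculation above, carried through in code as an added example (not part of the essay or of the cited sources), and extended to the cost-benefit question the paragraph raises: a control is worth buying when the loss it avoids exceeds what it costs per year. The database figures match the essay; the control costs and residual values are constructed for illustration.

```python
"""Quantitative risk assessment: ALE = SLE * ARO, plus control cost-benefit."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy, USD
    aro: float  # annual rate of occurrence, events per year

    @property
    def ale(self) -> float:
        """Annual loss expectancy in USD."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                   # USD per year to run the control
    residual_aro: float                  # ARO once the control is in place
    residual_sle: Optional[float] = None  # SLE once in place; None = unchanged


def control_benefit(risk: Risk, control: Control) -> float:
    """Net annual benefit: loss avoided minus the control's cost.
    Positive means the control pays for itself; negative means it costs
    more than the risk it treats."""
    sle_after = risk.sle if control.residual_sle is None else control.residual_sle
    ale_after = sle_after * control.residual_aro
    return (risk.ale - ale_after) - control.annual_cost


def rank_controls(risk: Risk, controls: list) -> list:
    """(name, net benefit) pairs sorted best first, rounded to cents."""
    scored = [(c.name, round(control_benefit(risk, c), 2)) for c in controls]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# The essay's database example: SLE = USD 3.5 million, ARO = once in 5 years.
DB_RISK = Risk("database failure", sle=3_500_000, aro=1 / 5)

# Constructed candidate controls (costs and residual values are assumptions).
CANDIDATE_CONTROLS = [
    Control("nightly backups", annual_cost=60_000, residual_aro=0.2, residual_sle=350_000),
    Control("patch management", annual_cost=120_000, residual_aro=0.1),
    Control("fully redundant HA cluster", annual_cost=900_000, residual_aro=0.02),
]

if __name__ == "__main__":
    print(f"ALE before controls: USD {DB_RISK.ale:,.0f}")
    for name, benefit in rank_controls(DB_RISK, CANDIDATE_CONTROLS):
        print(f"{name:28s} net annual benefit USD {benefit:,.0f}")
```

Backups do not lower how often the database fails, but they shrink the loss per event, which is why they rank first; the HA cluster avoids the same loss yet costs more than the ALE it removes.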
Methodology
The best methodological approach for threats such as hacking, or primarily unauthorized system access by internal personnel, would be a qualitative risk assessment. It is able to identify most risks under normal conditions (Alberts et al., 2002). People's perceptions of their jobs may serve as a reference for understanding whether these risks are relevant or not. This can be carried out by issuing a questionnaire. Sampling is done randomly among the members of staff of an organization, or among members of the general public above a given age. The questionnaire will contain the following questions.
- Have you ever heard of cyber-attacks?
- How frequently do you hear about them?
- Do you believe you are at a risk of a cyber-attack?
- How probable is the risk occurring based on your knowledge on the occurrence of cyber-attacks?
- Do you think your organization has put enough measures in place to safeguard itself against such attacks?
- How would you rate its preparedness?
From the responses, the organization is able to assess the probability of the risk occurring and the impact values.
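As an added example (not part of the essay), the scoring step that turns questionnaire responses into the "low-moderate-high" values described earlier: each answer maps to 1, 2 or 3, the probability and impact scores are combined, and the risks are ranked. It also flags a risk whose respondents disagree widely, which is the local-context bias problem the qualitative section warns about. The respondents and answers are constructed.

```python
"""Qualitative risk scoring from low/moderate/high questionnaire answers."""
from statistics import median

SCALE = {"low": 1, "moderate": 2, "high": 3}


def score_question(answers: list) -> tuple:
    """Median scale value of the answers, plus a flag that is True when
    respondents differ by two or more steps (a sign the score only holds
    in its local context and should be re-checked before use)."""
    values = [SCALE[a.lower()] for a in answers]
    med = int(round(median(values)))
    disputed = (max(values) - min(values)) >= 2
    return med, disputed


def assess(survey: dict) -> list:
    """For each risk, combine the 'probability' and 'impact' questions
    into a 1..9 score (probability x impact) and rank highest first."""
    rows = []
    for name, questions in survey.items():
        p, p_disputed = score_question(questions["probability"])
        i, i_disputed = score_question(questions["impact"])
        rows.append({"risk": name, "probability": p, "impact": i,
                     "score": p * i, "disputed": p_disputed or i_disputed})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed answers from five staff members to "How probable is the risk?"
# and "How severe would its impact be?" for three hypothetical risks.
SURVEY = {
    "insider unauthorised access": {
        "probability": ["moderate", "high", "moderate", "moderate", "high"],
        "impact": ["high", "high", "high", "moderate", "high"],
    },
    "phishing": {
        "probability": ["high", "moderate", "high", "moderate", "moderate"],
        "impact": ["moderate", "moderate", "low", "moderate", "moderate"],
    },
    "laptop theft": {
        "probability": ["low", "high", "low", "moderate", "low"],  # wide disagreement
        "impact": ["moderate", "moderate", "moderate", "low", "moderate"],
    },
}

if __name__ == "__main__":
    for row in assess(SURVEY):
        flag = "  (responses disputed, re-check)" if row["disputed"] else ""
        print(f'{row["risk"]:28s} P={row["probability"]} I={row["impact"]} '
              f'score={row["score"]}{flag}')
```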
Conclusion
In conclusion, risk assessment plays an important role in risk management. It also faces many challenges and can be affected by human, technical and administrative issues. It is therefore important to come up with a good research methodology. Qualitative risk assessment can be used when a quick and easy risk assessment is required. However, when large investments critical for security are concerned, it would be wise to use quantitative risk assessment.
References
Alberts, C. J., & Dorofee, A. (2002). Managing information security risks: the OCTAVE approach. Addison-Wesley Longman Publishing Co., Inc.
Blakley, B., McDermott, E., & Geer, D. (2001, September). Information security is information risk management. In Proceedings of the 2001 workshop on New security paradigms (pp. 97-104). ACM.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS quarterly, 34(3), 523-548.
Spears, J. L., & Barki, H. (2010). User participation in information systems security risk management. MIS quarterly, 503-522.
Ekelhart, A., Fenz, S., & Neubauer, T. (2009, January). Aurum: A framework for information security risk management. In System Sciences, 2009. HICSS’09. 42nd Hawaii International Conference on (pp. 1-10). IEEE.
Jerman-Blažič, B. (2008). An economic modelling approach to information security risk management. International Journal of Information Management, 28(5), 413-422.
Klipper, S. (2011). Information Security Risk Management. Verlag Vieweg+ Teubner. Wiesbaden.
Leal, R. (2018). Qualitative vs. quantitative information security risk assessment. Retrieved from https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/
How to Write Your Best Dissertation: Step-by-Step Guide. (2018). Retrieved from https://www.edugeeksclub.com/blog/How_to_Write_Your_Best_Dissertation/
Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. information security technical report, 13(4), 247-255.
Ray, B. K., Tao, S., Olkhovets, A., & Subramanian, D. (2013). A decision analysis approach to financial risk management in strategic outsourcing contracts. EURO Journal on Decision Processes, 1(3–4), 187–203.
Relph, A., & Parker, D. (2014). Outsourcing: A strategic risk? Management Services, 58(3), 20–24.
Sady, B. A. (2013). 4 tips for managing outsourcing risks. CPA Practice Advisor, 23(8), 16.
Sobers, R., & Sobers, R. (2018). 60 Must-Know Cybersecurity Statistics for 2018. Retrieved from https://www.varonis.com/blog/cybersecurity-statistics/
Stoneburner, G., Goguen, A. Y., & Feringa, A. (2002). Sp 800-30. risk management guide for information technology systems.
Thakurta, R., & Rao, U. H. (2015). Examining risks with outsourcing decisions: A case study. Journal of Services Research, 15(1), 159–170.
Wayman, M. (2013). Curbing outsourcing risks. Internal Auditor, 70(1), 41–44.
Wiengarten, F., Pagell, M., & Fynes, B. (2013). The importance of contextual factors in the success of outsourcing contracts in the supply chain environment: The role of risk and complementary practices. Supply Chain Management, 18(6), 630–64
Research Methodology. (n.d.). Research methodology approaches. Retrieved from http://www.dissertationretreat.org/researchMethodology.php
Zhang, X., Wuwong, N., Li, H., & Zhang, X. (2010, June). Information security risk management framework for the cloud computing environments. In Computer and Information Technology (CIT), 2010 IEEE 10th International Conference on (pp. 1328-1334). IEEE.