Cybersecurity Threats and Trends
VerifiedAdded on 2020/02/24
|15
|4238
|46
AI Summary
This assignment analyzes various cybersecurity challenges, risks, and trends based on provided research papers and reports. It delves into topics such as economic incentives for network security services, government roadmaps for cybersecurity, industry-specific risks in healthcare and finance, and the impact of cloud computing on security. The analysis draws upon insights from reputable sources like Cisco, DHS, NIST, and academic journals to provide a comprehensive understanding of the evolving cybersecurity landscape.
Contribute Materials
Your contribution can guide someone’s learning journey. Share your
documents today.
[Document title]
[Document subtitle]
[Author name]
[Email address]
Abstract
[Draw your reader in with an engaging abstract. It is typically a short summary of the
document. When you’re ready to add your content, just click here and start typing.]
[Document subtitle]
[Author name]
[Email address]
Abstract
[Draw your reader in with an engaging abstract. It is typically a short summary of the
document. When you’re ready to add your content, just click here and start typing.]
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Contents
Introduction................................................................................................................................1
Comparative analysis of Threats................................................................................................2
Challenges of security/risk management approach....................................................................6
‘’Risk’’ and ‘’Uncertainty’’.......................................................................................................7
Risk control and mitigation........................................................................................................7
Recommendations......................................................................................................................8
Conclusion.................................................................................................................................9
References..................................................................................................................................9
Introduction................................................................................................................................1
Comparative analysis of Threats................................................................................................2
Challenges of security/risk management approach....................................................................6
‘’Risk’’ and ‘’Uncertainty’’.......................................................................................................7
Risk control and mitigation........................................................................................................7
Recommendations......................................................................................................................8
Conclusion.................................................................................................................................9
References..................................................................................................................................9
Introduction
Information security is about protecting the information systems of an organization against
security related threats. These threats can either occur accidently or could be deliberate with
intensions to cause some harm. Irrespective of the presence of intentions, both cause the
concerns as they can affect the security posture of an organization. This research would
explore both deliberate and accidental threats that can cause harm to an organization
considering the case of VIC (Victorian) government. The objective is to explore if the VIC
policy is sound enough to help the organization combat these threats or there is a need for
improvement in which case, appropriate recommendations would be made on whether the
company should keep the security function with itself or outsource the same to an expert
organization in security domain.
The VIC government uses The Victorian Protective Data Security Framework (VPDSF) to
protect their data and systems. This framework identified standards of security, security
assurance model, security guidelines, and other supporting resources. The key objective of
this security framework is to ensure that security risks to the company are minimized. It
explains the process of establishing protection that includes identification of information and
its value, identification of risks to data, application of measures for data security, creation of a
secure culture in the organization and taking steps to mature the security capabilities of the
organization.
Security Risks and Concerns
Information security is about protecting the information systems of an organization against
security related threats. These threats can either occur accidently or could be deliberate with
intensions to cause some harm. Irrespective of the presence of intentions, both cause the
concerns as they can affect the security posture of an organization. This research would
explore both deliberate and accidental threats that can cause harm to an organization
considering the case of VIC (Victorian) government. The objective is to explore if the VIC
policy is sound enough to help the organization combat these threats or there is a need for
improvement in which case, appropriate recommendations would be made on whether the
company should keep the security function with itself or outsource the same to an expert
organization in security domain.
The VIC government uses The Victorian Protective Data Security Framework (VPDSF) to
protect their data and systems. This framework identified standards of security, security
assurance model, security guidelines, and other supporting resources. The key objective of
this security framework is to ensure that security risks to the company are minimized. It
explains the process of establishing protection that includes identification of information and
its value, identification of risks to data, application of measures for data security, creation of a
secure culture in the organization and taking steps to mature the security capabilities of the
organization.
Security Risks and Concerns
High Exposure Risks: Insiders in VIC can take advantages of situations and the
access given to them to cause attacks and such risks of attacks have high exposure.
This is because internal employees would be well aware of the policies and
procedures of the company and its security systems such that before launching any
attacks, they would find the work around to cause maximum damage without getting
caught [1].
Medium Exposure Risks: When information of data is leaked to unauthorized
personnel, it can be a medium exposure risk as it would affect the integrity of the
organization and its system and can also cause data modifications during transit.
Medium-Low Exposure Risks: Certain risks can result into damage of the properties
of information that may be sensitive or confidential. Legal policies can help in such
cases but such attacks can cause further attacks or risks related to regulatory and legal
compliances. However, the likelihood that such things would happen is not high.
Low Exposure Risks: Because of large number of people working in the same
organization, human errors that can cause operational or technical issues can occur
but they are not easily identified. Yet it can cause severe damages if the roll back does
not happen on time [2].
Comparative analysis of Threats
Security Threats are either deliberate that are used for causing a harm or can be caused
accidently because of ignorance or a mistake.
Accidental threats can be:
Natural calamities causing physical infrastructure damages resulting into data loss
such as happening in the cases of cyclones, earthquake, hurricanes, and tornadoes
Breakdown in hardware can cause technical failures
Human errors or mistakes can cause harm to the security of organization such as
caused in the cases of device loss, opening of unknown emails, tampering with
security levels of machines, and downloading of unsafe files.
Social Engineering is another way that can affect security. It may only be used for
tricking someone into giving away confidential personal information but when this
information is leaked to wrong people, it can pose serious risks to the security of the
person whose data is obtained (AlKalbani, et al., 2015).
access given to them to cause attacks and such risks of attacks have high exposure.
This is because internal employees would be well aware of the policies and
procedures of the company and its security systems such that before launching any
attacks, they would find the work around to cause maximum damage without getting
caught [1].
Medium Exposure Risks: When information of data is leaked to unauthorized
personnel, it can be a medium exposure risk as it would affect the integrity of the
organization and its system and can also cause data modifications during transit.
Medium-Low Exposure Risks: Certain risks can result into damage of the properties
of information that may be sensitive or confidential. Legal policies can help in such
cases but such attacks can cause further attacks or risks related to regulatory and legal
compliances. However, the likelihood that such things would happen is not high.
Low Exposure Risks: Because of large number of people working in the same
organization, human errors that can cause operational or technical issues can occur
but they are not easily identified. Yet it can cause severe damages if the roll back does
not happen on time [2].
Comparative analysis of Threats
Security Threats are either deliberate that are used for causing a harm or can be caused
accidently because of ignorance or a mistake.
Accidental threats can be:
Natural calamities causing physical infrastructure damages resulting into data loss
such as happening in the cases of cyclones, earthquake, hurricanes, and tornadoes
Breakdown in hardware can cause technical failures
Human errors or mistakes can cause harm to the security of organization such as
caused in the cases of device loss, opening of unknown emails, tampering with
security levels of machines, and downloading of unsafe files.
Social Engineering is another way that can affect security. It may only be used for
tricking someone into giving away confidential personal information but when this
information is leaked to wrong people, it can pose serious risks to the security of the
person whose data is obtained (AlKalbani, et al., 2015).
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
There are several ways in which either the accidental threats are avoided or their negative
impacts are reduced through mitigation such as:
The critical data of an organization can be continuously monitored to check if any
changes are being made in the data. At this point, permissions can be used such that
the modification in the data is only allowed to designated people who are responsible
for managing data.
All the company prints should be shredded before disposing if they contain
confidential business information to ensure that the data does not reach the wrong
person who can misuse it.
People performing different functions in an organization may be provided with
different access rights to information. A programmer may only be given access to the
front end and not the storage systems of the company.
Every piece of data that gets exchanged over the internet from the company must be
encrypted such that it can only be read by the intended receiver of the message (S,
2016)
IT auditors can perform checks on the security systems of the company to ensure that
they are up to the mark and in case, they are not suggestions can be made by the
auditor for improvement.
Transaction logs containing the information of use of data can help company keep a
check on users which would help in identification of any
Deliberate Threats are caused by threat agents who intend to cause harm to an organization.
Some examples of such deliberate attacks include denial of service attacks, espionage,
extortion, espionage, data breach, phishing, spamming, keylogging, malware, virus, spyware,
worms, and so on.
To assess the level of risk that each type of threats can cause the company, a Risk rating
model, which assesses the likelihood of the risk occurrence and their impacts on security
posture of the company, can be used. Specific steps that would be followed in the process
include identification of risks, estimation of probability of occurrence, estimation of impact
levels, determination of risk severity, identification and analysis of loopholes to fix and
customization of the risk model based on analysis (Brey, 2007).
Risk Identification: The first step in the process is identification of security risks for the
Victorian government, and these include:
impacts are reduced through mitigation such as:
The critical data of an organization can be continuously monitored to check if any
changes are being made in the data. At this point, permissions can be used such that
the modification in the data is only allowed to designated people who are responsible
for managing data.
All the company prints should be shredded before disposing if they contain
confidential business information to ensure that the data does not reach the wrong
person who can misuse it.
People performing different functions in an organization may be provided with
different access rights to information. A programmer may only be given access to the
front end and not the storage systems of the company.
Every piece of data that gets exchanged over the internet from the company must be
encrypted such that it can only be read by the intended receiver of the message (S,
2016)
IT auditors can perform checks on the security systems of the company to ensure that
they are up to the mark and in case, they are not suggestions can be made by the
auditor for improvement.
Transaction logs containing the information of use of data can help company keep a
check on users which would help in identification of any
Deliberate Threats are caused by threat agents who intend to cause harm to an organization.
Some examples of such deliberate attacks include denial of service attacks, espionage,
extortion, espionage, data breach, phishing, spamming, keylogging, malware, virus, spyware,
worms, and so on.
To assess the level of risk that each type of threats can cause the company, a Risk rating
model, which assesses the likelihood of the risk occurrence and their impacts on security
posture of the company, can be used. Specific steps that would be followed in the process
include identification of risks, estimation of probability of occurrence, estimation of impact
levels, determination of risk severity, identification and analysis of loopholes to fix and
customization of the risk model based on analysis (Brey, 2007).
Risk Identification: The first step in the process is identification of security risks for the
Victorian government, and these include:
Technology Obsolescence
Network failure
Network errors
Power failure
Hardware failure
Hardware errors
Faulty planning
User Errors
Technical Failures
Operational problems (ESET, 2016)
Communication interception
Repudiation
Sabotage
Incomplete data
Missing data
Data theft
Equipment Theft
Social Engineering
Infiltration
Espionage (CGI, 2013)
Misuse of resources
Unauthorized communication
Quality deviations
Financial Fraud
Intellectual property compromise
Environmental Threats
Natural Disasters
Terrorism (Shahri & Ismail, 2012)
The next step is to estimate the likelihood of the occurrence of each risk that is identified in
the previous step. There can be some agent factors and some vulnerability factors that would
be used here for estimating this likelihood by giving each the likelihood rating from 0 to 9.
Agent factors can include skill level of attackers, attack motive, resource requirements of
attacker, and the size of the attackers group. Vulnerability factors can be ease of vulnerability
Network failure
Network errors
Power failure
Hardware failure
Hardware errors
Faulty planning
User Errors
Technical Failures
Operational problems (ESET, 2016)
Communication interception
Repudiation
Sabotage
Incomplete data
Missing data
Data theft
Equipment Theft
Social Engineering
Infiltration
Espionage (CGI, 2013)
Misuse of resources
Unauthorized communication
Quality deviations
Financial Fraud
Intellectual property compromise
Environmental Threats
Natural Disasters
Terrorism (Shahri & Ismail, 2012)
The next step is to estimate the likelihood of the occurrence of each risk that is identified in
the previous step. There can be some agent factors and some vulnerability factors that would
be used here for estimating this likelihood by giving each the likelihood rating from 0 to 9.
Agent factors can include skill level of attackers, attack motive, resource requirements of
attacker, and the size of the attackers group. Vulnerability factors can be ease of vulnerability
discovery, awareness in the attacker group about the vulnerability, and the probability of
detection of the attack if made (CenturyLink Solutions Consulting, 2014).
Once the threat likelihood is estimated, the resulting impacts would be rated between 0 and 9.
Some impact factors can be technical such as accountability, availability, confidentiality, and
integrity, or business specific such as financial loss, reputation damage, non-compliance
issues, and privacy violations (Engine Yard, Inc., 2014).
The risk likelihood and its impact factors rating are multiplied for each risk to find out the
severity of risk from low, medium, high to critical. Risks can then be categorized based on
the rating of severity such that priority can be given to each while taking decisions for
resolution (Chen & Zhao, 2012). Risk severity is:
Low, when probability of occurrence is medium and the level of impact is low and when
likelihood is low but impact is medium.
Medium, when probability of occurrence is Low and the level of impact is High, when both
are medium and when likelihood is high but impact is low.
High, when probability of occurrence is medium and the level of impact is high and when
probability of occurrence is high but the level of impact is medium.
Critical, when both probability of occurrence and the level of impact are high then the risk
can be considered as critical (Gopinath, 2011).
These risks are given priorities from critical to low in the same sequence while taking
decisions for resolution. If these risks are assessed for the Victorian Government then factors
that may not have been considered in the security framework of VIC can be added or
improvements can be made with risks identified in the process.
The table shows the risk calculation for all risk factors and an overall risk rating is given to
identified risks based on each probability factor as discussed earlier for the VIC government.
detection of the attack if made (CenturyLink Solutions Consulting, 2014).
Once the threat likelihood is estimated, the resulting impacts would be rated between 0 and 9.
Some impact factors can be technical such as accountability, availability, confidentiality, and
integrity, or business specific such as financial loss, reputation damage, non-compliance
issues, and privacy violations (Engine Yard, Inc., 2014).
The risk likelihood and its impact factors rating are multiplied for each risk to find out the
severity of risk from low, medium, high to critical. Risks can then be categorized based on
the rating of severity such that priority can be given to each while taking decisions for
resolution (Chen & Zhao, 2012). Risk severity is:
Low, when probability of occurrence is medium and the level of impact is low and when
likelihood is low but impact is medium.
Medium, when probability of occurrence is Low and the level of impact is High, when both
are medium and when likelihood is high but impact is low.
High, when probability of occurrence is medium and the level of impact is high and when
probability of occurrence is high but the level of impact is medium.
Critical, when both probability of occurrence and the level of impact are high then the risk
can be considered as critical (Gopinath, 2011).
These risks are given priorities from critical to low in the same sequence while taking
decisions for resolution. If these risks are assessed for the Victorian Government then factors
that may not have been considered in the security framework of VIC can be added or
improvements can be made with risks identified in the process.
The table shows the risk calculation for all risk factors and an overall risk rating is given to
identified risks based on each probability factor as discussed earlier for the VIC government.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Risks
Skill
level Motive
Opportu
nity Size
Ease of
discove
ry
Ease of
exploit
Awaren
ess
Intrusio
n
detectio
n
Liklihoo
d
Loss of
confide
ntiality
Loss of
integrity
Loss of
availabil
ity
Loss of
account
ability
Financia
l
damage
Reputat
ion
damage
Non-
complia
nce
Privacy
violatio
n Impact Severity
Power
failure 5 2 7 1 3 6 9 2 4.375 9 7 5 8 1 2 1 5 4.75 Medium
Network
failure or
errors 0 7 9 2 4 0 1 4 3.375 7 2 9 7 4 3 6 1 4.875 Medium
Technolo
gy
Obsolesc
ence 6 3 7 1 0 7 1 7 4 8 0 4 9 2 4 6 1 4.25 Medium
Hardwar
e failure
or errors 2 8 8 6 0 9 4 1 4.75 9 7 4 7 5 0 7 8 5.875 Medium
Operatio 8 8 4 9 3 2 2 1 4.625 2 9 0 9 5 4 8 8 5.625 Medium
Commun
ication
intercept
ion 9 5 4 5 4 5 9 3 5.5 6 6 5 8 4 3 6 0 4.75 Medium
Repudiat
ion 2 1 1 2 7 9 9 9 5 3 2 0 5 7 5 0 0 2.75 Low
Espionag
e 6 9 8 1 7 6 7 4 6 1 5 2 8 4 9 0 2 3.875 High
Infiltratio
n 2 9 7 9 8 5 0 0 5 1 2 1 3 8 7 4 5 3.875 Medium
Social
Engineeri
ng 0 7 8 5 2 3 0 1 3.25 9 1 9 6 5 0 1 2 4.125 Medium
Technical
Failures 4 2 0 4 4 9 4 3 3.75 4 1 1 1 7 7 9 4 4.25 Medium
Data
theft 6 3 0 3 1 1 7 8 3.625 7 5 9 7 1 6 0 6 5.125 Medium
Misuse
of
resource
s 0 7 6 5 0 7 7 0 4 7 5 5 6 7 9 2 8 6.125 High
Staff
shortage 7 7 6 8 0 3 5 9 5.625 8 5 8 2 9 3 5 4 5.5 Medium
Unauthor
ized
communi
cation 4 4 1 7 1 5 8 0 3.75 4 5 2 0 9 5 9 3 4.625 Medium
User
Errors 9 8 4 9 2 2 5 4 5.375 1 4 5 0 7 9 7 1 4.25 Medium
Sabotage 1 3 2 9 5 2 2 8 4 0 1 6 2 2 0 6 5 2.75 Low
Quality
deviation
s 8 2 8 5 7 9 9 5 6.625 9 4 8 7 4 6 8 9 6.875 Critical
Environm
ental
Threats 2 4 2 0 0 6 3 3 2.5 5 9 5 1 9 0 9 4 5.25 Low
Intellect
ual
property
comprom
ise 0 8 9 5 7 2 9 5 5.625 3 8 7 3 9 9 8 6 6.625 High
Incomple
te or
missing
data 6 8 8 7 5 6 4 7 6.375 2 3 4 3 4 3 5 5 3.625 High
Faulty
planning 5 7 7 3 3 1 3 5 4.25 7 4 8 0 5 4 8 4 5 Medium
Financial
Fraud 0 8 2 9 5 2 8 1 4.375 6 0 0 7 9 4 2 9 4.625 Medium
Equipme
nt Theft 7 2 3 6 6 3 0 0 3.375 8 7 2 2 3 7 7 0 4.5 Medium
Terroris
m 6 2 8 7 9 3 1 8 5.5 9 9 7 3 3 1 0 6 4.75 Medium
Natural
Disasters
(Shahri &
Ismail,
2012) 6 6 8 8 0 7 1 3 4.875 7 8 0 3 7 2 9 9 5.625 Medium
The table above identifies each risk from critical, high risk, medium level and low level risks.
Espionage, resource misuse, IP compromise and missing data are seen as high level of risk
while quality deviation is critical for VIC. Certain risks were found to be low on severity
such as sabotage, environmental threats and repudiation. This could be due to the fact that the
damage can occur only in selective cases such as data warehouse damage in the case of
natural calamity, reputation resulting from sabotage of users, issues affecting security posture
due to repudiation, and so on (TrustSphere, 2012). In most of these cases, mitigation is easy
Skill
level Motive
Opportu
nity Size
Ease of
discove
ry
Ease of
exploit
Awaren
ess
Intrusio
n
detectio
n
Liklihoo
d
Loss of
confide
ntiality
Loss of
integrity
Loss of
availabil
ity
Loss of
account
ability
Financia
l
damage
Reputat
ion
damage
Non-
complia
nce
Privacy
violatio
n Impact Severity
Power
failure 5 2 7 1 3 6 9 2 4.375 9 7 5 8 1 2 1 5 4.75 Medium
Network
failure or
errors 0 7 9 2 4 0 1 4 3.375 7 2 9 7 4 3 6 1 4.875 Medium
Technolo
gy
Obsolesc
ence 6 3 7 1 0 7 1 7 4 8 0 4 9 2 4 6 1 4.25 Medium
Hardwar
e failure
or errors 2 8 8 6 0 9 4 1 4.75 9 7 4 7 5 0 7 8 5.875 Medium
Operatio 8 8 4 9 3 2 2 1 4.625 2 9 0 9 5 4 8 8 5.625 Medium
Commun
ication
intercept
ion 9 5 4 5 4 5 9 3 5.5 6 6 5 8 4 3 6 0 4.75 Medium
Repudiat
ion 2 1 1 2 7 9 9 9 5 3 2 0 5 7 5 0 0 2.75 Low
Espionag
e 6 9 8 1 7 6 7 4 6 1 5 2 8 4 9 0 2 3.875 High
Infiltratio
n 2 9 7 9 8 5 0 0 5 1 2 1 3 8 7 4 5 3.875 Medium
Social
Engineeri
ng 0 7 8 5 2 3 0 1 3.25 9 1 9 6 5 0 1 2 4.125 Medium
Technical
Failures 4 2 0 4 4 9 4 3 3.75 4 1 1 1 7 7 9 4 4.25 Medium
Data
theft 6 3 0 3 1 1 7 8 3.625 7 5 9 7 1 6 0 6 5.125 Medium
Misuse
of
resource
s 0 7 6 5 0 7 7 0 4 7 5 5 6 7 9 2 8 6.125 High
Staff
shortage 7 7 6 8 0 3 5 9 5.625 8 5 8 2 9 3 5 4 5.5 Medium
Unauthor
ized
communi
cation 4 4 1 7 1 5 8 0 3.75 4 5 2 0 9 5 9 3 4.625 Medium
User
Errors 9 8 4 9 2 2 5 4 5.375 1 4 5 0 7 9 7 1 4.25 Medium
Sabotage 1 3 2 9 5 2 2 8 4 0 1 6 2 2 0 6 5 2.75 Low
Quality
deviation
s 8 2 8 5 7 9 9 5 6.625 9 4 8 7 4 6 8 9 6.875 Critical
Environm
ental
Threats 2 4 2 0 0 6 3 3 2.5 5 9 5 1 9 0 9 4 5.25 Low
Intellect
ual
property
comprom
ise 0 8 9 5 7 2 9 5 5.625 3 8 7 3 9 9 8 6 6.625 High
Incomple
te or
missing
data 6 8 8 7 5 6 4 7 6.375 2 3 4 3 4 3 5 5 3.625 High
Faulty
planning 5 7 7 3 3 1 3 5 4.25 7 4 8 0 5 4 8 4 5 Medium
Financial
Fraud 0 8 2 9 5 2 8 1 4.375 6 0 0 7 9 4 2 9 4.625 Medium
Equipme
nt Theft 7 2 3 6 6 3 0 0 3.375 8 7 2 2 3 7 7 0 4.5 Medium
Terroris
m 6 2 8 7 9 3 1 8 5.5 9 9 7 3 3 1 0 6 4.75 Medium
Natural
Disasters
(Shahri &
Ismail,
2012) 6 6 8 8 0 7 1 3 4.875 7 8 0 3 7 2 9 9 5.625 Medium
The table above identifies each risk from critical, high risk, medium level and low level risks.
Espionage, resource misuse, IP compromise and missing data are seen as high level of risk
while quality deviation is critical for VIC. Certain risks were found to be low on severity
such as sabotage, environmental threats and repudiation. This could be due to the fact that the
damage can occur only in selective cases such as data warehouse damage in the case of
natural calamity, reputation resulting from sabotage of users, issues affecting security posture
due to repudiation, and so on (TrustSphere, 2012). In most of these cases, mitigation is easy
such as use of Disaster recovery to retrieve data in case of physical damage. Thus, with low
level risks, there would not be a major impact on the security posture of the VIC government
(Shahri & Ismail, 2012).
Challenges of security/risk management approach
VIC government can either manage its risks on its own by establishing internal department
for Risk management or with established governance procedures and policies or can
outsource the operations to an external security expert allowing them to manage security
systems of the company. Most organizations had their own security systems implemented in
earlier days but in the past decades, companies have started to outsource their security
management processes to third party security management contractors for two primary
reasons that include (MYOB, 2016):
Because of increasing competition between different organizations across markets, it
is essential for companies to focus more on their core work which is why non-core
activities are often outsourced to some third party solution provider. As security is
also a non-core process, it is outsourced by organizations to external parties to save on
the internal costs and resources that would otherwise be used if security is handled
internally (Hu, et al., 2007).
Cost of establishing, maintaining and updating security systems has drastically
increases over the years with increasing threats and upcoming new technologies.
However, the third party companies provide the same systems to multiple companies
on a large scale which saves them costs per organization and this benefit can be used
by companies when security processes are outsourced (Chen, et al., 2004).
There are many challenges that companies can face when managing security in either case
and thus, taking decision on whether to outsource security is very critical. An organization
outsourcing security would have less control over its security systems and thus, it is essential
that the security agency is both trustworthy and competent for which an extensive
background check is needed to be done before taking a decision to outsource. Outsourcing
can help an organization enhance its security posture in various ways such as the following
(HP Enterprise, 2015):
level risks, there would not be a major impact on the security posture of the VIC government
(Shahri & Ismail, 2012).
Challenges of security/risk management approach
VIC government can either manage its risks on its own by establishing internal department
for Risk management or with established governance procedures and policies or can
outsource the operations to an external security expert allowing them to manage security
systems of the company. Most organizations had their own security systems implemented in
earlier days but in the past decades, companies have started to outsource their security
management processes to third party security management contractors for two primary
reasons that include (MYOB, 2016):
Because of increasing competition between different organizations across markets, it
is essential for companies to focus more on their core work which is why non-core
activities are often outsourced to some third party solution provider. As security is
also a non-core process, it is outsourced by organizations to external parties to save on
the internal costs and resources that would otherwise be used if security is handled
internally (Hu, et al., 2007).
Cost of establishing, maintaining and updating security systems has drastically
increases over the years with increasing threats and upcoming new technologies.
However, the third party companies provide the same systems to multiple companies
on a large scale which saves them costs per organization and this benefit can be used
by companies when security processes are outsourced (Chen, et al., 2004).
There are many challenges that companies can face when managing security in either case
and thus, taking decision on whether to outsource security is very critical. An organization
outsourcing security would have less control over its security systems and thus, it is essential
that the security agency is both trustworthy and competent for which an extensive
background check is needed to be done before taking a decision to outsource. Outsourcing
can help an organization enhance its security posture in various ways such as the following
(HP Enterprise, 2015):
The overheads of the company that are incurred in managing office, its systems and
operations are reduced.
The productivity of the team managing security processes is high as it is the core
function of the outsourcing organization
The security agency would have more experience and resources for applying best
security management practices through professional training and thus, it would be
advantageous for the company.
Some security related processes like screening and hiring of professionals, payroll
management, monitoring and tracking would be offloaded to the security agency
thereby saving efforts, time and resources for the company.
The outsourcing agency can be more flexible in changing the company’s security
posture based on the requirements of the business (MYOB, 2016).
When the system is outsourced, the liabilities of managing risks would get shared
such that responsibility of finding solutions to problems would be combined
Organizations can leverage on the resources, experience and expertise of security
agencies to get the best management practices.
The cost of establishing and managing security department would be eliminated as the
security agency can make use of their own established infrastructure for managing
security for the organization (MYOB, 2016)
‘’Risk’’ and ‘’Uncertainty’’
Uncertainty is an outcome which cannot be predicted or controlled and pose the risk when an
action or a series of actions occur in the situation. Risk is that situation in which a loss can
occur because of an outcome resulting from an uncertainty. The two can be compared on the
basis of several criteria’s mentioned in the table below:
Basis of
comparison
Uncertainty Risk
Meaning It is situation in which outcome
cannot be predicted or controlled
It is the probability that the
outcome of a given situation
would cause a loss
Outcome Unknown Known
Probabilities Assigned Not assigned
operations are reduced.
The productivity of the team managing security processes is high as it is the core
function of the outsourcing organization
The security agency would have more experience and resources for applying best
security management practices through professional training and thus, it would be
advantageous for the company.
Some security related processes like screening and hiring of professionals, payroll
management, monitoring and tracking would be offloaded to the security agency
thereby saving efforts, time and resources for the company.
The outsourcing agency can be more flexible in changing the company’s security
posture based on the requirements of the business (MYOB, 2016).
When the system is outsourced, the liabilities of managing risks would get shared
such that responsibility of finding solutions to problems would be combined
Organizations can leverage on the resources, experience and expertise of security
agencies to get the best management practices.
The cost of establishing and managing security department would be eliminated as the
security agency can make use of their own established infrastructure for managing
security for the organization (MYOB, 2016)
‘’Risk’’ and ‘’Uncertainty’’
Uncertainty is an outcome which cannot be predicted or controlled and pose the risk when an
action or a series of actions occur in the situation. Risk is that situation in which a loss can
occur because of an outcome resulting from an uncertainty. The two can be compared on the
basis of several criteria’s mentioned in the table below:
Basis of
comparison
Uncertainty Risk
Meaning It is situation in which outcome
cannot be predicted or controlled
It is the probability that the
outcome of a given situation
would cause a loss
Outcome Unknown Known
Probabilities Assigned Not assigned
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Ascertainment Cannot measure it Can measure it
Minimization No Yes
Control Uncertain situation cannot be
controlled
Risk can be controlled (Xero,
2016)
Some risks are systematic such as inflation or market risks while others are unsystematic like
financial loss or business slow down (NIST, 2014).
Risk control and mitigation
VIC government makes use of its security data framework risk control and mitigation. The
framework is used to identify preventive measures for controlling these risks through the
given guidelines in the framework document. These guidelines include security protocols
related to:
Analysis of the evolving risks in the security of the information systems
Identification of the security updates required for improving the security framework
Maintenance of a risk register for recording various types of risks including their
entry, monitoring and review.
Implementation of security systems and strategies as defined in the procedures and
policies of the security framework such as access management, business continuity
management, personnel management, service agreements, physical management and
ICT management (Cisco, 2013)
Security functions incorporation within the routine functions or activities of the
organization
Ensuring meeting of obligations concerning organization security by everyone
working in the organization
Reviewing changing security needs of the company and identifying possibilities for
improving the security policies accordingly (OECD, 2008).
Spread awareness of security aspects in the company and give training to people to
ensure that they follow security protocols.
Monitoring and reviewing incident management system so as to identify needs for
improvement and implementing the same
Conducting annual security compliance review to ensure that right practices are bring
followed (DHS, 2009)
Minimization No Yes
Control Uncertain situation cannot be
controlled
Risk can be controlled (Xero,
2016)
Some risks are systematic such as inflation or market risks while others are unsystematic like
financial loss or business slow down (NIST, 2014).
Risk control and mitigation
VIC government makes use of its security data framework risk control and mitigation. The
framework is used to identify preventive measures for controlling these risks through the
given guidelines in the framework document. These guidelines include security protocols
related to:
Analysis of the evolving risks in the security of the information systems
Identification of the security updates required for improving the security framework
Maintenance of a risk register for recording various types of risks including their
entry, monitoring and review.
Implementation of security systems and strategies as defined in the procedures and
policies of the security framework such as access management, business continuity
management, personnel management, service agreements, physical management and
ICT management (Cisco, 2013)
Security functions incorporation within the routine functions or activities of the
organization
Ensuring meeting of obligations concerning organization security by everyone
working in the organization
Reviewing changing security needs of the company and identifying possibilities for
improving the security policies accordingly (OECD, 2008).
Spread awareness of security aspects in the company and give training to people to
ensure that they follow security protocols.
Monitoring and reviewing incident management system so as to identify needs for
improvement and implementing the same
Conducting annual security compliance review to ensure that right practices are bring
followed (DHS, 2009)
The risk response and mitigation mechanisms are decided based on the level of
severity of the risk. Risks that are critical to the company or have high severity are
avoided in most cases or taken for resolution or mitigation on priority if they occur. In
case of VIC, the deviation from quality is considered as a critical case of risk and
thus, organization needs to have quality checks and ensure that quality standards are
always met. High risk categories identified for VIC included Espionage, resource
misuse, IP compromise and missing data. In each of these cases, actions have to be
taken on priority for resolution or mitigation. Risks with medium level of severity
may be reduced with appropriate mitigation plan that would reduce the impact caused
by the risks such that the security posture of the company could be maintained. Low
severity risks are mostly avoided as they can be accepted without any major threats to
the organization but their resolution can take significant resources of the organization
(Security Awareness Program Special Interest Group, 2014).
Recommendations
Based on the findings from the current studies on risks and uncertainties likely to be
encountered by VIC, some recommendations can be made that would be useful for enhancing
the VIC security posture and these include:
VIC may ooutsource its risk management operation to a security expert third party
service provided as it could save on the costs for the company as well as enhance the
security posture with best practices applied by the expert organization for security.
Training may be given to the staff on the security risks and possible control measures
such that they work in a way that reduces security risks that the company can
otherwise encounter in the case of lack of awareness in employees.
The security systems should be kept updated with eh latest technologies and strategies
that can be used for combating threats which is possible with regular audits conducted
on security systems of the company as they would reveal the security gaps that are
required to be filled.
A risk register can be maintained by the company to record the risks occurring, the
measures taken for mitigation as well as possible risks that can occur such that actions
for solving problems can be taken faster.
severity of the risk. Risks that are critical to the company or have high severity are
avoided in most cases or taken for resolution or mitigation on priority if they occur. In
case of VIC, the deviation from quality is considered as a critical case of risk and
thus, organization needs to have quality checks and ensure that quality standards are
always met. High risk categories identified for VIC included Espionage, resource
misuse, IP compromise and missing data. In each of these cases, actions have to be
taken on priority for resolution or mitigation. Risks with medium level of severity
may be reduced with appropriate mitigation plan that would reduce the impact caused
by the risks such that the security posture of the company could be maintained. Low
severity risks are mostly avoided as they can be accepted without any major threats to
the organization but their resolution can take significant resources of the organization
(Security Awareness Program Special Interest Group, 2014).
Recommendations
Based on the findings from the current studies on risks and uncertainties likely to be
encountered by VIC, some recommendations can be made that would be useful for enhancing
the VIC security posture and these include:
VIC may ooutsource its risk management operation to a security expert third party
service provided as it could save on the costs for the company as well as enhance the
security posture with best practices applied by the expert organization for security.
Training may be given to the staff on the security risks and possible control measures
such that they work in a way that reduces security risks that the company can
otherwise encounter in the case of lack of awareness in employees.
The security systems should be kept updated with eh latest technologies and strategies
that can be used for combating threats which is possible with regular audits conducted
on security systems of the company as they would reveal the security gaps that are
required to be filled.
A risk register can be maintained by the company to record the risks occurring, the
measures taken for mitigation as well as possible risks that can occur such that actions
for solving problems can be taken faster.
There are multiple factors that can together add to the severity of a risk and thus,
every risk may be rated on all these factors to identify the risk severity and develop
priorities accordingly.
High and medium level risks may be avoided altogether but if they still occur, the
company can deal with them on priority using the pre-decided mitigation measures
during the analysis stage.
A culture supporting secure practices must be fostered in the company by ensuring
that security consideration are added in standard operating procedures for every
activity of the company such that either the risks are avoided or are mitigated safely.
Conclusion
This paper explored the concept of security, uncertainity and risks using a real case study of
VIC government that has implemented a security framework in the organization. The paper
explored if the security framework was sufficiently addressing all the security concerns of the
organization. Various tiles of risks including deliberate and accidental risks that are faced by
VIC were explored to identify the levels of severities using a risk rating methodology. It was
found that quality deviation was considered as the critical risks for the organization while
Espionage, resource misuse, IP compromise and missing data were found as high on the level
of risk severity. This rating was decided on the basis of multiple factors that included agent
factors such as skill, level of motivation, opportunities and size of the group exploiting
vulnerabilities, vulnerability factors such as the ease of discovery of vulnerability, user
knowledge, and capabilities of the organization to detect intrusion. There were also certain
impact factors identified such as technical factors like availability, confidentiality,
accountability, and integrity, as well as some business factors like financial loss, reputation
damages, privacy violation and non-compliance of security procedures. Based on the study,
certain recommendations were made to enhance e VIC security posture such as security
outsourcing to third party, training on security aspects to employees, and embedding of the
security aspects in standard operating procedures.
every risk may be rated on all these factors to identify the risk severity and develop
priorities accordingly.
High and medium level risks may be avoided altogether but if they still occur, the
company can deal with them on priority using the pre-decided mitigation measures
during the analysis stage.
A culture supporting secure practices must be fostered in the company by ensuring
that security consideration are added in standard operating procedures for every
activity of the company such that either the risks are avoided or are mitigated safely.
Conclusion
This paper explored the concept of security, uncertainity and risks using a real case study of
VIC government that has implemented a security framework in the organization. The paper
explored if the security framework was sufficiently addressing all the security concerns of the
organization. Various tiles of risks including deliberate and accidental risks that are faced by
VIC were explored to identify the levels of severities using a risk rating methodology. It was
found that quality deviation was considered as the critical risks for the organization while
Espionage, resource misuse, IP compromise and missing data were found as high on the level
of risk severity. This rating was decided on the basis of multiple factors that included agent
factors such as skill, level of motivation, opportunities and size of the group exploiting
vulnerabilities, vulnerability factors such as the ease of discovery of vulnerability, user
knowledge, and capabilities of the organization to detect intrusion. There were also certain
impact factors identified such as technical factors like availability, confidentiality,
accountability, and integrity, as well as some business factors like financial loss, reputation
damages, privacy violation and non-compliance of security procedures. Based on the study,
certain recommendations were made to enhance e VIC security posture such as security
outsourcing to third party, training on security aspects to employees, and embedding of the
security aspects in standard operating procedures.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
References
AlKalbani, A., Deng, H. & Kam, B., 2015. ORGANISATIONAL SECURITY CULTURE AND
INFORMATION SECURITY COMPLIANCE FOR E-GOVERNMENT
DEVELOPMENT: THE MODERATING EFFECT OF SOCIAL PRESSURE, s.l.:
RMIT University.
Brey, P., 2007. Ethical Aspects of Information Security and Privacy, s.l.: Springer Berlin
Heidelberg.
CenturyLink Solutions Consulting, 2014. CenturyLink Assessments: seCurity,infrAstruCture
And disAster reCovery, s.l.: CenturyLink Technology Solutions.
CGI, 2013. Developing a Framework to Improve Critical Infrastructure Cybersecurity, s.l.:
CGI.
Chen, D. & Zhao, H., 2012. Data Security and Privacy Protection Issues in Cloud
Computing. Shenyang, China, International Conference on Computer Science and
Electronics Engineering.
Chen, L.-C., Longstaff, T. A. & Carley, K. M., 2004. THE ECONOMIC INCENTIVES OF
PROVIDING NETWORK SECURITY SERVICES ON THE INTERNET
INFRASTRUCTURE, s.l.: Carnegie Mellon University .
Cisco, 2013. Australian Government Cyber Security Review, s.l.: Cisco.
DHS, 2009. A Roadmap for Cybersecurity Research, s.l.: DHS.
Engine Yard, Inc., 2014. Security, Risk, and Compliance, s.l.: Engine Yard.
ESET, 2016. TRENDS 2016 (IN) SECURITY EVERYWHERE, s.l.: ESET.
Gopinath, S., 2011. Working Group on Information Security, Electronic Banking, Technology
Risk Management and Cyber Frauds, Mumbai: Reserve Bank of India .
HP Enterprise, 2015. Cybersecurity Challenges, Risks, Trends, and Impacts: Survey
Findings, s.l.: MIT.
Hu, Q., Hart, P. & Cooke, D., 2007. on information systems security – a on information
systems security – a neo-institutional perspective. Journal of Strategic Information
Systems, Volume 16, p. 153–172.
IBM Global Technology Services , 2011. Security and high availability in cloud computing
environments, s.l.: IBM Corporation.
AlKalbani, A., Deng, H. & Kam, B., 2015. ORGANISATIONAL SECURITY CULTURE AND
INFORMATION SECURITY COMPLIANCE FOR E-GOVERNMENT
DEVELOPMENT: THE MODERATING EFFECT OF SOCIAL PRESSURE, s.l.:
RMIT University.
Brey, P., 2007. Ethical Aspects of Information Security and Privacy, s.l.: Springer Berlin
Heidelberg.
CenturyLink Solutions Consulting, 2014. CenturyLink Assessments: seCurity,infrAstruCture
And disAster reCovery, s.l.: CenturyLink Technology Solutions.
CGI, 2013. Developing a Framework to Improve Critical Infrastructure Cybersecurity, s.l.:
CGI.
Chen, D. & Zhao, H., 2012. Data Security and Privacy Protection Issues in Cloud
Computing. Shenyang, China, International Conference on Computer Science and
Electronics Engineering.
Chen, L.-C., Longstaff, T. A. & Carley, K. M., 2004. THE ECONOMIC INCENTIVES OF
PROVIDING NETWORK SECURITY SERVICES ON THE INTERNET
INFRASTRUCTURE, s.l.: Carnegie Mellon University .
Cisco, 2013. Australian Government Cyber Security Review, s.l.: Cisco.
DHS, 2009. A Roadmap for Cybersecurity Research, s.l.: DHS.
Engine Yard, Inc., 2014. Security, Risk, and Compliance, s.l.: Engine Yard.
ESET, 2016. TRENDS 2016 (IN) SECURITY EVERYWHERE, s.l.: ESET.
Gopinath, S., 2011. Working Group on Information Security, Electronic Banking, Technology
Risk Management and Cyber Frauds, Mumbai: Reserve Bank of India .
HP Enterprise, 2015. Cybersecurity Challenges, Risks, Trends, and Impacts: Survey
Findings, s.l.: MIT.
Hu, Q., Hart, P. & Cooke, D., 2007. on information systems security – a on information
systems security – a neo-institutional perspective. Journal of Strategic Information
Systems, Volume 16, p. 153–172.
IBM Global Technology Services , 2011. Security and high availability in cloud computing
environments, s.l.: IBM Corporation.
ISC, 2010. The Pursuit of Integrity, Honor and Trust in Information Security, s.l.: ISC.
James, C., 2016. Cyber Security Threats, Challenges and Opportunities, s.l.: ACS.
JIRA Security and Privacy Committee (SPC) , 2007. Information Security Risk Management
for Healthcare Systems , s.l.: MITA (Medical Imaging & Technology Alliance) .
Khan, R. & Wanner, R., 2010. Practical Approaches to Organizational Information Security
Management, s.l.: SANS Institute.
MYOB, 2016. Company file security. [Online]
Available at: http://help.myob.com/wiki/display/ar/Company+file+security
MYOB, 2016. Protecting your confidential information. [Online]
Available at: http://myob.com.au/myob/australia/myob-security-recommendations-
1257829253909
NIST, 2014. Framework for Improving Critical Infrastructure Cybersecurity, s.l.: National
Institute of Standards and Technology.
OECD, 2008. Malicious Software (Malware): A security Threat to Internet Economy, s.l.:
OECD.
Security Awareness Program Special Interest Group, 2014. Best Practices for Implementing a
Security Awareness Program, s.l.: PCI.
Shahri, A. B. & Ismail, Z., 2012. A Tree Model for Identification of Threats as the First Stage
of Risk Assessment in HIS. Journal of Information Security, Volume 3, pp. 169-176 .
S, S., 2016. Difference Between Risk and Uncertainty, s.l.: Keydifferences.
TrustSphere, 2012. Advanced Security Methods for eFraud and Messaging, s.l.: TrustSphere.
Xero, 2016. Your data is safe with multiple layers of security. [Online]
Available at: https://www.xero.com/accounting-software/security/
James, C., 2016. Cyber Security Threats, Challenges and Opportunities, s.l.: ACS.
JIRA Security and Privacy Committee (SPC) , 2007. Information Security Risk Management
for Healthcare Systems , s.l.: MITA (Medical Imaging & Technology Alliance) .
Khan, R. & Wanner, R., 2010. Practical Approaches to Organizational Information Security
Management, s.l.: SANS Institute.
MYOB, 2016. Company file security. [Online]
Available at: http://help.myob.com/wiki/display/ar/Company+file+security
MYOB, 2016. Protecting your confidential information. [Online]
Available at: http://myob.com.au/myob/australia/myob-security-recommendations-
1257829253909
NIST, 2014. Framework for Improving Critical Infrastructure Cybersecurity, s.l.: National
Institute of Standards and Technology.
OECD, 2008. Malicious Software (Malware): A security Threat to Internet Economy, s.l.:
OECD.
Security Awareness Program Special Interest Group, 2014. Best Practices for Implementing a
Security Awareness Program, s.l.: PCI.
Shahri, A. B. & Ismail, Z., 2012. A Tree Model for Identification of Threats as the First Stage
of Risk Assessment in HIS. Journal of Information Security, Volume 3, pp. 169-176 .
S, S., 2016. Difference Between Risk and Uncertainty, s.l.: Keydifferences.
TrustSphere, 2012. Advanced Security Methods for eFraud and Messaging, s.l.: TrustSphere.
Xero, 2016. Your data is safe with multiple layers of security. [Online]
Available at: https://www.xero.com/accounting-software/security/
1 out of 15
Related Documents
![[object Object]](/_next/image/?url=%2F_next%2Fstatic%2Fmedia%2Flogo.6d15ce61.png&w=640&q=75){kind=small}
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
© 2024 | Zucol Services PVT LTD | All rights reserved.