CSIA 350: Cybersecurity Acquisition Risk Analysis Report

Verified

Added on 2022/10/10

AI Summary

This report delves into the critical aspects of risk management within the procurement of cybersecurity services and products, focusing on product accountability, operational risks, and the significance of IT control frameworks. It examines the challenges posed by the evolving cybercrime landscape and the need for robust cybersecurity measures to protect sensitive data and information. The report explores product accountability in the cybersecurity industry, highlighting the lack of product liability and its implications for both buyers and suppliers. It also addresses operational risks, categorizing them into actions of individuals, technology and system failures, internal processes, and external events, and discusses strategies for mitigating these risks, such as risk transference. Furthermore, the report emphasizes the importance of IT governance frameworks, including COBIT, ITIL, and ISO/IEC 27002, in ensuring that IT investments align with business objectives and meet both internal and external IT needs. The conclusion underscores the ongoing evolution of the cybersecurity sector and the continuous need for proactive risk management strategies to safeguard against emerging threats.

Running head: ACQUISITION RISK ANALYSIS 1
Acquisition Risk Analysis
Student’s Name
Institution Affiliation

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

ACQUISITION RISK ANALYSIS 2
Introduction
Research has found that cybersecurity has become a critical part of the current society
which solely depend on technology since both threat actors as well as defenders continuously
come up with new services and products to pawn each other. The far-reaching need as the ever
transforming cybercrime environment is one of the reasons that has resulted in the cybersecurity
department to experience such a challenging time to gain acknowledgement as an authentic
sector. Even though additional technological segments are being propelled by higher production
and declining high-tech inadequacies, the cyber security industry is being propelled by
exponentially skyrocketing cases of cybercrime. As a result, this is the primary reason as to why
the cybersecurity industry is existent (Trautman, 2015). Consequently, the sector of
cybersecurity paybacks to the society in the sense that it safeguards all user’s data and
information from getting into wicked hands that could lead to catastrophic losses in terms of
money as well as privacy. Indeed, in the absence of cybersecurity practices put in place,
organizations could lose vital resources as well as clients that cannot trust them to secure their
digital resources and data. There are many sources that call for cybersecurity services and
products such as endpoint protection for personal computers (PCs) mobiles devices and laptops,
consultation to strengthen or build defenses, and network security to secure networks against
intrusion and unauthorized accessibility. In light of this statement which discuss about the
significance and the need for the presence of cybersecurity sector, this paper will explore major
features of risk management for procurement of cybersecurity services and products by buyers
and suppliers to involve product accountability concerns, operational risks, and the significance
of IT control frameworks.
Product Accountability in the Industry of Cybersecurity

ACQUISITION RISK ANALYSIS 3
Product accountability is defined as the provider being held accountable for inserting a
faulty merchandise for use by the end user either intentionally or not. The product is supposed to
adhere to the normal expectations of the customer. Therefore, in case the consumers experience a
fault or loss, the producer is said to be responsible for failing to meet the rational expectation of
their produce. Indeed, product accountability is the propelling aspect for business operations to
ensure that their merchandises as well as services attain the prospects to avert getting sued.
Nonetheless, product liability is a state that that is almost non-existent in the industry of
cybersecurity. Almost all cybersecurity corporations if not all declare their selves as leaders in
cybersecurity sector having the capability to safeguard clients information and data without any
incidents despite the fact that this could not be true.
The dependability is that cybersecurity services and products could backfire as cyber
risks keep on evolving. Nevertheless, cybersecurity corporations are not held accountable in case
their merchandises miscarry. Consequently, this leads to cybersecurity sector is likely to become
more reactive and not practical. The deficiency of merchandise accountability levied on
cybersecurity companies has been hazarded to be key essence for some cyber related attacks and
support for the cybersecurity legal responsibility being on high demand in the current corporate
world (Park, 2018). The increase in cyber product charge due to the intensified regulations has
been put in place, nevertheless, no any industry standard that has led to a more challenging
setting for cybersecurity purchasers making attempts to ensuring that they buy the best
cybersecurity services and products.
According to Von Solms and Van Niekerk (2013) till that time that cyber product liability
will realize complete achievement, is when the risk management strategy of many organizations
will adopt product accountability in the procuring of cyber cover. Cyber coverage aids

ACQUISITION RISK ANALYSIS 4
companies to recuperate from cyber-attacks resulting from the provider’s product failure to
secure their cyber assets. Although cyber coverage plays a critical part in a corporate to
financially improve, clients are still suffering with their information being filched minus any
actual reimbursement. In this sense, cyber insurance acts as an intermediate ground for
companies to be safeguarded in the event of a cyber-attack. However, cyber insurance is not an
appropriate spare for appropriate cyber product accountability requirements.
Operational Risk
Peltier (2016) defines cybersecurity operational risks as risks which have consequences
which impact on the availability, confidentiality, information integrity and information systems.
In this essence, operational risks occur in different forms, however, all these risks can
significantly affects the buyers and suppliers of services and products of cybersecurity. The
sources of cybersecurity operational risks are grouped into four key groups: actions of
individuals, technology and system failure, internal processes and lastly but not least external
events. Research has found that the most prevalent cyber operational risks originate from actions
of individuals which could be as a result of human mistakes and errors, unintentional or
deliberate, sabotage, fraud and theft (Cebula, & Young, 2010). Nevertheless, the occurrence of
operational risks compromises security leading to users and suppliers experiencing major
cybersecurity impacts.
If it happens that a cybersecurity contractor overlook a key operational risk, like a
software coding personnel failure to update the software appropriately, it can lead into
catastrophic results. Therefore, compromised cybersecurity services and products could result in
massive losses experienced by companies and this could result in losing of millions of shillings
to fix the problem or even lead to closure of the business (Chou, 2013). Apart from the expenses

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

ACQUISITION RISK ANALYSIS 5
incurred to fixing the compromised system and losing data, the existent and potential customers
will start to have doubts due to losing faith in the company and seek a different company that
they can entrust. The loss of consumer support will not only transpire to the organization hurt
from operational risk, but as well as the cybersecurity provider that generated the risk. In this
sense, to alleviate such operational risks from cybersecurity merchandises as well as services, a
risk transference treaty is ordinarily made.
According to Liscouski (2014) risk transference is an operational risk administration
approach through which a company decides to transfer the risk from itself by demanding the
users to purchase a premium from indemnity firms in interchange for protection. The purchase of
the insurance then protects the cybersecurity provider in case of an event where operational risk
occurs that will cover the business financially. Even through the transfer of risks aids suppliers to
counterpoise the fiscal impact of cyber-event the purchasing organization brand name could still
not be easier to recover. The superlative cybersecurity dealers understand that they are supposed
to design products and services which support flexibility and decline operational risks to the
ultimate possible level. Therefore, if it happens that suppliers are not capable of realizing this
need then, there is high probability that these suppliers will be heading to losing a competitive
advantage very quickly in the market (Martyn, 2015).
Significance of IT governance frameworks
Information technology governance offers a framework for corporations to make sure
that their IT investment supports the business objectivities (Lindros, 2017). Companies
experience numerous regulations that govern data protection and at the same time they are piled
up with pressure from customers, shareholders and stakeholders. Research has shown that when
IT investment work with their focus being on the business goals, they end up producing

ACQUISITION RISK ANALYSIS 6
measurable results that help in attaining their organizational objectives in an operational way. In
order to guarantee that a business meet both external and internal IT needs, a recognized IT
governance structure has to be implemented such as Information Technology Infrastructure
Library (ITIL), Control Objectives for Information and Related Technology (COBIT) and
ISO/IEC 27002 standard.
COBIT is a governance structure that was advanced by the ISACA, which offers
extensive framework tools, practices and models for managing IT enterprises world over. COBIT
is extensively used companies which their focus is risk mitigation and risk management
(Kohgadai, 2017). In this sense, COBIT could be used to understand the way through which a
particular cybersecurity service or product play part toward managing cyber-risks and to
determine whether they are suitable for the organization. On the other hand, ITIL provides a
range of best IT practices has been deliberate to streamline IT operations and services by
providing smooth and maximum resource efficiency. Therefore, the ITIL aids business in
defining basic security requirements for which aids in management of applications. Furthermore,
ISO/IEC 27002 standard is an IT security guideline that offers organizational information about
IT security controls. ISO/IEC 27002 standard offers similar commendations to ITIL, but every
business is required to perform its risk evaluation to identify its specific needs prior to deciding
on the IT services or products. For instance, ISO/IEC 27002 is primarily recommended for
physical protection of the business for monitoring accessibility to secure region with access
control that is revised every year.
IT governance structures are significant to the business in various ways. To begin with
structured framework models provides an excellent structure that can be followed by a business.
On the same note, a structured framework aids to ensure that all people in the organization stay

ACQUISITION RISK ANALYSIS 7
on the same page since they are in a better position to view what is expected. Similarly, through
following IT standards it allow for knowledge sharing. It is possible for employees to share ideas
in organizations (Antonucci, 2017). In addition COBIT is an IT governance structure as well as a
supporting tool that enable managers to bridge the gap between technical issues, business risks
and control requirements (Evans, 2016). On the same note, COBIT allows for clear policy
establishment and good practices for IT control across the company, which aids to increase the
value achieved from IT.
Summary
The cybersecurity sector is of big benefit to the society since it works to safeguard all
user’s data and personal information from landing into the hands of malicious people. In the
process, cybersecurity helps to save users from falling victims of losing money, data and their
private information. Nevertheless, the cybersecurity sectors is far much away from offering full
security to its customers. It has been found that cybersecurity contractors are in continuous
attempt to stay ahead of intruders so that to minimize the countless potential operational risks
(Janakiraman, & Narayanan, 2019). The ever expanding operational risks have even resulted in
the emergence of novel need services and products like cyber coverage. In addition to that, the
cybersecurity lacks product liability and standardizations which is likely to lead to a problematic
business setting. Cybersecurity business that do not undergo product liability will not be held
responsible in case the service being offered does not deliver the promised services or products.
Despite the fact that companies world over are striving to implement product accountability
standards for cybersecurity products and services, consumers will inescapably keep on suffering
from the same problem (Smith, 2016).

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

ACQUISITION RISK ANALYSIS 8
In conclusion, making use of IT governance frameworks by companies will aid them in
managing cyber-risks by their selves. The cybersecurity sector is still progressing and it will
keep on evolving hence cyber-risks will also keep growing with new technology implementation.
References
Antonucci, D. (2017). The Cyber Risk Handbook: Creating and Measuring Effective
Cybersecurity Capabilities. John Wiley & Sons.
Cebula, J. J., & Young, L. R. (2010). A Taxonomy of Operational Cyber Security
Risks. Software Engineering Institue, 1-47. doi:10.21236/ada609863
Chou, T. S. (2013). Security threats on cloud computing vulnerabilities. International Journal of
Computer Science & Information Technology, 5(3), 79.
Evans, L. (2016). Protecting information assets using ISO/IEC security standards. Information
Management, 50(6), 28.
Janakiraman, V., & Narayanan, A. (2019). Ensuring Site Reliability through Security Controls.
Kohgadai, A. (2017, December 14). Top Cyber Security Companies and Vendors. Retrieved
July 15, 2018, from https://www.skyhighnetworks.com/cloud-security-blog/top-cyber-
security-companies-and-vendors/
Lindros, K. (2017, July 31). What is IT governance? A formal way to align IT & business
strategy. Retrieved July 15, 2018, from
https://www.cio.com/article/2438931/governance/governanceit-governance-definition-
and-solutions.html

ACQUISITION RISK ANALYSIS 9
Liscouski, B. (2014, April 01). Measuring the Role of Risk Transfer in Cybersecurity
Management. Retrieved July 15, 2018, from
https://www.securitymagazine.com/articles/85371-measuring-the-role-of-risk-transfer-
in-cybersecurity-management
Martyn, P. (2015, June 25). Risky Business: Cybersecurity and Supply Chain Management.
Retrieved July 15, 2018, from
https://www.forbes.com/sites/paulmartyn/2015/06/23/risky-business-cyber-security-
and-supply-chain-management/#7cc96b5f5554
Park, M. (2018, April 18). 2018 Cybersecurity Market Report. Retrieved July 15, 2018, from
https://cybersecurityventures.com/cybersecurity-market-report/
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for
effective information security management. Auerbach Publications.
Smith, J. (2016, January 15). Businesses desperate for clarity on reasonable level of security.
Retrieved July 15, 2018, from
https://www.infosecurity-magazine.com/opinions/liability-change-attitudes/
Trautman, L. J. (2015). E-Commerce, cyber, and electronic payment system risks: lessons from
PayPal. UC Davis Bus. LJ, 16, 261.
Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security.
Computers & security, 38, 97-102.