by Kyle Gulau
Risk is the potential loss that results from the combination of threats, vulnerabilities, and the value of what is exposed. Risk management is the process of coordinating a firm's efforts to reduce the total risk in a system while preserving as much value as possible. It involves determining what value you offer, what threats and vulnerabilities the system faces, and what countermeasures are available.
One common way to determine the risks in a system is to perform a vulnerability and security assessment. Even a single-server operation can consist of several distinct pieces: the web server's operating system, the web server application, the site's front end, and the website forums. These four components are very different from one another, and each requires its own method for keeping risk to a minimum.
Business Continuity Planning
To start, most businesses already use some form of this process. They compile a list of risks and decide what to do about each one. That is why most businesses carry different types of insurance, install fire alarms, and run surveillance: they recognize that certain risks exist and take action to manage them.
Macro-level planning for the business is something IT security professionals rarely think about or are involved in; usually only the "business people" take part. It is important to realize that IT security has a big role in the company and should have a voice at the table at all times. To adequately protect the business and its data, there needs to be a plan in place, along with a budget and support from the company.
The first thing a security professional needs to contribute is a risk management plan for their own "branch". Arguably, IT security professionals manage security for the whole company, but it is important to scope these risks as information and technology risks. The process includes determining which IT assets are most valuable, what the risks of losing or damaging those assets are, how likely each risk is to occur, and what countermeasures will be needed under different scenarios.
Identifying and Valuing Assets
Accurately identifying what you have is important so you know how well to protect it. Assets include hardware, software, and data. One way to value an asset is by its original purchase cost, although this does not account for depreciation. Another is current market value. A third is a qualitative method, which ranks assets by priority rather than assigning a dollar amount.
Identifying and Valuing Risks
This is also very important because there are many unknowns in this area. The key risk assessment terms are vulnerability, threat, and risk. A vulnerability is a weakness in the system. A threat is a method, or someone with the means, to exploit that weakness. A risk exists when a vulnerability and a threat are present at the same time. According to Solomon and Chapple (2005), it is best to use a qualitative method for risk because it gives you a prioritized list of what to fix first. It is also important to keep a dollar amount on risks. Using both methods lets you track what is financially important while still watching the things you cannot put a dollar amount on. There are a variety of ways to put this process into numbers and evaluate your situation with a mathematical formula.
Risk avoidance is the most obvious option. If you can discover a way to avoid a risk altogether, why wouldn't you? A simple example: you have a lot of sensitive data on machines, so to avoid the risk of it being copied off, you remove the USB ports from those computers. A simple solution for a relatively simple problem, but obviously there would be other ways to get at the data, so the risk is not avoided, merely mitigated.
Risk mitigation is the more realistic way to manage risk. As the example above shows, there is rarely a single solution that eliminates a risk. Mitigation means recognizing that you cannot cover every base but that you are actively working to minimize the risk. Another example is a firewall on a network: you know it will block most problems, but a sufficiently motivated attacker could still get past it.
There comes a point where you simply accept the remaining risk, as with the firewall. This is risk acceptance: knowing the risk is there but taking no further action, because the cost of reducing it further would outweigh a risk that is already insignificant.
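The two ideas above, putting risk into numbers and then choosing between avoiding, mitigating, or accepting it, fit together in a small risk register. The following is an added example written for this page, not code from the article or its sources. It uses the standard annualized loss expectancy formula (ALE = asset value x exposure factor x annual rate of occurrence) alongside a qualitative likelihood x impact score, ranks the risks, and then picks a treatment for each by comparing what a countermeasure costs against how much ALE it removes. The 1-to-5 scales, the asset values, rates, and countermeasure costs are all constructed assumptions for illustration; avoidance is modeled as a countermeasure whose residual loss is zero.

```python
"""Risk scoring and treatment selection (added example, constructed data)."""
from dataclasses import dataclass

# Assumed 1..5 ordinal scales; the article does not prescribe specific scales.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # current value of the asset, in dollars
    exposure_factor: float  # fraction of the asset's value lost per incident
    annual_rate: float      # expected incidents per year (ARO)
    likelihood: str         # qualitative likelihood label
    impact: str             # qualitative impact label

    def sle(self) -> float:
        """Single loss expectancy: expected loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.annual_rate

    def qualitative_score(self) -> int:
        """Likelihood x impact on the ordinal scales above."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float        # cost of operating the control each year
    residual_rate: float      # ARO after the control is in place
    residual_exposure: float  # exposure factor after the control; 0.0 removes the exposure


def residual_ale(risk: Risk, cm: Countermeasure) -> float:
    """ALE that remains once the countermeasure is applied."""
    return risk.asset_value * cm.residual_exposure * cm.residual_rate


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Annual loss the control prevents, minus what it costs to run."""
    return risk.ale() - residual_ale(risk, cm) - cm.annual_cost


def prioritize(risks):
    """Order by qualitative score, using ALE to break ties (highest first)."""
    return sorted(risks, key=lambda r: (r.qualitative_score(), r.ale()), reverse=True)


def choose_treatment(risk, options, accept_threshold):
    """Return (decision, countermeasure name or None).

    accept   - ALE is already within what the business tolerates, or no option
               pays for itself (reducing the risk costs more than it saves)
    avoid    - the best-paying option removes the exposure entirely
    mitigate - the best-paying option reduces but does not remove the risk
    """
    if risk.ale() <= accept_threshold:
        return ("accept", None)
    paying = [cm for cm in options if net_benefit(risk, cm) > 0]
    if not paying:
        return ("accept", None)
    best = max(paying, key=lambda cm: net_benefit(risk, cm))
    if residual_ale(risk, best) == 0:
        return ("avoid", best.name)
    return ("mitigate", best.name)


# Constructed sample register loosely matching the article's single-server site.
RISKS = [
    Risk("Customer database breach", 500_000, 0.40, 0.10, "possible", "severe"),
    Risk("Forum defacement", 20_000, 0.50, 2.0, "likely", "minor"),
    Risk("Data theft via workstation USB ports", 100_000, 0.20, 0.50, "possible", "major"),
    Risk("Brief web server outage", 5_000, 0.10, 1.0, "likely", "negligible"),
]
OPTIONS = {
    "Customer database breach": [
        Countermeasure("Database encryption and least-privilege access", 8_000, 0.05, 0.10),
    ],
    "Forum defacement": [
        Countermeasure("Web application firewall and patch cycle", 25_000, 0.50, 0.50),
        # Assumed: the annual cost here stands in for the value the forum would have provided.
        Countermeasure("Decommission the forum", 3_000, 0.0, 0.0),
    ],
    "Data theft via workstation USB ports": [
        # Other exfiltration paths remain, so residual rate is reduced, not zero.
        Countermeasure("Disable USB storage on workstations", 500, 0.10, 0.20),
    ],
}
ACCEPT_THRESHOLD = 1_000  # assumed: dollars per year the business is willing to carry


def risk_register():
    """Prioritized rows of (name, qualitative score, ALE, decision, countermeasure)."""
    rows = []
    for r in prioritize(RISKS):
        decision, cm = choose_treatment(r, OPTIONS.get(r.name, []), ACCEPT_THRESHOLD)
        rows.append((r.name, r.qualitative_score(), r.ale(), decision, cm))
    return rows


if __name__ == "__main__":
    for name, score, ale, decision, cm in risk_register():
        print(f"{score:>2}  ${ale:>9,.0f}  {decision:<8} {name} -> {cm or 'no action'}")
```

Running it ranks the database breach first on the qualitative score even though its ALE equals the forum's, shows the USB control as mitigation rather than avoidance because the residual rate is not zero, rejects the web application firewall for the forum because its cost exceeds the loss it prevents (and picks decommissioning as true avoidance instead), and accepts the outage because its ALE is below the threshold. Changing any of the constructed numbers changes the decision, which is the point: the formula only helps if the inputs are honest.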
Finally, a specific way to discover vulnerabilities in your system is a vulnerability assessment. This can also be folded into other processes, either when developing a new process or when reviewing systems already in place.
Harwood describes a thorough process for website vulnerability and security assessments. This process can uncover a lot, and depending on how deep you go, you might find out more than you wanted.
Let's start with the end result. After testing of the application is complete, you want to generate a report that outlines what was tested on the application's front end as well as its database. That means defining the tools used and the results found, as well as the specific fields and the code that was used to manipulate the site. The report should also include short-term and long-term recommendations outlining the actions needed within each time frame.
When managing risk and looking for ways to mitigate it, you should always research and stay alert to emerging security trends. There are many tools available to help firms with in-house security testing. It may also be beneficial to bring in outside help to complete the task; outsiders can think outside the box and more like a potential attacker would.
Harwood, M. (2011). Security Strategies in Web Applications and Social Networking (pp. 284-310). Sudbury, MA: Jones & Bartlett Learning.
Solomon, M. G., & Chapple, M. (2005). Information Security Illuminated (pp. 8-111). Sudbury, MA: Jones & Bartlett Learning.
about the author
More about Kyle Gulau:
Kyle Gulau enjoys computer programming as well as drumming and skiing. He is currently a student at Western Michigan University, where he is active in the CIS and FIN programs.