This is also known as a vulnerability assessment (Shimonski, 2005).
Enlist senior management support so that security is taken seriously within the organization and so that employees and managers alike understand the value of assets and the seriousness of the threats that may exist (Shimonski, 2005; Schwartz, 2003).
Establish a security budget so that from year to year an organization has the finances necessary to deal with security threats as they occur and also to take measures to prevent security issues (Shimonski, 2005; Garcia, 2000).
Create a task force that can respond successfully and expediently to security emergencies (Shimonski, 2005). Along these lines, a security breach plan of action should be developed and all employees informed of the proper steps to take if a security breach occurs.
Establish a recovery plan that will help protect assets. This should include establishing backups so that a company has somewhere to go and can restore systems should an attack occur within an organizational structure (Shimonski, 2005; Sampson, 1992).
Sampson (1992) suggests the following steps for protecting data and organizational assets: (1) analyzing potential business risks, (2) protecting revenues from current or future losses, (3) reducing or removing an organization's exposure to risk and (4) filing claims or prosecuting any criminal actions that do occur within the workplace (p. 17).
Sampson (1992) suggests that organizations protect themselves from the following threats: (1) catastrophes (external), (2) electrical power problems (external) and (3) computer crimes and viruses (internal and external threats) (p. 21).
Organizations must also work to decide whether potential threats are low probability or high probability within the organization (Grassie, 2000). This will enhance the organization's ability to manage threats. High consequence and high probability threats are the most important to manage, as assets are most at risk from these threats (Grassie, 2000). By the same token, security managers shouldn't necessarily disregard high consequence but low probability threats unless the threat source is truly unlikely to affect an organization (Grassie, 2000).
Garcia (2000) suggests that organizations must first (1) identify assets, including physical and intangible assets within the organization, (2) then decide what assets require what levels of protection based on the asset value, (3) next decide what the probability of an attack is, (4) identify what the consequence of a loss may be, (5) identify high consequence events and then (6) develop a risk management program that takes into consideration all of these factors (Garcia, 44). One way organizations can effectively manage threats is by creating a matrix to enable security teams to graphically review all assets and threats and determine how resources are best allocated (Garcia, 2000).
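An added illustration (not taken from Garcia, Grassie or this paper) of the asset-and-threat matrix described above, including the rule that high consequence, low probability threats are kept unless they are truly unlikely. The 1-5 scales, cut-off values, tier names, proportional budget split and sample entries are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed cut-offs for this illustration; the cited authors give no numbers.
HIGH_PROBABILITY = 0.5    # yearly likelihood treated as "high probability"
HIGH_CONSEQUENCE = 4      # on a 1-5 scale, treated as "high consequence"
TRULY_UNLIKELY = 0.01     # at or below this, a threat is "truly unlikely"
TIER_ORDER = {"critical": 0, "watch": 1, "routine": 2, "accept": 3}

@dataclass(frozen=True)
class Cell:
    asset: str
    threat: str
    value: int            # asset value, 1-5
    probability: float    # estimated yearly likelihood, 0-1
    consequence: int      # consequence of loss, 1-5

    @property
    def score(self):
        return self.value * self.probability * self.consequence

    @property
    def tier(self):
        if self.consequence < HIGH_CONSEQUENCE:
            return "routine"
        if self.probability >= HIGH_PROBABILITY:
            return "critical"   # high consequence and high probability
        if self.probability > TRULY_UNLIKELY:
            return "watch"      # high consequence, low probability: keep it
        return "accept"         # high consequence but truly unlikely

def rank(cells):
    """Order cells by tier first, then by descending score within a tier."""
    return sorted(cells, key=lambda c: (TIER_ORDER[c.tier], -c.score))

def matrix(cells):  # asset-by-threat grid of tiers for graphical review
    grid = {}
    for c in cells:
        grid.setdefault(c.asset, {})[c.threat] = c.tier
    return grid

def allocate(cells, budget):
    """Split a budget across non-accepted cells in proportion to score."""
    funded = [c for c in cells if c.tier != "accept"]
    total = sum(c.score for c in funded)
    return {(c.asset, c.threat): budget * c.score / total for c in funded}

SAMPLE = [  # constructed sample data, not from the cited sources
    Cell("customer database", "computer crime", 5, 0.6, 5),
    Cell("customer database", "flood", 5, 0.05, 5),
    Cell("communications equipment", "power outage", 3, 0.7, 2),
    Cell("proprietary formulas", "hurricane", 5, 0.005, 4),
]
```

Calling `rank(SAMPLE)` places the flood cell ahead of the power outage cell even though its score is lower, because the tier is compared before the score.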
How Do Natural Threats Pose A Risk
Natural disasters pose just as much risk to organizations as man-made threats (Sampson, 1992). Flood, fire, hurricanes and other natural disasters can result in serious damage to an organization's computer system, database and paper records (Sampson, 1992). Whereas an organization can take steps to prevent an external hacker from accessing its computer system, it is much more difficult to predict natural threats within an organizational context.
Natural disasters can also have a domino effect, enabling opportunists or hackers to penetrate a system. For example, fiber optic cables lost in a storm or power outages can allow computer viruses to attack (Sampson, 1992). To help mitigate such natural disasters it is vital that organizations prepare disaster mitigation or relief plans to address the heavy losses that may occur in the event a catastrophe occurs (Sampson, 1992). Most government agencies and financial institutions already require that an emergency disaster plan be in place in the event a natural disaster occurs (Sampson, 1992). The focus of the plan should be ensuring that an organization can continue to operate despite a catastrophic event; protection may include adequate insurance coverage and obtaining backup records (Sampson, 1992).
Other threats an organization must consider include catastrophic threats that may result from terrorist attacks (Grassie, 2000). While this is more often a concern among government agencies and financial institutions, all businesses should be aware of the potential for terrorist threats, which can "dramatically change the outcome of risk analysis" (Grassie, 2000).
Best Measures to Protect Assets
Schwartz (2003) suggests that an organization's information assets are the most important to protect because an organization's bottom-line success is "linked to these information assets" (163). Further, he suggests that any given technology is supported or "described by" information assets, and this reliance on information assets may in itself pose security threats (Schwartz, 163).
Technology breakthroughs that undermine previous measures to protect information assets are occurring daily; thus it is not enough for an organization to adopt the latest technology (Schwartz, 2003). Rather, an organization must work toward continuous improvements, which will result in ever-evolving measures to ensure organizational security over time.
To protect human assets within the organization, a corporation must also engage in cultural security measures. Culture is an important determinant of "whether and how remote risks are considered in actual protection applications" (Grassie, 136). Every company has a unique culture that determines what actions are acceptable and what are not; an organization that embraces an open environment that is knowledgeable of security measures and tolerates only "limited security restrictions" is prone to different threats than an organization that embraces only tight security measures (Grassie, 136). In an open environment an organization is less likely to devote resources to protecting itself from low probability but high-risk threats (Grassie, 2000). An organization's past risk history may also determine what procedures are put into place to mitigate risk. A workplace that exhibits more "antisocial behaviors" is more likely to be at risk than an organization that is more cohesive (Grassie, 2000).
Garcia (2000) suggests that organizations take into consideration what assets require protection; these may include physical assets such as communications equipment, computer networks, information assets, human resource databases, proprietary formulas and even "strategic planning information" (44). Personnel and visitors, however, are also assets requiring protection in the organizational context (Garcia, 2000).
The intent of the research in this study is to examine (1) what types of business threats exist, (2) what steps organizations can take to successfully mitigate risks and (3) what changes are needed in organizational structure or daily activities to prevent future threats from posing serious risk or consequence. To accomplish this, the researcher engaged in qualitative methods that help explain how people "define their needs" and why or how they "seek assistance" given a particular phenomenon (Darlington & Scott, 2002).
In particular, the researcher was interested in surveying the current literature that exists with respect to assets and threat management to determine what organizations are doing correctly to help mitigate risk. Methods employed for this study include data collection, observation and documentation analysis of multiple studies conducted previously analyzing security risk management within organizations (Darlington & Scott, 2002). From the data collected, the researcher then disseminated findings by carefully comparing and synthesizing the information gathered from the literature review.
Because the research is qualitative in nature, it is difficult to generalize the findings of the research across all settings. While the researcher acknowledges this limitation, the researcher did take steps to obtain data that would provide the reader with "sufficient information" regarding the phenomenon at hand, using data that can, as far as possible, be generalized to a majority of organizations in similar settings (Darlington & Scott, 2002). The researcher aimed to gather data that included samples representative of the phenomenon in general so that a better understanding of the phenomenon being investigated (assets and threats) could be reached.
As technology continues to advance, more and more organizations are relying on information systems to manage complex data transfers. While this enables organizational efficiency in most cases, it also poses increasing threats to organizational systems and other assets within an organization. An organization's assets are its lifeline; thus it is more important than ever that organizations adopt practices that will ensure the safety and well-being of all assets within the organization, large and small.
Many of the threats and risks that exist within an organization result from internal and external forces. Fortunately, there are a number of steps organizations can take to mitigate potential risks and threats. Organizations must work to develop access controls, intrusion detection and other complete systems designed and installed to protect assets against risks (Garcia, 2000). Such tools are best utilized after an organization has engaged in proper risk analysis (Garcia, 2000). In a rapidly changing and dynamic work environment where technology systems are advancing at a phenomenal pace, organizations simply can't afford not to adopt measures to protect their assets. Assets come in many forms, and include an organization's information systems, organizational systems and people (Garcia, 2000; Grassie, 2000; Schwartz, 2003; Sampson, 1992).
All of these assets must be considered when analyzing risk within the organization. True security and protection can be achieved when organizations appropriately allocate resources to the most pressing threats within an organizational context (Garcia, 2000).…