Risk and Vulnerability Analysis

Risk Management

Risk and vulnerability analysis

Risk can be defined as a prediction of future events and their outcomes and consequences. Initially, as these predictions are being made, there is no guarantee that these event will actually occur. At this point, it becomes vital to apply probabilities in order to determine the likelihood of the event occurring. Risk analysis, therefore, is a process of describing risks involved in any situation or organization. Vulnerability on the other hand, tends to focus more on the consequence an event will have on the organization if it occurs. It combines, therefore, the aspects of uncertainty of the event and the consequences that come with it (Lewis, 2006).

Process used to analyze threats

US-VISIT is a department within the Department of Homeland Security (DHS) that enhances the department's mandate of providing security to the citizens of U.S.. U.S.-Visit's main objective is to provide biometric services to other departments and institutions of the federal, state and local government. These biometric services include mostly digitized photograph and fingerprints. Mostly, this information is retrieved from entry points into the country such as airports and also at the Visa issuing officers across the world. Therefore, with this information at hand, it is possible for the immigration offices to determine the eligibility of international travelers to be issued with an American visa. This process is very important in preventing identity theft and denies criminal elements from gaining access into the U.S. Moreover, it becomes easier to identify individuals who may be staying in the U.S. illegally or have overstayed beyond the time they were granted permission to be in the U.S. Therefore, the U.S.-Visit department is very crucial since the information it avails for the various departments assists in decision making and legislation of relevant policies (Homeland Security, 2012).

Since this department holds sensitive and private information, it becomes highly susceptible to risks associated with privacy (DHS, 2004). These threats have been identified and categorized into four major groups as shown in the table below:

Table 1: Risks to privacy of information at the U.S.-VISIT

Type of Threat

Description

Unintentional threats (posed by insider)

These may include mistakes in the design of information systems, its development, configuration and operation. Some errors are also committed by employees of the various institutions that store this information. This may happen physically, for example when an employee leaves documents where they can be seen. As such, confidential information can fall into the wrong hands.

Intentional threats (from insider)

Actions involving the incorrect use of authority and disregard of regulations. These may include browsing for information that is confidential or deleting information from a workstation.

Intentional and unintentional threats from authorized outsiders

These threats include misuse of authority to access confidential information with malicious intent and circumventing procedures to gain access to information systems without proper authorization. Flaws in policies and system hiccups can lead to unintentional access to confidential information.

Intentional threats from unauthorized outsiders

Threats may be electronic, personnel attacks, and physical attack. These entails actions such theft of information equipments, hacking and tapping of communications and social engineering in general.

Source: U.S.-VISIT Program, Increment 2: Privacy Impact Assessment; In Conjuction with the Interim Final Rule of August 31, 2004.

The threats indicated in table 1 were identified through the process of information life cycle. At all the stages of the cycle; collection, use, processing, and destruction, issues are analyzed and threats to privacy identified (DHS, 2004).

Operational risks mainly focus on failures within an organization that are intentionally committed. For example, a hacker can cause an interruption in the ICT system within the organization leading to losses and security threats. Intertwined here is the cause analysis which is related to the threat identification process. Figure 1 gives a comparison of the threat identification process and the cause analysis process.

Fig.1 A comparison of the threat identification process and cause analysis process

Threat identification process

Cause analysis process

Discussion of uncertainties

Discussion of causes

Discussion of probabilities

Discussion of scenarios

Probability assignment

Uncertainty assessment

Identification of scenarios

Information gathering

It is also crucial to analyze the resources at the attacker's disposal and this should include issues such as the resources needed by the attacker to carry out the specific attack, an in depth intelligence on who are the most likely attackers, what motivates the attacker, and the knowledge and technical know-how necessary to carry out the attack. For example, for the risk analysis team set up for U.S.-VISIT, this information would be helpful in effectively allocating the required measures in place to avert any leakage of classified information. Finally, it is important for an organization to analyze its internal structures and operations with the aim to identify the measures laid out to prevent attackers and preparedness of the personnel and systems to possible attacks (Aven, 2008).

Best risk management practices

Risk management, if carried out properly can help reduce the occurrence of undesirable events. This can be achieved through four distinct steps; prevention measures, preparedness, response and recovery (PPRR). The first two steps involve the steps the organization takes before a crisis happens to endeavor to prevent it from occurring in the first place. The response phase takes into account the actions taken by the organization during any crisis in order to ensure organization's process return to normalcy and finally the recovery process involves the steps taken by the organization to ensure operations return to the previous or even better state (Johansson, 2007). Figure 2 illustrates this process in detail.

Fig.2 Risk management using PPRR

RISK Management

PREVENTION

Actions to prevent a risk event

PREPAREDNESS

Measures set to prepare for a risk event

RESPONSE

Steps taken to deal with occurrence of a risk event

RECOVER

Actions to ensure return to normalcy

BEFORE A RISK EVENT OCCURRENCE

DURING A RISK EVENT

AFTER A RISK EVENT

Various risks have different levels of impact on an organization and therefore it is proper to analyze the various risk elements identified into categories. Afterwards, the risks need to be prioritized depending on the probability of each risk actually happening and its expected consequences on the organization and the eventual effect it will have on the organizations' operations. The risk managers are then supposed to evaluate these impacts with regard to cost, time and labor requirements (Zisa, 2011). Figure 3 puts this into perspective.