Risk Identification in Information Security
How does risk identification contribute to effective risk management of information security?
Risk identification plays an essential part in risk management and in dealing with the pressing issue of information security in the modern networked working environment. It also plays an important role in selecting and prioritizing problems according to their significance to the organization or institution. Furthermore, risk identification depends on, and feeds into, a valuation of the assets of the company or enterprise. It is imperative that an organization identifies all foreseeable risks so that the communities of interest within it have a clear picture from which to assess the vulnerabilities of those assets.
The present study is intended to research the ways in which risk identification is useful as an integral and essential part of the process of the risk management of information security. I hope that my research question and paper will help further the understanding of the role that risk identification plays in risk management, and that this research can be instrumental in providing some new insight into risk identification.
Overview of risk identification and IT
The issue of security has become an important, if not crucial, area of concern for online companies, ecommerce institutions and Web users alike. Security, together with privacy, shows up in the growing concern about online shopping and in customer confidence in the online payment process. Privacy intrusion has also become central to today's online world, especially in ecommerce. Recent years have seen an increase in reports of fraud and credit card misuse, which in turn has driven efforts to create and disseminate more effective security measures and methods. All of these aspects have to be taken into account in understanding risk identification as a necessary prerequisite for good risk management in the information age.
With the advent and increasingly ubiquitous nature of the Internet, online networking and communications technologies, there has on the one hand been an exponential increase in the free flow of information and the growth of online business. The internet as a boon to various industries and commerce has meant not only that information and information sharing have become more accessible and faster, but that various new technologies can be used to increase business and transaction processes. In essence, the Internet has meant that the barriers that existed before between countries and nations, as well as markets, have all but disappeared.
On the other hand, this modern phenomenon has also produced unique and challenging problems and risks to both commercial and private integrity, which have become of paramount importance to the modern organization and business. As the Internet has grown in complexity and interactivity, and as the number of online users has increased exponentially, so have the threats of privacy invasion and other forms of intrusion and fraud.
The Internet has grown considerably during the past decade, particularly with respect to its use as a tool for communication, entertainment, and marketplace exchange. This rapid growth has been accompanied, however, by concerns regarding the collection and dissemination of consumer information by marketers who participate in online retailing. These concerns pertain to the privacy and security of accumulated consumer data … and the perceived risks that consumers may experience with respect to these issues. (Miyazaki and Fernandez, 2001, p. 27)
Risk identification, as well as risk assessment, is therefore seen as a cardinal issue in today's IT and online environment. As one article on this subject states, "Operational IT planning should identify and assess risk exposure to ensure policies, procedures, and controls remain effective" (Booklet: Management). Furthermore, it is generally stressed that this risk identification should be thorough and extensive. It should "… identify the location of all confidential customers and corporate information, any foreseeable internal and external threats to the information, the likelihood of the threats, and the sufficiency of policies and procedures to mitigate the threats" (Booklet: Management). As many IT specialists note, it is imperative that management consider the results of the identification and assessment of risks in overseeing all IT operations.
The above points therefore stress the central role that the identification of risk factors plays in the security of the company or firm involved. As many experts comment, the reality of modern online and networked interaction in business and other organizational activities is that any system is vulnerable to hacking and other security issues. It should also be noted that the general consensus is that the majority of security breaches result from known, common vulnerabilities in the system that could have been found and remediated had anyone checked for them.
However, the identification of risk factors in terms of information security brings a large number of variables and criteria into play. These include not only issues of policy and procedure, but also human factors and issues such as training and human error that have to be taken into account in the assessment of risk.
Definitions
Before discussing risk identification in detail and in relation to factors such as risk assessment and management, it is first important to define the term clearly and to place it within the broader definition of risk management. The CISA Review Manual 2006 provides the following definition of risk management:
"Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization." (CISA Review Manual, 2006)
A number of important aspects need to be identified and unpacked from this definition. The first is that risk identification is an ongoing process which must be continuously repeated and maintained, as the online information environment is constantly changing, with new threats and risks emerging daily. Therefore, the process of identification must be designed to be maintained over time and must be flexible enough to adapt to new threats or risks in the online environment.
A second important point is that the counter-measures taken as a result of identifying and assessing risks must be balanced, so that they do not impact negatively on aspects such as efficiency and productivity. In other words, risk identification is tied to asset valuation: counter-measures instituted to protect the assets of the company or organization should not cost more, in money or in lost capability, than the assets they protect are worth.
In essence, risk can be understood as the "… likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset)" (SPECIAL REPORT: Security Directives and Compliance), and risk identification is the activity of surfacing those possibilities before they materialize. Optimal management of security risks therefore implies the correct and timely identification of the risk factors that may threaten the company, which in turn requires an ongoing and detailed awareness of the value of the company's or organization's assets. "… managers need to identify the value of the IT and information assets that might be impacted; then conduct a threat and vulnerability analysis to identify the potential effect and the probability of that occurrence" (SPECIAL REPORT: Security Directives and Compliance). It follows that adequate risk identification must take into account the important concept of vulnerability. Vulnerabilities as a central aspect of risk identification are discussed in more detail in the following section.
Vulnerabilities
A vulnerability in information security is a weakness in a system, process or person that a threat can exploit; combined with a threat and the value of the affected asset, it constitutes a risk. Exploited vulnerabilities can mean the loss of integrity and confidentiality and can consequently lead to other losses, such as loss of income. However, identifying every risk is in practice impossible, and the term residual risk is used for the risk that remains after identification, assessment and the application of counter-measures. In this sense, risk assessment follows from the identification of the risk and is usually carried out by a team of experts in the areas of the business affected.
There are many common types of vulnerabilities that need to be acknowledged and included in any strategy of risk identification and management. One of the most pervasive and common risks is identity theft. An article that provides some insightful and relatively contemporary statistics on the extent of online fraud is Internet Commerce Grows 88% by Dollar Volume and 39% by Transaction Volume: Fraud Remains a Concern. For example, the author notes that in recent years the "…. United States remained the top source country for security events generated with an overwhelming 79%, followed by Canada (5.7%), Taiwan (2.6%), Korea (2.5%) and the U.K. (2.4%)" (Internet Commerce Grows 88% by Dollar Volume and 39% by Transaction Volume: Fraud Remains a Concern). Another source that attests to the serious extent of this risk is FraudWatch International (http://www.fraudwatchinternational.com). The Identity Theft section of this site is constantly updated with the latest information and data and provides a wealth of information on ID theft practices such as phishing, as well as possible solutions to these problems.
Phishing, Spear Phishing and Pharming
The following is intended to provide a very brief overview of some of the most dangerous and pervasive security risks in the online and networked world. One of the most insidious forms of identity theft is known as phishing. The term 'phishing' refers to the practice of "fishing for information." It was originally used to describe "phishing" for credit card numbers and other sensitive information that can be used by the criminal. Phishing attacks use "… spoofed emails and fraudulent websites to deceive recipients into divulging personal financial data, such as credit card numbers, account usernames and passwords, social security numbers etc." (All about Phishing). Thompson (2006) clearly outlines the basics of a phishing attack.
A typical phishing attack sends out millions of fraudulent e-mail messages that appear to come from popular Web sites that most users trust, such as eBay, Citibank, AOL, Microsoft and the FDIC. According to the Federal Trade Commission, about 5% of recipients fall for the scheme and give information away. Phishers wish to irrationally alarm recipients into providing sensitive information without thinking clearly about the repercussions. Victims might be told someone has stolen their PIN and they must click on the provided link to change the number. (Thompson, 2006, p. 43)
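The indicators Thompson describes (a trusted-looking sender, a link that leads elsewhere, and pressure to act at once) can be checked mechanically before a message reaches a user. The following is an added example, not code from the paper or from any of the cited sources. Both messages it analyzes are constructed for illustration, the sender and link hosts are hypothetical, and the registered_domain() helper is a deliberately crude stand-in for a public-suffix lookup.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a spoofed "bank" alert in the
# pattern Thompson describes. The visible link text shows the genuine
# domain, but the href points at an attacker-controlled host.
SAMPLE_PHISH = """\
From: "Citibank Security" <alerts@citibank.com>
To: victim@example.com
Subject: Your PIN was compromised - act now
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone has stolen your PIN. You must change it within 24 hours.</p>
<p><a href="http://citibank.com.account-verify.example.net/login">https://www.citibank.com/</a></p>
</body></html>
"""

# Constructed benign message for comparison: the link host belongs to the
# sender's own domain and nothing pressures the reader.
SAMPLE_LEGIT = """\
From: "Citibank" <alerts@citibank.com>
To: victim@example.com
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your statement is ready. Sign in at
<a href="https://online.citibank.com/">online.citibank.com</a>.</p>
</body></html>
"""

URGENCY = re.compile(r"\b(within 24 hours|act now|immediately|suspended|verify your account)\b", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname. Assumption: a crude stand-in for a
    public-suffix lookup, adequate for the .com/.net names used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_message(raw):
    """Return a list of human-readable phishing indicators found in one message."""
    msg = message_from_string(raw, policy=policy.default)
    sender_domain = registered_domain(parseaddr(msg["From"])[1].split("@")[-1])
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    extractor = LinkExtractor()
    extractor.feed(body)

    findings = []
    for href, text in extractor.links:
        host = (urlparse(href).hostname or "").lower()
        link_domain = registered_domain(host)
        if link_domain != sender_domain:
            findings.append(f"link host {host} is outside sender domain {sender_domain}")
            if sender_domain in host:
                # The trusted brand appears only as a subdomain of someone else's domain.
                findings.append(f"trusted name {sender_domain} used as a subdomain of {link_domain}")
        if text.startswith(("http://", "https://")) and (urlparse(text).hostname or "").lower() != host:
            findings.append(f"visible URL {text} differs from real target {host}")
        if IPV4.match(host):
            findings.append(f"link uses a raw IP address {host}")
    pressure = URGENCY.search(body)
    if pressure:
        findings.append(f"pressure language: '{pressure.group(0)}'")
    return findings
```

Run against SAMPLE_PHISH the function reports four indicators (foreign link host, brand used as a subdomain, visible URL differing from the real target, and the 24-hour deadline); against SAMPLE_LEGIT it reports none. The sender check is only as strong as the mail system's authentication of the From header, since the header itself is trivially forged; in production the same logic would sit behind SPF/DKIM/DMARC results rather than trusting the header on its own.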
Bielski (2005) illustrates the reality of identity theft and the techniques of phishing. He refers to this pervasive threat to major American commercial institutions: "…. The Bank of America's … loss of government worker data and … Choicepoint's 'data leaks'" (Bielski, 2005, p. 7). The study also discusses the risk of phishing to smaller and mid-sized companies (Bielski, 2005, p. 7).
Numerous studies point to the increasing cost of phishing, not only to the individual but also to the commercial institutions that are negatively affected.
Phishing costs victims and financial institutions money and time. Victims must correct credit records and repair other phishing-related damage, while financial institutions must absorb customer losses, as well as costs from issuing new credit cards, answering calls and shutting down fraudulent websites. (Wetzel, 2005, p. 46)
Spear phishing is a relatively new and extremely effective form of phishing. A useful definition of this type of ID fraud is as follows: "Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source" (Spear Phishing). Furthermore, spear phishing attempts are most likely to be conducted by "… sophisticated groups out for financial gain, trade secrets or military information" (Spear Phishing).
In essence, the difference between spear phishing and ordinary phishing is that the former is directed: it does not contact hundreds or thousands of potential victims but focuses on a single company or enterprise. The central problem with this form of identity theft is that it appears genuine, because the request to provide information seems to come from known and trusted sources within the company, enterprise or institution, from whom the victim would normally receive e-mail. This makes it a very deceptive type of identity theft and one that is often very difficult to combat.
Another disconcerting aspect of spear phishing is that it can also be used to trick the victim into downloading malware. This can happen easily if the recipient clicks on the link and is led, unknowingly, to a site that silently installs malware or spyware. Such software can take over the user's computer and gain access to personal files and information, often with devastating consequences for the individual and for the organization whose network that computer is on.
Pharming is another common form of identity theft, in which traffic for a legitimate Web site's name is redirected to a fraudulent server. Unlike phishing, it requires no deceptive link: the attacker corrupts name resolution itself, typically by poisoning a DNS cache, altering the DNS settings of a home router, or having malware rewrite the local hosts file. Pundits claim that pharming can foil even experienced computer users and could become one of the most insidious privacy and security threats yet, and experts report that pharming attacks are on the increase.
Pharming works in the following manner: the user correctly types the Web address of his or her bank, yet the site that appears is a sham operated by scammers, because the address was resolved to the attacker's server. The user assumes the site is authentic, as it is a near-perfect replica of the legitimate one, and enters credit card details or other sensitive information, with obvious consequences. One caveat worth noting for practitioners is that a pharming site normally cannot present a valid TLS certificate for the real domain, so a browser certificate warning, or the absence of HTTPS on a banking login page, is often the only visible sign of the attack.
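Because a hosts-file entry is consulted before DNS, a single injected line is enough to redirect a correctly typed bank address. The following added example (not code from the paper or any cited source) audits hosts-file content for that pattern in two ways: monitored names that resolve outside their expected networks, and one non-loopback address serving several unrelated brands. The hosts content, the address ranges and the monitored-name list are all constructed and hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed hosts-file content (not from the paper). The two lines under the
# "Injected" comment are the kind of entry a pharming trojan writes: the user
# types the bank's name correctly and the operating system never asks DNS.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    fileserver.corp.local
# Injected by malware
198.51.100.23   www.citibank.com citibank.com
198.51.100.23   www.paypal.com
"""

# Assumed (hypothetical) allowlist: names the organization watches and the
# address ranges their legitimate servers are expected to live in.
MONITORED = {
    "www.citibank.com": ["192.0.2.0/24"],
    "citibank.com": ["192.0.2.0/24"],
    "www.paypal.com": ["203.0.113.0/24"],
}


def parse_hosts(text):
    """Return {hostname: [ip, ...]} from hosts-file text, ignoring comments and blanks."""
    mapping = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()].append(ip)
    return dict(mapping)


def find_pharming_entries(hosts_text, monitored=MONITORED):
    """Monitored names pinned to an address outside their expected networks."""
    mapping = parse_hosts(hosts_text)
    findings = []
    for name, expected in monitored.items():
        nets = [ipaddress.ip_network(n) for n in expected]
        for ip in mapping.get(name, []):
            addr = ipaddress.ip_address(ip)
            # A v6 address never falls inside a v4 network, so it is flagged too.
            if not any(addr in net for net in nets):
                findings.append((name, ip))
    return findings


def shared_ip_collisions(hosts_text):
    """Non-loopback addresses that serve names from more than one registered domain.
    Unrelated brands sharing one IP in a hosts file is a strong pharming signal,
    even for names that are not on the monitored list."""
    by_ip = defaultdict(set)
    for name, ips in parse_hosts(hosts_text).items():
        for ip in ips:
            if not ipaddress.ip_address(ip).is_loopback:
                by_ip[ip].add(".".join(name.split(".")[-2:]))
    return {ip: sorted(domains) for ip, domains in by_ip.items() if len(domains) > 1}
```

On the sample, find_pharming_entries() flags all three monitored names at 198.51.100.23, and shared_ip_collisions() reports that address as serving both citibank.com and paypal.com. The same two checks apply unchanged to a list of (name, answer) pairs captured from a resolver, which is how the DNS-cache and router variants of pharming would be caught.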
The process of risk identification
Risk identification is a step in a process which also includes asset identification and vulnerability assessment. In the light of the threats to information security discussed above, it is obvious that security management would not be possible or effective without clearly identifying the risks posed and the way those risks affect the particular assets of the company or institution. As one commentary notes:
Asset identification is the first step towards a secure organization. Too many companies are too eager to implement the most expensive technology with strong encryption and state-of-the-art authentication systems, without first thoroughly identifying all their assets. (Security+ TechNotes - Risk Identification)
In other words, the link between risk identification and asset identification is that the company must be very clear about which assets are at risk in order to implement the most effective counter-measures and security strategies. Risk identification is therefore to a large extent dependent on the evaluation of assets. For example:
… a company implements a firewall for their 2 Mbps shared Internet connection, but disregards the backup dial-up connection some distinguished employees have in their office. Also laptops including removable media from remote users, such as frequently traveling sales personnel, are too often 'forgotten' when a formal asset identification is not performed prior to developing the company's security program. (Security+ TechNotes - Risk Identification)
Once the assets are identified, a vulnerability assessment usually follows to determine the most vulnerable areas of security concern. This in turn leads to a threat assessment and then to risk identification. Following the logic of this process, risk identification refers to "… the likeliness of a threat actually leading to an incident" (Security+ TechNotes - Risk Identification).
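The "forgotten" dial-up line and travelling laptops in the Security+ TechNotes example are found in practice by reconciling what the security programme believes it protects against what is actually on the network. The following added example (not code from the paper or the cited source) does that reconciliation against constructed `arp -a` output in the format Linux prints; the asset register, MAC addresses and hostnames are all hypothetical.

```python
import re

# Constructed asset register (not from the paper): what the security programme
# believes it is protecting, keyed by MAC address.
ASSET_REGISTER = {
    "00:11:22:33:44:01": {"name": "fw-edge", "type": "firewall", "owner": "netops"},
    "00:11:22:33:44:02": {"name": "fileserver", "type": "server", "owner": "it"},
    "00:11:22:33:44:03": {"name": "ws-accounts-1", "type": "workstation", "owner": "finance"},
    "00:11:22:33:44:04": {"name": "ws-hr-2", "type": "workstation", "owner": "hr"},
}

# Constructed `arp -a` output from a sweep of the office LAN (Linux format).
# The last two entries stand for a USB modem and a visiting sales laptop that
# nobody registered. Incomplete entries carry no MAC and are skipped.
ARP_OUTPUT = """\
fw-edge (10.0.0.1) at 00:11:22:33:44:01 [ether] on eth0
? (10.0.0.10) at 00:11:22:33:44:02 [ether] on eth0
? (10.0.0.23) at 00:11:22:33:44:03 [ether] on eth0
? (10.0.0.57) at 00:11:22:33:44:99 [ether] on eth0
? (10.0.0.88) at 00:11:22:33:44:AA [ether] on eth0
? (10.0.0.200) at <incomplete> on eth0
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def parse_arp(text):
    """Return {mac: ip} for every resolved entry in `arp -a` output."""
    seen = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            seen[m.group("mac").lower()] = m.group("ip")
    return seen


def reconcile(register, arp_text):
    """Split the network view into devices the register does not know about
    (shadow assets the security programme has never assessed) and registered
    assets that were not seen (possibly off-site laptops, possibly stale records)."""
    discovered = parse_arp(arp_text)
    unregistered = {mac: ip for mac, ip in discovered.items() if mac not in register}
    not_seen = {mac: entry["name"] for mac, entry in register.items() if mac not in discovered}
    return {"unregistered": unregistered, "not_seen": not_seen}
```

On the sample, reconcile() reports two unregistered MAC addresses (the modem and the laptop) and one registered workstation that was not on the wire, each of which is a question for the asset-identification step rather than for the firewall rule set. MAC addresses are compared case-insensitively because ARP tables and inventory spreadsheets rarely agree on case.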
Risk Identification and its importance
As Frame (2003) states, "Risk identification is the first step in the risk assessment process: Its purpose is to surface risk events as early as possible, thereby reducing or eliminating surprises" (p. 49). The importance of risk identification in security management lies mainly in developing a clear sense of the sources of security problems. Once the possible impact of a risk on the assets of the company has been established, "… the risk analysts, working with managers and employees in the enterprise, engage in risk response planning to develop strategies" (Frame, 2003, p. 49). In essence, the aim and rationale of risk identification is "… to avoid surprises" (Frame, 2003, p. 49).
The importance of the risk identification phase in security management is reiterated in a number of studies. Prybylski (2008) states that "Effective risk management is dependent on identification. Many risk stakeholders say, 'It's not the risks that I know about that concern me; it's the ones that we have not identified'" (Prybylski, 2008, p. 56).
The importance of the identification process is also underlined by modern concerns that it should be 'rethought' and improved in the light of the continuing and developing threat to information security.
Institutions must reinvent the process of risk identification. They must eliminate "groupthink" situations in which viewpoints that differ from the majority are dismissed without adequate analysis and be mindful of unfocused debates that can skew the view of risk and create additional, unintended risk exposures. (Prybylski, 2008, p. 56)
The Human Element and Other Problematic Areas
Among the criteria that relate to risk, certain studies have stressed the human element as being important in risk identification and assessment. As Lineberry (2007) states: "Few companies properly address the human element of information security" (p. 44). A security consultant, Debra Murphy, also notes that the human element in the identification of risk is often of cardinal importance: "There are times when the human element is the leaky faucet" that spills sensitive information (Lineberry, 2007, p. 44).
This also relates to the e-training gap. E-training refers to training within the organization that enables staff to identify and deal with possible risks and security threats. As one study on this aspect notes, there is generally a lack of this type of training, and this is an internal risk factor that should be taken into account (Lineberry, 2007, p. 45). It applies particularly to risks such as scams and the various forms of phishing that result in staff giving out information that may be a security risk, and especially to staff who deal with the public and who are exposed to customer demands. They can easily be taken in by a scam if they do not have the requisite training; for example, "Social engineering scam artists, who use deceptive and manipulative tactics on individuals to gain unauthorized access to information, pounce on that customer-focused mandate" (Lineberry, 2007, p. 44).