Reflections — Module 2

Zwivhuya
4 min read · Mar 20, 2021

Risk Assessment

Assessing and managing cybersecurity risk

In module 2 I learnt about two things: cybersecurity actors and vectors, and cyber security risk identification, assessment and management. The first unit dealt with cybersecurity threat actors and vectors. Before diving into the two units, it was important to understand what is meant by cybercrime. Cybercrime was defined as an intentional act that threatens the integrity, confidentiality, or accessibility of information assets or systems. The intentional act is motivated by financial gain, ideology, or the intent to cause harm to a specific individual or organisation. Information security professionals often quote the world-renowned military strategist Sun Tzu, who said:

Know thy enemy and know thyself, and you will not be imperiled in a hundred battles (Nachreiner, 2012)

When individuals or organisations want to know themselves, they are required to identify the vulnerabilities that an attacker may target. The source of an attack, typically referred to as the attacker, uses various methods to carry out the attack; these methods are referred to as vectors. South Africa developed the Electronic Communications and Transactions (ECT) Act, No. 25 of 2002, to support and regulate electronic communications and transactions. The Act encourages awareness of information security and related technologies, and provides legal guidelines created to prevent abuse of information systems. Cybersecurity vectors include malware, payment fraud, social engineering, data breaches and network attacks. The various types of attackers include lone hackers, insiders, hacktivists and organised crime. Understanding the attackers and the vectors they use helps individuals and organisations identify their vulnerabilities and apply appropriate mitigation strategies.

The second unit dealt with assessing and managing risk. I learnt that cyber risk is a business risk and that it is senior management’s responsibility to ensure that risk assessment and effective planning of controls are implemented. The information security risk identification and assessment process starts with establishing a clear and accurate identification of information assets and the resulting consequences if they are compromised or lost. The risk identification and assessment process generated four deliverables: the information asset classification worksheet, the asset valuation worksheet, the threat-vulnerability-asset (TVA) worksheet, and a ranked vulnerability assessment worksheet.

Risk can be defined as the likelihood of a vulnerability being exploited. Risk can be quantitatively expressed as:

Risk = (Likelihood x Value) - Controls + % Uncertainty

The equation can be used to tabulate a ranked list of risk factors based on each identified vulnerability’s likelihood and the value of the associated information asset. The module ended by highlighting the five strategies for managing risk: avoiding risk, controlling risk, transferring risk, mitigating risk, and accepting risk.
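As an added worked example (not part of the original post), the formula above applied to a small constructed TVA worksheet of the kind the assignment described, producing the ranked vulnerability list. The fictional eCommerce assets, their values, and the reading of Controls and % Uncertainty as percentages of the Likelihood x Value product are assumptions.

```python
from dataclasses import dataclass


@dataclass
class TvaEntry:
    """One row of a threat-vulnerability-asset (TVA) worksheet."""
    asset: str
    vulnerability: str
    value: float            # relative asset value, e.g. on a 1-100 scale
    likelihood: float       # probability of the vulnerability being exploited, 0.0-1.0
    controls_pct: float     # share of the risk already mitigated by current controls, 0-100
    uncertainty_pct: float  # uncertainty in the likelihood/value estimates, 0-100


def risk_score(e: TvaEntry) -> float:
    """Risk = (Likelihood x Value) - Controls + % Uncertainty.

    Assumption: the control and uncertainty percentages are taken of the
    (Likelihood x Value) product. Out-of-range inputs are rejected rather
    than silently producing a plausible-looking score.
    """
    if not 0.0 <= e.likelihood <= 1.0:
        raise ValueError(f"{e.asset}: likelihood must be between 0 and 1")
    if e.value < 0 or not 0 <= e.controls_pct <= 100 or not 0 <= e.uncertainty_pct <= 100:
        raise ValueError(f"{e.asset}: value must be >= 0 and percentages within 0-100")
    base = e.likelihood * e.value
    return base - base * e.controls_pct / 100 + base * e.uncertainty_pct / 100


def ranked_worksheet(entries):
    """Return (asset, vulnerability, risk) rows, highest risk first."""
    rows = [(e.asset, e.vulnerability, round(risk_score(e), 2)) for e in entries]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample worksheet for a fictional eCommerce business (assumed values).
SAMPLE_TVA = [
    TvaEntry("Customer database", "Staff phishing exposes admin credentials", 100, 0.5, 0, 20),
    TvaEntry("Web storefront", "Unpatched web server software", 80, 0.75, 50, 10),
    TvaEntry("Payment gateway integration", "Outdated TLS configuration", 90, 0.2, 80, 10),
]

if __name__ == "__main__":
    for rank, (asset, vuln, risk) in enumerate(ranked_worksheet(SAMPLE_TVA), start=1):
        print(f"{rank}. {asset:<28} {vuln:<42} risk={risk}")
```

The untreated phishing exposure ranks first even though the database and payment assets have similar values, because the other two rows already have controls in place.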

I felt a bit overwhelmed by the assignment, which required me to generate a TVA worksheet. By identifying various information assets and their values for a fictional eCommerce business, I was able to think of potential vulnerabilities associated with each information asset. By multiplying the information asset value and the likelihood of the vulnerability, I was able to calculate the risk value. I was then able to produce a ranked vulnerability assessment worksheet from the TVA risk value results. The exercise was intimidating because I have no experience in information security risk identification and assessment.

In coming up with controls for the vulnerabilities I identified, I realised that it is important to have extensive historical and up-to-date knowledge of information security risks and remedies. Having an appreciation of the technical knowledge required to secure information systems would be advantageous in gaining a holistic understanding of the cyber security environment.

Do the benefits of being hyperconnected through technology outweigh the risks?

The advent of the Internet of Things (IoT) has turned regular electrical devices into internet-ready smart devices that share information. Often, manufacturers of electronic devices do not develop smart devices with information security in mind. For example, a smart refrigerator is able to share information about its cooling parameters, such as thermostat readings, gas cylinder data and sensor data, to help the manufacturer offer better customer service and predict when the unit needs maintenance. However, malicious actors can use vulnerabilities in such devices to compromise other devices on the network where the smart device is installed. Some smart devices may be life-saving devices, such as smoke detectors and security systems; however, if compromised, they may be rendered unusable and pose a risk to their users. In my opinion, the benefits do not outweigh the risks if vulnerabilities in the devices are not mitigated.

What changes would you suggest to your organisation’s current information security risk management processes, based on your learnings from this week?

I would encourage senior management to provide regular cyber security training to all staff. I am convinced that the least sophisticated attack vectors, such as phishing, will remain the most cost-effective and popular attack vectors if staff members remain uninformed. Staff who are cybersecurity aware will practise information security best practices not only in the organisational context but in their personal lives as well. It is now more important than ever that staff are knowledgeable in cyber security, given the growing trend of working remotely. Ensuring that the organisation’s information assets are accessible to legitimate staff has become increasingly risky, and organisations are required to implement controls that respond to current information security trends.
