
Computer Security Risk Management: Threats, Vulnerabilities, and Mitigation, Essays (university) of Cybercrime, Cybersecurity and Data Privacy

This document delves into the crucial aspects of computer security risk management, providing a detailed analysis of threats, vulnerabilities, and mitigation strategies. It explores the role of planning, staying on task, meeting deadlines, and utilizing feedback in reducing risk. The document also examines the key elements of a strong website security policy and the roles of key personnel in the risk management process. It further discusses the importance of employee awareness and training in mitigating insider threats and provides a practical example of risk calculation.

Typology: Essays (university)

2023/2024

Uploaded on 12/12/2024

elisha-kiplangat

Computer Security
NAME
Course
Professor
Date of Submission

Computer Security Risk Management Assignment 1

Part 1

Question 1

A risk assessment produces a list of identified risks; the organization must then decide how to respond to each of them. A well-chosen response lowers the likelihood or the impact of the risk and so improves organizational outcomes. The five ways of responding to a risk after an assessment are:

  1. Risk Avoidance: abandoning or changing the activity that gives rise to the risk, so that the risk and its impact are eliminated entirely.
  2. Risk Reduction: applying measures that lower the likelihood of the risk occurring or lessen the damage it causes, for example by strengthening security controls to remove vulnerabilities.
  3. Risk Sharing: transferring part of the risk to another party, for example by outsourcing certain functions or buying insurance, so that the financial loss is limited if the risk is realized.
  4. Risk Retention: accepting the risk when the cost of mitigating it exceeds the expected impact. This is usually appropriate when the risk is unlikely or when the cost of prevention outweighs the loss it would cause.
  5. Risk Monitoring: continuously tracking and re-evaluating risks against the mitigation strategies in place, so that the organization knows its controls remain effective and receives early warning of new risks.

The Role of Planning, Staying on Task, Meeting Deadlines, and Utilizing Feedback in Reducing Risk

Question 2

Website Security Policy Analysis

A strong website security policy has several dimensions that make it credible in protecting user data and that also serve legal compliance. The five key elements of a good policy are matched below against the website security policy in the scenario, with the matching example from the scenario and the improvement that would strengthen the policy:

Data Collection & Privacy
  Example from scenario: Collects email, addresses, and domain names.
  Improvement: Be more explicit about exactly what data is collected and why.

Cookie Usage
  Example from scenario: Cookies are used to collect data without the user's approval.
  Improvement: State which cookies are used, what each collects, and how users can opt out.

Data Sharing
  Example from scenario: Information is shared with business partners.
  Improvement: Clarify the types of business partners and what information they receive.

User Consent & Control
  Example from scenario: Allows users to manage browser settings to refuse cookies.
  Improvement: Request explicit consent before any cookie is stored on the user's device.

Legal Compliance & Transparency
  Example from scenario: Information is shared with third parties when required by a legal authority.
  Improvement: Outline how user information is protected from unauthorized access.

Key Roles in the Risk Management Process

Risk management assigns distinct roles to key personnel, both in identifying and assessing risks and in driving the formulation and implementation of mitigation. The CIO oversees the organization's overall risk management strategy, especially as it concerns the IT infrastructure; the CIO aligns the risk management effort with the organization's business goals and is responsible for allocating appropriate resources to the management of IT-related risks (Joint Task Force Transformation Initiative, 2012). The CIO works with the other executives to ensure that the IT risk management strategy supports the broader organizational objectives. The CRO develops strategies for mitigating the organization's financial, operational, and strategic risks and works with senior management to build comprehensive frameworks for identifying, assessing, and mitigating them (Giuca et al., 2021). This makes the CRO central to managing the organization's cybersecurity posture: much of the role concerns identifying and mitigating security risks to the organization's IT systems, data, and infrastructure. The Risk Management Team, although made up of only a few core members such as risk analysts and subject-matter specialists, works closely with department heads to identify and quantify risks at the operational level. The Compliance and Legal Teams ensure that risk management practices stay within the law and applicable regulations; they are important in mitigating the risks of legal non-compliance and in ensuring that the organization follows the standards set by its industry.

employees. The combination of threats and vulnerabilities produces risk: the potential harm that results when a threat exploits a vulnerability. Employees can be the greatest threat to an organization's security. Most often the threat arises from human error, malice, or negligence (Youssef, 2020). An employee may cause a breach intentionally or inadvertently by mishandling information, ignoring established security procedures, or clicking on a phishing email. Employees who bypass security controls, or who deliberately attack the organization's information assets, pose a serious threat as well. Insider threats can be malicious or non-malicious. Malicious insiders may steal confidential data, sabotage systems, or deliberately attempt to damage the organization (Joint Task Force Transformation Initiative, 2012). Non-malicious insider incidents usually stem from careless mistakes: sharing passwords, disposing of sensitive documents improperly, or failing to apply security patches. Either kind exposes the organization to data breaches, financial loss, and reputational damage.

Several factors make employees the largest vulnerability in an organization's operations. One is a lack of proper training: employees who are not educated in security best practices are more likely to make the mistakes that lead to breaches. Another is weak access control: when employees have access to systems and data they do not need for their duties, they can harm the organization, accidentally or intentionally, through that excess access (the principle of least privilege exists to prevent exactly this). Weak password policies and password sharing likewise raise the chance that an intruder ends up with access.
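The relationship this paragraph describes, threat and vulnerability combining into risk, is easier to see once it is scored. The following Python is an added example, not part of the original essay: it applies the Risk = Threat × Vulnerability × Impact model that the essay uses in its worked calculation at the end of this part to a small constructed register of the insider scenarios above, and then applies the Question 1 criterion for choosing between reducing and retaining a risk (adopt the control only when the exposure it removes exceeds the control's cost). Every scenario name, probability, cost and residual-vulnerability figure in the register is an assumption made for illustration; only the first entry's 0.5, 0.7 and $100,000 are the essay's own numbers.

```python
"""Scoring a risk register with Risk = Threat x Vulnerability x Impact.

Added example; the register entries, probabilities and costs are constructed
to illustrate the insider-threat scenarios in the essay, not taken from it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    threat: float         # likelihood the threat acts, 0..1 (1 = certain)
    vulnerability: float  # likelihood the attempt succeeds against current controls, 0..1
    impact: float         # loss in dollars if the risk is realized


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float             # what the mitigation costs per year (assumed figure)
    residual_vulnerability: float  # vulnerability remaining once the control is in place


def _check_probability(p: float, what: str) -> None:
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"{what} must be within [0, 1], got {p}")


def exposure(threat: float, vulnerability: float, impact: float) -> float:
    """Expected loss in dollars: Risk = Threat x Vulnerability x Impact.

    Threat and vulnerability are probabilities, so their product is the
    probability of a loss event; multiplying by impact gives an expected
    (average) loss, not the worst case. Result is rounded to cents.
    """
    _check_probability(threat, "threat")
    _check_probability(vulnerability, "vulnerability")
    if impact < 0:
        raise ValueError("impact must be non-negative")
    return round(threat * vulnerability * impact, 2)


def recommend(risk: Risk, control: Optional[Control]) -> Tuple[str, float]:
    """Choose between the essay's 'reduce' and 'retain' responses.

    Returns (decision, net_annual_benefit). The control is worth adopting
    only when the exposure it removes exceeds its cost; otherwise the
    cheaper choice is to accept (retain) the risk as it stands.
    """
    before = exposure(risk.threat, risk.vulnerability, risk.impact)
    if control is None:
        return ("retain", 0.0)
    after = exposure(risk.threat, control.residual_vulnerability, risk.impact)
    net = round((before - after) - control.annual_cost, 2)
    return ("reduce", net) if net > 0 else ("retain", net)


def rank_register(
    register: List[Tuple[Risk, Optional[Control]]]
) -> List[Tuple[str, float, str, float]]:
    """Score every entry and order by current exposure, largest first."""
    rows = []
    for risk, control in register:
        decision, net = recommend(risk, control)
        current = exposure(risk.threat, risk.vulnerability, risk.impact)
        rows.append((risk.name, current, decision, net))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed register. The first entry uses the essay's own figures
# (0.5, 0.7, $100,000) so its exposure reproduces the $35,000 in the text;
# the controls and their costs are assumptions for illustration.
REGISTER: List[Tuple[Risk, Optional[Control]]] = [
    (Risk("Employee clicks a phishing email", 0.5, 0.7, 100_000),
     Control("Security awareness training", 8_000, 0.3)),
    (Risk("Over-privileged insider exfiltrates data", 0.2, 0.8, 250_000),
     Control("Least-privilege access review", 15_000, 0.3)),
    (Risk("Shared password reused by an intruder", 0.6, 0.5, 20_000),
     Control("Hardware MFA rollout", 12_000, 0.1)),
]


if __name__ == "__main__":
    for name, current, decision, net in rank_register(REGISTER):
        print(f"{name:42s} exposure=${current:>10,.2f}  "
              f"decision={decision:6s}  net benefit=${net:>10,.2f}")
```

Running the script prints the register ranked by exposure. The third entry is the retention case from Question 1: the assumed MFA control costs more per year than the $4,800 of exposure it would remove, so the cheaper decision is to accept that risk and spend the budget where the net benefit is positive.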

All these threats and vulnerabilities carry serious consequences. An insider incident, whether malicious or accidental, that exposes sensitive information can bring regulatory fines and legal liability (Joint Task Force Transformation Initiative, 2012), as well as a loss of customer confidence. Organizations should therefore manage these risks proactively: conduct periodic risk assessments, strengthen employee training programs, and enforce access controls. They should also build a security culture in which employees understand the possible consequences of their actions and why it is important to follow established security procedures.

Risk can be quantified with the formula

Risk = Threat × Vulnerability × Impact

where Threat is the likelihood that the threat acts and Vulnerability the likelihood that it succeeds, both on a scale from 0 to 1 (1 being certain), and Impact is the loss if the risk is realized. For example, with a threat likelihood of 0.5, a vulnerability level of 0.7, and a potential impact of $100,000 when the threat is realized:

Risk = 0.5 × 0.7 × $100,000 = $35,000

The product of the two likelihoods (0.35) is the probability of the loss event, so the $35,000 is an expected loss, the average exposure over many such periods; the worst case remains the full $100,000 impact.

References

Brumfield, C., & Haugli, B. (2021). Cybersecurity risk management. John Wiley & Sons.

Ferreira, D. J., Mateus-Coelho, N., & Mamede, H. S. (2023). Methodology for predictive cyber security risk assessment (PCSRA). Procedia Computer Science, 219, 1555-

  1. https://doi.org/10.1016/j.procs.2023.01.

Youssef, A. E. (2020). A framework for cloud security risk management based on the business objectives of organizations. arXiv preprint arXiv:2001.. https://doi.org/10.48550/arXiv.2001.