information system security - risk analysis
These revision notes describe what is meant by risk analysis, an important part of the process by which any business addresses potential problems with information system security.
What is Risk Analysis?
Risk Analysis has been defined as:
"a formal process of determining risks and developing a plan to deal with them"
Risks do not arise all by themselves. A risk is normally a product of two factors: threats (something could go wrong) and vulnerabilities (the information system(s) used by the business will allow things to go wrong).
Threats include:
- Deliberate manipulation of information prior to input/processing
- Impersonation of a legitimate user
- Untrained or poorly trained staff
Vulnerabilities include:
- Poor website or network design (e.g. which can allow "hackers" into a system or web site)
- Poor recruitment procedures
The first - and key - stage in addressing risks is to do a risk analysis. A risk analysis process has three main stages:
(1) Understanding risks to the business and how they can occur
(2) Understanding the potential cost to the business if they do occur (a business should focus its attention on the risks that have the greatest potential cost)
(3) Identifying suitable and effective measures and policies to:
- Minimise the likelihood of the threats happening
- Prevent or detect the threat
- Enable appropriate recovery action to be taken
Many risks can be quantified - since they occur in most businesses - and there is lots of evidence of how threats and vulnerabilities arise.
The most important element in the process is that risk decisions are taken openly. Denying the presence of risk is not helpful. But trying to reduce the risk to zero is not realistic, and will normally cost more than it will save.
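As an added worked example (not part of the tutor2u notes), the three stages above applied to a small quantitative risk register: each risk is scored as threat likelihood x vulnerability x cost, ranked by potential cost, and a candidate control is kept only if its saving in expected loss exceeds what it costs to run. All risk names, probabilities and money figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    threat_likelihood: float  # chance per year the threat is attempted (0-1)
    vulnerability: float      # chance the system lets it succeed if attempted (0-1)
    cost_if_occurs: float     # loss to the business if it does succeed

    def expected_loss(self) -> float:
        # Stages 1 and 2: risk = threat x vulnerability, weighted by the cost
        return self.threat_likelihood * self.vulnerability * self.cost_if_occurs


@dataclass
class Control:
    name: str
    annual_cost: float
    residual_vulnerability: float  # vulnerability left once the control is in place


def rank_risks(risks):
    """Stage 2: order risks by potential cost, highest first."""
    return [r.name for r in sorted(risks, key=Risk.expected_loss, reverse=True)]


def net_benefit(risk, control):
    """Stage 3: saving in expected loss minus what the control costs per year."""
    after = Risk(risk.name, risk.threat_likelihood,
                 control.residual_vulnerability, risk.cost_if_occurs)
    return risk.expected_loss() - after.expected_loss() - control.annual_cost


# Constructed figures for illustration only (not real data)
RISKS = [
    Risk("Impersonation of a legitimate user", 0.5, 0.4, 20_000),
    Risk("Deliberate manipulation of input data", 0.3, 0.5, 10_000),
    Risk("Poor network design lets an outsider in", 0.6, 0.25, 50_000),
    Risk("Untrained staff enter wrong data", 0.9, 0.8, 2_000),
]
IMPERSONATION = RISKS[0]
CONTROLS = [
    Control("Two-factor authentication for all logins", 1_500, 0.05),
    Control("Remove all remote access (risk to zero)", 12_000, 0.0),
]

if __name__ == "__main__":
    for name in rank_risks(RISKS):
        print(name)
    for c in CONTROLS:
        print(f"{c.name}: net benefit {net_benefit(IMPERSONATION, c):.0f} per year")
```

The second control removes the impersonation risk entirely but costs more than the loss it avoids, which is the "reducing risk to zero" case the notes warn against.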