1.4 Information Security Risk Concepts and Principles

 

What is Risk? 

 

Let us look into some of the widely accepted definitions of Risk.




Risk Elements – Probability & Impact


  •  If you observe, almost every definition speaks directly or indirectly about two terms: Probability and Impact.

  •  In its simplest form, Risk is the product of Probability and Impact, i.e. Risk = P * I



 

Both terms are equally important in determining risk. Let us understand this with an example. The probability that an article gets damaged is very high, say 1, but the article is practically worthless, so the impact of its damage is nil, i.e. zero. The risk of, say, rain damaging that article is then:

Risk = P * I

i.e. Risk = 1 * 0 = 0

The converse also matters: an event with a low probability but a very high impact can still carry significant risk, which is why both terms must be estimated rather than either one dismissed.
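The arithmetic above is one entry of what a risk register does for many risks at once. The following program is an added example, not code from this web book or from ISACA: it scores each entry with Risk = P * I, ranks the register so the highest risks are treated first, and maps scores onto qualitative bands. The 0 to 5 rating scale, the band thresholds and the register entries are all assumptions constructed for illustration, not ISACA-prescribed values.

```go
package main

import (
	"fmt"
	"sort"
)

// Risk is one entry in a simple risk register. Likelihood and Impact are
// rated on the same ordinal scale (assumed here: 0 = none ... 5 = very high).
type Risk struct {
	Name       string
	Likelihood int
	Impact     int
}

// Score applies Risk = P * I. A zero impact (or zero likelihood) yields zero
// risk no matter how high the other factor is.
func (r Risk) Score() int {
	return r.Likelihood * r.Impact
}

// Level maps a score onto a qualitative band. The thresholds are an
// assumption for illustration, not a prescribed scale.
func Level(score int) string {
	switch {
	case score == 0:
		return "None"
	case score <= 5:
		return "Low"
	case score <= 12:
		return "Medium"
	default:
		return "High"
	}
}

// Rank returns a copy of the register ordered from highest to lowest score,
// so the highest-ranked risks can be treated first. The input is left as is.
func Rank(register []Risk) []Risk {
	ranked := append([]Risk(nil), register...)
	sort.SliceStable(ranked, func(i, j int) bool {
		return ranked[i].Score() > ranked[j].Score()
	})
	return ranked
}

func main() {
	// Constructed sample register, not real data.
	register := []Risk{
		{"Damage to a worthless article", 5, 0}, // high likelihood, nil impact
		{"Ransomware on file server", 2, 5},
		{"Phishing of help-desk staff", 4, 3},
		{"Data-centre flood", 1, 5},
	}
	for _, r := range Rank(register) {
		fmt.Printf("%-32s P=%d I=%d score=%2d %s\n",
			r.Name, r.Likelihood, r.Impact, r.Score(), Level(r.Score()))
	}
}
```

Run with `go run main.go`; the worthless article sorts last with a score of 0 even though it has the highest likelihood, while the low-probability flood still ranks above it because its impact is high.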


  • Probability is also known as likelihood, possibility, chances etc. 


  •  Likelihood or probability is used to calculate the risk that an organization faces based on the number of events that may occur within a given time period. 


  •  Factors that can affect likelihood are:

Factor           Description

Volatility       Unpredictability of conditions from one moment to another.

Velocity         Speed of reaction and recovery in response to an event.

Proximity        Time between the event occurring and its impact on the organization.

Interdependency  The materialization of two or more types of risk may affect the organization differently depending on whether the events occur simultaneously or consecutively.

Motivation       A motivated perpetrator has a higher chance of success.

Skill            A skilled perpetrator increases likelihood.

Visibility       If a vulnerability is visible and known, the likelihood of the target being attacked increases.

 

CIA Principle

 

  • Risk practitioners are required to have a solid understanding of CIA and the interrelationship between the three principles and a fourth – non-repudiation.


  •  CIA stands for Confidentiality-Integrity-Availability.

 

  •  They are in tension with one another: strengthening one of them tends to weaken at least one of the others, or substantially increases cost.

  •  For example, increasing confidentiality (say, by encrypting data) increases processing time, which reduces availability.



Confidentiality

 

  • Confidentiality refers to privacy of data.

 

  • Principle of confidentiality requires that data should be available to only authorized users. 


  •  Confidentiality can be ensured by following these principles:

       - Access on the basis of need to know

       - Access on the basis of least privilege


Integrity


  • Integrity refers to correctness, completeness and accuracy of data.


  •  The principle of integrity requires that data be guarded against unauthorized modification, deletion or destruction.


  • Risk practitioners need to have technical expertise to verify integrity controls.


  • Users' interaction with the data must be carefully considered to determine whether there is an integrity risk.


Availability

 

  • Availability refers to timely access to information and data.


  • In some cases, near-real-time availability may be needed for safety and system operations.


  • It is very important that the business determines the level of availability requirement for smooth business functioning.


  • Gap between required level and current level of availability indicates availability risks.


  • To be prepared for a natural disaster, it is appropriate to assume the worst-case scenario. This helps the organization to strengthen its ability to recover.


Non-repudiation

  • Non-repudiation refers to a positive guarantee that a given action was carried out by a given individual or process.


  • Non-repudiation requires tracing of responsibility and enforcing accountability.


  • Non-repudiation can be implemented through digital signatures and certificate-based authentication in a public key infrastructure (PKI).


  • Risk practitioners should ensure non-repudiation is implemented for critical processes such as deletion of records or modification of data.


  • Public key infrastructure (PKI) allows senders to provide authentication, integrity validation and non-repudiation.


  •  The most important aspect in establishing non-repudiation is the use of individual, unique IDs. Non-repudiation is difficult to establish where shared or generic IDs are in use, because any one of several users could have performed the action.
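The two points above, a signature in a PKI versus an ID shared by several people, can be shown in working code. The following is an added example, not code from this web book or from ISACA. It uses Ed25519 signatures from the Go standard library in place of a full certificate-based PKI, and assumes a directory that maps each individual's ID to that person's public key; the record being signed is a constructed sample. For contrast it also computes an HMAC over the same record with a shared secret: every holder of the secret produces the identical tag, so the tag can prove integrity but never which holder acted, which is exactly the shared-ID problem.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is an individual identity. Only the holder knows priv; Pub is
// published (in a real PKI, inside a certificate naming the holder).
type Signer struct {
	ID   string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewSigner(id string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{ID: id, priv: priv, Pub: pub}, nil
}

// Sign produces a signature over the record; only the holder of priv can.
func (s *Signer) Sign(record []byte) []byte {
	return ed25519.Sign(s.priv, record)
}

// VerifyAction is true only if the record is unmodified and the signature
// was made with the private key matching the claimed signer's public key.
func VerifyAction(claimed ed25519.PublicKey, record, sig []byte) bool {
	return ed25519.Verify(claimed, record, sig)
}

// Attribute finds which registered individual signed the record. With one key
// per person this establishes accountability; a shared or generic ID (one key
// for many people) cannot give you this.
func Attribute(directory map[string]ed25519.PublicKey, record, sig []byte) (string, bool) {
	for id, pub := range directory {
		if ed25519.Verify(pub, record, sig) {
			return id, true
		}
	}
	return "", false
}

// SharedTag is the shared-secret alternative (HMAC-SHA256). Anyone holding
// the key can both verify and produce it, so it cannot prove who acted.
func SharedTag(key, record []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(record)
	return m.Sum(nil)
}

func main() {
	alice, err := NewSigner("alice")
	if err != nil {
		panic(err)
	}
	bob, err := NewSigner("bob")
	if err != nil {
		panic(err)
	}
	directory := map[string]ed25519.PublicKey{alice.ID: alice.Pub, bob.ID: bob.Pub}

	// Constructed sample audit record of a critical action.
	record := []byte("DELETE customer=4711 ts=2024-01-01T00:00:00Z")
	sig := alice.Sign(record)

	who, ok := Attribute(directory, record, sig)
	fmt.Println("attributed to:", who, ok)                      // alice true
	fmt.Println("alice can blame bob:", VerifyAction(bob.Pub, record, sig)) // false
	tampered := bytes.Replace(record, []byte("4711"), []byte("4712"), 1)
	fmt.Println("tampered record verifies:", VerifyAction(alice.Pub, tampered, sig)) // false

	// With a shared "generic account" secret, alice's and bob's tags are identical.
	shared := []byte("generic-account-secret")
	fmt.Println("HMAC identical for both holders:",
		bytes.Equal(SharedTag(shared, record), SharedTag(shared, record))) // true
}
```

The signature gives all three properties the text attributes to PKI: the record cannot be altered without the check failing (integrity), it verifies only against the registered key of the person who signed it (authentication), and that person cannot later deny it because nobody else holds the private key (non-repudiation). Binding the public key to a named individual is the job of the certificate, which this example replaces with the in-memory directory.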


Key aspects from CRISC exam perspective

Question: What is the greatest concern for users of generic/shared accounts?
Answer:
  •  Accountability cannot be established
  •  Non-repudiation cannot be implemented

Question: What is the objective of non-repudiation?
Answer: Enforcing responsibility and accountability.

Question: How can non-repudiation be implemented?
Answer: Through digital signatures and certificate-based authentication in a public key infrastructure (PKI).

Question: Which method provides message integrity, sender authentication and non-repudiation?
Answer: Public key infrastructure (PKI).

Question: What is the best method to protect the confidentiality of data being transmitted over a network?
Answer:
  •  Data encapsulation
  •  Data encryption

Question: What is the most effective control against insider threats to confidential information?
Answer: Role-based access control (RBAC).

Question: Once likelihood has been determined, what is the next step?
Answer: Determine the magnitude of impact.

Question: What is most important in determining the risk mitigation strategy?
Answer:
  •  Impact analysis
  •  Risk ranking

Question: Confidentiality can be ensured by following which principles?
Answer:
  •  Access on the basis of need to know
  •  Access on the basis of least privilege

 


Video Tutorial - 1.4A Meaning of Risk
Video Tutorial - 1.4B CIA Principles
Video Tutorial - 1.4C Hash & Digital Signature
Video Tutorial - 1.4D IS Risks and Other Concepts
Flashcards - 1.4 Information Security Risk Concepts and Principles
Practice Questions - Information Security Risk Concepts and Principles





2.7 Risk Analysis Methodologies Risk analysis is the process of ranking of various risk so that areas of high can be prioritized for treating them.   Risk can be measured and ranked by use of any of the following methods:   Quantitative Risk Assessment Qualitative Risk Assessment Semi-quantitative Risk Assessment   Factor that influence the selection for above technique is availability of accurate data for risk assessment. When data source is accurate and reliable, organization will prefer quantitative risk assessment as it will give risk value in some numeric terms like monitory values. Monetary value is easy to evaluate to determine the risk response. Quantitative Risk Assessment In quantitative risk assessment, risk is measured on the basis on numerical values. This helps in cost benefit analysis as risk in monetary term can be easily compared to cost of various risk responses.   In quantitative risk assessment, various statistical methods are us