1.4 Information Security Risks, Concepts and Principles
What is Risk?
Let us look into some of the widely accepted definitions of Risk.
Risk Elements – Probability & Impact
If you observe, almost every definition speaks directly or indirectly about two terms:
Probability & Impact.
In its simplest form, Risk is the product of Probability and Impact, i.e.:
Risk = P * I
Both terms are equally important when determining risk. Let us understand this with an example. Suppose the probability of damage to a product is very high, say 1, but the product costs almost nothing, so the Impact is nil (zero) even if the product is damaged. The risk of rain damaging such articles will then be:
Risk = P * I
i.e. Risk = 1 * 0 = 0
Probability is also known as likelihood, possibility, chances etc.
Likelihood or probability is used to calculate the risk that an organization faces based on the number of events that may occur within a given time period.
Factors that can impact likelihood are:
CIA Principle
Risk practitioners are required to have a solid understanding of CIA and the interrelationship between the three principles and a fourth – non-repudiation.
CIA stands for Confidentiality-Integrity-Availability.
They are inversely related. To increase one of them results in decreasing at least one of the others or substantially increasing cost.
For example: increasing confidentiality increases processing time, which reduces availability.
Confidentiality
Confidentiality refers to privacy of data.
Principle of confidentiality requires that data should be available to only authorized users.
Confidentiality can be ensured by following principles:
Access on the basis of need to know
Access on the basis of least privilege
Integrity
Integrity refers to correctness, completeness and accuracy of data.
Principle of integrity requires guarding of data against improper modification, exclusion or destruction of information.
Risk practitioners need to have technical expertise to verify integrity controls.
Users' interaction with the data must be carefully considered to determine whether there is an integrity risk.
Availability
Availability refers to timely access to information and data.
In some cases, near-real-time availability may be needed for safety and system operations.
It is very important that the business determines the level of availability requirement for smooth business functioning.
Gap between required level and current level of availability indicates availability risks.
To be prepared for a natural disaster, it is appropriate to assume the worst-case scenario. This helps the organization to strengthen its ability to recover.
Non-repudiation
Non-repudiation refers to a positive guarantee that a given action was carried out by a given individual or process.
Non-repudiation requires tracing of responsibility and enforcing accountability.
Non-repudiation can be implemented through digital signatures and certificate-based authentication in a public key infrastructure (PKI).
Risk practitioners should ensure non-repudiation is implemented for critical processes such as deletion of records or modification of data.
Public key infrastructure (PKI) allows senders to provide authentication, integrity validation and non-repudiation.
The most important aspect in establishing non-repudiation is the use of individual and unique IDs. Where shared or generic IDs are used, non-repudiation is difficult to establish, because the same ID may have been used by multiple users.
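The following is an added illustration (not part of the course notes) of how the points above fit together: each individual has a unique ID bound to their own key pair, a critical action such as record deletion is signed, and a verifier checks the record against a directory of known public keys. It assumes Ed25519 signatures and a simple "ID|action" message layout; a real PKI would bind the ID to the public key through a certificate rather than a plain map.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Principal is one individual user with a unique ID and their own key pair.
// Constructed for this example; in a PKI the ID-to-key binding is a certificate.
type Principal struct {
	ID   string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewPrincipal(id string) (*Principal, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Principal{ID: id, Pub: pub, Priv: priv}, nil
}

// SignedAction is the audit record of a critical action (e.g. "delete record 42"),
// carrying the actor's ID and a signature over ID and action together.
type SignedAction struct {
	ActorID string
	Action  string
	Sig     []byte
}

// Sign produces a record that only the holder of p.Priv could have created.
func (p *Principal) Sign(action string) SignedAction {
	msg := []byte(p.ID + "|" + action)
	return SignedAction{ActorID: p.ID, Action: action, Sig: ed25519.Sign(p.Priv, msg)}
}

// Verify returns true only if the claimed actor is known, the record is unmodified,
// and the signature was made with that actor's key: authentication, integrity, non-repudiation.
func Verify(rec SignedAction, directory map[string]ed25519.PublicKey) bool {
	pub, ok := directory[rec.ActorID]
	if !ok {
		return false // unknown or generic ID: no individual can be held accountable
	}
	return ed25519.Verify(pub, []byte(rec.ActorID+"|"+rec.Action), rec.Sig)
}

func main() {
	alice, _ := NewPrincipal("alice")
	dir := map[string]ed25519.PublicKey{"alice": alice.Pub}
	rec := alice.Sign("delete record 42")
	fmt.Println("authentic:", Verify(rec, dir))
	rec.Action = "delete record 43" // any later modification breaks the signature
	fmt.Println("tampered:", Verify(rec, dir))
}
```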
Key aspects from CRISC exam perspective
Video Tutorial - 1.4A Meaning of Risk
Video Tutorial - 1.4B CIA Principles
Video Tutorial - 1.4C Hash & Digital Signature
Video Tutorial - 1.4D IS Risks and Other concepts
Flashcards - 1.4 Information Security Risk Concepts and Principles