1. Contrast risk, threat and vulnerability.
Threat, risk, and vulnerability are terms commonly used in risk management. Even though they seem very similar, they cannot be used interchangeably, because in risk management theory there is a distinct difference between them. A threat is a factor that cannot be controlled or influenced directly from the perspective of the risk manager. It exists independently of the current situation, and the main task of the risk manager is to identify the threat in time and come up with a plan for how to avoid it, prevent it, or minimize the consequences of facing it. Analyzing a threat means that risk managers should find the source of the specific attack and make sure that the project is secured against that threat (Marius, 2015). A risk is a measurable potential danger. It should be correctly evaluated by the manager and carefully managed. Risk shows the likelihood of a threat occurring, and every manager should be well informed about current risks in order to make reasonable management decisions ("Risk vs Threat vs Vulnerability – and Why You Should Know the Differences", 2014). A vulnerability can be defined as a weakness in the existing system or project that enables some sort of attack; it indicates the security flaws that can be used against the company or product (Marius, 2015).
2. Explain the relationship between the risk and loss.
Risk and loss are tightly bound in risk management. These are another pair of terms that are often confused and wrongly used in place of each other. Losses are the consequences of some actions, whereas risk is only an assumption or prediction about a potential loss. It is important to understand that risk evaluation shows only the probability of a loss. A risk may or may not lead to an actual loss: the probability may not be very high, the risk may have been managed in a smart way, or the company may simply have been lucky. Likewise, a loss is not always the result of risky choices or risky behavior ("The Difference between Risk & Loss", 2011). It is crucial to analyze your risks and make sure that the potential loss does not exceed the risk limits.
3. Describe risk management and assess its level of importance in information security.
Inherently, every organization is exposed to risks. The main goal of risk management is “to plan, organize, staff, lead, control the resources to decrease the possibility of loss” ("Risk Management for Texas State Agencies", 2004). Risk management potentially leads to increased productivity, a reduction in harmful incidents, and a reduction in the severity of losses. The process of risk management consists of the following steps: identifying potential risks, analyzing what the consequences may be and how severe they can be, selecting the most appropriate way to manage those risks, implementing the chosen method, and evaluating how successful the chosen methods were ("Risk Management for Texas State Agencies", 2004).
There are a few ways in which a company can respond to risk. First, eliminating the cause of the potential problem. Second, reducing the probability that the problem occurs, which lowers the expected monetary value of the unwanted event. Third, accepting the possibility that a loss may happen and creating a recovery plan (Stanleigh, 2016).
Risk management and risk assessment play a vital role in managing information security. Information security experts agree that information security risk management is a recurring activity that is supposed to carry out a careful risk assessment: identifying existing and potential threats to information security, finding the vulnerabilities that may lead to security breaches, and making sure that all risks are minimized and thoughtfully managed ("Risk Management - 2014 Information Security Guide", 2014).
Depending on the sphere in which a company works, the level of importance of information security varies. For example, a company that deals with sensitive financial information should pay tremendous attention to securing the private data of its customers. The same goes for companies that promise their clients confidentiality and anonymity. One example is the data leak from the dating website Ashley Madison in 2015, when the data of 37 million users was accessed and posted online by a group of hackers (Robinson & Zolfagharifard, 2015). The consequences for the company's image were tremendous, and it is almost impossible to recover from that. Information security is also important if the company aims to prevent industrial espionage. Companies whose intellectual property is their main asset should not simply disregard the threat but should invest in secure servers and in the work of information security specialists.
4. Argue the need for organizations to take risks with their data (e.g., is it a risky practice to store customer information for repeat visits?).
It is not always reasonable for a company to take risks with customer data. Storing sensitive information that belongs to clients can potentially lead to data theft, data loss, corrupted data, lawsuits, and loss of accountability ("7 Risks of Dropbox to Your Corporate Data - Company-Box", 2016). For example, Google stores all the geolocation data from our cell phones and tracks all their movements. This information can be accessed only by the user, but there is no guarantee that the data will be safe if third parties gain access to the phone or the Google account.
Nevertheless, a lot of companies are ready to take the risk of storing such information, since it provides deeper insights into how to manipulate the client into buying more of the products the company offers, how to offer more relevant services, and how to provide better assistance. For a lot of companies, the potential profit from using this information exceeds the potential risks, and it allows them to improve the user experience and create a more positive image.
5. Describe the necessary components in any organizational risk management plan.
There are six components in a risk management plan: definitions, assumptions, a risk breakdown structure, a probability-impact matrix, accuracy estimates (cost and schedule), and a risk register. In the “Definitions” section, the risk manager should describe the probabilities of the occurrence of a specified risk in terms such as Very Low, Low, Medium, High, and Very High. In the “Assumptions” section, the risk manager should describe the project costs, the project schedule, whether the team has prior experience with the required technologies and similar projects, and who the stakeholders of the project are. In the risk breakdown structure, the project manager specifies all the categories of risk and breaks them down into smaller ones that can be handled easily. The probability-impact matrix shows which factors should be considered while prioritizing tasks. Also, the risk manager should write down the probabilities of meeting specific deadlines in terms such as Low, Medium, and High. The risk register should list all important risks in table format, with columns such as Risk Description, Probability, Impact, Risk = Probability × Impact, Priority, and Response Plans (Roseke, 2015).
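As an added worked example (written for this page, not taken from Roseke or any of the cited sources), the following Python builds the risk register and probability-impact matrix described above. The mapping of the five ordinal levels to the integers 1 to 5, the priority thresholds on the resulting 1 to 25 score, and the sample risks are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Ordinal scale assumed for this example: the plan names the levels,
# but the numbers behind them are my choice.
LEVELS = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}


def priority_for(score: int) -> str:
    """Map a Probability x Impact score (1..25) to a priority band.

    The thresholds are an assumption made for this example.
    """
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    """One row of the risk register."""
    description: str
    probability: str   # one of LEVELS
    impact: str        # one of LEVELS
    response_plan: str
    score: int = field(init=False)
    priority: str = field(init=False)

    def __post_init__(self) -> None:
        # Reject levels outside the agreed "Definitions" scale early
        for level in (self.probability, self.impact):
            if level not in LEVELS:
                raise ValueError(f"unknown level {level!r}; expected one of {list(LEVELS)}")
        # Risk = Probability x Impact, as in the register's columns
        self.score = LEVELS[self.probability] * LEVELS[self.impact]
        self.priority = priority_for(self.score)


def probability_impact_matrix() -> dict:
    """Every (probability, impact) pair with the priority band it lands in."""
    return {(p, i): priority_for(LEVELS[p] * LEVELS[i]) for p in LEVELS for i in LEVELS}


def build_register(risks):
    """Order the register so the highest-scoring risks come first."""
    return sorted(risks, key=lambda r: (-r.score, r.description))


def render_register(register) -> str:
    """Plain-text table with the columns the plan lists."""
    header = ("Risk Description", "Probability", "Impact", "Risk", "Priority", "Response Plan")
    rows = [header] + [
        (r.description, r.probability, r.impact, str(r.score), r.priority, r.response_plan)
        for r in register
    ]
    widths = [max(len(row[c]) for row in rows) for c in range(len(header))]
    lines = [" | ".join(cell.ljust(widths[c]) for c, cell in enumerate(row)) for row in rows]
    lines.insert(1, "-+-".join("-" * w for w in widths))
    return "\n".join(lines)


# Constructed sample entries (not from the page or its sources)
SAMPLE_RISKS = [
    Risk("Office printer outage", "Very Low", "Low", "Accept; use the second printer"),
    Risk("Backup restore never tested", "Low", "Very High", "Schedule a quarterly restore drill"),
    Risk("Key developer leaves mid-project", "Medium", "High", "Document systems; cross-train"),
    Risk("Unpatched internet-facing web server", "High", "Very High", "Patch now; add to monthly patch cycle"),
]

if __name__ == "__main__":
    print(render_register(build_register(SAMPLE_RISKS)))
    high_cells = [k for k, v in probability_impact_matrix().items() if v == "High"]
    print(f"{len(high_cells)} of 25 matrix cells fall in the High band")
```

Running the file prints the sorted register; the unpatched server (4 × 5 = 20) lands in the High band and the printer outage (1 × 2 = 2) in the Low band, which is the prioritization the matrix is meant to make visible before response plans are assigned.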
References:
Risk vs Threat vs Vulnerability – and Why You Should Know the Differences. (2014). Pinkerton. Retrieved 14 January 2017, from https://www.pinkerton.com/blog/risk-vs-threat-vs-vulnerability-and-why-you-should-know-the-differences/
Marius, M. (2015). What's the difference between the terms “risk”, “threat”, and “vulnerability”? Linkedin.com. Retrieved 14 January 2017, from https://www.linkedin.com/pulse/whats-difference-between-terms-risk-threat-mihai-marius
The Difference between Risk & Loss. (2011). Riskviews. Retrieved 14 January 2017, from https://riskviews.wordpress.com/2011/03/02/the-difference-between-risk-loss/
Risk Management for Texas State Agencies. (2004). Sorm.state.tx.us. Retrieved 14 January 2017, from https://www.sorm.state.tx.us/rmtsa-guidelines-2/rmtsa-introduction/rmtsa-volume-one-table-of-contents/rmtsa-vol-i-section-two-chapter-1
Stanleigh, M. (2016). Risk Management: the What, Why, and How. Business Improvement Architects (Bia.ca). Retrieved 14 January 2017, from https://bia.ca/risk-management-the-what-why-and-how/
Risk Management - 2014 Information Security Guide. (2014). Spaces.internet2.edu. Retrieved 14 January 2017, from https://spaces.internet2.edu/display/2014infosecurityguide/Risk+Management
Robinson, M. & Zolfagharifard, E. (2015). Hackers have posted details of cheating spouses who AshleyMadison.com. Mail Online. Retrieved 14 January 2017, from http://www.dailymail.co.uk/sciencetech/article-3202851/Ashley-Madison-customers-exposed-Hackers-finally-posted-details-cheating-spouses-use-adultery-site.html
7 Risks of Dropbox to Your Corporate Data - Company-Box. (2016). Company-box.nl. Retrieved 14 January 2017, from http://company-box.nl/english/7-risks-dropbox-corporate-data/
Roseke, B. (2015). Risk Management Plan Components. ProjectEngineer. Retrieved 14 January 2017, from http://www.projectengineer.net/risk-management-plan-components/