Information Systems

Lesson#30

Threat Identification

“A threat is some action or event that can lead to a loss.”
The various types of threats that could, if they occur, result in information assets being exposed,
removed either temporarily or permanently, lost, damaged, destroyed, or used for unauthorized purposes
are identified. Susceptibility to threats, whether logical or physical, is a major risk factor for the database
and information system of an organization. These risks are to be identified, and steps that include physical
and logical controls need to be instituted and monitored on a regular basis. Security measures can be
designed only if we know what kind of threats or risks are to be guarded against. We would also
have to determine the frequency of the known and the unknown risks or threats.
The terms threat and risk are usually used synonymously. Threats are always there and cannot be avoided, but
they should be managed to minimize losses and maximize returns. Each level of management and each
operational area perceives risk differently and communicates these perceptions in different terms.

29.1 Types of Threats

Physical threat – This refers to the damage caused to the physical infrastructure of the information
systems, e.g.
o Fire
o Water
o Energy variations
o Structural damage
o Pollution
o Intrusion

Logical threat – This refers to damage caused to the software and data without physical presence, e.g.
o Viruses and worms
o Logical intrusion

Likelihood of occurrence of Threat:
Once the threats have been identified, they need to be ranked on the basis of their probability of occurrence.
Sometimes an analysis of the occurrence of a threat is easily available. For example, an insurance company might
have a study of the occurrence of fire incidents in a city for the purposes of fire insurance; however, the
extent of the threat resulting from a new virus may not yet have been identified or become known to the users.
In such a situation, where no past data or reliable source of probability of occurrence is available, users can
be asked to give their best estimate of how frequently the threat is likely to occur. Usually, the higher the value
of the information asset identified, the higher the chances of it being susceptible to vulnerability. For
example, ERP software built up to a high integration level may need to be provided with a high level of
security against potential threats.

29.2 Control Analysis
The goal of this step is to analyze the controls that have been implemented or are planned for
implementation by the organization to minimize or eliminate the likelihood of occurrence of a threat, so as to
derive an overall likelihood rating that indicates the probability that a potential vulnerability may be
exercised within the construct of the associated threat environment. Security controls encompass the use of
technical and non-technical methods. Technical methods are safeguards that are incorporated into
computer hardware, software and firmware, such as control mechanisms, identification and authentication
mechanisms, encryption methods, intrusion detection software, etc. Non-technical controls are management
and operational controls such as security policies, operational procedures, and personnel, physical and
environmental security. The control categories for both technical and non-technical control methods can be
further classified as either preventive or detective. These two sub-categories are explained as follows:
o Preventive controls inhibit attempts to violate security policy and include such controls as access control
enforcement, encryption and authentication.
o Detective controls warn of violations or attempted violations of security policy and include such
controls as audit trails and intrusion detection methods.

Likelihood Determination
To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be
exercised within the construct of the associated threat environment, the following governing factors must be
considered:
o Threat-source motivation and capability
o Nature of the vulnerability
o Existence and effectiveness of current controls

29.3 Impact analysis
The next major step in measuring the level of risk is to determine the adverse impact resulting from a successful
exercise of a vulnerability. Before beginning the impact analysis, it is necessary to obtain the following
information:
o System mission
o System and data criticality
o System and data sensitivity
This information can be obtained from existing organizational documentation, such as the mission impact
analysis report, business impact analysis report, or asset criticality assessment report. The adverse impact
of a security event can be described in terms of loss or delay of any or all of the three security goals.
o Loss of integrity: System and data integrity refers to the requirement that information should be
protected from improper modification. Integrity is lost if unauthorized changes are made to the
data or IT system, whether intentionally or accidentally. Violation of integrity
may be the first step in a successful attack against availability or confidentiality. For all these
reasons, loss of integrity reduces the assurance of an IT system.
o Loss of availability: If a mission-critical IT system is unavailable to its end users, the organization’s
missions may be affected through loss of system functionality and operational effectiveness.
o Loss of confidentiality: System and data confidentiality refers to the protection of information from
unauthorized disclosure. The impact of unauthorized disclosure of confidential information can
range from the jeopardizing of national security. Unauthorized, unanticipated, or unintentional
disclosure could result in loss of public confidence, embarrassment, or legal action against the
organization.

29.4 Risk Determination/Exposure Analysis
This phase relates to analyzing how much the information assets are exposed to the various threats identified,
and thus quantifying the loss caused to the asset through each threat. It covers the analysis of both
physical and logical threats. Four steps are usually followed while analyzing the exposure.
1. Figure out whether there are any physical or logical controls in place
o Employees are interviewed
o Walkthroughs are conducted
2. How reliable are these controls
o Check whether the firewall stops a virus from entering the organization’s system
o Check whether the installed antivirus stops the virus from executing
o Not every control can be tested directly: we cannot start an earthquake to see if the building can absorb shocks or not
3. What is the probability that an occurrence of the threat can be successful against these controls
o Compare the assets identified with the threats identified to see if controls exist
o Estimate the probability of occurrence based on past experience and future
apprehensions/expectations
4. How much loss can occur due to the threat being successful
o Scenarios are written to see how an identified potential threat can compromise a control
Risk identification is often confused with risk mitigation. Risk mitigation is a process that takes place after
the process of risk assessment has been completed. Let’s take a look at the various risk mitigation options.
o Risk Assumption: To accept the potential risk and continue operating the IT system, or to
implement controls to lower the risk to an acceptable level.
o Risk Avoidance: To avoid the risk by eliminating the risk cause, e.g. forgo certain functions of
the system or shut down the system when risks are identified.
o Risk Limitation: To limit the risk by implementing controls that minimize the adverse impact of a
threat’s exercising a vulnerability, e.g. use of supporting preventive and detective controls.
o Risk Planning: To manage risk by developing a risk mitigation plan that predicts, implements and
maintains controls.
o Research and Acknowledgement: To lower the risk of loss by acknowledging the vulnerability or flaw
and researching controls to correct the vulnerability.
o Risk Transference: To transfer the risk by using other options to compensate for the loss, such as
purchasing insurance.

29.5 Occurrence of threat
When a threat occurs, there can be the following consequences.
1. Controls against the threat exist
o Controls can help stop the occurrence of the threat.
o Threat occurs but damage is avoided by the controls.
o Threat circumvents controls and causes damage.
2. Controls against the threat do not exist
o Threat has not yet been identified.
o Threat has been identified but the consequent loss is considered minor.
o Threat occurs, whether identified or not, and causes damage to the system.
A threat can cause damage whether controls exist or not.
The cumulative amount of loss can be a major threat to the system. There is no international standard on
the acceptable level of losses. The materiality of every loss, howsoever determined by management, must be written
down and backed up by the approval of those who are in charge of IT governance. Review of these matters
will be undertaken when a security audit is done in order to ascertain the comfort level the can draw from
the security policy of the organization.

29.6 Computing Expected Loss
In the fourth step of the exposure analysis, the amount of expected loss is computed through the following formula:
A = B x C x D
1. A = Expected Loss
2. B = Chances (in %) of threat occurrence
3. C = Chances (in %) of Threat being successful
4. D = Loss which can occur once the threat is successful

Control Adjustment
This phase involves determining whether any controls can be designed, implemented and operated. The cost of
devising controls should not exceed the expected potential benefit being encashed and the potential loss
being avoided. The controls that could mitigate or eliminate the identified risks, as appropriate to the
organization’s operations, are provided. The goal of the recommended controls is to reduce the level of risk
to the IT system and its data to an acceptable level. The following factors should be considered in
recommending controls and alternative solutions to minimize or eliminate identified risks:
o Effectiveness of recommended options
o Legislation and regulation
o Organizational policy
o Operational impact
o Safety and reliability
The control recommendations are the results of the risk assessment process and provide input to the risk mitigation
process, during which the recommended procedural and technical security controls are evaluated, prioritized
and implemented.
It should be noted that not all possible recommended controls can be implemented. To
determine which ones are required and appropriate for a specific organization, a cost analysis should be
conducted for the proposed control recommendations to demonstrate that the costs of implementing
the controls can be justified by the reduction in the level of risk. In addition, the operational impact and
feasibility of introducing a recommended option should be evaluated carefully during the risk mitigation
process.
The above decision takes into account the following factors:
1. Personal judgment of the situation
2. Any information gained on desired/non-existing controls during the previous phases
3. Demands of users for an ideal control environment
Existing controls should not be totally discarded while adjusting controls. They can either be terminated
totally, because the threats are no longer there or better controls exist, or be modified for
betterment. This phase should aim for security that is cost-effective and integrated.
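
The expected loss formula of 29.6 and the cost analysis described under Control Adjustment, worked through as an added example (not part of the original lesson). The names Threat, Control and evaluate and every figure are constructed for illustration; chances are written as fractions (0.02 means 2%), and each control's cost is assumed to cover the same period as the chance of occurrence.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Threat:
    name: str
    occurrence: float  # B: chance of threat occurrence (0.02 means 2%)
    success: float     # C: chance of the threat being successful against controls
    loss: float        # D: loss which can occur once the threat is successful

    def __post_init__(self):
        for p in (self.occurrence, self.success):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: chances must be between 0 and 1")

    def expected_loss(self) -> float:
        return round(self.occurrence * self.success * self.loss, 2)  # A = B x C x D

@dataclass(frozen=True)
class Control:
    name: str
    threat: str         # name of the threat the control addresses
    cost: float         # assumed cost of the control over the same period as B
    new_success: float  # estimated C once the control is in place

def evaluate(threats, controls):
    """Per control: (name, loss avoided, cost, justified), best net benefit first."""
    by_name = {t.name: t for t in threats}
    rows = []
    for c in controls:
        before = by_name[c.threat]
        after = replace(before, success=c.new_success)  # same threat, lower C
        avoided = round(before.expected_loss() - after.expected_loss(), 2)
        rows.append((c.name, avoided, c.cost, c.cost <= avoided))
    return sorted(rows, key=lambda r: r[1] - r[2], reverse=True)

# Constructed sample register; every figure is illustrative.
THREATS = [
    Threat("Fire", 0.02, 0.50, 1_000_000),
    Threat("Virus", 0.60, 0.25, 80_000),
    Threat("Logical intrusion", 0.10, 0.30, 500_000),
]
CONTROLS = [
    Control("Sprinkler system", "Fire", 12_000, 0.10),
    Control("Antivirus updates", "Virus", 3_000, 0.05),
]

if __name__ == "__main__":
    for row in evaluate(THREATS, CONTROLS):
        print(row)
```

A control is marked as justified only when its cost does not exceed the expected loss it avoids, which is the test the cost analysis above asks for.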
