Exceptional Computer Services (ECS) is a company engaged in information services and in activities closely linked with information and data security. Because digital data is seriously exposed to risks and attacks, the assessment of risks to that data is of great importance for the company. Its organizational policy requires the company's information security group to initiate risk assessment procedures on a regular basis.
Risk assessment entails a data-gathering phase, the subsequent processing of that information, and the evaluation of the Annual Loss Expectancy (ALE) and the Estimated Annual Cost. Business unit managers should therefore assist in defining the most important operations for the evaluation, since risk assessment figures are valuable only for the most important operations.
The business functions of Exceptional Computer Services consist of offering high-quality IT and information security services to the public. Successful business performance in this field requires thorough technical and HR management, along with a proper marketing strategy and the allocation of resources for maintaining and developing the technical systems. ECS is a service provider, and so the company is responsible for delivering high-quality “on demand computing power”. Its marketing performance rests on cyclical and time-sensitive managerial and computing systems.
The conventional approach has been for organizations either to “over-provision” computing resources so that they can respond to short-term needs, or to prioritize normal functions so that some can be delayed or skipped altogether whenever resource demand peaks. From this point of view, most risk assessments should take the cyclical nature of possible threats into consideration.
The aim of this analysis is to assess the possible risks closely associated with information security and the preservation of data privacy. These risks include not only technical issues but also issues linked with the human factor.
The analysis focuses on the risk exposure of the service provider's computing grid service, taking into consideration the various aspects of information security, including the security of computing and communication systems.
The methodology for identifying and assessing the risks is generally the following:
- Identify and value the critical business functions.
- Estimate probabilities of occurrence for the most likely threats and threat agents.
- Calculate Risk Exposure (RE) for the critical business function.
- Identify additional security countermeasures and calculate a return on the potential security investment.
- Offer a final recommendation, based on RE and exploration of potential additional countermeasures.
Risk Assessment Process
Quantitative risk assessment is the procedure of analyzing the Annual Loss Expectancy (ALE) and the Estimated Annual Cost in the context of possible losses, and of formulating the recommendations necessary for avoiding those losses or diminishing the consequences of the dangers. According to Baker (2008), risk assessment in companies engaged in information activities is generally linked with the following actions:
- Development of the new computer and data communication systems
- Defending new technologies and innovations from investigation and industrial espionage by competitors
- Improvement of the security options
Threats and Vulnerabilities
The possible risks are evaluated against the range of the most serious threats in the IT sphere. As Golden (2008) emphasizes, the risks may be divided into the following categories:
- Human Factor
- Technological Risks
- Malicious Acts
- Natural Disasters
Nevertheless, it should be emphasized that only those threats for which a companion vulnerability exists need be considered. A potential threat with no exploitable vulnerability is not a real threat, and therefore presents no real risk.
The table below lists the potential threats and their probabilities from each of the four major threat sources. These threats have been hypothesized from an analysis of the computing grid service description and the associated known threat environments.

| Category of threat | Potential risk | Annualized Rate of Occurrence |
|---|---|---|
| Human Factor | Negligent staff | 1 in 100 |
| Human Factor | Mistakes in Administration | 1 in 1000 |
| Human Factor | Restructuring of the control process | 1 in 10 |
| Technical Risks | System Failure | 1 in 250 |
| Malicious Acts | Spammers | 1 in 1000 |
| Malicious Acts | Phishers | 1 in 500 |
| Malicious Acts | Cyber Criminals | 1 in 1000000 |
| Malicious Acts | Spyware | 1 in 1000 |
Human Factor Threats
Negligent staff is a problem of improperly adjusted HR management, and it is generally regarded as the most common internal problem for any company. Although the probability is quite small, it should be taken into consideration and prevented as soon as possible. Since part of the ECS staff is employed without any background check, the probability of failure from this cause increases.
Mistakes in administration are even less probable; nevertheless, the consequences of such failures may be more serious.
Restructuring of the control process is a factor that gives rise to numerous mistakes and failures during the adaptation and testing period. It is primarily a managerial risk.
System breakdown (the System Failure row of the tables) is often regarded as a technical problem, yet it is closely linked with the problem of negligent and poorly trained staff.
Phishers, spammers and spyware are risks of the same category (malicious acts); consequently, all assessments and prevention measures for them should be aimed at improving the security system.
Natural disasters are rather hard to assess, as this factor depends on the geographical location of the office and the technical features of the equipment.
| Category | Threat | Estimated Likelihood | Risk Exposure / Annualized Loss Expectancy (ALE) |
|---|---|---|---|
| Human Factor | Negligent staff | 0.5 % | $5,000 |
| Human Factor | Mistakes in Administration | 0.2 % | $200,000 |
| Human Factor | Restructuring of the control process | 1 % | $50,000 |
| Technical Factors | System Failure | 2 % | $40,000 |
| Malicious Acts | Spammers | 0.1 % | $100 |
| Malicious Acts | Phishers | 0.2 % | $500 |
| Malicious Acts | Cyber Criminals | 0.5 % | $1,000 |
| Total ALE | | | $301,600 |
Table 1 Risk Assessment (Cordesman and Cordesman, 2007).
Risk Exposure Reduction Analysis
| Potential Threat | Avoidance | ROSI | Risk Leverage |
|---|---|---|---|
| Negligent staff | Regular training and qualification improvement | -$1,500 | 0.75 |
| Mistakes in Administration | Regular training, analysis of the work | $70,000 | 27.00 |
| Restructuring of the control process | Experience exchange with other companies | $20,000 | 2.00 |
| System Failure | Timely update of software and hardware | $150,000 | 6.00 |
| Spammers | Regular update of the spammer list | -$3,500 | 0.42 |
| Phishers | Security education for customers | -$1,500 | 0.31 |
| Cyber Criminals | Data security improvement | -$3,000 | 0.14 |
| Spyware | Proper firewall adjustments | -$2,000 | 0.53 |
Along with the financial estimation of the risks, it should be noted that the company will also lose time, customers and market position in addition to the financial losses. Consequently, the valuation of a business function may be measured in hours, customers, ranking among competitors, etc.
As for the metrics of risk assessment, the most valuable assessment scale is a coefficient that incorporates all the factors of risk and threat: likelihood, financial loss, time expended and, probably, the degree of moral dissatisfaction. A coefficient that combines all of them would reflect not only financial loss or business performance, but also take into consideration the personal burden on those who would be overcoming the consequences or diminishing the potential threat.
Thus, risk exposure may be expressed as the relation between the time and effort spent and the potential financial and marketing losses. In this analysis it is expressed as the Annualized Loss Expectancy together with the calculation of the Risk Leverage.
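The methodology steps listed earlier (value the business functions, estimate threat probabilities, calculate Risk Exposure, score additional countermeasures) and the three tables above give the figures but not the formulas behind them. The following calculator is an added example, not code from the essay or from ECS, and it uses the textbook definitions: ALE = SLE × ARO, RE = sum of the ALEs, ROSI in dollars = (ALE before − ALE after) − annual cost of the control, and Risk Leverage = (ALE before − ALE after) / annual cost. The threat names follow the tables, but every SLE, ARO, cost and residual value is constructed for the example, since the essay does not state them.

```python
"""Quantitative risk-exposure calculator (added example; constructed inputs)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Threat:
    """One row of a threat register: what one occurrence costs and how often it recurs."""
    name: str
    category: str
    sle: float  # Single Loss Expectancy: cost in $ of one occurrence
    aro: float  # Annualized Rate of Occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    """A proposed control, its yearly cost, and the residual risk it leaves behind."""
    threat_name: str
    description: str
    annual_cost: float   # $ per year to operate the control
    residual_sle: float  # SLE once the control is in place
    residual_aro: float  # ARO once the control is in place

    @property
    def residual_ale(self) -> float:
        return self.residual_sle * self.residual_aro


def total_ale(ales: List[float]) -> float:
    """Risk Exposure (RE) of a business function: the sum of its threats' ALEs."""
    return float(sum(ales))


def rosi(threat: Threat, cm: Countermeasure) -> float:
    """Return on security investment in $ per year: loss avoided minus control cost."""
    return (threat.ale - cm.residual_ale) - cm.annual_cost


def risk_leverage(threat: Threat, cm: Countermeasure) -> float:
    """Loss avoided per $ spent; below 1.0 the control costs more than it saves."""
    if cm.annual_cost <= 0:
        raise ValueError("countermeasure cost must be positive")
    return (threat.ale - cm.residual_ale) / cm.annual_cost


def recommend(threats: List[Threat], controls: List[Countermeasure],
              min_leverage: float = 1.0) -> Dict[str, dict]:
    """Score every control against its threat and flag the ones worth adopting."""
    by_name = {t.name: t for t in threats}
    report: Dict[str, dict] = {}
    for cm in controls:
        t = by_name[cm.threat_name]
        lev = risk_leverage(t, cm)
        report[cm.threat_name] = {
            "ale_before": t.ale,
            "ale_after": cm.residual_ale,
            "rosi": rosi(t, cm),
            "leverage": lev,
            "adopt": lev >= min_leverage,
        }
    return report


# Constructed sample register: names follow the essay's tables; the SLE/ARO,
# cost and residual values are invented for this example.
SAMPLE_THREATS = [
    Threat("Negligent staff", "Human Factor", sle=500_000, aro=0.01),
    Threat("System Failure", "Technical Factors", sle=2_000_000, aro=0.02),
    Threat("Phishers", "Malicious Acts", sle=250_000, aro=0.002),
]
SAMPLE_CONTROLS = [
    Countermeasure("Negligent staff", "Regular training and qualification improvement",
                   annual_cost=6_000, residual_sle=500_000, residual_aro=0.001),
    Countermeasure("System Failure", "Timely update of software and hardware",
                   annual_cost=4_000, residual_sle=2_000_000, residual_aro=0.008),
    Countermeasure("Phishers", "Security education for customers",
                   annual_cost=2_000, residual_sle=250_000, residual_aro=0.001),
]

if __name__ == "__main__":
    print(f"RE before controls: ${total_ale([t.ale for t in SAMPLE_THREATS]):,.0f}")
    for name, row in recommend(SAMPLE_THREATS, SAMPLE_CONTROLS).items():
        verdict = "adopt" if row["adopt"] else "reject"
        print(f"{name:16s} ALE {row['ale_before']:>9,.0f} -> {row['ale_after']:>8,.0f}"
              f"  ROSI {row['rosi']:>9,.0f}  leverage {row['leverage']:5.2f}  {verdict}")
```

With these constructed inputs the Negligent staff row comes out at ROSI −$1,500 and leverage 0.75, the same values the Risk Exposure Reduction table shows for it, which illustrates how a control that removes most of a small ALE can still cost more than it saves. A leverage threshold of 1.0 is the break-even point (ROSI of zero); an organization may set it higher to demand a margin. Passing Table 1's seven ALE figures to `total_ale` returns $296,600, which the reader can compare with the $301,600 total the table states.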
Basic Instructions for ECS
In order to minimize the probability of risk occurrence associated with data security, there is a strong need to arrange data confidentiality controls that protect data at the hardware and software levels. All customers should be educated on the means and measures of data protection, as protecting customers’ data is also in the primary interest of ECS.
The next recommendation, based on the estimated risks, is the arrangement and maintenance of a proactive IT audit. Monitoring and reporting on system processes are key to the timely identification and prevention of possible problems. These actions strengthen the general security system by recording all unauthorized actions in the data communication systems. Moreover, properly adjusted proactive IT auditing is aimed at responding to risks before they cause an incident, in contrast with reactive IT auditing, which is aimed at post-incident analysis.
Resilience engineering presupposes properly planned technical engineering and the proper elaboration of security measures in response to actual facts and circumstances (rather than in response to risks that have already materialized and their consequences). According to Baker (2008, p. 397) it entails the following: “Resilience engineering: designing, building, testing, operating and maintaining both business processes (i.e. business continuity) and IT systems to provide reliable and secure services by reducing vulnerabilities and single points of failure and hence minimizing unplanned downtime and other disruptive incidents even if threats materialize”.
The final recommendation relates to education. As already stated, the professional education of the technical and managerial staff, as well as awareness among customers and users of technical and information security issues, are the keys to preventing threats and minimizing the risks closely associated with the human factor. Moreover, in addition to education and qualification improvement, managers should give clear instructions to employees, who should clearly understand their obligations, especially in the security sphere. This is also a task of the HR management department, since, along with explaining the tasks, people should be motivated to perform them and to maintain the security structure.
As for the conditions under which quantitative and qualitative Security Risk Assessment should be recommended, such conditions can generally be regarded as the pre-incident and post-incident circumstances respectively.
Thus, quantitative analysis may be regarded as the evaluation of potential risks that have not yet materialized; it is therefore the analysis of potential future threats that may cause substantial losses and expenditures. Qualitative analysis, in its turn, is the set of recommendations and rules that may be used either for diminishing the risks or for overcoming the circumstances and problems caused by the threat. Taking this into account, qualitative analysis appears to be the more extensive and universal tool for risk assessment and management procedures.
In conclusion, the risk assessment procedure for any organization is essentially an averaging: precise risks can be calculated only after the threat or risk has produced its particular consequences. Nevertheless, as for the quantitative analysis and security risk assessment for the Exceptional Computer Services Company, in order to prevent the threats and minimize the possible risks the company will have to take into consideration numerous aspects and factors of successful business and technical performance. The technical side of the problem entails numerous aspects that change with technical progress.
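The proactive audit just described comes down to monitoring system activity and registering every unauthorized action so that it can be acted on before it becomes an incident. The script below is an added example of that idea, not a tool from the essay or from ECS: it walks a constructed activity log once, records refused accesses, configuration changes by accounts outside an approved administrator list, and bursts of failed logins from one source, and returns the findings for the audit report. The log line format, the host and account names, the administrator list and the thresholds are all invented for the example.

```python
"""Proactive audit over a constructed activity log (added example, not from the essay)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed line format, hypothetical rather than any real product's:
#   <ISO timestamp> <host> <EVENT> user=<name> src=<ip> [key=value detail]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: (?P<detail>.+))?$"
)

AUTHORIZED_ADMINS = {"alice", "bob"}  # constructed: accounts allowed to change configuration
FAIL_THRESHOLD = 3                    # this many failed logins from one source ...
FAIL_WINDOW = timedelta(minutes=5)    # ... inside this window raise a finding


def parse_line(line: str) -> dict:
    """Split one log line into fields; reject lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def audit(lines: List[str]) -> List[Dict[str, str]]:
    """Walk the log once and register every unauthorized action as a finding."""
    findings: List[Dict[str, str]] = []
    recent_fails: Dict[str, List[datetime]] = defaultdict(list)  # src -> AUTH_FAIL times

    def finding(rule: str, rec: dict) -> None:
        findings.append({"rule": rule, "ts": rec["ts"].isoformat(),
                         "host": rec["host"], "user": rec["user"], "src": rec["src"]})

    for line in lines:
        rec = parse_line(line)
        event = rec["event"]
        if event == "ACCESS_DENIED":
            # the system already refused the action; the audit must still record it
            finding("unauthorized-access", rec)
        elif event == "CONFIG_CHANGE" and rec["user"] not in AUTHORIZED_ADMINS:
            finding("config-change-by-non-admin", rec)
        elif event == "AUTH_FAIL":
            window = recent_fails[rec["src"]]
            window.append(rec["ts"])
            # forget failures that have aged out of the sliding window
            while rec["ts"] - window[0] > FAIL_WINDOW:
                window.pop(0)
            if len(window) >= FAIL_THRESHOLD:
                finding("repeated-auth-failure", rec)
                window.clear()  # report each burst once
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule for the audit report."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


# Constructed sample log (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_LOG = [
    "2024-03-01T09:00:01 grid-node-1 AUTH_OK user=alice src=10.0.0.5",
    "2024-03-01T09:01:10 grid-node-1 AUTH_FAIL user=admin src=203.0.113.7 reason=bad_password",
    "2024-03-01T09:01:12 grid-node-1 AUTH_FAIL user=admin src=203.0.113.7 reason=bad_password",
    "2024-03-01T09:01:15 grid-node-1 AUTH_FAIL user=root src=203.0.113.7 reason=bad_password",
    "2024-03-01T09:05:00 grid-node-2 ACCESS_DENIED user=carol src=10.0.0.9 path=/srv/customers.db",
    "2024-03-01T09:07:30 grid-node-2 CONFIG_CHANGE user=carol src=10.0.0.9 key=firewall.allow_all",
    "2024-03-01T09:08:00 grid-node-2 CONFIG_CHANGE user=bob src=10.0.0.3 key=backup.schedule",
    "2024-03-01T09:30:00 grid-node-3 AUTH_FAIL user=dave src=10.0.0.12 reason=bad_password",
]

if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['rule']:28s} host={f['host']} user={f['user']} src={f['src']}")
    print(summarize(results))
```

Run against the sample log, the audit produces three findings: the third failed login from 203.0.113.7 within the window, the refused access by carol, and carol's configuration change made from outside the administrator list; bob's change and dave's single failed login are normal operation and are left alone. Unparseable lines raise rather than being skipped, because silently dropping records is exactly the gap a proactive audit is meant to close.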
Baker, John C., et al. Mapping the Risks: Assessing Homeland Security Implications of Publicly Available Geospatial Information. Santa Monica, CA: RAND, 2008.
Cordesman, Anthony H., and Justin G. Cordesman. Cyber-Threats, Information Warfare, and Critical Infrastructure Protection: Defending the U.S. Homeland. Westport, CT: Praeger, 2007.
Golden, James R. Economics and National Strategy in the Information Age: Global Networks, Technology Policy, and Cooperative Competition. Westport, CT: Praeger, 2008.
Lohmeyer, Daniel F., Jim McCrory, and Sofya Pogreb. “Managing Information Security.” The McKinsey Quarterly (2008): 12.