Information Security is one of the key aspects for an organisation to sustain and grow. Without Information Security, an organisation is always at risk, both technically and strategically. To eliminate or reduce these risks, Risk Management and Risk Mitigation techniques have to be put in place. Risk Mitigation techniques reduce the risks faced in Information Security. In this paper, we describe Risk Mitigation in Information Security in detail, along with some of the Quantitative and Qualitative techniques for Risk Mitigation.
The overall objective of this paper is to conduct a comprehensive literature review and synthesis of Risk Mitigation based on the prior work done by many researchers.
Information security is the practice of protecting information or data and preventing its unauthorized use, access, modification and destruction.
It is designed to secure the Confidentiality, Integrity and Availability of the information, also known as the CIA Triad [1]. An information security risk is anything that poses a threat to the CIA triad of the information.
Risk Management is the process of identifying, evaluating, assessing and mitigating the risks or threats faced by an organization [2].
It involves successfully identifying the risks and their sources, how much impact they would have on the organization, what the probability of occurrence of each risk is, which risks are acceptable, and the steps taken to mitigate them [3]. “InfoSec risk management (ISRM) is the process of managing these risks, to be more specific; the practice of continuously identifying, reviewing, treating, and monitoring risks to achieve risk acceptance.” Risk Management has in recent times become one of the important tasks for an organization and is considered the backbone of enhancing the security of an IT organization [2].
Risk Mitigation is the process of finding and identifying a risk and taking preventive measures to diminish it according to the needs of the decision makers of an organization.
It is about “monitoring, tracking and evaluating risk process effectiveness” through the utilization of the IT systems.
Once an appropriate risk mitigation technique is in place, organizations can focus more on their long-term business strategies and goals. Risk Mitigation can be considered an important process as it helps organizations that are looking forward to changes in their business ventures, future investments and information systems. Additionally, it is a stepwise process which aims at “identifying, addressing and reducing” the risks even before they become part of a threat or affect a successful IT operation in organizations [4].
Risk mitigation basically includes preventing, controlling and sometimes accepting the risk. There are quite a number of ways to mitigate risks. Each of these techniques might require distinctive resources at different times; however, selecting the mitigation technique for an organization is very difficult. The main reason is that, in many risk mitigation models, the hidden and inconspicuous risks and threats are overlooked [5].
Risk Mitigation has its emphasis on applying strategic and tactical approaches to reduce any negative impact of the risks to systems’ overall “functionality, reliability, performance and maintainability”. The main objective of risk mitigation is to lower the approximate expense of the system downtime by applying a set of technical or organizational measures, which in turn helps in lowering the risk [6]. The components of risk mitigation are risk identification, risk decision, risk treatment and risk monitoring (as illustrated in Fig. 1) [5].
In risk identification, the potential risks are identified by experts using techniques such as risk rating, screening and assumption risk analysis. Risk decision helps the decision makers assess the impacts of different types of risks and decide which kinds of risks are acceptable to the organization. Risk treatment brings in management’s point of view on handling and treating the risks by comparing the different responses available for each risk. It also helps define a strategy to deal with the risks. Once the risk treatment has been applied, risk monitoring keeps an eye on risk milestones using milestone tracking [5].
Two families of techniques for risk mitigation are explained below: Quantitative and Qualitative.
Quantitative techniques, as the name suggests, use quantitative values such as the amount of data to determine the likelihood of occurrence of a risk and the estimated loss associated with the risk(s) [5]. Below are some Quantitative Techniques for Risk Mitigation:
Bayesian Models
A Bayesian model uses probability theory to represent the instability/uncertainty of information, and presents that information as a network diagram, a new model of information representation and reasoning. The use of Bayesian models has substantially increased in recent times, with broad usage in fault detection and “reliability assessment in enterprise power, medical, education, Military and so on” [7].
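As an added example (not part of the essay), the following shows the core calculation a Bayesian model performs: a prior belief about a hypothesis is revised with Bayes’ theorem as evidence arrives. The hypothesis (“this host is compromised”), the base rate, the two pieces of evidence and their likelihoods are all constructed assumptions for illustration; the pieces of evidence are treated as conditionally independent, which is the simplest (naive-Bayes) form of a Bayesian network.

```python
"""Bayesian update of a compromise hypothesis, as an added example.

Constructed figures only: the prior, likelihoods and evidence labels are
illustrative assumptions, not data from the essay or any real system.
"""
from typing import Iterable, List, Tuple


def bayes_update(prior: float, p_e_given_h: float, p_e_given_not_h: float) -> float:
    """Return P(H | E) from P(H), P(E | H) and P(E | not H) via Bayes' theorem."""
    for p in (prior, p_e_given_h, p_e_given_not_h):
        if not 0.0 <= p <= 1.0:
            raise ValueError("inputs must be probabilities in [0, 1]")
    joint_h = prior * p_e_given_h                  # P(H and E)
    joint_not_h = (1.0 - prior) * p_e_given_not_h  # P(not H and E)
    marginal = joint_h + joint_not_h               # P(E)
    if marginal == 0.0:
        raise ValueError("evidence is impossible under both hypotheses")
    return joint_h / marginal


def sequential_update(prior: float,
                      evidence: Iterable[Tuple[str, float, float]]) -> List[Tuple[str, float]]:
    """Fold several pieces of evidence into the posterior one at a time.

    Each item is (label, P(E | H), P(E | not H)).  The pieces are assumed to be
    conditionally independent given H (the naive-Bayes special case of a
    Bayesian network), so each posterior becomes the next step's prior.
    """
    trace = []
    posterior = prior
    for label, p_given_h, p_given_not_h in evidence:
        posterior = bayes_update(posterior, p_given_h, p_given_not_h)
        trace.append((label, posterior))
    return trace


# Constructed scenario: H = "this host is compromised", with a 2 % base rate.
# An IDS alert fires on 90 % of compromised hosts but also on 5 % of clean ones;
# an outbound connection to a never-seen domain is weaker evidence (60 % vs 20 %).
PRIOR_COMPROMISED = 0.02
CONSTRUCTED_EVIDENCE = [
    ("ids_alert", 0.90, 0.05),
    ("outbound_to_new_domain", 0.60, 0.20),
]


def posterior_after_all_evidence() -> float:
    """Posterior P(compromised) once every constructed observation is applied."""
    return sequential_update(PRIOR_COMPROMISED, CONSTRUCTED_EVIDENCE)[-1][1]


if __name__ == "__main__":
    print(f"prior: {PRIOR_COMPROMISED:.3f}")
    for label, p in sequential_update(PRIOR_COMPROMISED, CONSTRUCTED_EVIDENCE):
        print(f"after {label:<24s} P(compromised) = {p:.3f}")
```

With these constructed numbers the alert alone raises the probability of compromise from 2 % to roughly 27 %, and the second observation to roughly 52 %; the point of the model is that the low base rate keeps a single noisy alert from being treated as certainty, while accumulated evidence moves the estimate in a traceable way.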
Failure Mode and Effect Analysis (FMEA)
Failure mode and effect analysis is a quantitative method to determine the possibility that a suggested model or design is likely to fail. A failure mode is a way in which the model under test can fail, and effects analysis investigates the impact that the failure of a smaller component has on the entire network/system. The main objective of FMEA is to find, identify and remove any possible failures or issues in the model or system under test. The results of FMEA not only help developers improve their risk mitigation model but also help the management team implement measures to control or prevent damage to the system and to make a better plan for emergency response [8].
Fault Tree Analysis
A fault tree is an acyclic graph that helps in identifying all the chains of events that may lead to a mishap or system failure, and the frequency of occurrence of such events. It is a top-down logic diagram which uses Boolean logic to show how combinations of individual failures might bring down the entire system. Fault tree analysis is a risk mitigation technique that can be used when we have enough information about the faults which are likely to occur and the detailed causes of these faults [9].
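The following is an added example, not code from the essay or any of the cited works, of evaluating a small fault tree. It computes the two outputs a fault tree analysis typically produces: the probability of the top event (under the assumption that basic events are independent) and the minimal cut sets, i.e. the smallest combinations of basic events that are sufficient on their own to cause the top event. The tree, the event names and every probability are constructed for illustration.

```python
"""Fault tree evaluation, as an added example (not from the essay).

A top event is decomposed through AND/OR gates down to basic events.  Two
things a fault tree yields are computed here: the top-event probability
(assuming independent basic events) and the minimal cut sets, i.e. the
smallest combinations of basic events that are sufficient to cause the top
event.  The tree and all probabilities below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class BasicEvent:
    name: str
    probability: float  # probability the event occurs in the period of interest


@dataclass
class Gate:
    name: str
    kind: str  # "AND": all inputs must occur; "OR": any input suffices
    inputs: List["Node"] = field(default_factory=list)


Node = Union[BasicEvent, Gate]


def probability(node: Node) -> float:
    """Probability of the event at `node`, assuming basic events are independent."""
    if isinstance(node, BasicEvent):
        return node.probability
    child_probs = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in child_probs:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in child_probs:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r} at {node.name}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Minimal sets of basic events whose joint occurrence causes `node`."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        combined = [cs for sets in child_sets for cs in sets]
    elif node.kind == "AND":
        combined = [frozenset()]
        for sets in child_sets:
            combined = [a | b for a in combined for b in sets]
    else:
        raise ValueError(f"unknown gate kind {node.kind!r} at {node.name}")
    # Drop any set that strictly contains another: it is not minimal.
    minimal = [cs for cs in combined if not any(other < cs for other in combined)]
    return list(dict.fromkeys(minimal))  # de-duplicate, keep order


# Constructed tree: customer data is exposed only if an attacker obtains a
# credential AND the compensating controls fail.
CUSTOMER_DATA_EXPOSED = Gate("customer_data_exposed", "AND", [
    Gate("credential_obtained", "OR", [
        BasicEvent("phishing_success", 0.10),
        BasicEvent("password_reuse", 0.05),
    ]),
    Gate("controls_fail", "OR", [
        BasicEvent("mfa_absent", 0.30),
        Gate("mfa_bypassed_unnoticed", "AND", [
            BasicEvent("mfa_bypass", 0.02),
            BasicEvent("no_alerting", 0.50),
        ]),
    ]),
])


if __name__ == "__main__":
    print(f"P(top event) = {probability(CUSTOMER_DATA_EXPOSED):.4f}")
    for cs in minimal_cut_sets(CUSTOMER_DATA_EXPOSED):
        print("cut set:", sorted(cs))
```

For the constructed tree the top-event probability is 0.145 × 0.307 ≈ 0.0445, and the four minimal cut sets show which pairs or triples of failures the defender must break; a cut set that contains only two events (such as a phishing success together with absent MFA) is the kind of branch that mitigation should target first. The independence assumption is the usual caveat: if a basic event appears under several gates, the probability calculation double counts it, while the cut sets remain valid.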
Monte Carlo Method
The Monte Carlo method is a mathematical and statistical method that provides the decision-maker with a number of different outcomes and the probability of their occurrence by projecting the lower and upper bounds of conceivable results along with their consequences. It also permits professionals to look for the components that are causing changes in the risk assessment model [10].
Sensitivity Analysis
Sensitivity Analysis helps in finding out which risks would have the foremost effect on a project by determining how “sensitive” a proposed model is to its different parameters and to any change made in its structure [5].
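The Monte Carlo and Sensitivity Analysis passages above are served by one added example (not code from the essay or the works it cites). The loss model is a constructed assumption: the number of security incidents in a year is drawn from a Poisson distribution and each incident’s loss from a lognormal distribution, with illustrative parameter values. The Monte Carlo part reports the mean annual loss together with the 5th and 95th percentiles as the lower and upper bounds of conceivable results; the sensitivity part then moves each parameter down and up by 20 % while holding the others fixed, which shows which parameter the estimate is most sensitive to.

```python
"""Monte Carlo loss simulation with one-at-a-time sensitivity analysis.

Added example (not from the essay).  The loss model is a constructed
assumption: incidents per year follow a Poisson distribution and each
incident's loss is lognormal.  The parameter values are illustrative.
"""
import math
import random
import statistics
from typing import Dict, Tuple

# Constructed model parameters (an assumption, not data from any real organisation).
BASE_PARAMS: Dict[str, float] = {
    "incident_rate": 2.0,        # expected security incidents per year
    "loss_median": 50_000.0,     # median loss per incident, in currency units
    "loss_sigma": 0.8,           # spread of the lognormal per-incident loss
}


def poisson(rate: float, rng: random.Random) -> int:
    """Draw a Poisson-distributed count (Knuth's multiplication method)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        count += 1
        product *= rng.random()
        if product <= limit:
            return count - 1


def simulate_annual_loss(params: Dict[str, float], rng: random.Random) -> float:
    """One simulated year: sum the losses of a random number of incidents."""
    mu = math.log(params["loss_median"])
    return sum(rng.lognormvariate(mu, params["loss_sigma"])
               for _ in range(poisson(params["incident_rate"], rng)))


def monte_carlo(params: Dict[str, float], trials: int = 20_000, seed: int = 7) -> Dict[str, float]:
    """Run `trials` simulated years; report the mean and lower/upper percentiles."""
    rng = random.Random(seed)
    losses = sorted(simulate_annual_loss(params, rng) for _ in range(trials))

    def percentile(q: float) -> float:
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {
        "mean": statistics.fmean(losses),
        "p05": percentile(0.05),   # optimistic bound
        "p50": percentile(0.50),
        "p95": percentile(0.95),   # pessimistic bound
    }


def sensitivity(params: Dict[str, float], change: float = 0.20,
                trials: int = 20_000, seed: int = 7) -> Dict[str, Tuple[float, float]]:
    """Relative change in mean annual loss when each parameter is moved
    down and up by `change`, others held fixed.  Large swings mark the
    parameters whose estimates deserve the most scrutiny."""
    base_mean = monte_carlo(params, trials, seed)["mean"]
    result = {}
    for name in params:
        effects = []
        for factor in (1.0 - change, 1.0 + change):
            varied = dict(params)
            varied[name] = params[name] * factor
            mean = monte_carlo(varied, trials, seed)["mean"]
            effects.append((mean - base_mean) / base_mean)
        result[name] = (effects[0], effects[1])
    return result


if __name__ == "__main__":
    summary = monte_carlo(BASE_PARAMS)
    for key, value in summary.items():
        print(f"{key:>4s}: {value:>12,.0f}")
    for name, (down, up) in sensitivity(BASE_PARAMS).items():
        print(f"{name:<14s} -20%: {down:+.1%}   +20%: {up:+.1%}")
```

Two things the output makes visible that a single-point estimate hides: the 5th percentile is zero because a year with no incident is more likely than 5 % under these parameters, and the 95th percentile is several times the mean, so the pessimistic bound rather than the mean is what a downtime or insurance budget has to cover. The sensitivity table shows the mean responding roughly linearly to the incident rate and the median loss, whereas a 20 % change in the spread parameter moves it by a different amount, which is exactly the information a decision maker needs when choosing which estimate to refine.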
Qualitative techniques use a relative degree of risk or resource value based on priorities or rankings in categories such as bad, okay, good; low importance, high importance, very high importance; or on a scale from 1 to 10. “A qualitative technique assesses the impact and likelihood of the identified risks in a rapid and cost-effective manner” [5]. Below are some Qualitative Techniques for Risk Mitigation:
Business Impact Analysis (BIA)
The International Standards Organization standard ISO 22301 [12] defines BIA as the “process of analyzing activities and the effect that a business disruption might have upon them”. The most important BIA process steps are:
(a) Identifying business activities and the people who own their management;
(b) Identifying the staff to accumulate best-fitting data;
(c) Identifying the worst case scenarios that have a huge impact on the company’s status, its finances and resources;
(d) Identifying the duration of time during which any disruption in business activities is not acceptable and would result in a huge loss for the organization [11].
Root Cause Analysis (RCA)
Root Cause Analysis focuses on the losses of resources because of different types of failures. It tries to find the root cause of the failure rather than only looking at the obvious cause [5].
Cause and Effect Analysis
Cause and effect analysis is an organized and structured method to find out all the possible causes of a failure. It structures all the possible factors in wide categories that could have been responsible for a system failure so that all the hypothetical situations are considered [5].
Consequence / Probability Matrix
“The consequence/probability matrix aims to produce a level of risk or risk rating”. The structure of the matrix and the definitions associated with it totally depend on the setting in which it has been used and it is important that a proper design is utilized for these circumstances [5].
In conclusion, we emphasized the importance of Risk Mitigation for an organization. We also discussed the Quantitative and Qualitative techniques used for Risk Mitigation. Whichever technique we use for Risk Mitigation, we first have to identify the risks, then decide which risks can be a potential threat to our system, and finally monitor them. However, in reality, an attacker will try to find some loophole in our security. Hence, we have to be aware of all kinds of potential threats.
Risk Mitigation Techniques in Information Security. (2022, Sep 06). Retrieved from https://studymoose.com/risk-mitigation-techniques-in-information-security-essay