Risk Assessment of Information Technology Systems

By Nikolic, Bozo; Ruzic-Dimitrijevic, Ljiljana | Issues in Informing Science & Information Technology, Annual 2009



Introduction

Information technology, the technology with the fastest rate of development and adoption across all branches of business, requires adequate protection to provide a high level of security. The aim of a safety analysis applied to an information system is to identify and evaluate threats, vulnerabilities and safety characteristics. IT assets are exposed to the risk of damage or loss. IT security involves protecting information stored electronically; that protection implies data integrity, availability and confidentiality. Nowadays there are many types of computer crime: money theft 44%, damage to software 16%, theft of information 16%, alteration of data 12%, theft of services 10%, trespass 2% (Boran, 2003).

In order to minimize losses, it is necessary to apply risk management and risk assessment to information technology and operational risks. Risk management and risk assessment are the most important parts of Information Security Management (ISM). There are various definitions of Risk Management and Risk Assessment [ISO 13335-2], [NIST], [ENISA Regulation], but most experts accept that Risk Management involves analysis, planning, implementation, control and monitoring of implemented measures, and that Risk Assessment is a part of Risk Management. Risk Assessment consists of several processes:

* Risk identification,

* Relevant risk analysis,

* Risk evaluation

Risk Management recognizes risk, assesses risk, and takes measures to reduce risk, as well as measures to maintain risk at an acceptable level. The main aim of Risk Assessment is to decide whether a system is acceptable, and which measures would make it acceptable. For every organization using IT in its business processes it is important to conduct a risk assessment. Numerous threats and vulnerabilities are present, and their identification, analysis and evaluation make it possible to evaluate the impact of risk and to propose suitable measures and controls for mitigating it to an acceptable level.

Security policy has changed in recent years. From checklists for identifying specific events, information security has risen to a higher level, i.e. security policy and strategy now consider the threats and weaknesses of the business environment and the IT infrastructure (Dhillon, 2001).

Risk Management

In the process of risk identification, risk sources are distinguished by a certain event or incident. In that process, knowledge about the organization, both internal and external, plays an important role. Besides, past experience with risk issues from this or a similar organization is very useful. Many techniques can be used for identifying risk: checklists, experienced judgement, flow charts, brainstorming, Hazard and Operability studies, scenario analysis, etc.

In order to assess the level of risk, the likelihood and the impact of incidental occurrences should be estimated. This estimation can be based on experience, standards, experiments, expert advice, etc. Since every event has various and probably multiple consequences, the level of risk is calculated as a combination of likelihood and impact. Risk analysis or assessment can be quantitative, semi-quantitative or qualitative (Macdonald, 2004).

The quantitative approach to risk assessment assigns numerical values to both impact and likelihood. The quantitative measure of risk, calculated by a statistical model, is used to judge whether or not the risk is acceptable. Figure 1 represents the relations between consequences, likelihood and the limits of acceptance.

Event A has low values of both, and its risk is acceptable as long as it stays under the limits. Event C is above the limits, with high frequency and huge consequence. It is unacceptable, and it needs measures to reduce the consequence and/or the probability. For event B, which lies in the grey zone between the limits, it is hard to make a decision.

[FIGURE 1 OMITTED]
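The quantitative approach above can be made concrete with a small risk register. The following is an added example, not code from the paper or its authors. It assumes that the "combination of likelihood and impact" is the product (annualised likelihood times loss per occurrence, i.e. expected annual loss), that the two limits of acceptance are thresholds on that product, and that a control is modelled as scaling likelihood and/or consequence. The events A, B and C, the limits and all numbers are constructed to mirror Figure 1, not taken from the article.

```python
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ACCEPTABLE = "acceptable"
    GREY_ZONE = "grey zone: needs management judgement"
    UNACCEPTABLE = "unacceptable: reduce likelihood and/or consequence"


@dataclass(frozen=True)
class Event:
    name: str
    likelihood: float   # expected occurrences per year (assumed unit)
    consequence: float  # loss per occurrence, in currency units (assumed unit)

    def risk(self) -> float:
        # Risk as the combination of likelihood and impact; the product is an
        # assumption of this example (it yields the expected annual loss).
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class AcceptanceLimits:
    lower: float  # below this, risk is acceptable (event A in Figure 1)
    upper: float  # above this, risk is unacceptable (event C in Figure 1)

    def __post_init__(self) -> None:
        if not 0 <= self.lower <= self.upper:
            raise ValueError("limits must satisfy 0 <= lower <= upper")


def classify(event: Event, limits: AcceptanceLimits) -> Decision:
    """Place an event below, above or between the limits of acceptance."""
    r = event.risk()
    if r < limits.lower:
        return Decision.ACCEPTABLE
    if r > limits.upper:
        return Decision.UNACCEPTABLE
    return Decision.GREY_ZONE       # event B: between the limits


def with_control(event: Event, likelihood_factor: float = 1.0,
                 consequence_factor: float = 1.0) -> Event:
    """Model a mitigating measure as scaling likelihood and/or consequence.

    A factor of 0.1 on likelihood means the control leaves 10% of the
    original frequency; a factor of 1.0 leaves that dimension unchanged.
    """
    if not (0 <= likelihood_factor <= 1 and 0 <= consequence_factor <= 1):
        raise ValueError("a control cannot increase likelihood or consequence")
    return replace(event,
                   likelihood=event.likelihood * likelihood_factor,
                   consequence=event.consequence * consequence_factor)


def assess(events, limits: AcceptanceLimits):
    """Return a risk register as (name, risk, decision) rows, highest risk first."""
    rows = [(e.name, e.risk(), classify(e, limits)) for e in events]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample data mirroring events A, B and C of Figure 1.
LIMITS = AcceptanceLimits(lower=1_000.0, upper=10_000.0)
EVENTS = [
    Event("A: encrypted laptop lost in transit", likelihood=0.5, consequence=800.0),
    Event("B: single mailbox compromised via phishing", likelihood=2.0, consequence=2_500.0),
    Event("C: unpatched internet-facing server breached", likelihood=4.0, consequence=50_000.0),
]

if __name__ == "__main__":
    for name, risk, decision in assess(EVENTS, LIMITS):
        print(f"{name:48s} risk={risk:>10,.0f}  -> {decision.value}")
    # Measures for event C: patching cuts likelihood to 10%, tested backups cut
    # the consequence to 25%; together they move C from unacceptable to the grey zone.
    c_after = with_control(EVENTS[2], likelihood_factor=0.1, consequence_factor=0.25)
    print(f"C after controls: risk={c_after.risk():,.0f} -> {classify(c_after, LIMITS).value}")
```

With these constructed values, A scores 400 (acceptable), B scores 5,000 (grey zone) and C scores 200,000 (unacceptable); applying both controls to C brings it to 5,000, which is the grey zone, so a further measure or an explicit management decision is still required. The grey zone is kept as its own outcome rather than folded into either side, because the paper's point is precisely that events between the limits are the hard cases.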

Semi-quantitative assessment classifies threats according to the consequences and probabilities of occurrence. …
