Risk Assessment of Information Technology Systems
Nikolic, Bozo, Ruzic-Dimitrijevic, Ljiljana, Issues in Informing Science & Information Technology
Information technology, as a technology with the fastest rate of development and application in all branches of business, requires adequate protection to provide high security. The aim of the safety analysis applied on an information system is to identify and evaluate threats, vulnerabilities and safety characteristics. IT assets are exposed to risk of damage or losses. IT security involves protecting information stored electronically. That protection implies data integrity, availability and confidentiality. Nowadays, there are many types of computer crimes: money theft 44%, damage of software 16%, theft of information 16%, alteration of data 12%, theft of services 10%, trespass 2% (Boran, 2003).
In order to minimize losses, it is necessary to involve risk management and risk assessment in the areas of information technology and operational risks. Risk management and risk assessment are the most important parts of Information Security Management (ISM). There are various definitions of Risk Management and Risk Assessment [ISO 13335-2], [NIST], [ENISA Regulation], but most experts accept that Risk Management involves analys is, planning, implementation, control and monitoring of implemented measurements, and Risk Assessment, as part of Risk Management. It consists of several processes:
* Risk identification,
* Relevant risk analysis,
* Risk evaluation
Risk Management recognizes risk, accesses risk, and takes measures to reduce risk, as well as measures for risk maintenance on an acceptable level. The main aim of Risk Assessment is to make a decision whether a system is acceptable, and which measures would provide its acceptability. For every organization using IT in its business process it is significant to conduct the risk assessment. Numerous threats and vulnerabilities are presented and their identification, analysis, and evaluation enable evaluation of risk impact, and proposing of suitable measures and controls for its mitigation on the acceptable level.
The security policy has changed in the last years. From checklists for identifying specific events, the information security has risen onto a higher level, i.e. the security policy and strategy consider threats and weaknesses of the business environment, and IT infrastructure (Dhillon, 2001).
In the process of risk identification, its sources are distinguished by a certain event or incident. In that process, the knowledge about the organization, both internal and external, has an important role. Besides, past experiences from this or a similar organization about risk issues, are very useful. We can use many techniques for identifying risk: checklists, experienced judgments, flow charts, brainstorming, Hazard and Operability studies, scenario analysis, etc.
In order to assess the level of risk, likelihood and the impact of incidental occurrences should be estimated. This estimation can be based on experience, standards, experiments, expert advice, etc. Since every event has various and probably multiple consequences, the level of risk is calculated as a combination of likelihood and impact. Risk analysis or assessment can be quantitative, semi-quantitative, and qualitative (Macdonald, 2004).
Quantitative approach to risk assessment assigns numerical values to both impact and likelihood. The quantitative measure of risk calculated by statistical model is used to judge whether or not it is acceptable. Figure 1 represents relations between consequences, likelihood and limits of acceptance.
Event A has both low values, and risk is acceptable as far as it is under the limits. Event C is above the limits with high frequency and huge consequence. It is unacceptable, and it needs some measurements to reduce consequence and/or probability. For event B, which is in grey zone between the limits, it is hard to make decision.
[FIGURE 1 OMITTED]
Semi-quantitative assessment classifies threats according to the consequences and probabilities of occurrence. …