Thursday, December 12, 2019
A Report on Information Technology Risk Management
Questions:

1. For this question you are required to make at least two (2) forum postings, arguing either for or against the quantitative method of risk assessment. You will be assessed on what you contribute to the debate in terms of quality, not quantity (though your posting should at a minimum be a few sentences long). You may either create a new thread or reply to a previous posting. All new threads should contain the subject line "Quantitative Debate". (I will do the posting, I just need two arguments with references to base the posts on, please.)

2. Study Exhibits 61.1 and 61.2 from Reading 3, and answer the following questions:
(a) Explain in your own words what is meant by the terms Sweet Spot and Discretionary Area (see Exhibit 61.1).
(b) Explain the significance of a security decision that is located to the right of the Sweet Spot but outside the Discretionary Area (see Exhibit 61.1).
(c) Explain the significance of a security decision that is located to the left of the Sweet Spot but still inside the Discretionary Area (see Exhibit 61.1).
(d) Explain why you think the Defined Highest Acceptable Risk is located on the Sweet Spot, but the Defined Lowest Acceptable Risk is located to the right of the Sweet Spot (see Exhibit 61.2).

3. In Reading 7 for this subject, Ozier states that "The [ALE] algorithm cannot distinguish effectively between low frequency/high-impact threats (such as fire) and high-frequency/low impact threats (such as misuse of resources)." Explain why this is the case. Give an appropriate example to illustrate your explanation.

4. (Note: make sure you show ALL your working for this question.) The following threat statistics have been gathered by a risk manager. Based on these, calculate the ALE for each threat.

5. (Note: make sure you show ALL your working for this question.) Using the figures you calculated above, determine the relative ROSI (return on security investment) for each of the same threats with the following controls in place. Remember that a single control may affect more than one threat, and you need to take this into account when calculating the ROSI. Based on your calculations, which controls should be purchased?

6. Consider the data in the two tables that appear in questions 4 and 5 above. Sometimes a control may affect the cost per incident, sometimes the occurrence frequency, and sometimes both. Why is this the case? Illustrate your answer with an example drawn from the data provided.

7. The year is 1999 and you are the risk manager for a large financial institution. You apply Jacobson's Window model (Reading 11) to determine your company's preferred response to the impending Y2K bug. According to the model, should you accept, mitigate, or transfer the Y2K risk? Why? Do you agree with the model's recommendation? Why or why not?

8. (Note: make sure you show ALL your working for this question.) You want to persuade management to invest in an automated patching system. You estimate the costs and benefits over the next five years as follows:

Year      1       2       3       4       5
Benefits  $2,000  $2,500  $4,000  $4,000  $4,000
Costs     $3,000  $2,000  $750    $250    $250

Calculate the Net Present Value (NPV) for this investment. Assuming that management has set the Required Rate of Return at 10%, should the investment be made? Why or why not?

9. There are a number of qualitative risk assessment models available for use, such as FRAAP, OCTAVE, OWASP and CRAMM. Choose one of these models and briefly describe how risk assessment is conducted under it. Describe an example situation where you could use the selected model. Give your assessment of the validity, or otherwise, of this risk assessment model.

Answers:
1. Quantitative Debate

Post 1 (supporting the quantitative method of risk assessment). The quantitative method of risk assessment is a technique that quantifies the amount of risk from a previously identified level of risk. Using quantitative risk-assessment tools has extended the intelligibility and soundness of the assessment, so risks become easier to recognise, and each stage of the assessment is tied to an explicit quantity (. ., 2007). Reviewing the method in detail shows that, by following its sequential steps, one can identify the hazards, their outcomes (if any), the probability of each hazard and its attributes. Quantitative risk assessment therefore combines engineering, financial and ecological analysis.

Post 2 (supporting the quantitative method of risk assessment). In contrast to the qualitative technique of risk evaluation, quantitative analysis gives a more detailed picture. The main reason for emphasising the quantitative approach is that it assesses every identified risk by combining the probability of each key hazard with its impact. This makes it easier to specify which risk should be treated first.

2. Sweet Spot and Discretionary Area

(a) To reduce hazards and their occurrence, an organisation implements an information security system, and implementing an effective security system requires a certain amount of expense. The effectiveness of a security system is directly proportional to the expense incurred (Adler, Leonard & Nordgren, 1999).
An enhanced security system means that the occurrence of risk falls, so risk is inversely proportional to the expense incurred. If a two-dimensional plot is considered with security on the horizontal axis and expense on the vertical axis, the point where the cost curve and the risk curve intersect, where cost and risk are in equilibrium, is the Sweet Spot. Every organisation must spend at least some amount to manage risk, and some level of risk cannot be reduced at all. The region bounded by the predefined lowest cost, the minimum irreducible risk and the current risk-prevention practices is the Discretionary Area.

(b) A security decision located to the right of the Sweet Spot but outside the Discretionary Area: beyond the Sweet Spot the rate at which risk is reduced has fallen below the incremental rate at which expense is incurred, so each additional unit spent on security buys less risk reduction than it costs. Such a decision over-invests in security relative to the risk it removes.

3. Ozier argues that the ALE algorithm does not distinguish between high-impact/low-frequency threats and high-frequency/low-impact threats. For instance, fire is a low-frequency, high-impact threat, while misuse of resources is a high-frequency, low-impact threat (Yokouchi, 2007), and the ALE algorithm cannot properly differentiate between the two. The cause can be explained with an example. When an organisation focuses on risk loss estimates, it calculates the Annualized Loss Expectancy.
The calculation takes two steps:

Single Loss Expectancy (SLE) = Asset Value × Exposure Factor
Annualized Loss Expectancy (ALE) = SLE × Annualized Rate of Occurrence (ARO)

Multiplying asset value by exposure factor gives the single loss expectancy, the loss from one incident; multiplying that by the number of incidents expected per year gives the ALE. The product collapses frequency and impact into a single dimension, an expected annual loss (Adler, Leonard & Nordgren, 1999), so the ALE alone does not show whether that loss comes from many small incidents or from one rare, severe one. For a low-frequency/high-impact threat the magnitude of the outcome may coincide with that of a high-frequency/low-impact threat: in the table in answer 4, fire costs $500,000 once in ten years (ALE $50,000) while software piracy costs $600 about 52 times a year (ALE $31,200); a fire costing $312,000 per incident once in ten years would carry exactly the same ALE as the piracy row, yet the two threats call for very different controls. Thus the oversimplification of the ALE algorithm is the key reason it fails to draw a clear distinction between low-frequency/high-impact and high-frequency/low-impact threats.

4. ALE for each threat (ALE = SLE × ARO, with SLE taken as the cost per incident and ARO the number of incidents per year):

Threat                        Cost per incident  Occurrence frequency  SLE      ARO      ALE
Software piracy               $600.00            1 per month (*)       600      52       $31,200.00
Computer virus/worm           $2,000.00          1 per month           2,000    12       $24,000.00
Information theft (hacker)    $3,500.00          1 per 3 months        3,500    4        $14,000.00
Information theft (employee)  $6,000.00          1 per 4 months        6,000    3        $18,000.00
Denial-of-service attack      $11,000.00         1 per 2 years         11,000   0.5      $5,500.00
Laptop theft                  $4,000.00          1 per 5 years         4,000    0.2      $800.00
Web defacement                $1,500.00          1 per 2 years         1,500    0.5      $750.00
Fire                          $500,000.00        1 per 10 years        500,000  0.1      $50,000.00
Flood                         $300,000.00        1 per 15 years        300,000  0.0667   $20,000.00

(*) The ARO of 52 and the ALE of $31,200 correspond to one incident per week, not per month; at one incident per month the ARO would be 12 and the ALE $7,200.

5. ALE for each threat with the controls in place:

Threat                        Cost per incident  Occurrence frequency  SLE      ARO      ALE
Software piracy               $500.00            1 per 4 months        500      3        $1,500.00
Computer virus/worm           $1,300.00          1 per 5 months        1,300    2.4      $3,120.00
Information theft (hacker)    $2,000.00          1 per 6 months        2,000    2        $4,000.00
Information theft (employee)  $7,000.00          1 per 13 months       7,000    0.9231   $6,461.54
Denial-of-service attack      $4,000.00          1 per 10 years        4,000    0.1      $400.00
Laptop theft                  $5,000.00          1 per 10 years        5,000    0.1      $500.00
Web defacement                $1,500.00          1 per 5 years         1,500    0.2      $300.00
Fire                          $75,000.00         1 per 10 years        75,000   0.1      $7,500.00
Flood                         $50,000.00         1 per 15 years        50,000   0.0667   $3,333.33

The return on security investment must then be calculated for each control against the threats it affects: ROSI = (ALE before the control − ALE after the control − annual cost of the control) / annual cost of the control, where the ALE reduction is summed over every threat the control covers. The ALE reductions between the two tables are: software piracy $29,700; computer virus/worm $20,880; information theft (hacker) $10,000; information theft (employee) $11,538.46; denial-of-service attack $5,100; laptop theft $300; web defacement $450; fire $42,500; flood $16,666.67. Dividing these savings by the control costs (the control costs from the assignment table are not reproduced here), the return on security investment is greatest for the IDS and for insurance, so these controls should be purchased to address information theft by hackers and flood respectively (Yokouchi, 2007).

6. Comparing the tables in answers 4 and 5 shows that a control can change the cost per incident, the occurrence frequency, or both, and it is the control that determines which one moves (Alhawari, Karadsheh, Nehari Talet & Mansour, 2012). For computer viruses the cost per incident was $2,000 at a frequency of one per month; with antivirus in place the cost fell to $1,300 and the frequency to one every five months, so this control changed both factors. Web defacement, by contrast, keeps its $1,500 cost per incident and only its frequency falls (from one per two years to one per five years), while laptop theft becomes rarer but costlier per incident (from $4,000 to $5,000). The reason is that controls act on different parts of the loss: a preventive control lowers how often an incident occurs, a control that limits damage or transfers loss lowers what each incident costs, and some do both. Antivirus products themselves vary in type, licensing policy and cost, which is why both the cost of an incident and its frequency shift when one is introduced.

7. In 1999, as risk manager of a financial institution, I applied Jacobson's Window model to decide the response to the Y2K bug.
The Y2K bug is the problem in both digital and non-digital data recording and storage that resulted from abbreviating four-digit years to two digits, so that the years 2000 and 1900 cannot be told apart. Various approaches were introduced to solve it (Vinaja, 2013): data re-partitioning, data expansion, windowing and so on. Jacobson's Window model can be applied here. Under this model a risk is classified by its occurrence frequency and by the impact of each occurrence; the model assumes that every risk has either a high or a low occurrence frequency and either a high or a low impact (Prado, 2011). It shows that two quite different classes of risk can cause losses of equal magnitude when expressed as an annual rate, that is, as annualized loss expectancy. I fully agree with the model's recommendation that a high or low risk should be addressed by selecting a security measure with a positive return on investment, based on the relationship between implementation cost and reduction in ALE. Jacobson's Window model suggests that, other things being equal, a security measure should be implemented on the basis of its return on investment.

8. NPV of the automated patching system, discounted at the required rate of return of 10%:

Year  Benefit  Cost   Net cash flow  PV factor (@10%)  Present value
1     2,000    3,000  -1,000         0.909091          -909.09
2     2,500    2,000  500            0.826446          413.22
3     4,000    750    3,250          0.751315          2,441.77
4     4,000    250    3,750          0.683013          2,561.30
5     4,000    250    3,750          0.620921          2,328.45
Net Present Value                                        6,835.66

The PV factor for year t is 1/(1.10)^t, and each present value is the year's net cash flow multiplied by that factor. The table shows the net present value (NPV) calculation, which is an effective mechanism for assessing investment options. The NPV of this investment is clearly positive ($6,835.66), so at the required rate of return of 10% the investment should be made: the discounted benefits exceed the discounted costs.
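As an added worked example (this code is mine, not part of the original report or of any source it cites), the following Python carries answers 3 to 6 and 8 through in code: it turns the "1 per N months/years" frequencies into an ARO, computes ALE = SLE × ARO for both threat tables, computes ROSI for controls that each cover several threats, reports which ALE factor a control changed for a given threat, and computes the NPV of the patching investment. The two threat tables are the page's own; the controls in CONTROLS, their annual costs and the threats each covers are assumed for illustration because the page does not list them, and the piracy row uses one incident per week to match the report's ARO of 52.

```python
"""Worked example for the quantitative answers in this report (added
illustration, not the report's own material).  Threat tables are from
answers 4 and 5; CONTROLS (names, annual costs, threats covered) are
ASSUMED, since the page does not list them."""
import re

# name -> (cost per incident in $, occurrence frequency as written)
WITHOUT_CONTROLS = {
    "Software piracy": (600, "1 per week"),  # report's ARO of 52 implies weekly
    "Computer virus/worm": (2000, "1 per month"),
    "Information theft (hacker)": (3500, "1 per 3 months"),
    "Information theft (employee)": (6000, "1 per 4 months"),
    "Denial-of-service attack": (11000, "1 per 2 years"),
    "Laptop theft": (4000, "1 per 5 years"),
    "Web defacement": (1500, "1 per 2 years"),
    "Fire": (500000, "1 per 10 years"),
    "Flood": (300000, "1 per 15 years"),
}
WITH_CONTROLS = {
    "Software piracy": (500, "1 per 4 months"),
    "Computer virus/worm": (1300, "1 per 5 months"),
    "Information theft (hacker)": (2000, "1 per 6 months"),
    "Information theft (employee)": (7000, "1 per 13 months"),
    "Denial-of-service attack": (4000, "1 per 10 years"),
    "Laptop theft": (5000, "1 per 10 years"),
    "Web defacement": (1500, "1 per 5 years"),
    "Fire": (75000, "1 per 10 years"),
    "Flood": (50000, "1 per 15 years"),
}
# ASSUMED controls: annual cost and the threats each one affects.
CONTROLS = {
    "IDS": (8000, ["Information theft (hacker)", "Denial-of-service attack", "Web defacement"]),
    "Insurance": (20000, ["Fire", "Flood"]),
    "Laptop tracking": (1000, ["Laptop theft"]),
}
UNITS_PER_YEAR = {"week": 52.0, "month": 12.0, "year": 1.0}


def parse_aro(frequency: str) -> float:
    """'1 per 3 months' -> 4.0 incidents per year (the ARO)."""
    m = re.fullmatch(r"(\d+) per (\d+ )?(week|month|year)s?", frequency.strip())
    if not m:
        raise ValueError(f"unrecognised frequency: {frequency!r}")
    count, span, unit = int(m.group(1)), int(m.group(2) or 1), m.group(3)
    return count * UNITS_PER_YEAR[unit] / span


def ale(cost_per_incident: float, frequency: str) -> float:
    """Annualized loss expectancy: SLE (here the cost per incident) x ARO."""
    return cost_per_incident * parse_aro(frequency)


def ale_table(table: dict) -> dict:
    return {name: ale(cost, freq) for name, (cost, freq) in table.items()}


def rosi(control: str) -> float:
    """(ALE reduction summed over every threat the control covers - cost) / cost."""
    cost, threats = CONTROLS[control]
    before, after = ale_table(WITHOUT_CONTROLS), ale_table(WITH_CONTROLS)
    saved = sum(before[t] - after[t] for t in threats)
    return (saved - cost) / cost


def controls_worth_buying() -> list:
    """Buy a control only if it returns more than it costs (ROSI > 0), best first."""
    return sorted((c for c in CONTROLS if rosi(c) > 0), key=rosi, reverse=True)


def control_effect(threat: str) -> set:
    """Which ALE factor(s) the control changed for this threat: cost, frequency or both."""
    (c0, f0), (c1, f1) = WITHOUT_CONTROLS[threat], WITH_CONTROLS[threat]
    changed = set()
    if c0 != c1:
        changed.add("cost")
    if parse_aro(f0) != parse_aro(f1):
        changed.add("frequency")
    return changed


def npv(rate: float, benefits: list, costs: list) -> float:
    """Discount each year's net cash flow (benefit - cost); year 1 is discounted once."""
    return sum((b - c) / (1 + rate) ** t
               for t, (b, c) in enumerate(zip(benefits, costs), start=1))


PATCHING_BENEFITS = [2000, 2500, 4000, 4000, 4000]  # answer 8, years 1 to 5
PATCHING_COSTS = [3000, 2000, 750, 250, 250]

if __name__ == "__main__":
    for name, value in ale_table(WITHOUT_CONTROLS).items():
        print(f"{name:30} ALE ${value:>10,.2f}")
    for name in CONTROLS:
        print(f"{name:16} ROSI {rosi(name):+.2f}")
    print("buy:", controls_worth_buying())
    print("virus control changed:", control_effect("Computer virus/worm"))
    print(f"NPV at 10%: ${npv(0.10, PATCHING_BENEFITS, PATCHING_COSTS):,.2f}")
```

With the assumed costs, "Laptop tracking" has a negative ROSI (it saves $300 a year against a $1,000 cost) and is correctly left off the purchase list, while a control covering several threats is credited with the sum of their ALE reductions, which is the point the question makes about one control affecting more than one threat.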
In this method all future cash flows are converted to present values in order to assess the potential of the investment; a positive NPV at the required rate of return means the investment earns more than that rate.

9. The Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) method was originally introduced to assess the risks of larger organisations, roughly those with 300 or more employees. Size is not the only criterion: larger organisations have a multi-layered hierarchy, maintain their own computing infrastructure, and have the internal capacity to run the risk assessment and to interpret its results for their critical assets (Benaroch, Jeffery, Kauffman & Shah, 2007). The method takes a three-phase approach that examines organisational and technological aspects in order to build a comprehensive picture of the organisation's information security requirements. It is carried out through a series of workshops run by an internal analysis team made up of employees from several parts of the organisation, and it draws on information from various organisational levels. It therefore concentrates on identifying the organisation's key assets, risks, threats and opportunities, and on creating a protection strategy; that strategy is grounded in practice and includes a plan for mitigating the identified risks in support of the organisation's objectives. The approach can be applied to assess potential information security risks, and OCTAVE can be highly effective for determining the appropriate level of security in a range of organisations. An example illustrates its use.
Health care organisations must maintain large databases and patient records (Caron & Salvatori, 2014), and it is vital to protect the confidentiality of those records. Here, applying OCTAVE can be highly beneficial for maintaining the security of the database within a health care organisation: the workshops gather information from the organisation's various levels (Pappas & Panagiotopoulos, 2009) to identify the key assets (the patient records), the risks and threats to them, and the opportunities for protecting them, and the resulting protection strategy gives the organisation a mitigation plan for those risks.

References

., P., & ., R. (2007). Simulating the Potential Effect of Risk Management on Project Scheduling. Information Technology J., 6(1), 8-13. doi:10.3923/itj.2007.8.13

Adler, T., Leonard, J., & Nordgren, R. (1999). Improving risk management: moving from risk elimination to risk avoidance. Information and Software Technology, 41(1), 29-34. doi:10.1016/s0950-5849(98)00095-0

Alhawari, S., Karadsheh, L., Nehari Talet, A., & Mansour, E. (2012). Knowledge-Based Risk Management framework for Information Technology project. International Journal of Information Management, 32(1), 50-65. doi:10.1016/j.ijinfomgt.2011.07.002

Benaroch, M., Jeffery, M., Kauffman, R., & Shah, S. (2007). Option-Based Risk Management: A Field Study of Sequential Information Technology Investment Decisions. Journal of Management Information Systems, 24(2), 103-140. doi:10.2753/mis0742-1222240205

Caron, F., & Salvatori, F. (2014). Managing Information for a Risk Based Approach to Stakeholder Management. International Journal of Information Technology Project Management, 5(2), 30-43. doi:10.4018/ijitpm.2014040103

Dey, P., & Kinch, J. (2008). Risk management in information technology projects. International Journal of Risk Assessment and Management, 9(3), 311. doi:10.1504/ijram.2008.019747

Pappas, A., & Panagiotopoulos, P. (2009). Information Technology risk management in e-commerce: classical and catastrophic risk approaches. IJASS, 2(3), 250. doi:10.1504/ijass.2009.027663

Prado, E. (2011). Risk analysis in outsourcing of information technology and communication. JISTEM, 8(3), 605-618. doi:10.4301/s1807-17752011000300005

Vinaja, R. (2013). IT Security Risk Management: Perceived IT Security Risks in the Context of Cloud Computing. Journal of Global Information Technology Management, 16(3), 82-84. doi:10.1080/1097198x.2013.10845644

Yokouchi, A. (2007). Introduction of Weather Risk Management Technology in Farm Management. Agricultural Information Research, 16(4), 226-234. doi:10.3173/air.16.226