Cyber Security: Information as an asset

Submitted by Dean Jones on Mon, 03/07/2022 - 03:48

You may recall from Week 1 that it is helpful to conceive of information as a resource when considering computer security. Like money in a bank account, it may be irreplaceable and can be lost or stolen.

Traditionally, when we think of our assets, we think of things like cash, real estate, machinery, and so on. Information is increasingly seen as a resource that can be leveraged to create more value. If you consider how much music and gaming programs are worth to media companies or video game companies in today's digital environment, you'll see that information is fast becoming the most valuable asset.

When we view information as a valuable resource, we can develop measures to keep it safe and limit the damage done in the event of a disaster.

Risk Management

Information security risk management is the process of assessing the value of an individual's or organization's information assets and, if necessary, implementing continuing protection for them.

Tangible information, such as paper records, can be protected easily with commonplace measures like locking filing cabinets or limiting access to archived materials.

Intangible information, on the other hand, such as the thoughts of employees, is considerably more difficult to safeguard. For example, a company might try to keep information safe by making sure their workers are satisfied and enforcing contracts that prohibit them from leaving to work for a competing company.

Incentives as well as imperatives

Risk management for information security looks at the process from two angles: imperatives and incentives. Imperatives are compulsions that force you to take a specific course of action. A reward or opportunity for doing something is referred to as an "incentive."

Legislation and regulation are the driving forces behind the need for information security. Legislative imperatives include the Computer Misuse Act and the Data Protection Act. The Payment Card Industry Data Security Standard (PCI-DSS) is an example of a regulatory standard that outlines how retailers should protect all card transactions.

Trust is the most crucial incentive of all. People and organizations are more likely to collaborate with each other if their data is secure. In order to build this trust, all parties must assess their own and each other's information security processes to make sure that the data is adequately protected. This can be done, for example, by demonstrating compliance with standards such as PCI-DSS or the ISO27000 set of standards for building and implementing information security management systems.

Risk Analysis

The term "risk" is used in everyday language, but the study of risk assessment and management has developed into a distinct field in its own right. Here, we'll take a quick look at how you can put some of these concepts to use to better protect your data by recognizing, assessing, and reducing potential threats.

The possibility of negative outcomes or losses is what is meant by the term "risk." It is often possible to identify and estimate potential dangers, as well as their likelihood of occurring.

For qualitative risk analysis, the most common method is to produce a likelihood–impact matrix, where each risk event is scored against a predetermined scale and then plotted on a two-dimensional grid. Each risk's position on the grid represents how significant it is in comparison to the others. The simplest matrix is a 2 by 2 grid, which is created by assigning a value of high or low to both likelihood and impact. Risks can be dealt with in the following sequence, starting with the highest priority:

● high-impact, high-likelihood risks
● high-impact, low-likelihood risks
● low-impact, high-likelihood risks.

Analysis of risk in the real world

Successful attacks on email, banking, and password information will have significant consequences, and these assets will almost certainly be targeted because of their high monetary worth to criminals and terrorists alike. Hence, they should be placed in the high-high section.

Figure: risk matrix with email, banking information, and passwords in the "high likelihood, high impact" cell.

Study materials and digital images would be a high-impact loss, but their cash value to a hacker is negligible, so they are unlikely to be targeted. These belong in the high-impact, low-likelihood section.

Figure: risk matrix with study materials and digital images in the "low likelihood, high impact" cell.

The impact of an attack on digital music or videos will be minimal because they can be readily re-downloaded. The likelihood of this happening is high, though, due to the ease with which these assets can be replicated and traded. Because of this, they are placed in the low-impact, high-likelihood box.

Figure: risk matrix with digital music and digital videos in the "high likelihood, low impact" cell.

When it comes to safeguarding your data, conducting a risk assessment is essential. For each piece of information on your list, perform a similar risk analysis, as Lewis did, to assess the effect and threat level associated with that piece of information.
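
The 2 by 2 analysis above can be reproduced for your own list of assets with a short script. This is an added example, not part of the original article: the function names are illustrative, the ratings are the ones given in the worked analysis, and placing the low-impact, low-likelihood cell last is an assumption, since the priority list above does not mention it.

```python
from collections import defaultdict

# Priority order from the article's list, as (impact, likelihood). The low/low
# cell is not listed in the article and is placed last here as an assumption.
PRIORITY = [("high", "high"), ("high", "low"), ("low", "high"), ("low", "low")]

# Ratings taken from the article's worked analysis.
ASSETS = {
    "email": ("high", "high"),
    "banking information": ("high", "high"),
    "passwords": ("high", "high"),
    "study materials": ("high", "low"),
    "digital images": ("high", "low"),
    "digital music": ("low", "high"),
    "digital videos": ("low", "high"),
}

def build_matrix(assets):
    """Group assets into 2x2 cells keyed by (impact, likelihood)."""
    matrix = defaultdict(list)
    for name, rating in assets.items():
        if rating not in PRIORITY:
            raise ValueError(f"{name}: rating must be high/low, got {rating!r}")
        matrix[rating].append(name)
    return dict(matrix)

def prioritise(assets):
    """Return asset names in the order they should be dealt with."""
    matrix = build_matrix(assets)
    return [n for cell in PRIORITY for n in sorted(matrix.get(cell, []))]

def render(assets):
    """Draw the grid as text: rows are impact, columns are likelihood."""
    matrix = build_matrix(assets)
    lines = [f"{'':12}| {'low likelihood':36}| high likelihood"]
    for impact in ("high", "low"):
        cells = [", ".join(sorted(matrix.get((impact, lk), []))) or "-"
                 for lk in ("low", "high")]
        lines.append(f"{impact + ' impact':12}| {cells[0]:36}| {cells[1]}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(ASSETS))
    for rank, name in enumerate(prioritise(ASSETS), 1):
        print(rank, name)
```

Replace the entries in ASSETS with your own information assets and ratings; any rating other than high or low is rejected rather than silently dropped from the grid.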