it risk management

it risk management
IT RISK MANAGEMENT
Case study
LAHTI UNIVERSITY OF APPLIED
SCIENCES
Degree program in
Business Information Technology
Spring 2014
Yimei Lin
Lahti University of Applied Sciences
Degree Programme in Business Information Technology
LIN, YIMEI:
IT risk management
Bachelor’s Thesis in Business Information Technology, 72 pages, 8 pages of
appendices
Spring 2014
ABSTRACT
More and more companies are concern about their IT risks nowadays, especially
the companies relying on IS (Information System) in business. The objective of this
thesis focused on what risk in the case company should be paid the most attention to.
In short, the aim is to find out what the biggest threat was in the case company and
the reason. Moreover, when exploring the answer, it was possible to understand the
process of managing IT risks.
The general methodology of this study is deductive research method. It aimed to
check if the general IT risks found in literature in the case company. Moreover, the
researcher was to develop the theory that organized cyber criminals and hackers are
the riskiest security problem in business. Interviews and observation were carried
out collect the data.
The study revealed that, inadequate anti-virus software protection is the biggest
threat for the case company, and because the manager decided to ignore the existing
problems, it will be an even bigger threat in the future.
Key words: IT risks, risk management, software protection.
TABLE OF CONTENTS
LIST OF FIGURES
IV
LIST OF TABLES
V
LIST OF BOXES
1
2
3
4
VII
INTRODUCTION
1
1.1
Background
1
1.2
Statement of the problem
1
1.3
Research objective
2
1.4
Overview of thesis
2
RESEARCH METHODOLOGY
5
2.1
Research question
5
2.2
Research methods
5
2.2.1
Qualitative research method
5
2.2.2
Data collection and data analysis
7
LITERATURE REVIEW
10
3.1
IT risk overview
10
3.2
Risk management overview
10
3.3
IT Risk identification
13
3.4
Risk assessment
15
3.4.1
Asset impact analysis
16
3.4.2
Business impact analysis (BIA)
17
3.4.3
Vulnerability assessment
18
3.5
Risk countermeasures
19
3.6
Risk reduction
22
CASE STUDY
24
4.1
Case overview
24
4.2
IT risks identification
26
4.3
IT risks assessment
30
4.3.1
Asset impact analysis
31
4.3.2
Business impact analysis
32
4.3.3
Vulnerability assessment
34
4.4
Countermeasures
35
4.5
Risk reduction and recommendations
38
5
DATA ANALYSIS
44
6
CONCLUSIONS
50
7
DISCUSSION
51
7.1
Limitations
51
7.2
Validity and reliability
51
7.3
Future study suggestion
52
REFERENCES
53
APPENDICES
57
LIST OF FIGURES
Figure 1: Structure of thesis..................................................................................... 4
Figure 2: (Deductive"top down" method, 2013) ..................................................... 7
Figure 3: Risk management framework (Williams, M_o_R - Framwork, 2007) .. 11
Figure 4: The risk management process (Cadle & Yeates, 1991) ......................... 13
Figure 5: Basic layout t of the organization’s office ............................................. 25
Figure 6: Basic layout t of the premises ................................................................ 25
Figure 7: Human Threats: Threat-Source, Motivation, and Threat Actions.......... 57
Figure 8: Template risk register (derived from (Priest & Wood, 2012))............... 62
LIST OF TABLES
Table 1: Example table physical threats (derived from the course IT risk analysis
taught by Adrian Priest and Katie Wood).............................................................. 14
Table 2: Example table non-physical threats (derived from the course IT risk
analysis taught by Adrian Priest and Katie Wood) ................................................ 14
Table 3: Likelihood (derived from the course IT Risk Analysis (Priest & Wood,
2012))..................................................................................................................... 16
Table 4: Impact (derived from the course IT Risk Analysis (Priest & Wood, 2012))
............................................................................................................................... 16
Table 5: Example table critical asset ..................................................................... 17
Table 6: Example table essential asset................................................................... 17
Table 7: Example table normal asset ..................................................................... 17
Table 8: Example table related risk to critical assets ............................................. 17
Table 9: impact of unavailability (derived from the course IT Risk Analysis (Priest
& Wood, 2012)) ..................................................................................................... 18
Table 10: Cumulative Impact of Effect (derived from (ISACA)) ......................... 18
Table 11: Example of vulnerability assessment (Derived from core text- (Whitman
course technology/Cengage Learning)) ................................................................. 19
Table 12: Example of risk priority (derived from the course IT Risk Analysis (Priest
& Wood, 2012)) ..................................................................................................... 23
Table 13: Priority score (derived from the course IT Risk Analysis (Priest & Wood,
2012))..................................................................................................................... 23
Table 14: Color coding for priority rating (derived from the course IT Risk Analysis
(Priest & Wood, 2012)) ......................................................................................... 23
Table 15: Example of schedule for risk reduction (derived from the course IT Risk
Analysis (Priest & Wood, 2012)) .......................................................................... 23
Table 16: Identified physical threats (case company) ........................................... 27
Table 17: Identified non-physical threats (case company) .................................... 30
Table 18: Asset impact analysis (case company) .................................................. 31
Table 19: Related risks to critical assets (case company)...................................... 32
Table 20: Business impact of unavailability (case company) ............................... 33
Table 21: Cumulative Impact of Effect ................................................................. 33
Table 22: Vulnerability assessment for servers ..................................................... 34
Table 23: Vulnerability assessment for network components ............................... 35
Table 24: Vulnerability assessment for PCs .......................................................... 35
Table 25: Vulnerability assessment for backups ................................................... 35
Table 26: Countermeasures for physical threats in the case company .................. 36
Table 27: Countermeasures for non-physical threats in the case company ........... 38
Table 28: Priority of each risk in the case company .............................................. 38
Table 29: Schedule for risk reduction and recommendations (case company) ..... 43
LIST OF BOXES
Box 1: answers given by manager department from interview ............................. 45
Box 2: answers by IT department and business department from interview ......... 47
1
1
1.1
INTRODUCTION
Background
In the past decades, it was always heard from the press that crises are happening,
such as the economic crisis, energy crisis and nuclear crisis. Those crises have an
impact on individuals, businesses, organizations, even nations. It may result in
incredible impacts if people ignore the upcoming risks. However, not all the people
have the crisis awareness. People do not care about it much until they have losses.
The definition of risk ‘Effect of uncertainty on objectives’ (ISO 31000, 2009) was
brought up. The bias of risk that represents badness has changed.
Hence, with a serious consideration, risk management is momentous. It is aimed to
avoid the potential occurrence of risks, which is proactive. Indeed, not all probable
threats are defined when people try to analyze the risks. There are still possibilities
that the risk turns to be events that may cause negative impacts. Therefore, finding
resolutions to redeem losses and reduce impacts, which refer to crisis management,
is vital too (The difference between Crisis Management and Risk Management?
2010). Moreover, no matter which risks represent threats or opportunities, the
impacts of event need to be assessed carefully.
As information technology is being used widely in companies to support their
business, to secure IT becomes more significant. Every threat can be a disaster,
even related to the organization’s survival, especially for those companies that
depend on the information systems. The better knowing of risks, the more secure
the companies are. Therefore, managing IT risks in a company is vital to prevent
from threats leading to disasters and to give countermeasures for better problem
solving.
1.2
Statement of the problem
DTI (DTI Information Security Breaches Survey, 2006) reported that only less than
20 percent of small companies could survive without IT systems. In other words,
large corporations operate their business with IT systems and the numbers has
2
continued growing. Once the system breaks down or has something wrong, it may
cause lots of direct losses, such as loss of system facilities, production, sales,
communication, and control, also the business possibly fails. For instance, Comair,
which is a huge airline company, valued to be $780 million, experienced a fatal hit
due to the failure of crew-scheduling system. Thousands of passengers were
affected by the crushed system. (Westerman & Hunter, 2007) Moreover, indirect
consequences of IS disaster such as undetected fraud, financial loss through lack of
billing and payment processing facilities, liability for payment of fines, damages
and compensation, loss of customers, diminished public standing. Indeed, any
potential risks of information systems could turn out to be a disaster and cause loss.
1.3
Research objective
With the growing awareness for information technology security, it is worth to
study IT risk management in an organization. Managing IT risks was carried out in
case of business aiming at finding out which IT risk threatens the business most.
Proactive perspectives would be reminded to have about potential risks for
companies. In the case any loss is caused, this research would give some
suggestions to do the remediation in a short time. It would also support improved
decisions making for businesses and could protect them in a suitable way.
The company doing business in patent and intellectual property relies on IT systems.
The researcher did her internship in this business and wanted to study the IT threats
there for these purposes. Also, the research could help the company to be aware of
its IT security. Therefore, the case is provided as an example of management of IT
risks for better understanding.
1.4
Overview of thesis
Chapter two, states the research approach which has been applied in this thesis. The
research question will be carried out at the beginning of this chapter. The research
question concerns the levels of the IT risks with the vulnerabilities, the threats, the
countermeasures, and the asset values, as well. The introduction of the conceptual
3
framework is illustrated here. Data collection method and data analysis method will
be explained in details.
The literature review is provided in chapter three, which gives the ideas of IT risk
management. The theories cover a current framework for IT risk. According to this
framework, the risk assessment methodology was illustrated. The literature will
give a more detailed explanation why those elements are connected to the level of
the IT risks.
Chapter four, the case study is indicated to assess IT risks in the business. The
conduct of IT risks management which is comprised of identifying, estimating,
evaluating, planning, and implementing are described in the case study. The
researcher will start with risk identification, going on with an analysis for the risk,
business impacts, and evaluation for the risks. Countermeasures will be carried out
then. Recommendations will be summarized to reach the conclusion.
Chapter five includes the data collection and its analysis. Data will be collected
from interviews and observation. Some of employees and interns in the case
company will be interviewed randomly and individually in groups. According to
their answers from the interview, the observation reflects the reality. The data will
be analyzed in details.
Chapter six covers the results of analysis, findings and the conclusion of the
research question. The factors that influence the extent for IT risks in the case
company will be summarized to give a compact answer to the question. Figure 1
below indicates the structure of this thesis:
4
Chapter 1:
Introduction
Chapter 2:
Research methodology
Chapter 3:
Literature review
Chapter 4:
Case study
Chapter 5:
Data analysis
Chapter 6:
Conclusion
Chapter 7:
Discussion
Figure 1: Structure of thesis
• The importance of management of IT
risks, research purpose, overview of the
research
• Research question, introduction of
conceptul framework, research method.
Data collection method and data analysis
method.
• The methodology for IT risk
management.
• Theoritcal conclusions for IT risks
• Processes of IT risk management carried
out in the case company.
• Data provided as the evidence for
analysis
• Interviews and observation analysis
• Findings and summary of the research.
• Limitations
• Validity and reliability
• Future study suggestions
5
2
RESEARCH METHODOLOGY
In past decades, research was defined to have different academic meanings. A
definition in Oxford Dictionary is “the systematic investigation into and study of
materials and sources in order to establish facts and reach new conclusions”
(Research: Definition of research in Oxford dictionary). The research problem or
the hypothesis is a must to begin research. Literature review will assist the research
in gaining the specific knowledge for a particular area. Gathering data and
analyzing the findings are to refer interactively to the theory. According to the
analysis, conclusions could be made for theoretical formulation.
2.1
Research question
Based on the situation that people have been more aware of IT security, the case
company allowed the research to be put into practice. The partner in charge of the
technical field in the company expected to know the most potential IT related risks,
also the countermeasures for them. Therefore, the main idea of IT risk management
will be focused on the research question:
What IT risk should be paid the most attention for the case company and
why?
2.2
Research methods
The methodologies being used to reach new conclusions have many differences. In
this study, qualitative research method is adopted. Deductive approach is applied to
help the case study.
2.2.1
Qualitative research method
When referring to qualitative research process, it goes through people’s behavior,
perspective to get a deep understanding about the object, which focuses on the
process of exploration and discovery rather than numerical or mathematical process.
It also can be represented that subjective consciousness of human beings is using
“words” to be expressed for interpretation of an aspect. There are many approaches
6
to adopt in qualitative research. According to the research nature in this study, it
was concentrated on the meanings of aspect or findings of people’s thoughts and
behaviors, in order to acquire detailed information.
Correlative with description and explanation as a case study approach uses in this
study. For theory testing and development, the case design is helpful (Ghauri &
Gronhaug, 1995).The study problem contained in Chapter 2.1 is more explorative
and interpretive. Therefore, the researcher intends to study the process for making
decisions for those IT risks. In other words, characterizing and categorizing on the
basis of IT risks management and carrying out proper countermeasures for them are
detailed explained in this study. Since the study conducting in the case business, IT
risks management concatenating the resolution and recommendations according to
the identified risks. Hence, it is helpful to use qualitative research process to
provide suitable suggestions for the case company other than quantitative process
with numbers and statistics.
Deduction typically utilizes in quantitative research. Nevertheless, it is not absolute.
In fact, in deductive reasoning, theories and hypothesis are tested by samples or
data. Certainty becomes the target to reach a conclusion. Hypothesis formulates the
beginning, and the findings in the experiment will be adjusted to the hypothesis
through data. The following figure (see figure 2) could help to understand the
structure of deduction method.
7
Formulate hypothesis
Formulate research
questions to test hypothesis
Carry out experiment
(= collect data)
Confront outcome with
hypothesis(falsify)
Develop theory
Figure 2: (Deductive"top down" method, 2013)
The hypothesis formulated by the researcher is that inadequate anti-virus software
protection may be the biggest threat for the business is the first step to studying the
case company. General IT security checks will be implemented in order to collect
the having risks in the case company. For this reason, deductive reasoning was
decided by the researcher.
2.2.2
Data collection and data analysis
The research is carried out to manage IT risks, and it contains an identification and
assessment to get a deep understanding. Besides, interviews and observation are
adopted as methods to collect the data for the research.
Face-to-face interviews are conducted as well in this research paper. The interview
adopted in research was two-person conversation in order to acquire the
information needed for achieving research goals (Cannell & Kahn, 1968). Trust is
easier to build with extensive opportunities for asking and possibility for probing
(Tuckman, 1972). Besides, deeper realization can obtain other than other data
collection methods (Cohen, Manion, & Morrison, 2007). Oppenheim (1992) states
that compared to other data collection methods, respondents in interviews are more
8
involved. Unstructured interview adapts for this research paper because of its
flexibility and freedom. The questions prepared before interviews the questions to
manager department are:

What was the IT problem happened before?

What caused the problems?

How long did it take to solve it?

Who solved/or not?

Are you now having a solution for this problem just in case if it happens
again?

Who is to ask for the access passwords?

Does the same problem happen again?

What anti-virus and anti-malware are installed on machine?

Why chose this software to be your protection software?

How do you think about the software?

Have you thought to change better anti-virus software?
The questions for business department and IT department are:

Do you use memory sticks to back up your work document?

Will you let browsers save passwords on intranet system How often do you
change your password on the intranet system

How often do you clear your cookies?

Will you log out websites before you shut down computer?

Do you upgrade software on your machine often?

Have you ever clicked pop-ups on websites?

Why did you click the pop-ups on websites or in emails?

Will you turn off computer directly when you leave?
Sometimes those questions are closely related to the research question, and test the
hypotheses that the author of this research paper made. It is significant for data
analysis, the next step, to figure out the answer of the research.
9
Interviewees are randomly selected at least two people from one of departments
among the case company, including business department, the IT department, and
manager department. The same question may have many different answers due to
various factors, such as personality, experience, awareness, and knowledge. It is
very personal but also more credible and reliable to analyze the data into different
groups.
In this research report, the author thinks inadequate anti-virus and anti-malware
protection would be the most worthy of attention in the case company. Hence,
during the interview, researcher will ask questions about IT security protection
situation in the business for the IT department.
Observation in the scientific area is to study natural phenomenon and try to figure it
out the consequences of the phenomenon with hypothesis (Shipman, Wilson, &
Todd, 2009). Furthermore, observation provides a reality check that if people do
what they say to do (Robson, 2002). Researcher can discover if there is something
missing in the interview (Cohen, Manion, & Morrison, 2007). Besides, the
hypothesis will be formulated from observation.
Thus, to be one of the employees in the case company, researcher participates in the
observation, with firsthand experience and impression to think about the hypothesis.
Additionally, employees in the company are observed from their actions, working
habits with computers, printers, and other IT assets. The observation starts when
they are on work and off work, such as when they are doing a tasks assigned by the
managers, and when they leave the office to have a break, to be the evidence or
improvement of risks identification. The researcher will record their behavior.
The data presented in interview and observation is analyzed by comparing different
departments’ responses, behaviors. The researcher will interpret and summarize the
information to get respondents’ perspectives of IT risks. The level of IT risks will
be estimated to induce the hypothesis and reach the conclusion.
10
3
3.1
LITERATURE REVIEW
IT risk overview
ISO 27001 Standard as Information Security Standard (Threats & vulnerabilities,
see appendices) is to be considered to be the base of the IT risk management in this
thesis. Common IT threats listed for different companies at the end of this paper as
a reference.
Noteworthily, those definitions are not critical, more and more potential IT risks
and vulnerabilities would discover in the future. Moreover, it has to be adapted to
the different companies.
Venafi, which focuses on certificate management solutions, brought out the top IT
security risks expect in 2013. Organized cyber criminals and hackers are the riskiest
security problem which infects IT systems with malware. It would cause data
disclosure and another associated damage resulting in bad business operation
(Venafi, 2013).
3.2
Risk management overview
People have noticed that the harmful influence is not one kind that risks can bring to
them anymore. Hence, some professional delimits risk management as an
efficiency to manage both potential opportunities and disadvantageous issues
through culture, structures and processes (VMIA, 2010).
Since the financial crisis affecting global economy, loads of corporations faced
adverse conditions. However, it could be an opportunity to be introspective what
issues or risks do exist in theirs. Risk management becomes significant due to the
high expectations from stakeholders, as well. The fewer troubles when doing
business, the more profits they could get. A better decision may make from risk
management as well, so that the work is possibly more productive and efficient in
the company. (Hopkin, 2010)
11
In fact, quite many representations were given to illustrate the process of risk
management. Williams (2007) introduced the framework of risk management in
M_o_R Guide, involving principles, approach, process that has some similarities to
ISO 31000 (2009) standard, and embedding and reviewing ( See figure 3).
Twelve principles promote organizations to prepare policies, procedures and plan
based on their own requirements (Williams, M_o_R - The Facts, 2007). The
approach in the following figure (See figure 3) represents as five arrows to policy,
process guide, strategies, risk register and issue log. First, to identify the context to
acquire the needed information and the potential risks to avoid or mitigate damage,
last but not least, the opportunities to improve the performance. Assessment applies
estimation and evaluation to analyze the likelihood and impacts on business.
Afterwards, in terms of the detailed countermeasures planned for the threats and
opportunities, taking action to fit the expectation is the goal. Communication as an
activity goes through the whole process.
Figure 3: Risk management framework (Williams, M_o_R - Framwork, 2007)
Referred to the risk management process, Cadle and Yeats (1991) brought up a
similar process, which is for project management, illustrated in Figure 4. The figure
12
(See figure 4) advocates the steps to move upon the objectives achieved. Case
Study will follow the general process up due to its clearness and simplexes.
The risk management plan will be carried out before identifying the risks in the
business. The purpose of the research is to manage IT risks in the business; thus,
good plan is the key to the point. Analysis from the previous IT risks reports or
surroundings could be helpful for the plan to make. Besides, the meetings with the
crew in the business are important to plan how many people should get involved in
the research. Keeping the risk report simple and structural is the company who
would like to see the most.
Once the plan ready, the threats in the business are able to ascertain from the
document reviews and information from the crew in the business. They could be
collected by different aspects or categories, such as physical/nonphysical risks,
natural/human/environmental risks (Stoneburner, Goguen, & Feringa, 2002), and
internal/external risks. To register the threats could give the overall risks for the
business. Besides, as mentioned before, not all threats around the company detected.
They may occur in anytime, thus, the plan and register have to be modified
occasionally.
Stoneburner, Goguen and Feringa mentioned the impact and likelihood of the risks,
which are necessary for risk assessment. “This is so that management attention can
focus on those risks with the greatest probability of occurring and those that will
most damage the project if they do happen.”(Stoneburner, Goguen, & Feringa,
2002). Within the scenario in the case business, the next chapter will introduce
details about risk assessment.
Giving the countermeasures to the foreseeable threats is the next step. The provided
countermeasures are to reduce the possibility of the risk occurrence or prevent it.
After all things are setting up, the company could take actions to achieve the
objectives.
13
Figure 4: The risk management process (Cadle & Yeates, 1991)
3.3
IT Risk identification
The previous chapter briefly states various classifications of threats.
Physical/nonphysical, natural/human/environmental (Stoneburner, Goguen, &
Feringa, 2002), internal/external risks will be referred in the case study. Although
those classifications overlap for somehow, they may provide a lead to the research
finds. The researcher considers the threats to be divided into two major parts:
physical and non-physical. Categories of natural/environmental/human and
internal/external threats respectively belong to the two parts, which are as in the
following table (See table 1 & 2) with sample descriptions.
Physical threats
Natural threats
Description
ID

Loss of essential services
1

Fire, smoke
2
14
Human threats
Environmental threats

Natural disasters
3

Terrorist attack
4

Malicious action
5

Errors and negligence
6

Loss of key staff
7

Industrial action
8

Long-term power failure
9

Telecommunication failure
10
Table 1: Example table physical threats (derived from the course IT risk analysis taught by Adrian
Priest and Katie Wood)
Non-physical threats
Internal threats
External threats
Description
ID

Malicious software
11

Insiders misuse IT
12

Systems crash
13

Web development carelessness
14

Attack from hacker, cracker,
15
computer criminal
Table 2: Example table non-physical threats (derived from the course IT risk analysis taught by Adrian
Priest and Katie Wood)
The reason the researcher classifies the risks as in the above table is to let threats be
clear at a glance. What is more, it is simpler to carry out countermeasures from a
clear starting point.
Tiller (2011) indicated a list for organized threats as follows:

Natural threats: flood, fire, earthquake, tornado, mudslide, and so forth,
those “acts of God” can threaten people’s lives and properties.

Human accidental: fire, explosion, crash, operational errors, maintenance
errors, programming errors, hazardous material, medical emergencies.
15

Human deliberate general: terrorism, sabotage, strike, kidnap, vandalism,
riot and the like.

Human deliberate technical: hackers, crackers, cyber criminals, cyber
industrial espionage.

Technical: worms, viruses, spam, Trojan horses, spyware.

Environmental: power outages, water leaks, temperature control failure,
telecommunications failure, and things.
There are always threats that are not being noticed until they display. Additionally,
the list on display might be incomprehensive. Nevertheless, the concepts will give
supports when doing the case research.
Stoneburner, Goguen and Feringa (2002) gave a good example of personal threats
identification. It illustrates the threats-source, motivation and theirs action (see
figure 7 in Appendix). The probability of the occurrence about those risks depends
on the human’s motivation, resources, and abilities. They also proposed that
individuals, organization and procedures should get involved when identify the
risks.
3.4
Risk assessment
Information Security Survey (2008) gave a report that around 52 percent of
organizations do not care about the security risk assessment. Risk assessment is a
part of risk analysis to estimate the level of the risks in the business. Its outcome
helps to refine appropriate controls for avoiding or reducing the risk. When it comes
to IT risk, a measure of it can be defined as a product of probability and impact: risk
= probability * impact (OHSAS 18001, 2007). To identify the risk level, it has to
analyze the potential vulnerabilities and controls in order to conclude the
probability. Vulnerability may become harmful in IT system and impacts awfully to
the business. The magnitude of impacts refers to the relevant value of IT assets and
data or other IT components affected (Stoneburner, Goguen, & Feringa, 2002).
(See table 3 & 4).
16
Likelihood (derived from (Risk management plan final))
Title
Very Low
Score
20
Low
40
Medium
60
High
80
Very High
100
Description
Highly unlikely to occur; however, still needs to be
monitored as certain circumstances could result in this risk
becoming more likely to occur during the project
Unlikely to occur, based on current information, as the
circumstances likely to trigger the risk are also unlikely to
occur
Likely to occur as it is clear that the risk will probably
eventuate
Very likely to occur, based on the circumstances of the
project
Highly likely to occur as the circumstances which will
cause this risk to eventuate are also very likely to be
created
Table 3: Likelihood (derived from (Risk management plan final))
Impact (derived from the course IT risk management (Priest & Wood, 2012))
Title
Very Low
Score
20
Description
Insignificant impact on the business. It is not possible to
measure the impact on the business as it is minimal
Low
40
Minor impact on the business, e.g. < 5% deviation in scope,
scheduled end-date or business budget
Medium
60
Measurable impact on the business, e.g. 5-10% deviation in
scope, scheduled end-date or business budget
High
80
Significant impact on the business, e.g. 10-25% deviation in
scope, scheduled end-date or business budget
Very High
100
Major impact on the business, e.g. >25%% deviation in
scope, scheduled end-date or business budget
Table 4: Impact (derived from the course IT Risk Analysis (Priest & Wood, 2012))
3.4.1
Asset impact analysis
Information assets include hardware, software, systems, and services as servers,
modems, routers, some technology assets such as printers, scanner, shredder and
beamer. If the business relies on technical assets, it will be impacted when those
assets make a loss. It is necessary to consider the impacts on business if the
17
company loses the IT assets in a short term or long term. Virginia Tech IT security
office creates inventory forms of information assets (Risk Assessment for
Information Assets) and categorizes them into critical, essential and standard as
follows (See table 5 & 6 & 7 & 8).
Critical –the organization cannot proceed with the work without this information
asset even in the short term period.
Priority
1
2
Critical Asset
Brief Description
Table 5: Example table critical asset
Essential – the organization could survive with the loss of this information asset
within a week, but eventually the information assets would be in use.
Essential
E
Essential Asset
Brief Description
Table 6: Example table essential asset
Normal– the organization can proceed smoothly without this information asset for
a limited period, whereas, individuals may influence.
Normal
N
Normal Asset
Brief Description
Table 7: Example table normal asset
For a brief description could be consulted from the asset profitability, or the cost to
replace or repair.
Priority
Critical Asset
Related Risk (By ID)
and Comment
1
2
Table 8: Example table related risk to critical assets
3.4.2
Business impact analysis (BIA)
The prioritized critical assets impacting on business are analyzed by cumulative
impact after a period. The objective of the BIA is to assess tangible and intangible
impacts were considering in the worst case scenario (See table 9 & 10).
18
Impact of Unavailability
Impact
Legal implications
Loss of sales
Reduced revenue
Reduced operating capability
Reduced decision making capability
Definition
Fines, penalties, contractual obligations
Loss from selling goods services
Loss of income from loss of sales
Inefficient working
Overwhelmed solutions
Table 9: impact of unavailability (derived from the course IT Risk Analysis (Priest & Wood, 2012))
Cumulative Impact of Effect and Loss Range
Cumulative Impact after a period unavailable
4hrs 8hrs 12hrs 1d 3d 5d 10d 20d
Impact
Legal implications
Loss of sales
Reduced revenue
Reduced operating capability
Reduced decision making
capability
Table 10: Cumulative Impact of Effect (derived from (ISACA))
Grade
1
2
3
4
5
6
7
3.4.3
Effect
Catastrophic
Critical
Major
Severe
Noticeable
Acceptable
Limited
Vulnerability assessment
Vulnerabilities can encompass everything. The applicable vulnerabilities should
determine on the identified risks and its significance to the services to the
organization. Moreover, a new vulnerability may be detected while assessing other
risks (See table 11).
Asset: router
Threat
Human error
Possible vulnerabilities
Employees or contractors may cause outage
19
Forces of nature
Software attack
Technical hardware failure
if configuration errors are made
All information assets in the organisation are
subject to forces of nature unless suitable controls
are provided
Internet Protocol (IP) is vulnerable to denial of
service attack; Can reveal sensitive information
unless suitable controls are implemented
Hardware can fail and cause an outage
Table 11: Example of vulnerability assessment (Derived from core text- (Whitman course
technology/Cengage Learning))
3.5
Risk countermeasures
Organizations give countermeasures in response to the identified threats to mitigate
or prevent damages to business and the company. Countermeasures to physical
security aim at protecting people from a harmful situation, IT assets from theft or
damage. It also protects against unauthorized access to equipment, IT installations,
electronic media and documentation. Furthermore, countermeasures should be
given to dealing with sabotage or espionage.
It should prepare from three phases towards to the identified threat: which
resolution to prevent or reduce the occurrence before it happens, when it is
happening after it causes damages. When planning measures for physical threats, it
can be divided into several steps (Philpott & Einstein, 2011):

Deterrence: such as policies, procedures, technical devices and controls to
protect people and IT assets.

Detection: monitoring for potential breakdowns in protective mechanisms.

Delay: delay getting enough time until security team comes to deal with it.

Response: procedures and actions for responding to a breach

Recovery: plan to continue business and operations like before the incident

Reassessment: revisit the strategic plan to ensure the implementation right
for the incident.
Physical security controls include exterior, entrance, administration, property and
environment. Businesses are convincing enough for burglars to make the theft in
20
the company. To secure office premises for keeping out thieves, damages, attacks,
the company may use self-closing doors, window locks, security curtains or
window, shutters or alarms. In case the building catches fire, fire detection and
extinguisher systems have to be inspected often that they are working. The electric
power needs emergency power failure controls, voltage maintenance, surge
protection and back-up power in case of the power failure. Furthermore, the
humidity control which makes power on needs to be ensured at a normal level.
Internal assets, especially for the server, have to be locked and kept eyes on it. The
otiose extensions should unplug. It is better keeping the important paper
information in the locker and shredding it before throwing out. The policy to warn
employees not putting the sensitive documents on the table when they are not
working on them could make. Moreover, employees should be encouraged to pick
up the documents from printers, faxes, and photocopiers promptly. CCTV cameras
could monitor visitors in case they walk to the sensitive areas.
Referred to non-physical threats, regarding the identified threats example
mentioned in Chapter 3.2, there are four possible consequences (RFC 2828):

Unauthorized disclosure: mainly reflected in
o exposure of sensitive data
o interception of sensitive data in transit
o inference of sensitive data analysis
o intrusion from system breach

Deception: main features like
o an unauthorized entity masquerading as an authorized entity
o falsification of data to deceive an authorized entity
o repudiation

Disruption: performances in
o incapacitation of system operation
o modification of the system function or data
o hindering delivery of services through system operation

Usurpation: mainly in
o misappropriation of system resources
21
o misuse leading to perform wrong function to system
Unauthorized disclosure may occur when users get access to the system through
password, PIN code, or dynamic biometrics. Another possibility is when users get
access to hardware with problems, like memory device. Therefore, it has to stop
unauthorized access to the password file, or install intrusion detection software.
What is more, it is also feasible to use account lockout mechanisms and automatic
workstation log out or encrypted network links. Besides, the company should offer
training for employees and enforce policies with strong passwords rather than a
general one.
Nevertheless, it is still probably hard to keep systems or hardware safe with the
power authentication, such as key loggers. After sneaky people get access to
information assets, systems have to determine whether they have the right to access
a resource. Except reliable information, systems also control the access to the
particular fields in a file or applications. More than one authorization is required.
The administrators could choose the system permission right and its level of people.
Alternatively, individuals have access to certain resources by setting roles
individually. Firewalls are the most general way to prevent routing attacks, protect
vulnerable systems from outside, also regarded as monitoring point.
Attackers intrude packets through an outside source IP address, the best way is to
reject external packets with an inside source IP address. Different attacks with
different resolution, only when they are discovered and found out the attack type,
the countermeasures could work. Thus, it is important to install intrusion
prevention systems. They can block traffic as a firewall by using IDS algorithms.
Not only attacks in non-physical threats, malicious software is another huge
potential risk to pay attention to. Nowadays, it is even more various, the malware
known as virus1, worm2, logic bomb3, Trojan horse4, backdoor5, mobile code6,
auto-rooter7, spammer/flooder8, key loggers9, rootkit10, zombie aka bot11.
The common malware around organization exists during communication, in
transferring information and archiving process. More and more companies are
using email instead of paper to communicate with internal people and clients. It
22
allows simple, auditable information with multiple parties and more convenient to
transfer records.
However, the convenience may become adverse because it is same easy to spread
viruses. Therefore, a well-publicized and sensible e-mail policy that all staff is
aware of should be established in the business. The policies can consider the
requirement for permission before transmission of documents or possible control of
types of file transmitted. Organizations may monitor e-mail legally on its own
system.
Removable storage is an excellent device for data leakage. The use of facilities such
as Truecyrpt allows companies to ensure that all data on removable storage
encrypted. It is also possible to manage the ability of users to copy files to flash
disks.
Backing up and archiving play important roles in business security. The malware is
easy to be injected through SQL injection in systems. Only safe input is allowed in
the construction of a command. There is another important countermeasure to be
noticed, companies must apply security patches and upgrades on time to protect the
systems.
3.6
Risk reduction
One of the objectives of risk management is to avoid, transfer or mitigate the risks;
also to reduce the bad effects on the organization has to be created.
Recommendation of measures is taken to protect the business with priorities.
Evaluating risks begins to set up the priority of them according to their probability
of occurrence and its impact on business (Risk Plan). The priority score is supposed
to be counted as follows (See table 12 & 13 & 14 & 15):
Priority = (Likelihood + Impact) / 2
ID
Threats
Likelihood
Impact
1
2
3
Fire, smoke
Natural disasters
Loss of essential
20
30
30
20
30
70
Priority
score
20
30
50
Rating
Very low
Low
Medium
23
services
Table 12: Example of risk priority (derived from the course IT Risk Analysis (Priest & Wood, 2012))
The Rating bases on the calculated Priority score. Rating is determined as follows:
Priority Score
0 – 20
21 – 40
41 – 60
61 – 80
81 – 100
Priority Rating
Very low
Low
Medium
High
Very High
Table 13: Priority score (derived from the course IT Risk Analysis (Priest & Wood, 2012))
The following table is used to color-code the identified risks:
Priority Rating
Very low
Low
Medium
High
Very High
Color
Blue
Green
Yellow
Orange
Red ©
Table 14: Color coding for priority rating (derived from the course IT Risk Analysis (Priest & Wood,
2012))
A risk plan provides a priority form for countermeasures to take for each risk. To
minimize the probability of occurrence, people should take the preventative
actions. People are supposed to take the contingent actions to reduce the impact.
Persons and time for taking care of the risks are important too. For example:
Rating ID Preventative Action
Action Contingent
Actions
Resource Date
Actions
High 7 Install
IT staff
ASAP Pinpoint
firewall
exactly
what the
problem is
Table 15: Example of schedule for risk reduction (derived from (Risk Plan))
Action
Resource
IT
people
Action
Date
When it
happens
24
4
4.1
CASE STUDY
Case overview
The researcher chose the company to be the study case because the researcher
worked there as an intern for a while. The permission to manage IT risks in the case
company admitted, meanwhile the company supported researcher to do the research
in the business.
Case company has been trading for years in a 1 storey office, in a building that
provides intellectual property monetization and research on global scale services.
IP commercialization services, technology-driven M&A, and strategic advisory
service are offered to all potential clients. The company is not an IT company, but
relies on IT to survive.
Twenty-one people worked there when researcher arrived in the company. Three
people including IT leader worked for the IT department, four partners who launch
the company, 1 HR, the remaining people work on the business department, their
work includes consulting, scouting, analyzing the patents and connecting clients.
Besides, everybody in the company has a computer with two screens for business.
Two servers support the system. Two phones prepared in the company for clients
calling.
The construction of the premises described as bellow (See figure 5 & 6). It is
helpful for the researcher to identify and evaluate the physical potential risks
through the structure.
Interior:
25
Figure 5: Basic layout t of the organization’s office
Exterior:
Figure 6: Basic layout t of the premises
26
4.2
IT risks identification
There are IT risks being discovered in common as some malicious software,
attackers and the like. Nevertheless, many threats are decided by the people’s
behavior, habits, and awareness. Before the researcher discovers the threats in the
company, the interviews and observations are able to give some hints about the
existing threats and their level.
The researcher categorized physical threats into natural, human and environmental
threats for better reading and understanding the risks. Geographical location and its
weather condition should be considered when identifying the risks. As Information
Security Standard listed, natural threats such as floods may threaten the IT assets in
the company. The case company locates in the Alps with higher elevation causing
more rain and snow. It belongs to humid continental climate. Thus, in late spring
and the whole summer, showers and thunderstorms appear most often. Considering
these natural factors, the natural threats are identified as below.
For human threats, owing to the lack of entrance access, frauds and thieves are
possible to get into the building and office to make theft. There were quite many
people visiting the office, such as postmen, customers, students, deliverymen. It is
hard to recognize everyone who comes over the office. It could be a risk for IT
assets. Errors and negligence could happen with every person. The researcher
observed that most employees like to put their coffee or water next to the PC. If they
spill out their drinks by accident, it may break a connection or damage the sensor of
PCs.
The case company mainly hires interns, thus, the staff is not always stable.
Anybody may leave the office any day. It happened when the researcher was
involved with the business, that intern left after two weeks because of his visa
problems. So not so much time to hand over his tasks and people complained about
the work he left behind. Long term power and telecommunication failures are
always a risk because it is not that easy to control by the companies.
Physical threats
Description
ID
27
Natural threats

Natural disasters
1
 Thunderstorms, PCs are easily
interfered; circuit boards melted, easy
to catch fire.

Loss of essential services
2
 Incorrect temperature,
 Incorrect humidity causes PCs strike.
Human threats

Malicious action
3
 Frauds and thieves or make the theft
of IT assets or staff belongings.

Errors and negligence
4
 Insiders destruct IT assets by accident,
e.g. spilling water on IT assets by
accident;

Environmental threats
Loss of staff
 IT people leave with loads of
unfinished IT tasks without making it
clear.
 Long-term power failure
5
6
 Electricity cut off by accident
 Loaded consumption.

Telecommunication failure
7
 Internet connection failed
 Telephone services failed.
Table 16: Identified physical threats (case company)
Malicious software nowadays becomes very vital to the information system. Not
only could the malware be installed by criminals or hackers, but also could be
carried inside the programs or emails or other vulnerable software. The malicious
software listed below (see table 17) were common malware derived from the course
IT Risk Analysis (Priest & Wood, 2012) which may appear in the case company.
The researcher got to know that there is no malware detected yet in the case
company. Whereas, it cannot be judged whether malicious software will ever come
to the company. There are always errors by accidents that no one can expect. No
matter the organization or the individuals have to take this risk and try to minimize
the damage.
28
The threats described in Insiders misuse IT are based on the interviews and
observations. IT people interviewed told that it had happened before, that an IT
intern deleted the database file by accident; it was too late to realize the mistakes
until the system did not work well. It took two days to repair. Hence, mistakes
cannot be expected, the only action to take is to reduce the damage. Moreover, the
researcher observed people from business and IT department and found that people
load some unknown software during work. Besides, a few people leave the office
during break lock their PCs or just shut down the PCs without stopping the
programming that is running. It could be a leak for cyber-criminal to attack.
System crash happened in the case company once because of the unorganized
access given to the students. From the interview of IT people, the research got to
know the system developed by students too. Hence, there was one special server for
students to test their work. However, some students just uploaded their work
without downloading the previous version of the system; it caused the system to
crash and the server was down. The researcher assumed that it might happen again
if no actions were to be taken.
On the account of the lack IT people in the case company, the security of web
development tools might be dismissed. Due to the responsibility of the IT security,
the researcher as an IT intern worked to develop the system during check the
security problems which are listed below (see table 17).
As Venafi researched, cyber-criminal and hackers are the most dangerous risks for
organizations. The risks shown below (see table 17) of external threats were
derived from the course IT Risk Analysis (Priest & Wood, 2012).
Non-physical threats
Description

Internal threats







Malicious software:
Email pushing, spoofing and apps
Virus
Worm
Logic bomb
Trojan horse
Backdoor
Mobile code
ID
8
29






Auto-rooter
Spammer/flooder
VOIP
Keyloggers
Rootkit
Zombie aka Bot

Insiders misuse IT
 An employee accidentally deletes or
falsifies, corrupts data in dropbox.
 Loading untested and insecure
software on a machine
 Shut down the computer directly
without stopping the working
programs.

9
Systems crash
 Server crash making the files on a
hard disk unrecoverable

10
Web development carelessness
 Cross- site Scripting or XXS
 SQL injection
11
 FTP Credential theft
 PhpMyAdmin (database used in the
case company): the biggest threat is
that someone could use an exploit to
read the plain text
username/password.
External threats
 Resuqe (run commands in the
background, also used in the case
company): without authentication,
everything is exposed.
 Attack from hacker, cracker,
computer criminal
 Brute force attack
 DoS stands for Denial of Service,
 Eavesdropping
 IP address spoofing through net
access
 Source route attacks through net
12
30
access
 Attack servers through LAN access
 Tiny fragment attacks through
TCP/IP
 Hacking system by vulnerabilities.
Such as if people don’t log out
website or click the checkbox: stay
signed in.
 Cookie theft
 Session hijacking
Table 17: Identified non-physical threats (case company)
The threats identified above (See table 17) were referred to the common threats
happened, researcher assumes it will occur in the case company, as well. Some of
the threats were identified based on the physical factors, system usage, and so on,
from interviews and observation.
The inquiry is about the intranet system they are using in the organization. The
system crashed once before, thus, the researcher was eager to know what happened,
how it happened, and how it solved. The main reason was about the authentication
access. Because many IT students were doing projects on the intranet system,
before the system crashed, everyone had the right to change the codes and deploy to
the server. Therefore, without carefulness, the server was down and didn’t work
anymore. This incident would happen again if they did not find a solution.
To observe people’s behavior, it will help the researcher to evaluate the potential
threats.
4.3
IT risks assessment
Asset impact analysis, business impact analysis and vulnerability assessment
formed the IT risks assessment for the case company. The information assets in the
organization include a shared printer, a shredder, servers, PCs, networking
components, and confidential assets such as spreadsheets, documents, electronic
documents, images, emails from customers or projects and other records.
31
4.3.1
Asset impact analysis
The researcher enabled to find out the information assets and assess its situation and
analyze the asset's impact for the organization, (See table 18).
Priority
1
Critical Asset
Servers
Brief Description
Daily used intranet website for staff
in the organization, also backups in
the server, information stored in
servers will make the main
profitability for the organization. It
will cost a lot and take long time to
install everything if the servers don’t
work.
2
Essential
E
Network components
Network supports the intranet
(modems, routers, cables, and website and business to work. The
so on)
organization may spend some
money to repair or replace.
Essential Asset
Brief Description
PCs
There are enough PCs to use for
employees, if their PCs are down;
there are always spare ones to use.
Indirect profitability for business.
Could cost a lot of money to replace.
E
Backups
Normal
N
Normal Asset
Shredder
Important files such as spreadsheets,
documents, emails and other records
always have at least two backups.
That information may be the
business secrets, and result in direct
profits.
Brief Description
It will cost some money to repair or
replace.
Table 18: Asset impact analysis (case company)
The consequences of non-physical threats had concluded in the previous Chapter
3.4. The risks identified would give rise to the mentioned consequences. Researcher
gave some explanations for IT assets and analyzed the related risks to the critical
assets which indicated as follows (See table 19):
Priority
Critical Asset
1
Servers
Related Risk (By ID) and
Comment
Related risks:
3: Malicious action
4: Errors and negligence
32
6: Long-term power failure
8: Malicious software
9: Insiders misuse IT
10: System crash
11: Web development carelessness
12: Attack
2
Network components
(modems, routers, cables, and
so on)
Comment: servers stored all the
information and also backups, once
servers being stolen, or out of power,
or any damages from insiders and
outsiders, the organization may be
out of work and business.
Related risks:
3: Malicious action
4: Errors and negligence
7: Telecommunication failure
8: Malicious software
12: Attack
Comment: network components
could be an easy way to get access to
the servers and PCs without
authentication. Those related risks
may cause problems to IT assets.
Table 19: Related risks to critical assets (case company)
4.3.2
Business impact analysis
Business means everything to any organization. If information technology is
unavailable for a while, especially for companies who rely on it, loss will be made
somehow. According to the scenario in the case company, including its business
situation and the usage of the information technology, researcher concluded the
business impact of IT unavailability as below (See table 20 & 21). The impacts
mainly focus on intangibility because the tangible resources restrains.
Impact of Unavailability
Impact
Highly costly loss of
tangible assets or
resources
Loss of sales
Reduced revenue
Definition or Comment
If the tangible assets such as servers or backups breaks
or out of use, it will cost a lot to repair or totally
abandon.
Customers do not satisfy anymore with a bad
reputation or failure of the project in the organization.
Loss of sales and make less money for the
33
Reduced operating
capability
Reduced decision
making capability
Reduce the assurance of
an IT system
Loss of productive time
and operational
effectiveness
Loss of public
confidence
organization
Leaders in the company may make wrong decisions
Leaders may make overwhelmed solutions with
business cases and mislead the business.
If data is modified or destructed, resulting in the loss
of integrity, the broken data may lead the people to
make inaccurate and wrong decisions.
If denial of service happens, IT systems are
unavailable to its end users; the projects may be
affected.
Data confidentiality refers to the protection of
information from unauthorized disclosure. Weak
protection of information may lead to disclosure of
private data, also may result in legal action against the
company.
Table 20: Business impact of unavailability (case company)
Cumulative impact of business effect deduced from the situation which researcher
understood from the company, containing the previous IT incident which
researcher knew from interviews and own experience in the organization and
observations.
Cumulative Impact of Effect
Impact
Highly costly loss of tangible
assets or resources
Loss of sales
Reduced revenue
Reduced operating capability
Reduced decision making
capability
Reduce the assurance of an IT
system
Loss of productive time and
operational effectiveness
Loss of public confidence
Table 21: Cumulative Impact of Effect
Grade
1
2
3
4
Effect
Catastrophic
Critical
Major
Severe
Cumulative Impact after a period unavailable
4hrs 8hrs 12hrs 1d 3d 5d 10d 20d
6
7
7
6
5
7
7
6
4
7
7
6
3
6
6
5
1
5
6
4
4
6
3
2
5
1
5
5
5
4
3
2
1
4
3
2
1
7
5
7
5
7
4
6
3
4
2
1
1
1
3
34
5
6
7
4.3.3
Noticeable
Acceptable
Limited
Vulnerability assessment
Vulnerability assessment is aimed to find out the possible vulnerabilities for
information assets in the organization. The critical and essential assets analyzed in
details (See table 22-25).
Asset: servers
Threat
Malicious action
Errors and negligence
Long-term power failure
Malicious software
Insiders misuse IT
System crash
Web development carelessness
Attack
Possible vulnerabilities
Malicious people may break the security and
steal or destroy servers on purpose.
Employees may cause an outage by errors.
Power failure may cause servers outage and
effect on work.
Malicious software may cause an outage,
seriously may lead to data breach or data
modification unless suitable controls take.
Insiders may become vulnerable easily for
malicious software without their carefulness.
Crashed system may have loaded storage
without noticing and cause an outage.
Web development may ignore the vulnerability
and forget to enhance patches for the system.
Any attack on purpose may get every
information they want to get, through SSH,
freenas server, remote, DoS, eavesdropping, IP,
LAN, anything without necessary patches.
Table 22: Vulnerability assessment for servers
Asset: Network components (modems, routers, cables, and so on)
Threat
Possible vulnerabilities
Malicious action
Sneaky people may cause outage
if configuration errors are made
Errors and negligence
Employees may cause an outage of those
components by accidents.
Telecommunication failure
Network in the organisation may be out of use
due to its failure.
Malicious software
Malicious software may pass through routers
which have been connected to lots of machines; if
the machine is lack of protection, malicious
software may control the machine and get access
to other IT assets.
35
Attack
Attack may start from monitoring network, there
are monitoring network software to capture the
authentication token (often a cookie) used to
represent a user's session with an application;
Table 23: Vulnerability assessment for network components
Asset: PCs
Threat
Errors and negligence
Insiders misuse IT
Malicious action
Malicious software
Attack
Possible vulnerabilities
Employees may destruct PCs by accidents.
Employees may misuse PCs and give rise to data
leakage.
Sneaky people may get access to the machines
when employees don’t lock their PCs and leave it
alone.
Malicious software may pass through unpatched
software installed on the machines; also when
employees surf the unsafe websites and click
something with virus.
Attack may go through websites people have
browsed in order to capture the authentication
token (often a cookie) used to represent a user's
session with an application; also to guess their
password, masquerade users.
Table 24: Vulnerability assessment for PCs
Asset: Backups
Threat
Errors and negligence
Malicious action
Malicious software
Attack
Possible vulnerabilities
Insiders may delete the backups by accident.
Sneaky people may get access to the machines
and modify or delete the backups.
Malicious software may destroy the backups.
Attackers may do damages to the backups and
lead to unrepairable data.
Table 25: Vulnerability assessment for backups
4.4
Countermeasures
The appropriate countermeasures for each identified threat in the organization are
addressed (See table 26 & 27).
Physical threats
Natural disasters:
 Thunderstorms, PCs are easily
interfered; circuit boards melted,
easy to catch fire
Countermeasures
Always switch off machines when there
is a thunderstorm. Also, disconnect
broadband router from the telephone
line and electricity socket.
36
Fire detection including heat sensors,
smoke detectors, and auto-dial fire
alarms if it is possible.
Loss of essential services:
 Incorrect temperature,
 Incorrect humidity causes PCs
strike.
Malicious action:
 Frauds and thieves or burglars
make the theft of IT assets or
staff belongings
Errors and negligence:
 Insiders destruct IT assets by
accident, e.g. spilling water on
IT assets by accident;
 Drown PCs near unclosed
windows by unexpected heavy
rainwater.
Loss of key staff:
 Key IT people leave with loads
of unfinished IT tasks without
making it clear.
Long-term power failure:
 Electricity cut off by accident
 Loaded consumption.
Telecommunication failure:
 Internet connection failed
 Telephone services failed
Extinguisher system including wet pipe,
dry pipe if it is possible.
When the weather is abnormal, try to
keep right temperature and humidity in
the office.
Basic building security such as locks for
doors and windows between rooms,
security curtains and alarms.
These threats are hard to prevent.
Guidelines or principles in the
organization could help people remind
to protect assets.
The threat is unexpected; the only
solution is to find the next one who can
take the responsibility.
Electricity is cut off by unknown
reasons suddenly, remind employees to
save their work anytime just in case.
It is hard to avoid.
If the internet connection fails, make
calls ask for technical support.
If telephone service fails, use cellphone
to make calls for technical support.
Table 26: Countermeasures for physical threats in the case company
Non-physical threats
Malicious software
 Email pushing, spoofing and
apps
 Virus
 Worm
 Logic bomb
 Trojan horse
 Backdoor
 Mobile code
Countermeasures
Install anti-malware and anti-virus
protection on every machine in the
organization.
Keep programs and hardware up to date.
Remind employees not to click any
pop-ups on websites.
37






Auto-rooter
Spammer/flooder
VOIP
Keyloggers
Rootkit
Zombie aka Bot
Insiders misuse IT
 An employee accidentally
deletes or falsifies, corrupts data
in shared local disk.
 Loading untested and insecure
software on a machine
 Shut down the computer directly
without stopping the working
programs.
System crash:
 Server crash making the files on
a hard disk unrecoverable
Web development carelessness
 Cross- site Scripting or XXS
 SQL injection
 FTP Credential theft
 PhpMyAdmin (database used in
the case company): the biggest
threat is that someone could use
an exploit to read the plain text
username/password.
 Resuqe (run commands in the
background, also used in the
case company): without
authentication, everything is
exposed.
Inform employees to back up their work
at least twice.
The removable storage may carry the
virus; inform employees using it as less
as possible.
Install firewall to monitor the
downloading if there is any possible
attached virus.
Set up a system for backups every day
on time in case the server crash and all
data disappear.
Inform IT people when they develop a
system with full attention and
carefulness.
Cross-site scripting: using scanner
software to detect vulnerabilities and
then fix whatever people find.
SQL rejection can prevent it by scanning
for problem code and fixing it.
Credential theft: Microsoft gave the
countermeasure for this threat.
(http://msdn.microsoft.com/en-us/librar
y/ff648641.aspx):
PhpMyAdmin: (How to secure
phpMyAdmin)(http://stackoverflow.co
m/questions/2631269/how-to-secure-ph
pmyadmin)
Resque: make authentication settings
Attack from hackers, crackers,
computer criminal
 Brute force attack
Redmine: secure people’s Redmine by
patching Ruby on Rails.
Install Brute force detection software , it
will alert people
38
 DoS stands for Denial of
Service,
 Eavesdropping
 IP address spoofing through net
access
 Source route attacks through net
access
 Attack servers through LAN
access
 Tiny fragment attacks through
TCP/IP
 Hacking system by
vulnerabilities. Such as if people
don’t log out website or click the
checkbox: stay signed in.
 Cookie theft
 Session hijacking.
Install firewall in every machine in the
organization.
Inform people to clear their cookies on
the often used website every two weeks.
Tell employees to encrypt their
important documents and files.
Change password for wireless network
every three months.
Change passwords for all servers every
three months.
Table 27: Countermeasures for non-physical threats in the case company
4.5
Risk reduction and recommendations
Researcher deliberated on the scores of likelihood and impact from interview and
observation, although the information was limited (See table 28).
ID
Threats
Likelihood
Impact
1
2
Natural disasters
Loss of essential
services
Malicious action
Errors and
negligence
Loss of key staff
Long-term power
failure
Telecommunication
failure
Malicious software
Insiders misuse IT
System crash
Web development
carelessness
Attack
20
20
3
4
5
6
7
8
9
10
11
12
Rating
60
20
Priority
score
40
20
Low
Very low
40
50
80
50
60
50
Medium
Medium
20
60
80
40
50
50
Medium
Medium
60
40
50
Medium
100
80
60
80
80
60
80
80
90
70
70
80
Very high
High
High
High
60
100
80
High
Table 28: Priority of each risk in the case company
39
The schedule for the case company to deal with the potential risks could be very
significant. It tells their most important thing to secure their IT (See table 29).
40
Rating
Very
high
ID
Preventative Actions
8
Install anti-malware and
anti-virus on every machine.
Keep programs and software
up to date.
Remind employees do not
click pop-ups on websites.
High
High
9
10
Action
Resource
IT people
IT people
and
employee
IT manager
Inform employees to back up
their work documents at least
twice.
IT people
and
managers
Inform employees using
removable storage as less as
possible.
IT people
and
managers
Install firewall to monitor the
downloading.
IT people
Set up a system for backup
every day on time.
IT people
and IT
manager
Action Date
Contingent Actions
Action
Action Date
Resource
IT people and When the
managers
malicious
software
infects at least
one machine
already
When start
machines’
configuration
Cut off the internet or
electricity to prevent all the
information disclosed, call
technical team to repair.
ASAP
Reduce the damage and ask IT Employees
people in the company for
helps
When the
assets stop
working
ASAP
Ask IT people for helps.
When the
assets stop
working
Employees
41
High
11
Inform IT people when they
develop the system with full
attention and carefulness.
IT manager
Cross-site scripting: using
scanner software to detect
vulnerabilities and then fix
whatever people find.
SQL rejection can prevent it
by scanning for problem code
and fixing it.
Credential theft:
http://msdn.microsoft.com/en
-us/library/ff648641.aspx
PhpMyAdmin:
http://stackoverflow.com/que
stions/2631269/how-to-secur
e-phpmyadmin
Resque: make authentication
settings
IT people
IT people
IT people
IT people
IT people
Redmine: secure people’s
IT people
Redmine by patching Ruby on
Rails.
Every month
Reduce the damage on
Employees
business and ask IT people for
helps
When the
assets stop
working
42
High
Medium
Medium
12
3
4
Install Brute force detection
software, it will alert people
Install firewall in every
machine in the organization.
IT people
ASAP
Cut off internet or electricity,
and use the backup to run the
system again.
IT people
Once the attack
has been
detected.
Inform people to clear their
cookies on the often used
website every two weeks.
Tell employees to encrypt
their important documents
and files.
Change password for wireless
network every three months.
Change passwords for all
servers every three months.
Basic building security such
as locks for doors and
windows between rooms,
security curtains and alarms.
IT people
and IT
manager
IT people
and IT
manager
IT people
Managers
ASAP
Cut off internet or electricity,
and use the backup to run the
system again.
Department
When it’s
discovered
Make an IT notebook for
guidelines and principles
IT people
and
managers
ASAP
Try to reduce the damage on
Employees
IT assets, if not, ask IT people
for helps.
When the
assets stop
working
IT people
IT people
43
Medium
5
Unexpected threat, hard to
prevent
Medium
6
ASAP
Medium
7
Remind employees to save
IT people
their work anytime just in case and IT
manager
Unexpected threat, hard to
prevent
Low
1
ASAP
Very low
2
Fire detection including heat
Managers
sensors, smoke detectors, and
auto-dial fire alarms if it’s
possible. Extinguisher system
including wet pipe, dry pipe if
it’s possible.
Unexpected threat, hard to
prevent
Table 29: Schedule for risk reduction and recommendations (case company)
Find the next one who can
Managers
take the responsibility of the
person who left the company.
Call the power company to fix Department
it
Make calls to the technical
people to repair
Department
Put out the fire or call fire
brigade
Employees
Reduce the damage on IT
assets
Employees
When it
happens
When the
power stop
working
When the
telecommunica
tion stop
working
When it
happens
When it
happens
44
5
DATA ANALYSIS
The research is aimed to find out if the hypotheses by the author and answer for the
research question matches. The hypothesis, that inadequate anti-virus and
anti-malware protection is the biggest threat in the case company, verifies through
interviews and observation into groups.
The questions to technical department were different from others, in order to know
how manager department dealt with the problems and whether their actions worked.
In manager department, only one manager took charge of IT and technical affair.
The interview for this department was mainly specific for him. Answers by
technical manager from manager department were given as follows (See box 1):
Q1: What was the IT problem happened before?
–
The server for project students ‘testing was totally crashed and out of use.
Q2: What caused the problems?
–
Unorganized access rights. Everyone had the right to deploy their own work
on the server in order to test if their work was working. If the student didn’t
import the previous student’s codes and deployed his new codes, once there
were conflicts between their codes, the system must crash over and over
again.
Q3: How long did it take to solve it?
–
It never solved. The server for students testing was abandoned.
Q4: Why not solved?
–
IT people tried, but because there were so many students deployed their
codes on the server perhaps in the meantime, and it’s very complicated and
time-wasting to revert their codes one by one, hence, there was no way
except abandoned the server.
Q5: Are you now having a solution for this problem just in case if it happens again?
45
–
Anyone who wants to test his work on the server must ask IT people for
access password, also they have limitations on the server, for example they
only have the access to import the correct codes which are perfectly
working on the production server for business people, but no access to
deploy to production server.
Q6: Who is to ask for the access passwords?
–
IT team leader and technical manager
Q7: Does the same problem happen again?
–
Not yet
Q8: What anti-virus and anti-malware are installed on machine?
–
Microsoft Security Essentials
Q9: Why chose this software to be your protection software?
–
It’s free and build-in software.
Q10: How do you think about the software?
–
It’s okay; at least there is no virus and malware showing yet.
Q11: Have you thought to change better anti-virus software?
–
Nope, we don’t want to spend lots of money on it.
Box 1: answers given by manager department from interview
The questions from Q1 to Q7 in the Box one indicated that the technical manager
realized the risk after it happened and took actions to prevent. It was a great idea for
project students to work individually and combine their codes to the existed system
codes, but it had to fail without effective and correct disciplines for deploying codes.
They were aware that the proper limitations could prevent the system to crash.
From Q8 to Q11, it illustrated that the expenses and convenience for the company
on the protection software were the most important factor to be concerned about.
46
Moreover, they thought the protection was so far so good, because nothing
happened yet.
Answers for each question were prepared in interviews. During interviews,
researcher asked questions and people to select one of the answers. The outcomes
by IT department and business department showed in box 2. There were two IT
people and two people from the business department being interviewed. The coding
is as follows: I1 = IT leader, I2 = IT intern. B1- B2 = business interns (See box 2the answer like “A/B” means people have different answers).
Q1: Will you let browsers save passwords on intranet system?(web development
carelessness) (Yes, every website/ Not every website, it depends on if I can trust the
website)
–
I1 - I2: Not every website, it depends on if I can trust the website.
–
B1 - B2: Yes, every website.
Q2: How often do you change your password on the intranet system?( web
development carelessness) (Very often/Sometimes/Never)
–
I1 - I2: Never
–
B1 - B2: Never
Q3: How often do you clear your cookies? (attack)(Every week/Every
month/Never)
–
I1 - I2: Every week
–
B1 - B2: Every month
Q4: Will you log out websites before you shut down computer? (attack)(Every
time/Sometimes/ Never)
–
I1 - I2: Never/Every time
–
B1 - B2: Never/Every time
Q5: Do you upgrade software on your machine often? (attack)( Every time when
47
the notification shows/ Sometimes/ Never)
–
I1 - I2: Never/Sometimes
–
B1 - B2: Every time when the notification shows
Q6: Have you ever clicked pop-ups on websites? (malicious software)( Yes/No)
–
I1 - I2: Yes/No
–
B1 - B2: Yes/No
Q7: Why did you click the pop-ups on websites or in emails (for people who
answered Yes)?( Wrong clicking/ Curiosity)
–
I1 - I2: By wrong clicking
–
B1 - B2: Curiosity/Wrong clicking
Q8: Will you turn off computer directly when you leave? (misuse IT)(Every
time/Sometimes/Never)
–
I1 - I2: Never/Sometimes
–
B1 - B2: Sometimes
Box 2: answers by IT department and business department from interview
The questions were asked to determine the likelihood for the identified threats.
From the given answers, even the interview was in groups, some answers did not
have much difference.
However, the box two provided some information, for instance, saving passwords
seemed to be convenient for users, but it is risky because it will give a chance to
someone who may steal the FTP credential. On this question, business people are
more aware of the convenience.
Masquerading the user and make information exposed are easy without changing
passwords. Unfortunately, all people involved in the interview provided the answer
that they never changed the password on websites. People like to use the same
passwords for different websites, once the password lost; intruder may make other
48
thefts on the websites people are usually browse. Hence, password is a significant
problem.
Same as cookies, it contains the authentication token, once the cookies exposed,
anyone could represent a user’s session with an application and so easy to attack the
system. People from the IT department were more careful with the cookies and
clear it every week; it is a very good way to protect their information.
What is more, hackers could hack the system by vulnerabilities such as if people do
not log out website or keep signed in or old programs without patches. Interviewees
from both departments gave the answer they never log out the website. Thus, the
possibility the system being hacked was raised.
People clicked the pop-ups on websites by mistakes and curiosities. Malicious
software is easy to install automatically on machines. Insiders’ misuse IT will
damage the machine or lead to data lost.
Observation was conducted by concerning the reality of the interview and new
discoveries missing from the interview data. Observers were technical manager,
random people whoever leaving their machines alone and browsing social media
website in the case company and IT interns when applying codes, was selected
randomly from each department.
Started from manager level, technical manager knew to protect machines by
anti-virus software, but without checking the security level of the software.
Researcher pointed out that free anti-virus may not cover much protection for safety.
Nevertheless, for the case company, they are not willing to pay for anti-virus
software. From researcher’s side, it may be not necessary to pay that much on
anti-virus now. Nevertheless, as the company develops and gets stronger,
especially for a company who relies on the information system to do business, it
will attract lots of troubles to come after without a precise protection. When
researcher was in the case business, the potential chances to become a bigger
company were foreseen. A good anti-virus protection is impending and needed.
Unfortunately, researcher found that the company did not plan to do so even when
researcher left the company.
49
Moreover, something like IT usage instructions was not able to see in the case
company. People used IT as their way and their habits. Water, food could be seen
often near their machines. The spilling water or food may lead to machine’s strike.
There were lots of people, as students, postman, clients, and someone people
coming without appointment came in and out of the company. During lunch break,
researcher left later on purpose to check the situation and found that employees
usually put their belongings upon or under the table. It is okay when the insiders are
around. However when all people leave and sometimes even there is no one in the
big office, meanwhile the door keeps open, it is very dangerous.
More worthy of noticing, more than half machines including IT and business
people’ were not locked when people left. Also, someone kept their webpages open,
some documents showed through the whole screen. If someone intrudes when
everybody leaves, how huge loss will take because of this?
Everybody in the company browse social media websites during work, for work,
entertainment, relax. It increased the possibility of getting virus because there are
always pop-ups on those social media.
Furthermore, researcher found no matter how many times to inform other IT people
to be careful with the codes when helping project students to deploy their work on
the staging server (which is used for IT people to test), the staging server is always
crashed. Thus, the codes have to be reverted and the correct codes deployed again.
50
6
CONCLUSIONS
When developing the intranet system, whoever the IT people or project students are,
carelessness is the most dangerous for system crash. Without clear disciplines for
IT usage, making loss is about time. Employees in the company should be educated
to strengthen their IT security awareness and teach them how to reduce the risks.
How people use information system is based on their benefits, convenience is the
first thinking condition. People with IT risks awareness care more about the
information disclosure. Lack of IT knowledge can become vulnerable for attackers.
Risk consciousness is low in the company because business goes smoothly with
information technology. Only when the risks turn to be an event and cause loss, the
company starts to take action to decrease the loss. People think their surroundings
are safe without an obvious sign of distress.
On the whole, the top management decision is the key of the IT security factors in
the case company. In addition, insiders’ behavior and their awareness can enhance
or lessen the risks.
Owing to the case company relying on information system to survive, and its data is
much more worth, weak anti-virus software protection might lead to the data breach
and ruin the business. A lagging action taken by manager side will bring more
troubles and loss to the company. People think it is perfectly safe because there is
no loss having made since years by using this anti-virus software. Losses mean
risks. The anti-software software had not installed until researcher left the company;
even there were instructions and warnings. Ignoring the existing problems could
threaten the case company.
From the researcher’s opinion, inadequate anti-virus software protection is the
biggest threat for the case company, and because the manager decided to ignore the
existing problems, it will threaten more.
51
7
7.1
DISCUSSION
Limitations
Due to the limited resource and time, there was only one technical manager, two IT
people, and two business people being interviewed. Identified risks in the case
company consisted of a part of the referred previous literature. Besides, still risks
have not been found yet because of the limited hits, but it does not prove the
unfound risks do not exist. The question asked in the interview did not cover all
sides of IT risks, and the answers from people were very simple, not much time to
ask deeper questions. The data might not be collected completely and may lead to
mistakes. Observations are subjective and it is difficult to compare the outcome in
different time and from different people.
However, the research firmly believes that there will be more findings and
discoveries in the future studies.
7.2
Validity and reliability
In qualitative research, validity might be defined by authenticity, depth and the
scope of data collected (Winter, 2000). The data gathered from interviews and it
was honest and true. The research is valid because the real inquiries and observation
conducting in the case company with permission. All employees in the business use
computer for daily work, researcher as one of the employees in the case company
was able to get the first hand information.
Reliability in qualitative research could address as stability of observations, parallel
forms, inter-rater reliability, which their common property is to be continued once
and once again (Denzin & Lincoln, 1994). For the reliability of this study, interview
and observation were divided into groups. They have different background,
experience, awareness, knowledge, but some of their answers were similar in an
interview. Observation was implemented carefully without influences on people
during work, breaks, off work. The observation is stable. The days to observe were
52
chosen randomly to see if their behavior was unintentional or became habits
already.
7.3
Future study suggestion
As was mentioned before, the number of interviews was limited because of the
company scope and resources. Ticking time restrained the range of the questions. A
questionnaire might be a good choice to cover more questions and may get more
data from different departments. Quantitative research method might help to
summarize the conclusion, as well.
53
PUBLISHED REFERENCES
DTI Information Security Breaches Survey (2006)..
OHSAS 18001. (2007). "Risk is a combination of the likelihood of an occurrence of
a hazardous event or exposure(s) and the severity of injury or ill health that can be
caused by the event or exposure(s)" .
Information Security Survey. Departent for Business Enterprise and Regulatory
Reform. (2008).
ISO 31000. (2009).
Cadle, J., & Yeates, D. (1991). Project Management for Information Systems.
Cannell, C. F., & Kahn, R. L. (1968). Interviewing.
Cohen, L., Manion, L., & Morrison, K. (2007). Research Methods in Education.
CR, K. (1985). Research Methodology-Methods and Techniques.
Creswell, J. W. (2008). Educational Research: Planning, Conducting, and
Evaluating Quantitative and Qualitative Research.
Denzin, N. K., & Lincoln, Y. S. (1994). Handbook of Qualitative Research.
Edmonds, W. A., & Kennedy, T. D. (2013). An Applied Reference Guide to
Research Designs.
Ghauri, P., & Gronhaug, K. (1995). Research Method in Business Studies.
Hopkin, P. (2010). Fundamentals of Risk Management.
Oppenheim, A. (1992). Questionnaire Design, Interviewing and Attitude
measurement.
Philpott, D., & Einstein, S. (2011). The Integrated Physical Security Handbook.
Priest, A., & Wood, K. (2012). IT Risk Analysis.
54
RFC 2828. (n.d.). Internet Security Glossary.
Robson, C. (2002). Real World Research .
Shipman, J., Wilson, J., & Todd, A. (2009). Introduction to Physical Science.
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for
Information Technology Systems.
Strauss, A., & Corbin, J. (1998). Basics of qualitative research.
Tiller, J. S. (2011). Adaptive Security Management Architecture.
Trochim, W., & Donnelly, J. P. (2007). The research Methods Knowledge Base.
Tuckman, B. W. (1972). Conducting Education Research.
VMIA. (2010). Risk Management: Developing & Implementing a Risk
Management Framewrok.
Westerman, G., & Hunter, R. (2007). IT Risk: Turning Business Threats into
Competitive advantage.
Whitman course technology/Cengage Learning. (n.d.).
Winter, G. (2000). A Comparative Discussion of the Notion of 'Validity' in
Qualitative and Quantitative Research .
55
ELECTRONIC REFERENCES
Research: Definition of research in Oxford dictionary. (n.d.). Retrieved from
http://www.oxforddictionaries.com/definition/english/research
Table 19.1 Terminology of Malicious Programs Name Description. (n.d.).
Retrieved from
http://staff.icar.cnr.it/cannataro/unical/RSI/Lezioni/Stallings4E/Crypto4e-PDF-T
CS 356 Systems Security. (n.d.). Retrieved from
http://www.cs.colostate.edu/~cs356/lecture-notes/lecture-12.pdf
ISACA. (n.d.). Business Impact Analysis. Retrieved from
http://www.isaca.org/Groups/Professional-English/business-continuity-disaster-re
covery-planning/GroupDocuments/Business_Impact_Analysis_blank.doc
The difference between Crisis Management and Risk Management? (2010,
February 23). Retrieved from Crisis Management and Global Tracking Solutions:
http://globaltracking.wordpress.com/2010/02/23/the-difference-between-crisis-ma
nagement-and-risk-management/
Deductive"top down" method. (2013, May 20). Retrieved from
http://earthsciencesociety.files.wordpress.com/2013/05/inductive-deductive2.jpg
Computer Security: Principles and Practic. (n.d.). Retrieved from
http://people.eecs.ku.edu/~saiedian/Teaching/Fa09/710/Lectures/ch07.pdf
Risk Assessment for Information Assets. (n.d.). Retrieved from
http://webcache.googleusercontent.com/search?q=cache:dN9-hgeuZOwJ:www.se
curity.vt.edu/downloads/risk_assessment/bia.doc+&cd=1&hl=en&ct=clnk
Risk management plan final. (n.d.). Retrieved from
http://www.med.govt.nz/majorevents/pdf-library/resource-bank/budgeting-financi
al-management-and-risk-management/Risk-management-plan-Fast5-Netball-Worl
d-Series.pdf
56
Risk Plan. (n.d.). Retrieved from Free download documents and templates::
http://www.boxdox.com/risk-plan/
Threats & vulnerabilities. (n.d.). Retrieved from ISO 27001/ISO 22301:
http://wiki.iso27001standard.com/index.php?title=Threats_%26_vulnerabilities
Venafi. (2013). Top security threats for 2013. Retrieved from ITBusinessEdge:
http://www.itbusinessedge.com/slideshows/top-security-threats-for-2013.html
Vickers, J. (2006). The Problem of Induction. Retrieved from
http://plato.stanford.edu/entries/induction-problem/#CanIndJus
Williams, G. (2007). M_o_R - Framwork. Retrieved from About M_O_R:
http://www.mor-officialsite.com/AboutM_o_R/WhatIsM_o_R.aspx
Williams, G. (2007). M_o_R - The Facts. Retrieved from
http://webcache.googleusercontent.com/search?q=cache:OIjaTT1v7OkJ:www.mo
r-officialsite.com/nmsruntime/saveasdialog.aspx%3FlID%3D352+&cd=1&hl=en
&ct=clnk
57
APPENDICES
Figure 7: Human Threats: Threat-Source, Motivation, and Threat Actions (Stoneburner, Goguen, &
Feringa, 2002)
58
Threats & vulnerabilities (ISO 27001)
Threats:

Access to the network by unauthorized persons

Bomb attack

Bomb threat

Breach of contractual relations

Breach of legislation

Compromising confidential information

Concealing user identity

Damage caused by a third party

Damages resulting from penetration testing

Destruction of records

Disaster (human caused)

Disaster (natural)

Disclosure of information

Disclosure of passwords

Eavesdropping

Embezzlement

Errors in maintenance

Failure of communication links

Falsification of records

Fire

Flood

Fraud

Industrial espionage

Information leakage

Interruption of business processes

Loss of electricity

Loss of support services
59

Malfunction of equipment

Malicious code

Misuse of information systems

Misuse of audit tools

Pollution

Social engineering

Software errors

Strike

Terrorist attacks

Theft

Thunder stroke

Unintentional change of data in an information system

Unauthorized access to the information system

Unauthorized changes of records

Unauthorized installation of software

Unauthorized physical access

Unauthorized use of copyright material

Unauthorized use of software

User error

Vandalism
Vulnerabilities:

Complicated user interface

Default passwords not changed

Disposal of storage media without deleting data

Equipment sensitivity to changes in voltage

Equipment sensitivity to moisture and contaminants

Equipment sensitivity to temperature

Inadequate cabling security

Inadequate capacity management

Inadequate change management

Inadequate classification of information
60

Inadequate control of physical access

Inadequate maintenance

Inadequate network management

Inadequate or irregular backup

Inadequate password management

Inadequate physical protection

Inadequate protection of cryptographic keys

Inadequate replacement of older equipment

Inadequate security awareness

Inadequate segregation of duties

Inadequate segregation of operational and testing facilities

Inadequate supervision of employees

Inadequate supervision of vendors

Inadequate training of employees

Incomplete specification for software development

Insufficient software testing

Lack of access control policy

Lack of clean desk and clear screen policy

Lack of control over the input and output data

Lack of internal documentation

Lack of or poor implementation of internal audit

Lack of policy for the use of cryptography

Lack of procedure for removing access rights upon termination of
employment

Lack of protection for mobile equipment

Lack of redundancy

Lack of systems for identification and authentication

Lack of validation of the processed data

Location vulnerable to flooding

Poor selection of test data

Single copy

Too much power in one person
61

Uncontrolled copying of data

Uncontrolled download from the Internet

Uncontrolled use of information systems

Undocumented software

Unmotivated employees

Unprotected public network connections

User rights are not reviewed regularly ”
62
Figure 8: Template risk register (derived from (Priest & Wood, 2012))
The titles from left side to the right are: ID, Type, Raised By, Received By, Description of Risk, Description of Impact, Cost, Probability Rating,
Impact Rating, Priority Rating, Proximity, Possible Response Actions, Chosen Action, Target Date, Contingency Actions, Action owner/custodian (if
differs from risk owner), Closure Date, Cross References.
63
Endnotes:
1
Virus
–Attaches itself to a program and propagates copies of itself to other programs
–Boot sector – Infects the system boot record, therefore virus is spread upon booting of disk
–File infector – Infects files that operating system regards as executables
–Macro virus – Infects files with embedded codes that are interpreted by an application
2
Worm
–Program that propagates copies of itself to other computers(CS 356 Systems Security)
–Replicating program that propagates over network (Using email, remote execution, remote login,
and so on)
–Phases similar to a virus:
•Dormant, Propagation, Triggering, Execution
•Propagation phase: searches for other systems, connects to them, copies self to them and runs
(Computer Security: Principles and Practic)
•Execution – may implant other malware
3
Logic bomb
–Triggers action when a particular condition occurs
4
Trojan horse
–Program that contains unexpected additional functionality
5
Backdoor
–Program modification that allows unauthorized access to functionality
6
Mobile code
–Software that can be shipped unchanged to a heterogeneous collection of platforms and execute
with identical semantics (CS 356 Systems Security) ( Table 19.1 Terminology of Malicious
Programs Name Description.)
7
Auto-rooter
–Malicious hacker tools used to break into new machines remotely Kit (virus generator) Set of
tools for generating new viruses automatically
8
Spammer/Flooder
–Programs used to send large volumes of unwanted e-mail, or to attack systems with a large
volumes of traffic to carry out a Denial of Service (DoS) attacks (CS 356 Systems Security)
9
Keyloggers
–Capture keystrokes on a compromised system
–Note: These are now more commonly hardware oriented as software keyloggers are easily
identified and compromised by modern systems
10
Rootkit
–Set of hacker tools used after attacker has broken into a computer system and gained root-level
access (CS 356 Systems Security)
11
Zombie aka Bot
–Program on infected machine activated to launch attacks on other machines (CS 356 Systems
Security)
–three characteristics:
64
•The bot functionality
•Remote control facility – Which is what distinguishes a bot from a worm
•Spreading mechanism to propagate the bots and construct the botnet.
–Bots used for:
•Distributed denial-of-service attacks
•Spamming
•Sniffing traffic
•Spreading new malware
•Manipulating online polls/games
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement