Information risks: concept, analysis, assessment

Anonymous

In our era, information occupies one of the key positions in all spheres of human life. This is a consequence of society's gradual transition from the industrial era to the post-industrial one. The use, possession and transfer of information give rise to information risks that can affect the economy as a whole.

Which industries are growing fastest?

Growth in information flows becomes more noticeable every year, because the spread of technical innovation makes the rapid transfer of information needed to adopt new technologies an urgent need. Industries such as manufacturing, trade, education and finance are now developing rapidly, and it is during the transfer of data that information risks arise in them.


Information is becoming one of the most valuable types of product, and its total value will soon exceed the price of all manufactured goods. This is because the resource-saving production of all material goods and services requires a fundamentally new way of transmitting information, one that excludes the possibility of information risks.

Definition

At present there is no unambiguous definition of information risk. Many experts interpret the term as an event that has a direct impact on information: a breach of confidentiality, distortion, or even deletion. For many, the risk zone is limited to computer systems, which receive the main attention.


When this topic is studied, several genuinely important aspects are often left out, among them the direct processing of information and information risk management. Risks associated with data arise, as a rule, at the stage of obtaining it, since there is a high probability that the information is perceived and processed incorrectly. Likewise, too little attention is often paid to the risks that cause failures in data-processing algorithms and malfunctions in the programs used to optimise management.

Many consider the risks associated with the processing of information solely from the economic side: for them it is primarily the risk of incorrect implementation and use of information technology. On this view, information risk management covers the creation, transfer, storage and use of information, given the use of various media and means of communication.

Analysis and classification of IT risks

What risks are associated with receiving, processing and transmitting information, and how do they differ? For both qualitative and quantitative assessment, information risks are classified according to the following criteria:

  • by source of occurrence: internal or external;
  • by intent: intentional or unintentional;
  • by effect: direct or indirect;
  • by type of information violation: reliability, relevance, completeness, confidentiality of data, etc.;
  • by method of impact: force majeure and natural disasters, errors of specialists, accidents, etc.

Information risk analysis is the process of assessing the overall level of protection of information systems, determining each risk quantitatively (in monetary terms) and qualitatively (low, medium or high). The analysis can be carried out with various methods and tools for designing information protection. Its results make it possible to single out the highest risks, those that pose an immediate threat and call for the prompt adoption of additional measures to protect information resources.

Methodology for determining IT risks

At present there is no generally accepted method that reliably determines the specific risks of information technology, because the statistical data that would give more specific information about common risks are insufficient. It is also difficult to determine the value of a particular information resource with any precision: a manufacturer or enterprise owner can state the cost of the information media exactly, but will find it hard to put a price on the information stored on them. That is why, for now, the best option for determining the cost of IT risks is a qualitative assessment, through which the various risk factors, the areas they influence and the consequences for the whole enterprise are accurately identified.


The CRAMM method, used in the UK, is the most powerful method for quantitative identification of risks. Its main goals include:

  • automating the risk management process;
  • optimising cash management costs;
  • improving the productivity of the company's security systems;
  • ensuring business continuity.

Expert risk analysis method

Experts consider the following information security risk analysis factors:

1. Resource cost. This value reflects the value of the information resource as such. A qualitative risk scale is used on which 1 is the minimum, 2 the average and 3 the maximum. For the IT resources of a bank, the automated banking server would score 3 and a single information terminal 1.


2. Degree of vulnerability of the resource. This shows the magnitude of the threat and the probability of damage to an IT resource. In a banking organisation the server of the automated banking system is the most exposed resource, so hacker attacks are the biggest threat to it. Here too a scale from 1 to 3 is used, where 1 is a minor impact, 2 means a high probability of recovering the resource, and 3 means the resource must be completely replaced after the hazard is neutralised.

3. Assessing the possibility of a threat. This determines the likelihood that a certain threat to an information resource is realised over a conditional period of time (most often a year) and, like the previous factors, is rated on a scale from 1 to 3 (low, medium, high).

Managing information security risks as they occur

There are the following options for dealing with emerging risks:

  • acceptance of the risk, taking responsibility for its losses;
  • reduction of the risk, that is, minimising the losses associated with its occurrence;
  • transfer, that is, shifting the cost of compensating the damage to an insurance company, or transforming the risk through certain mechanisms into one with the lowest level of danger.

Then the information-support risks are ranked in order to identify the primary ones. Such risks must be reduced and sometimes transferred to an insurance company. Risks of high and medium level can be transferred or reduced on the same terms, while low-level risks are usually accepted and excluded from further analysis.


Note that the ranking of risks in information systems is based on calculating and determining their qualitative value. For example, if the risk ranking interval runs from 1 to 18, then low risks lie in the range 1 to 7, medium risks in 8 to 13 and high risks in 14 to 18. The essence of enterprise information risk management is to bring medium and high risks down to the lowest value, so that accepting them becomes as reasonable as possible.
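The expert scoring factors, the ranking bands and the treatment rules described above can be put together in a small risk register. The following Python script is an added example written for this article, not the article's own or any named methodology's code. It validates the three expert factors on the 1 to 3 scale, applies the article's 1 to 18 ranking bands (low 1 to 7, medium 8 to 13, high 14 to 18) and the rule that high and medium risks are reduced or transferred while low risks are accepted and dropped from further analysis. The article does not say how the three factor scores are combined into the 1 to 18 rank, so the rank is supplied as an input rather than computed; the sample register, asset names and rank values are constructed for illustration.

```python
"""Expert risk scoring, ranking and treatment (added example, not from the article).

Models the three expert factors described in the article (resource cost, degree of
vulnerability, threat likelihood, each scored 1..3) and the ranking bands the article
gives for a 1..18 interval. The article does not state how the factor scores map onto
the 1..18 rank, so the rank is an input here (assumption of this example).
"""
from dataclasses import dataclass
from enum import Enum


class Band(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Ranking bands as given in the article for a 1..18 interval.
RANK_MIN, RANK_MAX = 1, 18
BANDS = ((1, 7, Band.LOW), (8, 13, Band.MEDIUM), (14, 18, Band.HIGH))

# Treatment policy as described in the article: high and medium risks are
# reduced or transferred; low risks are accepted and left out of further analysis.
TREATMENT = {
    Band.HIGH: "reduce or transfer",
    Band.MEDIUM: "reduce or transfer",
    Band.LOW: "accept",
}


def _check_factor(name: str, value: int) -> int:
    """Each expert factor is scored on the article's 1..3 scale."""
    if not isinstance(value, int) or not 1 <= value <= 3:
        raise ValueError(f"{name} must be an integer in 1..3, got {value!r}")
    return value


@dataclass(frozen=True)
class Risk:
    name: str
    resource_cost: int   # 1 = minimum value, 3 = maximum (e.g. the banking server)
    vulnerability: int   # 1 = minor impact, 3 = resource must be fully replaced
    likelihood: int      # 1 = low, 3 = high, over the conditional period (a year)
    rank: int            # position on the 1..18 ranking interval (supplied, not computed)

    def __post_init__(self) -> None:
        _check_factor("resource_cost", self.resource_cost)
        _check_factor("vulnerability", self.vulnerability)
        _check_factor("likelihood", self.likelihood)
        if not RANK_MIN <= self.rank <= RANK_MAX:
            raise ValueError(f"rank must lie in {RANK_MIN}..{RANK_MAX}, got {self.rank}")


def classify(rank: int) -> Band:
    """Map a rank on the 1..18 interval to the article's low/medium/high bands."""
    for low, high, band in BANDS:
        if low <= rank <= high:
            return band
    raise ValueError(f"rank {rank} outside {RANK_MIN}..{RANK_MAX}")


def treatment(risk: Risk) -> str:
    """Treatment option for a risk according to its band."""
    return TREATMENT[classify(risk.rank)]


def prioritise(risks: list[Risk]) -> list[tuple[Risk, Band, str]]:
    """Order risks from the highest rank down and drop low risks, which the
    article says are accepted and not carried into further analysis."""
    ordered = sorted(risks, key=lambda r: r.rank, reverse=True)
    return [(r, classify(r.rank), treatment(r))
            for r in ordered if classify(r.rank) is not Band.LOW]


# Constructed sample register for a hypothetical bank; all values are illustrative.
SAMPLE_REGISTER = [
    Risk("ABS server compromise", resource_cost=3, vulnerability=3, likelihood=2, rank=17),
    Risk("Teller terminal outage", resource_cost=1, vulnerability=1, likelihood=2, rank=4),
    Risk("Backup media loss", resource_cost=2, vulnerability=2, likelihood=2, rank=10),
]

if __name__ == "__main__":
    for risk, band, action in prioritise(SAMPLE_REGISTER):
        print(f"{risk.rank:>2}  {band.value:<6}  {action:<19}  {risk.name}")
```

Running the script lists only the server and backup-media risks, in that order, each marked for reduction or transfer; the terminal outage falls into the low band and is dropped, exactly as the ranking rule above prescribes. Keeping the band boundaries in one table makes it easy to adjust them if an organisation uses a different ranking interval.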

CORAS risk mitigation method

The CORAS method was developed within the Information Society Technologies programme. Its purpose is to adapt, specify and combine effective methods of analysis using examples of information risks.

CORAS methodology uses the following risk analysis procedures:

  • preparatory measures for collecting and systematising information about the object under consideration;
  • provision by the client of objective and correct data on the object under consideration;
  • a full description of the upcoming analysis, taking all of its stages into account;
  • checking the submitted documents for authenticity and correctness, so that the analysis is more objective;
  • activities to identify possible risks;
  • assessment of all the consequences of the identified information threats;
  • separation of the risks the company can accept from those that need to be reduced or transferred as soon as possible;
  • measures to eliminate possible threats.

It is important to note that the listed measures do not require significant effort and resources to introduce and then carry out. The CORAS methodology is quite simple and needs little training before it can be used. The only drawback of this toolkit is the lack of periodicity in the assessment.

OCTAVE method

The OCTAVE risk assessment method implies a certain degree of involvement of the information owner in the analysis. It is used to quickly assess critical threats, identify assets and find weaknesses in the information security system. OCTAVE provides for the creation of a competent analysis and security group, which includes company employees who use the system and staff of the information department. OCTAVE consists of three stages:

  • At the first stage the organisation is assessed: the analysis group defines the criteria for assessing damage and, subsequently, risks. The most important resources of the organisation are identified and the general state of IT security maintenance in the company is assessed. The final step is to identify security requirements and draw up a list of risks.
  • The second stage is a comprehensive analysis of the company's information infrastructure. Emphasis is placed on quick and coordinated interaction between the employees and departments responsible for this infrastructure.
  • At the third stage security tactics are developed and a plan is drawn up to reduce possible risks and protect information resources. The possible damage and the probability that threats are realised are also assessed, along with the criteria for their evaluation.

Matrix method of risk analysis

This analysis method brings together threats, vulnerabilities, assets and information security controls and determines their importance for the organisation's respective assets. The assets of the organisation are the tangible and intangible objects that are significant in terms of usefulness. The matrix method consists of three parts: a threat matrix, a vulnerability matrix and a control matrix. The results of all three parts are used for the risk analysis.

The relationships between the matrices matter during the analysis. The vulnerability matrix links assets to existing vulnerabilities, the threat matrix links vulnerabilities to threats, and the control matrix links threats to controls. Each cell of a matrix reflects the relationship between its row element and its column element, graded as high, medium or low.

To build the tables, lists of threats, vulnerabilities, controls and assets are drawn up first. Then each cell is filled in with the grade of the interaction between the row item and the column item. Finally, the data from the vulnerability matrix is transferred into the threat matrix, and by the same principle the information from the threat matrix is transferred into the control matrix.
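The three matrices and the transfer of grades from one to the next can be expressed directly in code. The following Python script is an added example written for this article, not the article's own code or a reference implementation of the matrix method. The asset, vulnerability, threat and control lists and every cell grade are constructed for a small hypothetical organisation. The article does not say how grades are transferred between matrices; the rule used here, that a row-to-column link is as strong as the strongest path through any intermediate element and a path is as strong as its weakest cell (a max-min chain), is an assumption of this example, as is the numeric encoding of high, medium and low.

```python
"""Matrix method of risk analysis (added example, not from the article).

Builds the three matrices the article describes (vulnerability matrix: assets x
vulnerabilities; threat matrix: vulnerabilities x threats; control matrix: threats x
controls), each cell graded high/medium/low, then carries the grades from the
vulnerability matrix into the threat matrix and from there into the control matrix.
The max-min transfer rule and the numeric grade encoding are assumptions made here.
"""
from itertools import product

# Grades as in the article; the numeric values are an assumption for comparison.
GRADE = {"low": 1, "medium": 2, "high": 3}
NAME = {v: k for k, v in GRADE.items()}

# Constructed inventory for a small hypothetical organisation.
ASSETS = ["customer database", "web portal", "office laptops"]
VULNERABILITIES = ["unpatched software", "weak passwords", "no backups"]
THREATS = ["malware", "unauthorised access", "hardware failure"]
CONTROLS = ["patch management", "multi-factor authentication", "offsite backups"]

# Vulnerability matrix: how strongly each vulnerability affects each asset.
VULN_MATRIX = {
    "customer database": {"unpatched software": "high", "weak passwords": "high", "no backups": "medium"},
    "web portal": {"unpatched software": "high", "weak passwords": "medium", "no backups": "low"},
    "office laptops": {"unpatched software": "medium", "weak passwords": "medium", "no backups": "medium"},
}

# Threat matrix: how readily each threat exploits each vulnerability.
THREAT_MATRIX = {
    "unpatched software": {"malware": "high", "unauthorised access": "medium", "hardware failure": "low"},
    "weak passwords": {"malware": "low", "unauthorised access": "high", "hardware failure": "low"},
    "no backups": {"malware": "medium", "unauthorised access": "low", "hardware failure": "high"},
}

# Control matrix: how well each control counters each threat.
CONTROL_MATRIX = {
    "malware": {"patch management": "high", "multi-factor authentication": "low", "offsite backups": "medium"},
    "unauthorised access": {"patch management": "medium", "multi-factor authentication": "high", "offsite backups": "low"},
    "hardware failure": {"patch management": "low", "multi-factor authentication": "low", "offsite backups": "high"},
}


def chain(left: dict, right: dict, rows, mids, cols) -> dict:
    """Transfer grades from one matrix into the next (assumed max-min rule):
    the strength of a row-column link is the strongest path through any middle
    element, and a path is only as strong as its weakest cell."""
    result: dict = {}
    for r, c in product(rows, cols):
        best = max(min(GRADE[left[r][m]], GRADE[right[m][c]]) for m in mids)
        result.setdefault(r, {})[c] = NAME[best]
    return result


def asset_threat_matrix() -> dict:
    """Vulnerability matrix carried into the threat matrix: assets x threats."""
    return chain(VULN_MATRIX, THREAT_MATRIX, ASSETS, VULNERABILITIES, THREATS)


def asset_control_matrix() -> dict:
    """Asset exposure carried into the control matrix: assets x controls."""
    return chain(asset_threat_matrix(), CONTROL_MATRIX, ASSETS, THREATS, CONTROLS)


def control_priority() -> list[tuple[str, str]]:
    """Rank controls by the highest asset exposure each one addresses."""
    acm = asset_control_matrix()
    score = {c: max(GRADE[acm[a][c]] for a in ASSETS) for c in CONTROLS}
    return [(c, NAME[score[c]]) for c in sorted(CONTROLS, key=lambda c: -score[c])]


if __name__ == "__main__":
    for asset, row in asset_threat_matrix().items():
        print(f"{asset:<18}", {t: g for t, g in row.items()})
    print("control priority:", control_priority())
```

With the constructed grades, the web portal's exposure to hardware failure comes out low because none of its vulnerabilities is both strongly present and strongly exploited by that threat, while patch management and multi-factor authentication rank as high-priority controls because they counter the threats to which the customer database is most exposed. Swapping in a different transfer rule only requires replacing the body of `chain`.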

Conclusion

The role of data increased significantly with the transition of a number of countries to a market economy. Without the timely receipt of the necessary information, the normal functioning of a company is simply impossible.

Together with the development of information technology, so-called information risks have arisen that threaten the activities of companies. That is why they need to be identified, analysed and evaluated so that they can be reduced, transferred or eliminated. The formation and implementation of a security policy will be ineffective if the existing rules are not applied properly because employees are incompetent or unaware of them. It is important to develop a set of measures for compliance with information security requirements.

Risk management is a subjective and complex, but at the same time important, stage in a company's activities. The greatest emphasis on data security should be placed by a company that works with large amounts of information or holds confidential data.

There are a great many effective methods for calculating and analysing information-related risks. They allow a company to be informed quickly, to remain competitive in the market, and to maintain security and business continuity.
