You are on page 1of 13

228 Informatica Economică vol. 15, no.

1/2011

Security Risk Management - Approaches and Methodology

Elena Ramona STROIE, Alina Cristina RUSU


Academy of Economic Studies, Bucharest, Romania
ramona.stroie@gmail.com, alinatv17@yahoo.com

In today’s economic context, organizations are looking for ways to improve their business, to
keep head of the competition and grow revenue. To stay competitive and consolidate their
position on the market, the companies must use all the information they have and process
their information for better support of their missions. For this reason managers have to take
into consideration risks that can affect the organization and they have to minimize their
impact on the organization. Risk management helps managers to better control the business
practices and improve the business process.
Keywords: Risk Management, Security, Methodology

1 Introduction
Today’s economic context
characterized by a competitive environment
is
2 Risk management: definition and
objectives
The concept of the risk management is
which is permanently changing. To face this applied in all aspects of business, including
fierce competition, managers must take the planning and project risk management, health
correct strategic decisions based on real and safety, and finance. It is also a very
information. In order to maintain the common term amongst those concerned with
authenticity and the accuracy of the IT security. A generic definition of risk
information used in the decision process, any management is the assessment and mitigation
organization must use informatics systems to of potential issues that are a threat to a
process their information and for a better business, whatever their source or origin. [2]
support of their missions. For this reason, The concept of risk management is now
the management risk of the security fairly universally understood, having been in
information plays a very important role in the widespread use for a number of years. It is
organizational risk management, because it applied in all aspects of business.
assure the protection of the organization from To discuss the definition of the risk
the threatening information attacks, that management is necessary to explain in
could affect the business activity and advance the meaning of the three main
therefore its mission. concepts:
An effective risk management process is Risk is the potential that a chosen action or
based on a successful IT security program. activity (including the choice of inaction)
This doesn’t mean that the main goal of an will lead to a loss (an undesirable outcome).
organization’s risk management process is to Threat is the potential cause of an unwanted
protect its IT assets, but to protect the impact on a system or organization (ISO
organization and its ability to perform their 13335-1). Threat can also be defined as an
missions. Therefore, the risk management undesired event (intentional or unintentional)
process should not be treated primarily as a that may cause damage to the goods of the
technical function carried out by the IT organization.
experts, who operate and manage the IT Vulnerability is a weakness in system
system, but as an essential management procedures, architectural system, its
function of the organization and its leaders. implementation, internal control and other
[1] causes that can be exploited to bypass
security systems and unauthorized access to
information. Vulnerability represents any
weakness, administrative process, act or
Informatica Economică vol. 15, no. 1/2011 229

statement that makes information about an approach may be an effective response to the
asset to be capable of being exploited by a security risks that have already occurred
threat. through creating security incidents. The
Risk management is a process consisting on: analysis of the causes of producing security
- identifying vulnerabilities and threats to the incidents could help the organization to
information resources used by an prevent their repetition and be prepared for
organization in achieving business any possible problems. Companies that
objectives; respond to security incidents in a calm and
-risk assessment by setting the probability rational way, meanwhile they determine the
and impact of its production, following causes that have allowed the incidents to
threats by exploiting vulnerabilities; occur, will be able to respond in a shorter
- identify possible countermeasures and time to similar problems arising.
deciding which one could be applied, in There are six steps that an organization
order to reduce the risk to an acceptable should take into consideration when the
level, based on the value of information reactive approach is applied:
resource to the organization. [3] 1. Protecting human life and safety
The goal of performing risk management is It's the most important and most active of
to enable the organization to maintain at the the six. Organizations have to respect laws
highest values the activity results. This that protect the employers and that require
process should combine as efficient as protection measures to prevent work
possible, all factors which can increase the accidents. Development of computerization
probability of success and decrease of the production process has led many of its
the uncertainty of achieving objectives. Risk activities in an organization so they often can
management should be an evolving process. arise where production risks and security of
Particular attention should be given to the their information systems is likely to
implementation of the strategies for endanger human life and health.
eliminating or reduce the risk and their 2. Controlling damage
appliance, to the analysis of the past It is an activity that consists on stopping or
evolution of risks and to the controlling the spread of the damage
present and future prediction of the produced through the risks fulfilled. In case
events. Management process should of a cyber-attack, organizations should take
be implemented at the highest management actions to protect information, important
level. application and the hardware components, as
In IT&C, one of the most important goal of soon as possible, and minimize the time
risk management is to accomplish by better when the system is not working properly.
securing the informatics systems that store, Sometimes maintaining the system available,
process, or transmit organizational during such an attack, may increase the
information; by enabling management to damages.
make well-informed risk management 3. Damage assessment
decisions to justify the expenditures that are Damage assessment will be done by restoring
part of an IT budget and by assisting activity and after reinstatement of all systems
management in authorizing (or accrediting) affected by risk. If cyber damage assessment
the IT systems, on the basis of the supporting involves conducting detailed investigations
documentation resulting from the on the incident, immediately proceeded to
performance of risk management. [1] restore or replace hardware, reinstall the
software used and recovery affected data.
3 Risk Management approaches: If the damage assessment takes too long,
Proactive and reactive approach contingency plans should be considered so
Risk management can be approached in two that the organization resumes normal activity
ways: reactive and proactive. The reactive without bigger damage.
230 Informatica Economică vol. 15, no. 1/2011

4. Determine the damage cause Therefore organizations have to develop in


During this activity, to discover the starting parallel the incident response method and
point of an attack, it is necessary to proactive approach to security policies.
understand what resources have been Proactive approach consists in several main
targeted by attacks and which vulnerabilities categories of activities:
were exploited to gain access or to - Making special training activities for staff
discontinue the services. It should be whose work is or risk;
investigated the system configuration, and - Develop and implement a formalized
also the patch level, system logs, audit logs work procedures to meet safety
and audit trails. These operations help to requirements and quality standards for
discover the place where the attack started each of its activities;
and what resources were affected. - Establish an internal control system on
5. Repairing the damage compliance the work procedures
This activity is very important because the developed and on specific legislation in
damage must be repaired in the shortest time force (of personnel carrying out inspection
in order to restore the information system, to activities, establish procedures for the
resume organization’s activity and to recover conduct of control, the establishment of
the data affected by the attack. That is why measures for eliminating the possibility of
every business action plan should include a application dysfunction found in the
strategy data recovery. After the damage has inspection, etc.)
been repaired the elimination or the reduction - Periodic evaluation for the viability of
of the vulnerabilities that were exploited proactive measures is applied in order to
during the incident should be considered. reduce or eliminate risks.
6. Review responses and updating policies
Another activity related to the reactive 4 Risk management process
approach, refers to the process of evaluating Risk management is a permanent cycle
the way in which the back-up plans and the process that involves activities for
strategies of restoring the activity have establishing, monitoring and ensuring
functioned during the security incident. If continual improvement of the organization’s
there had been some failures in the process, activity. This process contains four main
there should be made the replacements or the activities, which have to be permanent
changes needed. applied and developed:
The proactive approach of the risk - Design the management system involves
management has several advantages identifying business requirements, assessing
compared with the reactive approached the likelihood and the impact of the risks,
described above. Rather than wait for the including the implementation of a security
occurrence of incidents and then to repair the policy and selecting the adequate
damage, is better and cheaper to minimize countermeasures for the existing risks;
the likelihood or the impact of occurring the - Implement the management system involves
risk, from the beginning. Organization’s applying control measures and work
leader should develop plans for protecting procedures, resource allocation, setting the
the organization’s most important assets by responsibilities and conduct training and
implementing controls that reduce the risk of awareness programs;
exploitation of organization’s vulnerabilities - Monitoring, reviewing and reassessing the
by malicious software, due to malicious or management system involve an evaluation of
accidental misuse. A proactive approach can effectiveness of controls and working
help organization to effective reduce the procedures, of business changes, of previous
significant effect of the numbers of security incident reports and of existent risks;
incidents that can occur in the future, but will - The improvement and update of the
not completely eliminate these problems. management system involves correcting the
Informatica Economică vol. 15, no. 1/2011 231

identified dysfunctions, or eliminating the compliance with existing regulations in the


unsustainable decisions or applying new field and ensuring the effectiveness of those
control measures. activities. In this sense can be considered
Risk management encompasses three national or international standards developed
processes: risk assessment, risk mitigation and published by professional organizations
and the reassessment of the residual risk. [1] and associations.[4]
Risk assessment process includes Thus, it requires work to watch these procedures:
establishing criteria under which the - The way of identify and evaluate on
evaluation takes place (procedure on existing existing threats and vulnerabilities, and
threats and vulnerabilities, and risks risks associated with;
associated with, proceedings concerning the - Setting the values of impact and
impact and likelihood of identified risks, risk probability of impact and likelihood
assessment procedures, procedures for identified risks;
identifying measures to mitigate or eliminate - The way of risk assessment;
risks, procedure for selecting the best - The way of identifying measures to
measures to mitigate or eliminate the risks) mitigate or eliminate risks;
and identifying and assessing risks.. - The way of selecting the best measures to
The risk mitigation refers to determining mitigate or eliminate the risks.
optimal measures to eliminate or mitigate the 2. System characterization
risks, to planning, implementing the This step provides information about the
optimized selected measures, according to resources, data and boundaries of the IT
the plan, and controlling the rightfulness of system. It is very important that to define the
the implementation process. specific field of
Reassessment of the residual risk consist in interest, links and dependencies between the
evaluating the remaining risk after the risk resources that are being analyzed. For this
mitigation step and determine whether it is an step, the responsible person has to collect
acceptable level or whether additional information about hardware, software, data
measures should be implemented to further and information, system interfaces, system
reduce or eliminate the residual risk, before mission, persons who support and use the IT
before the organization can perform work system, system security architecture, system
properly. security policies, technical, operational and
management controls.
5 Risk Assessment for IT systems In gathering the information, the persons
Risk assessment is the first process in the risk involved must apply the up mentioned
management methodology. The objectives of procedures and should use some of the
the risk assessment process are to determine following techniques: questionnaires, the on-
the extent of potential threats, to analyze site interviews, documents review and
vulnerabilities, to evaluate the associated automated scanning tools. This activity can
risks and to determine the contra measures be conducted throughout all the eight steps of
that should be implemented. The risk the risk assessment process.
assessment methodology encompasses eight 3. Threat identification
primary steps, as follows: In this step are identified the potential threat-
1. Define specific working procedures of risk sources. A threat is the potential that a
management activity particular vulnerability is exploited by
To make a proper assessment of the risks to external factors, intentionally or accidentally,
the operation of an IT system needs to be in order to produce the associated risks. A
established a system of working procedures threat-source could not represent a cause to a
that describe in detail each of the operations risk, if there is no vulnerability that can be
carried out for this purpose. The development exploited. A threat-source is defined as any
of working procedures needs to consider
232 Informatica Economică vol. 15, no. 1/2011

circumstance or event with the potential to A common taxonomy is CIA (confidentiality,


cause harm to an IT system. [5] integrity, availability), which defines the
Threats can be based on human (deliberate or characteristics of the organization's data. [5] The
unintentional) or non-human (external or components of CIA are as follows :
internal to the operating environment) Confidentiality – is the property of the data
actions. Human threats can occur most often which defines the fact that the information is
and are the most dangerous ones. In this not compromised through being accessed by
category are included unintentional acts, such unauthorized users.
as negligence or errors and deliberate attacks, Integrity –– is the property of the data which
like unauthorized access to confidential defines the fact that information is not altered
information, destruction of important by unauthorized users, in a way that is
information, information theft, misuse of detected or undetectable by authorized users.
data, falsification of information, sabotage Availability – ensures that principals (users
the system. The non-human threats don’t and computers) have appropriate access to
concern directly the human actions, and resources.
could be floods, earthquakes, landslides, The following table is a list of examples for
avalanches, supply voltage drops, voltage threats and their effects over security objective
fluctuations etc. of CIA. This list does not claim to be exhaustive:

Table 1. Threats and their effects over security objective of CIA


The security objectives that are affected
THREATS
CONFIDENTIALITY INTEGRITY AVAILABILITY
1. Human
1.1. Deliberate human threats
Interception and espionage X
Placing destructive codes X X X
Destruction with intention of date and
X X
facilities
Unauthorized access of data X X
Use of pirated software X
Falsifying identity X X
1.2. Unintentional human threats
Personnel operating errors X X
Programming errors X X X
Technical failure X X
2. Non-human
2.1. External operating environment
Fire X X
Earthquakes X X
Floods X X
2.2. Internal operating environment
Supply voltage drops X
Voltage fluctuations X X

Another taxonomy, called STRIDE, consists R – Repudiation – consists in creating a


in identifying various threat types. STRIDE situation in which denying performing an
considers threats from the attacker’s action, could not be confirmed or
perspective. [6] contradicted by the other parties. Non –
The components of STRIDE are: repudiation is a system’s ability to counter
S – Spoofing identity – refers to the repudiation threats.
situations in which a cyber-attacker can pose I – Information disclosure – involve the
as something or somebody else. exposure of information to individuals who
T – Tampering – involves malicious are not supposed to have access to it.
modification of data or code.
Informatica Economică vol. 15, no. 1/2011 233

D – Denial-of-service (DoS) – deny or of specific features of the security system


degrade the availability of service to valid and security, technical and operational
users. measures used to protect the system or the
E – Elevation of Privilege (EoP) - occurs way the personnel appointed to use the
when a user gains increased capability, often system, fulfills his tasks.
as an anonymous user who takes advantage One important action in the vulnerability
of a coding bug to gain admin or root analysis process is the identification of the
capability. vulnerability source. Some of these sources
4. Vulnerability identification are previous risk assessment documentation
The purpose of this stage is to identify the of the IT system, system’s audit reports,
system vulnerabilities (defects/ weaknesses) security’s review reports, vulnerabilities lists,
that can be exploited by potential threats. such as the NIST I-CAT vulnerability
Vulnerabilities are represented by the database, security advisors and system
system’s weaknesses, which, if exploited by software security analysis. To identify
some accidents or intentional actions, could system vulnerabilities different test methods
result in a violation of system's security. are used:
Suggested methods for vulnerabilities - Automated vulnerability scanning tolls that are
identification have to take into account used to automatically scan a group of hosts or
vulnerabilities sources, performances and a network for known vulnerable services.
requirements of the system development. [7] - Safety tests and evaluation are special
techniques used to identify vulnerabilities in
The methodology for vulnerabilities
an IT system during a risk assessment process.
identification depends on the nature of the IT The purpose of system’s security testing is to
system and the stage of the system test the efficiency of the security controls that
development: have been implemented.
- If the IT system is in the design stage, System penetration system that can be used
identifying vulnerabilities should be in addition to security controls tests to ensure
focused on security policies, planned that several IT system components are
security procedures, system requirements secure. The goal of this activity is to test the
and the analysis of security product IT system in terms of a threat source and to
distributor. identify potential defects in the system
- If the IT system is under implementation, protection schemes.
identifying vulnerabilities should be As a result of this step, staff dealing with the
focused specific information such as the risk assessment designs a list of security
planned features of the system described requirements that includes basic safety
in the documentation, test results and standards, procedures, processes and
previous evaluation or the way the transfers of information associated with an IT
personnel appointed to carry out system in security areas like management,
implementation, fulfills his tasks. operational and technical area.
- If the IT system is operational, identifying
vulnerabilities should include an analysis

Table 2. Vulnerability identification


Vulnerability Threats Affected goods
Fire
Earthquakes
Floods
Supply voltage drops
No back-up Data
Voltage fluctuations
Use of pirated software
Unauthorized access of data
Placing destructive codes
Inadequate configuration Technical malfunction Data
234 Informatica Economică vol. 15, no. 1/2011

management Interception and espionage


Unauthorized access of data
Unauthorized changes of the
Technical malfunction Data
attributions of
Error programming Software
programmers with operational staff
Inadequate training of staff Data
Routing / rerouting wrong messages
responsible for data communications
Security measures implemented in a Denial of Service Data
wrong way Unauthorized access of data Software
Non-regularly updating antivirus Data
Malicious code
software Software
Fire
Earthquakes
Floods Data
Lack of business continuity plans or Supply voltage drops Software
procedures for data recovery Voltage fluctuations Hardware
Use of pirated software Ancillary facilities
Unauthorized access of data
Placing destructive codes

5. Risk’s likelihood determination 6. Impact analysis


To determine the likelihood that a potential In this phase of the risk assessment process,
threat to exploit a vulnerability of the IT it is determined the negative results of a
system should be considered the following potential exploitation successful of a
factors: vulnerability. Before starting the impact
- Threats-sources’ motivation and analysis, it is necessary to collect information
capability; about the role of the system, system and data
- Nature of the existing vulnerabilities; criticality or system and data sensitivity. This
- Existence and effectiveness of current information can be obtained from the
controls; existing documentation, such as analysis
The likelihood that a vulnerability be report of the impact over the mission of the
exploited by a particular threat, need to be company or the assessment report regarding
evaluated in order to determine the the critical assets. The negative impact of a
associated risk. security event can be described in term of
An often used scale for evaluating the loss or degradation of the three of the most
likelihood of risk is the high, medium or low important characteristics of the information:
scale (sometimes it is used the extended integrity, availability and confidentiality. [8]
versions, as the very low – low – medium – Integrity is lost if unauthorized changes to
high – very high version). The risk’s data or IT system are made by accidental or
likelihood high means that the threat-source intentional actions. If loss of data or system
is highly motivated or very strong or the integrity is not corrected and the system is
security controls are inefficient or all these used with the corrupted data, wrong results
conditions together are cumulative. On can be obtained and wrong decisions can be
another hand, if the risk’s likelihood is made. Violation of system integrity may be
medium, it is probably, if the threat source the first step of a successful attack made on
is highly motivated or very strong, that the the availability and confidentiality of an IT
control of the system's security to be good system.
enough to prevent most of the manifestation If the system availability to end-user is
of the threats. The case of a low likelihood affected, whole organization activity can be
means that the threat's source is weak or affected. Loss of system functionality and
poorly motivated or the security controls efficiency can lead to loss or reduction of the
can prevent or, at least, significantly impede productivity or the employers’ performance.
the exercise of the threats.
Informatica Economică vol. 15, no. 1/2011 235

System confidentiality refers to the - The probability that a threat source to


protection of information against exploit vulnerability;
unauthorized disclosure. The impact of - The impact dimension, in case the threat
unauthorized disclosure of highly classified source exploits with success the
information can lead to attacks on vulnerability;
organization’s interests or even on national - Preparation of existing or planned security
security. controls to be implemented in order to
Tangible impacts can be measured reduce or eliminate risk.
quantitatively in term of loss of turnover, To measure risk is necessary to identify or
cost of system repair or level of effort develop a method of evaluating it. One such
necessary for correcting the problems caused method is the risk level matrix. This matrix is
by of a successful exploitation of a threat. a 3x3 to 5x5 matrix which contains values
Some other impacts can’t be measured in for threat likelihood on columns and for
units and for this reason they are classified threat impact on rows. We choose, for our
and described as high, medium and low. exemplification, the values High, Medium
7. Risk determination and Low, for both the dimensions. For the
The role of this step it to assess the risk level 5x5 matrix are added 2 values: Very High
of an IT system. Risk determination for a pair and Very Low. Depending on the type of
of a “threat-vulnerability”, can be expressed risk, the values could be replaced with
as a function of: numbers. The following matrix is an example
of a 5x5 risk matrix:

Table 3. 5x5 risk matrix


Severity of Threat Likelihood:
negative Very Very
High Medium Low
impact: High Low
Very Very
Very High High Medium Low
High High
Very
High High High Medium Low
High
Medium Mare High Medium Low Low
Very
Low Medium Medium Low Low
Low
Very Very
Very Low Low Low Low
Low Low

The result of the evaluation the risk, using the not very high to affect the objectives of
proper method chosen, must be interpreted in the company’s activities, so that the
order to determine the type of the risk (negligible, leading management could assume its
tolerable or intolerable): realization without implement all the
- The negligible risk does not need any countermeasures.
measure to be applied. It is monitored - If the risk has an intolerable level, then it
periodically. needs an immediate response. This means
- The tolerable risk does not need also any that the management team must identify
countermeasure to be implemented, but it and implement the right measure to reduce
is permanently monitored and whenever it or eliminate the risk (risk mitigation). In
is identified any growing of its value; it some cases, in which the risk management
will become the object of some team does not have the needed level of
supplementary actions, in order to reduce means, for implementing certain
its level. This means that the level risk is
236 Informatica Economică vol. 15, no. 1/2011

measures, the process of decision would made taking into consideration the risk
be transferred to higher forum of behavior of the organization and the
management. partner that support and control better the
For our hypothetical example, we could define risk.
the level very low for the negligible risk, the - Risk Assumption. Organizations can
level low for tolerable risk and the values choose to acknowledge the existence of
medium, high and very high for the intolerable risk and monitor it. They also can ignore
risk.
it, but this action can be very dangerous.
8. Results documentation The decision to assume a risk must be
After the threat sources and vulnerabilities well documented and analyzed by the
are identified, risk assessed and provided, the management team of the organization.
results should be written in an official report. - Risk Elimination. The goal of this action is
Risk Assessment Report is a report addressed to eliminate the risk, but most of the
to managers and owners that helps them to options tend to eliminate organization out
take decision concerning security policies of the market. An organization that
and procedures. A risk assessment report doesn’t prefer risk will not survive on the
presents in a systematic and analytical way market.
the existing risks and how these can be To reduce the risk, organizations should use
exploited in order to help managers to some tools like:
understand and allocate resources to reduce - Identify all the methods available for
or correct any losses reducing the risk and choose the optimal
ones.
6 Risk mitigation - Planning the appropriate activities for
After the risk assessment, any organization applying the method previously chosen. If
has to implement methods to reduce the level risks are related to activities deadline
of risk. Since it is almost impossible to using activity planning software can
eliminate all risks, top managers must reduce risks within reasonable limits.
implement the most effective measures to - Implementing the activities planned in
reduce risk to an acceptable level and to order to mitigate the risks. Some of the
minimize the negative impact of risk on the measures generally applied are:
organization’s mission and goals. Training the staff dealing with activities
There are several methods to reduce risks, at risk - many IT risks are connected to
which are applied depending on the type untrained personnel and this affects
of risk: productivity and work quality. Through
- Risk Avoidance. Where it is possible, training in security field, there can be
managers should choose not to implement reduced the likelihood of incidents and
some processes and procedures that can their effect.
generate a higher level of risk or Redesigning security measures -
complicates the organization’s activity. organizations should identify those
- Risk Limitation. Risk can be reduced by threats and vulnerabilities that generate
implementing security measures and risks with a strong impact on company’s
procedures. When implementing these activity and improve the security systems
measures it should be taken into account permanently.
the cost and benefits of the When control actions must be taken, the
implementation. If costs of the risk following rule applies: Address the greatest
reduction outweigh the benefits, accepting risks and strive for sufficient risk mitigation
risk should be preferred to implementing at the lowest cost, with minimal impact on
the expensive security measures. other mission capabilities. [1]
- Risk Transference. Risk can be shared The methodology of implementing security
with different partners or transferred to measures contains several steps:
insurance companies. This action must be
Informatica Economică vol. 15, no. 1/2011 237

- Establishing personnel responsible for - Informing personnel about security


security measures imposed
Security personnel is responsible for Many security programs fail because of a
creating, implementing and evaluating lack of efficient communication. Most of the
security policies and also for oversight technical employees believe that technical
security processes. The only security solutions are sufficient to any problems. It is
problem that doesn’t concern security necessary that any security program to have
personnel is security management. One of the two essential components: awareness and
security personnel tasks is defining a security communication programs. These programs
table, an official document indicating the should receive sufficient resources and
responsibilities of the person involved in this attention in order to achieve the goals.
activity and the way security is approached. During the awareness program employees are
Another tasks is gathering information about informed about the impact of the security
existing policies, information that are policies on their behavior. The
valuable in understanding what functions communication program involves a continue
properly in the organization, how communication between responsible
information about risk are communicated to personnel and top managers concerning the
the top managers, how is decided the priority efforts and success in maintaining the level
of the projects and how the security security at an acceptable level.
processes are structured. - Auditing and monitoring security
- Establishing main activities to ensure The auditing of security-relevant events and
security the monitoring system activity are key
To ensure an effective security within the elements in an analyzing risk process. For
company, it is necessary to go through some recovery from security breaches and for
stages that are crucial. The main steps of a keeping under control the access to
security program are presented in order to information, this step is essential.
help any organization to implement a correct In the process of minimizing the level of risk,
security program. There are four important organizations should consider some security
steps that have to be defined from the controls that can be classified as follows:
beginning: risk assessment and documents technical, management and operational or a
and data classification; establishing access combination of these. The purpose of these
rights; defining security policies and controls is to prevent and limit the risks in
planning, designing and implementing order to achieve the goals.
security controls. Technical controls
- Defining requirements for improving Technical controls can range from very
security quality simple to very complex and usually must be
Another task of the responsible personnel is combined in order to determine the system’s
to define the requirements for improving good functionality. These measures are
security quality. The team proposes solutions divided in three categories according to their
for the identified problems, which are purpose.
important in the process of planning, First category includes the basic technical
designing and implementing security measures that are used to support the
measures. This step is often overlooked, but implementation of other security measures:
it is vital. Any organization is different and - Identification: identify users, processes
for this reason measures implemented in and information resources.
another company can’t be suitable for other. - Cryptographic keys: key generation,
If insufficient time is allocated to the process distribution, storage and maintenance.
of defining requirements, unimportant data - Security administration: are measures that
can be protected from non-existing threats. must be configured to meet security
system requirements.
238 Informatica Economică vol. 15, no. 1/2011

- System protection: ensure the quality of least privilege, user computer access
IT system implementation in terms of registration and termination.
design and manner in which the - Technical training to ensure that end users
implementation was accomplished. and system users are aware of the rules of
Another category includes the measures for behavior and their responsibilities in
prevention that prevent the occurrence of protecting the organization’s mission.
events that have a negative impact on the Second category, detection management
organization’s activity: security controls, includes:
- Authentication: these measures verify user - Implementation of personnel security
identity. Mechanisms used are passwords, controls, including personnel
PINs, personal identification numbers. investigation, rotation of duties
- Authorization: verify if employees are - Periodic review of security controls to
authorized to make changes to the system. ensure that they are effective
- Protected communications: ensure - Periodic system audits
integrity, confidentiality, availability of - The existence of a continuous
sensitive data during their transmission. management process
- Transaction privacy: protect against loss - The third category, recovery management
of privacy of important information. security controls, includes:
The third category, detection and recovery - Provide continuity of support and
measures, detects an adverse event and/or develop, test, and maintain the operations
recovers lost information in case of an plans
adverse event: - Establish the system capacity to respond
- Intrusion detection: ensure the detection to the incident and return the IT system to
of possible events with negative impact in operational status
order to avoid them or reduce their Operational security controls
impact. Operational security controls are used to
- Restore secure state: these measures are correct operational deficiencies that could
capable of bringing the system to last arise when a threat is exercised. These
known security state after a security include preventive and detection operational
breach occurs. controls
- Virus detection and eradication: detect, Preventive operational controls are as
identify and remove viruses to ensure follows:
system and data integrity. - Controlling data access
Management security controls - Limiting external data distribution
These controls are implemented to reduce the - Control software viruses
level of risk and protect the organization’s - Ability to create backup copies
mission. They are focused on policies, - Protect laptops, personal computers,
guidelines and standards for information workstations
protection. Management security controls - Provide emergency power source
includes three categories: preventive, - Control the humidity and temperature of
detection and recovery controls. the computing
First controls, preventive management Detection operational controls include the
security controls include the following following:
controls: - Providing physical security (motion
- Development and maintenance of system detectors, sensors and alarms)
security plans in order to support of the - Ensuring environmental security (smoke
organization’s mission. and fire detectors, fire sensors and alarms)
- Implementation of personnel security
controls, including separation of duties,
Informatica Economică vol. 15, no. 1/2011 239

7 Cost- benefit analysis technical. Technical controls are safeguards


The cost – benefit analysis represents the incorporated into computer hardware,
estimation and comparison of the relative software or firmware such as access control
value and cost associated with each proposed mechanism, authentication mechanism,
control. This analysis is an efficiency encryption methods and the non-technical
criterion used for choosing the control to be ones are management and operational
implemented. controls like policies, procedures and
In order to make a cost – benefit analysis an personnel and environmental security.
organization must follow the next steps: Technical and non-technical control
- Determining the impact of implementing described above can be classified into
new measure or improving the existing preventing controls and detective controls.
one Preventing controls inhibit attempts to violate
- Determining the impact of not security policies, meanwhile detecting
implementing new measure or improving controls alert violation or attempted violation
the existing one of security policies. These controls are
- Estimating the cost of implementation implemented during the risk minimization
which includes hardware and software phase.
purchase, cost of implementing new
policies and procedures, training cost and 9 Conclusion
system maintenance cost Since the economic environment is really
- Assessing the costs and benefits of fierce and constantly changing, organizations
implementation controls. that desire to remain on the market should
The organization must determine the pay greater attention to risk management
accepted level of risk to decide whether a process. Managers’ responsibility is very
measure will be implemented or not. The high and for this reason information security
following rules should be followed when risk management is of fundamental concern
deciding if a measure is implemented or not: to all organizations. This process is a long
- If the implementation reduces the level of term cycle and its importance should not be
risk more than is necessary, a less missed at any time. All steps must be
expensive alternative should be chosen followed, risk identification not being
- If the implementation costs more than the enough for saving an organization from
benefit that would be obtain after the disappearing from the market. Risk
implementation, another control should be identification should be done with greater
sought care; all risks must be identified and treated
- If the implementation does not reduce the carefully. The evaluation and assessment of
level of risk enough, more effective potential threats, vulnerabilities and possible
controls preferable with a similar cost damage is very important. After this
should be sought assessment is done, necessary controls
- If the implementation reduces the risk at should be implemented in terms of cost-
an acceptable level and is cost-effective. effectiveness and the level of risk reduced by
The measure should be implemented the implementation. To identify the most
appropriate controls a cost- analysis has to be
8 Control analysis done. Its results help managers implement
After the implementation of security policies, the most efficient controls that bring the
in case the occurrence of security incidents, greatest benefit to the organization.
the organization must re-evaluate the entire Risk management helps managers to better
risk management system, is being made as control the business practices and improve
appropriate approaches for change, in the the business process. If the results of risk
way to improve the security policies. analysis are well understood and the right
Security policies can be technical or non- measures are implemented, the organization
240 Informatica Economică vol. 15, no. 1/2011

not only that will not disappear from the information security risk management”,
market, but it will develop and more easily International Journal of Information
obtain the targeted results. Management, pp. 413-414, 2008.
Available: http://www.sciencedirect.com
References [6] M. Howard, S. Lipner, “The security
[1] G. Stoneburner, A. Goguen, A. Feringa, development lifecycle”, United States of
Risk Management Guide for Information America: Microsoft Press, 2006, pp.
Technology System, 2002. 114-116.
[2] S. Southern, “Creating risk management [7] E. Humphreys, ”Information security
strategies for IT security”, Network management standards: Compliance,
Security”, 2009, pp.13-14. governance and risk management”,
[3] Information Systems Audit and Control Information Security Technical Report
Association, Certified Information I3, 2008, pp. 247-249. Available:
Systems Auditors, 2006, pp.85-89. http://www.sciencedirect.com
[4] The Department of Trade and Industry, [8] M. Siponen, R. Willison, “Information
“Achieving Best Practice in Your security management standards:
Business Information Security: Problems and solutions”, Information
Protecting Your Business Assets”, pp. 8- and Management, vol. 46, pp.269-270,
22, Available at: 2009. Available at:
http://webarchive.nationalarchives.gov.u http://www.sciencedirect.com
k/tna/+/http://www.dti.gov.uk/files/file9 [9] E. Burtescu, Securitatea datelor firmei,
985.pdf/ Editura Independenta Economica, 2005.
[5] R. Bojanc, B Jerman-Blazic, “An
economic modeling approach to

Elena Ramona STROIE has graduated The Bucharest Academy of


Economics Studies, Faculty of Cybernetics, Statistic and Economic
Informatics in 2008. She holds a Master diploma in Informatic Systems for
Economic Processes and Resources Management from 2009 and in present
she is a PhD Candidate in Cybernetics and Economic Statistic with the
Doctor’s Degree Thesis: Methods of Risk Analysis and Assessment in an
Information System. Her areas of interests are: Information System Security,
Risk Analysis Management.

Alina Cristina RUSU has graduated The University of Craiova, Faculty of


Automatics, Computers and Electronics, Computers Engineer. She holds a
Master diploma in IT & C Security from Academy of Economics Studies and
present she is a PhD Candidate in Economic Informatics with the Doctor’s
Degree Thesis: Protection of confidential information in a computer system.
Her areas of interests are: Information Systems Security, Risk Analysis
Management and Security Policies in Informatics Systems.