Risk factor (computing)
Encyclopedia
In Information security
, Risk factor is a collectively name for circumstances affecting the likelihood or the impact of a security risk
.
(FAIR) is devoted to the analysis of different factors influencing the IT risk
. It decompose at various levels, starting from the first level Loss Event Frequency and Probable Loss Magnitude, going on examining the asset, the threat
agent capability compared to the vulnerability (computing)
and the security control (also called countermeasure
) strength, the probability that the agent get in contact and actually act against the asset, the organization capability to react to the event and the impact on stakeholders.
risk scenario is a description of an IT related event that can lead to a business impact, when and if it should occur.
Risk factors can also be interpreted as causal factors of the scenario that is materialising, or as vulnerabilities
or weaknesses. These are terms often used in risk management frameworks.
Risk scenario is characterized by:
The risk scenario structure differentiates between loss events (events generating the negative impact), vulnerabilities or vulnerability events
(events contributing to the magnitude or frequency of loss events occurring), and threat events (circumstances or events that can trigger loss
events). It is important not to confuse these risks or throw them into one large risk list.
-->
Information security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
, Risk factor is a collectively name for circumstances affecting the likelihood or the impact of a security risk
Security risk
Security Risk describes employing the concept of risk to the security risk management paradigm to make a particular determination of security orientated events.According to CNSS Instruction No...
.
FAIR
Factor Analysis of Information RiskFactor Analysis of Information Risk
Factor analysis of information risk is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of loss events...
(FAIR) is devoted to the analysis of different factors influencing the IT risk
IT risk
Information technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...
. It decompose at various levels, starting from the first level Loss Event Frequency and Probable Loss Magnitude, going on examining the asset, the threat
Threat (computer)
In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
agent capability compared to the vulnerability (computing)
Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
and the security control (also called countermeasure
Countermeasure (computer)
In Computer Security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.The definition is...
) strength, the probability that the agent get in contact and actually act against the asset, the organization capability to react to the event and the impact on stakeholders.
ISACA
Risk factors are those factors that influence the frequency and/or business impact of risk scenarios; they can be of different natures, and can be classified in two major categories:.- Environmental, further subdivided in:
- Internal environmental factors are, to a large extent, under the control of the enterprise, although they may not always be easy to change.
- External environmental factors are, to a large extent, outside the control of the enterprise.
- Capability of the organization, further subdivided in:
- IT risk management capabilities —To what extent is the enterprise mature in performing the risk management processes defined in the Risk ITRisk ITRisk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.Risk IT was published in 2009 by ISACA...
framework - IT capabilities—How good is the enterprise at performing the IT processes defined in COBITCOBITCOBIT is a framework created by ISACA for information technology management and IT Governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.-Overview:...
- IT-related business capabilities (or value management)—How closely do the enterprise’s value management activities align with those expressed in the Val ITVal ITVal IT is a governance framework that can be used to create business value from IT investments. It consists of a set of guiding principles and a number of processes and best practices that are further defined as a set of key management practices to support and help executive management and boards...
processes
- IT risk management capabilities —To what extent is the enterprise mature in performing the risk management processes defined in the Risk IT
Risk scenario
An IT riskIT risk
Information technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...
risk scenario is a description of an IT related event that can lead to a business impact, when and if it should occur.
Risk factors can also be interpreted as causal factors of the scenario that is materialising, or as vulnerabilities
Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
or weaknesses. These are terms often used in risk management frameworks.
Risk scenario is characterized by:
- a threatThreat (computer)In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
actor that can be:- Internal to the organization (employee, contractor)
- External to the organization (competitor, business partner, regulator, act of god)
- a threat type
- Malicious,
- Accidental
- Failure
- Natural
- Event
- Disclosure,
- Modification
- Theft
- Destruction
- Bad design
- ineffective execution
- inappropriate use
- asset or resource
- People and organizaztion
- Process
- Infrastructure or facilities
- IT infrastructure
- Information
- Application
- Time
- Duration
- Timing of occurrence (critical or not)
- Timing to detect
- Timing to react
The risk scenario structure differentiates between loss events (events generating the negative impact), vulnerabilities or vulnerability events
(events contributing to the magnitude or frequency of loss events occurring), and threat events (circumstances or events that can trigger loss
events). It is important not to confuse these risks or throw them into one large risk list.
See also
- Asset
- Attack (computer)Attack (computer)In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.- IETF :Internet Engineering Task Force defines attack in RFC 2828 as:...
- Countermeasure (computer)Countermeasure (computer)In Computer Security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.The definition is...
- Computer securityComputer securityComputer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
- Computer insecurityComputer insecurityComputer insecurity refers to the concept that a computer system is always vulnerable to attack, and that this fact creates a constant battle between those looking to improve security, and those looking to circumvent security.-Security and systems design:...
- Information SecurityInformation securityInformation security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
- Information security managementInformation Security ManagementInformation security describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage...
- ISACA
- ISMS
- ISO/IEC 27001ISO/IEC 27001ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an Information Security Management System standard published in October 2005 by the International Organization for Standardization and the International Electrotechnical Commission...
- IT riskIT riskInformation technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...
- ISACA
- RiskRiskRisk is the potential that a chosen action or activity will lead to a loss . The notion implies that a choice having an influence on the outcome exists . Potential losses themselves may also be called "risks"...
- Risk ManagementRisk managementRisk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities...
- The Open GroupThe Open GroupThe Open Group is a vendor and technology-neutral industry consortium, currently with over three hundred member organizations. It was formed in 1996 when X/Open merged with the Open Software Foundation...
- Threat (computer)Threat (computer)In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
- Security controlSecurity controlsSecurity controls are safeguards or countermeasures to avoid, counteract or minimize security risks.To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident:*Before the event, preventive...
- Security riskSecurity riskSecurity Risk describes employing the concept of risk to the security risk management paradigm to make a particular determination of security orientated events.According to CNSS Instruction No...
- Security service (telecommunication)Security service (telecommunication)Security service is a service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers as defined by ITU-T X.800 Recommendation....
- Vulnerability (computing)Vulnerability (computing)In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
External links
-->