1). Contrast Risk, Threat, and Vulnerability.
Risk sits at the intersection of threats, vulnerabilities and assets. More precisely, it is the probability of loss or damage to an asset as a result of a threat exploiting a vulnerability (Aven, 2011). A threat is anything an organization must guard against because it can exploit a vulnerability, accidentally or deliberately, and cause damage or loss. Threats can be actual, conceptual or inherent. A vulnerability is a gap or weak point in an organization's security program that a threat can exploit. Risk is therefore a product of the two: it exists only where a threat and a vulnerability coincide, and removing either lowers the risk or eliminates it altogether. Understanding the underlying threats and vulnerabilities is consequently a prerequisite for assessing the inherent or actual risk.
Threats themselves are generally outside an organization's control, but they can be identified and countermeasures put in place to limit their effects. Vulnerabilities, being weaknesses in a system, are what the organization can treat directly: it finds the weaknesses and corrects them, which in turn reduces both the likelihood and the impact of the risk. Risk identification therefore involves a thorough assessment of the system or organization for inherent and persistent threats and vulnerabilities. Once these are properly handled, the overall risk is lowered to an acceptable level, and in the limiting case eliminated, although in practice some residual risk usually remains (Birkmann, Cardona, Carreño, Barbat, Pelling, Schneiderbauer & Welle, 2013).
2). Explain the relationship between risk and loss.
Risk, as defined above, is the probability that an uncertain future event will result in loss or damage; it arises from threats and vulnerabilities acting together. Some vulnerabilities can be controlled directly, whereas threats can only be addressed by reducing the damage they would cause (Ingram, 2015). Loss, by contrast, is damage that has already occurred, whether directly or indirectly. Risk is forward-looking and loss is a matter of record: an organization facing a risk should be concerned with mitigating its possible future effects, whereas a loss can only be absorbed or recovered from. Losses take many forms, chiefly financial, economic and physical.
It is nonetheless possible to have risk without loss and loss without risk; the two are neither strictly mutually exclusive nor strictly mutually inclusive. Dave Ingram illustrates the difference with a gun analogy. Risk is putting a revolver loaded with a single bullet to your head and pulling the trigger; loss is the bullet being fired. Risk without loss is pulling the trigger and finding the chamber empty. Loss without risk is pulling the trigger on a gun with every chamber loaded: the outcome is certain, so there is no uncertainty, only loss (Ingram, 2015). The question for management is how many bullets in the gun is too many. Doing nothing may produce no loss regardless of the risk, since the chamber may turn out to be empty, but the likelihood of loss grows with every bullet loaded, and that is what makes risk management necessary (Ingram, 2015). Management should therefore analyse all known and potential threats and vulnerabilities, use that information to establish the level of risk facing a given system or program, and then decide: if the risk level is acceptable, the program can proceed; if it is not, the program should be stopped altogether, or the risk reduced before proceeding.
3). Describe Risk management and assess its level of importance in information security.
Risk management is the process of identifying, assessing and treating risks so as to reduce either their likelihood or the effects of the potential loss to a level the organization is prepared to accept ("Seven Components to a Risk Management Plan," 2014). In information security it is vitally important, because the assets at stake include organizational secrets, employees' personal data, and the organization's servers and private networks. If such information lands in the wrong hands it can be misused: a company that fails to protect customer information risks losing its customers' trust, and one whose secrets reach a competitor can suffer great loss and sabotage. Each element of an information security situation should first be classified as a threat, a vulnerability or an asset at risk; only then can risk management be undertaken successfully.
4). Argue the need for organizations to take risks with its data (e.g. is it a risky practice to store customer information for repeat visits.)
Storing customer information for any length of time exposes an organization to a considerable risk, because there is an ever-present threat from attackers who may break into the organization's systems and steal it. The practice is therefore inherently risky. Companies can, however, assess the level of the threat and institute measures to reduce it. Based on a cost-benefit analysis that weighs the expected loss from a breach against the value of holding the data and the cost of protecting it, an organization can decide professionally whether storing the information is worth the risk, and it can reduce that risk by storing only what it actually needs. If it decides to keep the information, it can then assure customers that their data is safe and in good custody. Organizations do not keep customer information without reason: management stores it to track how many customers it has and how often they return, and many customers are frustrated at having to re-enter their details on every visit and prefer the organization to hold them.
5). Describe the necessary components in any organizational risk management plan.
An effective organizational risk management plan should clearly set out the following components: roles and responsibilities, budgeting, timing, scoring and interpretation, thresholds, communication, and tracking and auditing ("Seven Components to a Risk Management Plan," 2014). Each role is designated as leading or supporting and described in detail. Management must then decide on the budget for the risk management process. Timing is essential, since it fixes the date of the initial risk assessment and how often the risk management process is repeated. Scoring and interpretation entail choosing appropriate methods for both qualitative and quantitative risk analysis. The company should set thresholds above which a risk is considered important enough to act upon, and below which it may be accepted. Communication matters because the above information must be documented and communicated to management and the other parties involved. Finally, tracking and auditing ensure that everything about the plan is well documented for future use ("Seven Components to a Risk Management Plan," 2014).
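To make the scoring, threshold and cost-benefit steps of sections 4 and 5 concrete, here is an added example (not from the essay or its cited sources) of a small risk register. Each entry is scored qualitatively as likelihood multiplied by impact and gated against thresholds, and also quantitatively as annualized loss expectancy (ALE = asset value x exposure factor x annual rate of occurrence), so that a proposed control such as encrypting the customer data store can be judged by whether the ALE it removes exceeds its annual cost. The 1..5 scales, the thresholds, the register entries and their numbers are all assumptions constructed for illustration.

```python
"""Added example (not from the essay or its cited sources): a small risk
register that scores entries qualitatively, gates them against thresholds,
and computes annualized loss expectancy so a control can be judged on a
cost-benefit basis. Scales, thresholds and entries are assumptions."""
from dataclasses import dataclass
from typing import List

# Assumed 1..5 qualitative scales for threat likelihood and impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed thresholds on the 1..25 product: at or above ACT the risk must be
# treated, at or above WATCH it is monitored, below WATCH it is accepted.
ACT_THRESHOLD = 12
WATCH_THRESHOLD = 6


@dataclass
class Risk:
    name: str
    threat_likelihood: str       # key into LIKELIHOOD: how often the threat acts
    vulnerability_present: bool  # is there a weakness the threat can exploit?
    impact: str                  # key into IMPACT: consequence if it succeeds
    asset_value: float           # AV, value of the asset in currency units
    exposure_factor: float       # EF, fraction of AV lost in one incident (0..1)
    annual_rate: float           # ARO, expected incidents per year

    def qualitative_score(self) -> int:
        """Likelihood x impact. Risk needs both a threat and a vulnerability,
        so with no exploitable weakness the score is 0 whatever the threat."""
        if not self.vulnerability_present:
            return 0
        return LIKELIHOOD[self.threat_likelihood] * IMPACT[self.impact]

    def interpret(self) -> str:
        """Map the score onto the plan's thresholds."""
        score = self.qualitative_score()
        if score >= ACT_THRESHOLD:
            return "act"
        if score >= WATCH_THRESHOLD:
            return "watch"
        return "accept"

    def single_loss_expectancy(self) -> float:
        """SLE = AV x EF: expected loss from one incident."""
        return self.asset_value * self.exposure_factor

    def annualized_loss_expectancy(self) -> float:
        """ALE = SLE x ARO: expected loss per year; zero if nothing is exploitable."""
        if not self.vulnerability_present:
            return 0.0
        return self.single_loss_expectancy() * self.annual_rate


def control_net_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus what the control
    costs per year. Positive means the control is worth buying."""
    return (before.annualized_loss_expectancy()
            - after.annualized_loss_expectancy()
            - annual_control_cost)


def prioritize(register: List[Risk]) -> List[str]:
    """Names ordered by qualitative score, ties broken by ALE, highest first."""
    ranked = sorted(register,
                    key=lambda r: (r.qualitative_score(), r.annualized_loss_expectancy()),
                    reverse=True)
    return [r.name for r in ranked]


# Constructed register entries (illustrative numbers, not real data).
CUSTOMER_PII_BREACH = Risk("customer_pii_breach", "possible", True, "major",
                           asset_value=500_000, exposure_factor=0.4, annual_rate=0.2)
# The same risk after encrypting the store and restricting access (assumed effect).
CUSTOMER_PII_BREACH_CONTROLLED = Risk("customer_pii_breach", "unlikely", True, "moderate",
                                      asset_value=500_000, exposure_factor=0.1, annual_rate=0.1)
STAFF_PHISHING = Risk("staff_phishing", "likely", True, "minor",
                      asset_value=50_000, exposure_factor=0.5, annual_rate=2.0)
# A module nothing can reach: a threat exists in the abstract but no vulnerability.
LEGACY_MODULE = Risk("legacy_module", "likely", False, "severe",
                     asset_value=100_000, exposure_factor=1.0, annual_rate=1.0)

REGISTER = [LEGACY_MODULE, STAFF_PHISHING, CUSTOMER_PII_BREACH]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:22} score={r.qualitative_score():2} {r.interpret():6} "
              f"ALE={r.annualized_loss_expectancy():,.0f}")
    print("priority:", prioritize(REGISTER))
    print("net annual value of encryption + access control:",
          control_net_value(CUSTOMER_PII_BREACH, CUSTOMER_PII_BREACH_CONTROLLED, 20_000))
```

With these constructed numbers the customer data store scores 12 (act) and carries an ALE of 40,000 per year; the assumed control brings it down to a score of 6 (watch) and an ALE of 5,000, so at an annual cost of 20,000 the control is worth 15,000 a year net, which is the kind of figure the section 4 cost-benefit decision turns on. The legacy module scores zero despite a severe impact and a likely threat, because with no exploitable vulnerability there is no risk, which is the section 1 point that risk requires both.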
Aven, T. (2011). On some recent definitions and analysis frameworks for risk, vulnerability, and resilience. Risk Analysis, 31(4), 515-522.
Birkmann, J., Cardona, O. D., Carreño, M. L., Barbat, A. H., Pelling, M., Schneiderbauer, S., … & Welle, T. (2013). Framing vulnerability, risk and societal responses: the MOVE framework. Natural Hazards, 67(2), 193-211.
Ingram, D. (2015, November 06). The Difference Between Risk and Loss. Retrieved January 11, 2017, from http://blog.willis.com/2014/12/the-difference-between-risk-and-loss/
Seven Components to a Risk Management Plan. (2014, October 6). Retrieved January 11, 2017, from http://blog.method123.com/2014/10/06/seven-components-to-a-risk-management-plan/