Significant challenges to effectively assess risks


Assignment:

Respond to the following discussions from classmates (X4) with approximately 175 words or more each. Include a reference to each response. Be thoughtful and insightful; each response must demonstrate critical thinking and analysis.

1. Risk assessment refers to information provided to decision-makers about factors that can negatively impact their organization. One of the most significant challenges to effectively assess risks is that it is impossible to identify every risk that can occur. Likely risks would be the most plausible risks identified during an assessment. These risks are the ones that are more likely to impact the organization. Since not every risk can be identified during an assessment, it can make it difficult to provide accurate data for individuals to make decisions on. Another challenge would be the accuracy of the data. If the data collected is not accurate, it can lead to missing risks in the assessment. For example, during any drug operation, I am required to complete an operational plan, which outlines the operation we are about to conduct. Once the operational plan is drafted, I have to complete a Composite Risk Management Worksheet and Risk Assessment Matrix to assist in identifying risks and vulnerabilities of the operational plan. A factor that increases the risk of the operation would be the subject’s criminal history. If the subject targeted has any firearm violations, assault charges, etc., it increases the risk of the operation because it is likely the subject would have a firearm with him and would become violent when confronted by law enforcement. Sometimes, however, this data is not accurate. If the agency that arrested the individual for assault or gun violations does not input the information into the system, it will lead to misleading information when we pull up the subject’s criminal history. If this occurs, the risk would be calculated incorrectly and, therefore, can lead to consequences during the operation. Recently, the Air Force failed to accurately report the subject’s criminal charges to the Federal Bureau of Investigation (FBI). This resulted in many casualties from the Texas church shooting.
If this same individual had been a target for an operation, his criminal history would not have been accurate and could lead to something similar occurring in the operation. Once the risks are identified, and proper control measures are identified, the operation is forwarded for approval based on the level of risk. The risks range from low to high, which are different across organizations. The level of risk determines whom the operation is forwarded to. The higher the risk, the higher the level of approval needed to conduct the operation. If the risk is inaccurate due to the data available, it can lead to the operation being forwarded to the incorrect individual for approval.

2. Risk assessment is done every day by just about everyone; we just do not realize it. Generally speaking, a risk assessment provides decision makers with information needed in determining and understanding factors that may negatively impact the operations or outcomes of an organization’s operational success. Threat analysis and assessment are the two key components determining whether or not there is sufficient evidence to warrant attention.
The quantitative approaches generally estimate a monetary value/cost associated with a risk. To illustrate risk, the quantitative model includes tools such as bar, line, combination charts and graphs. There are some disadvantages of the quantitative model. Accuracy is hard to come by; the wide margin of error in results is misleading. Another disadvantage is the difficulty of representing effects on service delivery and information.
The qualitative approaches come when data and costs are not available. This approach may be taken by defining risk more subjectively in terms of high, medium, and low risks. Qualitative assessments rely on the expertise, experience and judgment of those conducting the assessment. Disadvantages to the qualitative approach include the fact that personal bias can be reflected in the assessment. The results also depend entirely on the skills and knowledge of the assessor or assessment team.

3. Risk assessments provide a broad picture of an organization, and the potential risks that may be encountered that may disrupt a CI. Radvanovsky notes that threats may be deliberate, accidental, or natural in origin (Identify Known, Apparent, or Evident Threats, 2014). A general Risk Assessment will cover a wide range of areas, from information security to generalized risks. Security Vulnerabilities Assessments (SVA) are systematic examinations of networks to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation (What is an SVA, 2014). Vulnerabilities tests can be seen as more of a penetration test, where the vulnerabilities of a system or environment are tested, similar to risk assessments, but different in the delivery and implementation of the how and why. SVA can more easily be thought of as an assessment conducted by individuals on a given enterprise regarding CI that specialize in locating and exploiting vulnerabilities. Risk assessments can be seen as identifying any significant risk and determining if sufficient procedures are in place to mitigate said risk.
A risk assessment would likely be appropriate in any enterprise as well as under a variety of circumstances. Threats can be seen in three distinct categories: natural disasters, accidental threats, intentional or malicious threats (What is a Threat). An example where a risk assessment would be more appropriate could likely be seen within the energy sector. Since each entity will define an asset as critical differently, a risk assessment within the energy sector should first identify the assets that are most critical and assess the potential for threats. After threats have been identified, a risk assessment should identify ways to reduce said risks, and prioritize the measure needed to reduce the risk. If a bulk power supply station has been identified as having a particular vulnerability to earthquakes, it should be examined if best procedures are in place for mitigation, or if new procedures should be developed and what costs are associated with the potential risk.
The transportation sector can provide an instance where an SVA would be more suitable than a risk assessment. Airports have unique security needs, from computers to physical security; since 9/11, there is a constant need to not only assess and measure procedures but also to test for vulnerabilities. Physical-based vulnerabilities perform similar functions to network-based, but its primary function is to breach physical perimeters (What is an SVA, 2014). If a vulnerability were to be assessed at the airport check-in, a penetration test might be performed to test the vulnerability and develop better procedures to mitigate the possibility of a threat in the future.

4. In general, a risk assessment is good when an organization needs to understand what the current threats are, the potential impacts to the infrastructure and service, and potential mitigations to reduce the risk. This is useful after an organization installs new hardware, software, networking equipment, or after an incident. In any case, a risk assessment is more useful than a security vulnerability assessment (SVA) when mitigations have not been refined or put in practice. While not specifically stated, organizations should conduct a risk assessment at least once per year to identify up-to-date threats and risks. As an example, if a police department enters a public-private partnership to share information with other agencies, then it would be more useful to conduct a risk assessment than an SVA to understand any new risks to the police station. Per Taylor (2015) “one flaw that will continually plague the efforts for accurate risk assessment is the necessity to rely on management perceptions, which when based on heuristics instead of facts, can lead to flawed organizational strategy and increased industry threats” (p. 183). Therefore, a risk assessment cannot replace an SVA.
It is more useful to conduct an SVA when an organization already understands the risks, has instituted mitigations, and maintains a desire to test the mitigations against simulated risks. This is necessary to determine if mitigations are effective or if they need further improvement. This assessment can test the physical aspects, such as entry points and general security, as well as any equipment attached to a network, software, and security protocol (Radvanovsky & McDougall, 2013). From the previous example, a police station would use an SVA to validate mitigation measures after taking steps to protect against known risks.

Your answer must be typed, double-spaced, Times New Roman font (size 12), one-inch margins on all sides, APA format.
