Risk Factor (computing)
   HOME

TheInfoList



Click Here for Items Related To - Risk Factor (computing)
OR:
Risk Factor (computing) on:   [Wikipedia]   [Google]   [Amazon]

In
information security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
, risk factor is a collective name for circumstances affecting the likelihood or impact of a
security risk In simple terms, risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environme ...
.


Definitions


FAIR

Factor Analysis of Information Risk (FAIR) is devoted to the analysis of different factors influencing
IT risk Information technology risk, IT risk, IT-related risk, or cyber risk is any risk related to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Re ...
. It decompose at various levels, starting from the first level Loss Event Frequency and Probable Loss Magnitude, going on examining the
asset In financial accountancy, financial accounting, an asset is any resource owned or controlled by a business or an economic entity. It is anything (tangible or intangible) that can be used to produce positive economic value. Assets represent value ...
, the
threat A threat is a communication of intent to inflict harm or loss on another person. Intimidation is a tactic used between conflicting parties to make the other timid or psychologically insecure for coercion or control. The act of intimidation for co ...
agent capability compared to the
vulnerability (computing) Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by ...
and the
security control Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the c ...
(also called
countermeasure A countermeasure is a measure or action taken to counter or offset another one. As a general concept, it implies precision and is any technological or tactical solution or system designed to prevent an undesirable outcome in the process. The fi ...
) strength, the probability that the agent get in contact and actually act against the asset, the organization capability to react to the event and the impact on stakeholders.


ISACA

Risk factors are those factors that influence the frequency and/or business impact of risk scenarios; they can be of different natures, and can be classified in two major categories:ISACA THE RISK IT FRAMEWORK (registration required)
/ref> * Environmental, further subdivided in: ** Internal environmental factors are, to a large extent, under the control of the enterprise, although they may not always be easy to change. ** External environmental factors are, to a large extent, outside the control of the enterprise. * Capability of the organization, further subdivided in: **
IT risk management IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.: :''The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an ...
capabilities—To what extent is the enterprise mature in performing the risk management processes defined in the
Risk IT Risk IT, published in 2009 by ISACA,ISACA THE RISK IT FRA ...
framework ** IT capabilities—How good is the enterprise at performing the IT processes defined in
COBIT COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for information technology (IT) management and IT governance. The framework is business focused and defines a set of generic processes for the ma ...
** IT-related business capabilities (or value management)—How closely do the enterprise’s value management activities align with those expressed in the
Val IT Val IT is a governance framework that can be used to create business value from IT investments. It consists of a set of guiding principles and a number of processes and best practices that are further defined as a set of key management practices to ...
processes


Risk scenario

An
IT risk Information technology risk, IT risk, IT-related risk, or cyber risk is any risk related to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Re ...
risk scenario is a description of an IT related event that can lead to a business impact, when and if it should occur. Risk factors can also be interpreted as causal factors of the scenario that is materialising, or as
vulnerabilities Vulnerability refers to "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally." A window of vulnerability (WOV) is a time frame within which defensive measures are diminished, com ...
or weaknesses. These are terms often used in risk management frameworks. Risk scenario is characterized by: * a
threat A threat is a communication of intent to inflict harm or loss on another person. Intimidation is a tactic used between conflicting parties to make the other timid or psychologically insecure for coercion or control. The act of intimidation for co ...
actor that can be: ** Internal to the organization (employee, contractor) ** External to the organization (competitor, business partner, regulator, act of god) * a threat type ** Malicious, ** Accidental ** Failure ** Natural * Event ** Disclosure, ** Modification ** Theft ** Destruction ** Bad design ** ineffective execution ** inappropriate use *
asset In financial accountancy, financial accounting, an asset is any resource owned or controlled by a business or an economic entity. It is anything (tangible or intangible) that can be used to produce positive economic value. Assets represent value ...
or resource ** People and organization ** Process ** Infrastructure or facilities ** IT infrastructure ** Information ** Application * Time ** Duration ** Timing of occurrence (critical or not) ** Timing to detect ** Timing to react The risk scenario structure differentiates between loss events (events generating the negative impact), vulnerabilities or vulnerability events (events contributing to the magnitude or frequency of loss events occurring), and threat events (circumstances or events that can trigger loss events). It is important not to confuse these risks or throw them into one large risk list."An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006
;


See also

*
Asset In financial accountancy, financial accounting, an asset is any resource owned or controlled by a business or an economic entity. It is anything (tangible or intangible) that can be used to produce positive economic value. Assets represent value ...
*
Attack (computing) A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices. An attacker is a person or process that attempts to access data, functions, or other restricted ...
*
Countermeasure (computer) In computer security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so ...
*
Computer security Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, the ...
*
Computer insecurity Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, the ...
*
Information Security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
*
Information security management Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The cor ...
*
ISACA ISACA is an international professional association focused on IT (information technology) governance. On its IRS filings, it is known as the Information Systems Audit and Control Association, although ISACA now goes by its acronym only.
*
Information security management system Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core ...
*
ISO/IEC 27001 ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, ...
*
IT risk Information technology risk, IT risk, IT-related risk, or cyber risk is any risk related to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Re ...
*
Risk In simple terms, risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environme ...
* Risk Management *
The Open Group The Open Group is a global consortium that seeks to "enable the achievement of business objectives" by developing "open, vendor-neutral technology standards and certifications." It has over 840 member organizations and provides a number of servi ...
*
Threat (computer) In computer security, a threat is a potential negative action or event facilitated by a vulnerability that results in an unwanted impact to a computer system or application. A threat can be either a negative " intentional" event (i.e. hacking: ...
*
Security control Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the c ...
*
Security risk In simple terms, risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environme ...
*
Security service (telecommunication) Security service is a service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers as defined by ITU-T X.800 Recommendation. X.800 and ISO 7498-2 (Information processing systems †...
*
Vulnerability (computing) Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by ...


References

{{DEFAULTSORT:Risk Factor (Computing) Computer security Risk analysis