一個(gè)識(shí)別信息安全風(fēng)險(xiǎn)的整體風(fēng)險(xiǎn)分析方法外文翻譯-在線瀏覽
2025-01-04 08:34本頁(yè)面
【正文】 sis on the people and process aspects of information systems. This is a major oversight, given that people and processes are widely considered to be the leading causes of security breaches ., Siponen, 2020。 Wade, 2020. In addition, there is no mon approach to identifying which IT assets are to be included in the analysis. An IT professional developing a list of technical assets may not be aware of important userdeveloped spreadsheets and applications that contain significant security risks. Specific confidential information that warrants safeguarding may also be omittedSecond, estimates of expected losses are based on the value of assets, and are widely inaccurate for a variety of reasons. Determining the value of intangible assets, such as information, is considered difficult, if not impossible, to estimate Gerber and von Solms, 2020. Yet, information is one of the most important assets of an anization and is the focal point of information security. Estimates for the value of tangible assets may be inaccurate because in many cases only replacement costs are considered, which does not include the financial loss due to disruption of operations Suh and Han, 2020. In cases where cost of disruption of operations is included in the asset value, the estimate is highly subjective. Finally, expected financial losses based on asset value typically do not include the social impact of a potential breach, such as loss of customer confidence Bent and Kailay, 1992Third, probability estimates of the likelihood of an identified vulnerability being exploited are monly considered to be wild uesswork. One reason for this is that likelihood is determined by past history of security breaches, and this is largely underreported ., Strang, 2020。 Keeney et al, 2020. Another reason that estimates of likelihood of occurrence are inaccurate is because making a more accurate estimate requires a high level of expertise by the estimator ., Gerber and von Solms, 2020, which an anization may not possess. See Baskerville 1991 for additional discussion on weak quantitative estimates inherent in traditional risk analysis, which continue to existA fourth limitation of the traditional method to risk analysis is the time and cost involved in conducting such an analysis. The bottomup nature of the traditional method ., driven from a micro, technology assets perspective tends to be timeconsuming, especially in medium to large anizations Halliday et al., 1996. Significant amounts of time may be spent analyzing assets of low importance to critical business processesA fifth limitation to a technologyfocused analysis is that it is often solely conducted by IT professionals. This is problematic because business users are not involved, which only contributes to a lack of security awareness across an anization. Equally important, risks inherent in business processes that may be identifiable by a business user may go undetected by an IT professionalIn summary, the traditional method of conducting risk analysis for information security employs calculations based largely on guesswork to estimate probability and financial loss of a security breach. Secondly, its focus on technology is at the detriment of considering people and processes as significant sources of security risk. Finally, an ITcentric approach to security risk analysis does not involve business users to the extent necessary to identify a prehensive set of risks, or to promote securityawareness throughout an anization. 4. A PROPOSED HOLISTIC RISK ANALYSIS METHOD A holistic risk
公司管理相關(guān)推薦
鄂ICP備17016276號(hào)-1