Unpredictability and sophistication are key features of security risks that impact organizations. Threats that affect a company have far-reaching effects on its stakeholders like operators, re-insurers, vendors, and system integrators. Brenner et al. (2016) explained that each of the interconnected parties has a role in threat mitigation and should adopt safeguards to minimize risks to an acceptable level.
Elahi et al. (2011) reported that complete security is unattainable: the security function must continually limit the damage attackers cause and extend the measures that prevent further attacks. A major concern of security practitioners is therefore an objective estimate of security risk, since it enables the selection of better countermeasures. A risk assessment should involve identification of each risk's source and potential effect, analysis of its probability and impact, and evaluation of whether intervention is needed.
Both qualitative and quantitative risk assessment tools cover these three stages and produce outcomes that inform the planning process. This analysis discusses the features and uses of qualitative and quantitative risk assessment techniques, the adoption of the concentric security model in the design of access control, and countermeasures for insider threats.
Qualitative and Quantitative Tools for Risk Assessment
The planning phase of risk management requires qualitative and quantitative risk analyses.
- Qualitative evaluation
Qualitative evaluation is essential for all known risks, whereas the applicability of quantitative assessment is constrained by the nature of the specific project and the accessibility of data. Brenner et al. (2019) stated that the qualitative approach uses an existing scoring scale to prioritize the risks associated with a project. The evaluation indicates each risk's likelihood of occurrence and the potential effect it may have on the project's objectives.
Based on these outcomes, the qualitative method classifies risks into effect-based or source-based groups. Its main benefit is ease of application, since it uses simple risk categories (typically low, medium, or high). According to Warrick (2015), the consequence-likelihood matrix is the most applicable method for assessing risks that affect the attainment of organizational security objectives.
The matrix is widely applied where potential risks are numerous, which is why the approach works across varying ecological, governance, economic, and social contexts. Brenner et al. (2019), however, identified an inherent lack of precision as a major disadvantage of qualitative tools: a 'high' rating is coarse and depends on the assessor's judgement, so it cannot be compared directly against a cost. Quantitative techniques correct this limitation. Numerical measures of uncertain outcomes improve knowledge of the risks and lead to sounder decisions in the planning phase.
- Quantitative analysis
Quantitative analysis suits the risks that the qualitative stage rated highest. It assigns numerical ratings within a probabilistic assessment. Brenner et al. (2019) argued that the success of quantitative tools depends on the availability of high-quality data, an adequately established project framework, and the prioritized risk list produced by the qualitative inspection. For the risks so specified, quantitative investigation estimates the likely project outcome and the probability of attaining the listed project goals.
The quantitative approach is particularly crucial where the decision-making process is affected by uncertainty. Its results guide the selection of realistic costs, the setting of target coverage, and scheduling. Brenner et al. (2019) emphasized that risk assessment should adopt a quantitative method, which is not only cost-effective but also the most appropriate for long-term applications. Cost-effectiveness is a major concern for owners of security assets, vendors, and integrators of such systems. Because quantitative methods can calculate the economic effect of security incidents, they are also important in the underwriting of cyber insurance.
Qualitative vs. Quantitative: Which to Choose?
Risk quantification is a fundamental requirement in the management of cyber insurance. Brenner et al. (2019) argued that quantifying cyber risks improves premium setting, makes precise cyber risk cover available, identifies exclusion conditions, and regulates the scope of cyber risk coverage. Elahi et al. (2011) argued, however, that quantitative methods are inappropriate at the requirements stage, because risk factors such as attack likelihood and damage have no numerical measurements in the early stages of development. In this phase the choice of the most suitable security solution is also a challenge, as the impact of mitigation strategies and their side effects cannot yet be quantified. Qualitative tools are therefore the most appropriate in the initial stages. This shows the importance of integrating the qualitative and quantitative approaches in risk analysis: the qualitative stage prioritizes, and the quantitative stage is applied to the risks that emerge at the top of that list.
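The workflow this section describes (qualitative prioritization first, quantitative estimation of the top-rated risks second) as an added example in Python. This is not code from the essay or from the cited authors: the 3x3 consequence-likelihood matrix and the annualized loss expectancy formula (asset value x exposure factor x annual rate of occurrence) are standard practice assumed here, the page names no formula, and the risk register and figures are constructed for illustration.

```python
"""Added example, not code from the essay or from Brenner et al. / Elahi et al.:
a qualitative consequence-likelihood matrix whose prioritized output feeds a
quantitative expected-loss estimate for the risks rated 'high'.

Assumptions: the 3x3 low/medium/high matrix and the annualized loss expectancy
formula (ALE = asset value * exposure factor * annual rate) are standard practice
brought in here; the page names neither. All risks and figures are constructed.
"""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# Consequence-likelihood matrix. Outer key = likelihood, inner key = consequence.
MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


@dataclass
class Risk:
    name: str
    likelihood: str               # qualitative input: low / medium / high
    consequence: str              # qualitative input: low / medium / high
    asset_value: float = 0.0      # quantitative inputs, needed only once a risk
    exposure_factor: float = 0.0  #   is rated "high" and data is available
    annual_rate: float = 0.0      # expected incidents per year (ARO)


def qualitative_rating(risk):
    """Rate a risk low/medium/high from the matrix; reject values off the scale."""
    if risk.likelihood not in LEVELS or risk.consequence not in LEVELS:
        raise ValueError(f"{risk.name}: likelihood/consequence must be one of {LEVELS}")
    return MATRIX[risk.likelihood][risk.consequence]


def prioritize(risks):
    """Order risks from highest to lowest rating (stable, so ties keep input order)."""
    rank = {level: i for i, level in enumerate(LEVELS)}
    return sorted(risks, key=lambda r: rank[qualitative_rating(r)], reverse=True)


def annualized_loss_expectancy(risk, annual_rate=None):
    """ALE = SLE * ARO, where SLE = asset value * exposure factor (fraction lost)."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError(f"{risk.name}: exposure factor must be between 0 and 1")
    rate = risk.annual_rate if annual_rate is None else annual_rate
    return risk.asset_value * risk.exposure_factor * rate


def quantify_high_risks(risks):
    """Run the quantitative step only for risks the qualitative stage rated 'high'."""
    return {r.name: annualized_loss_expectancy(r)
            for r in prioritize(risks) if qualitative_rating(r) == "high"}


def control_is_cost_effective(risk, control_cost_per_year, residual_annual_rate):
    """A control pays off if the ALE it removes exceeds what it costs each year."""
    saving = annualized_loss_expectancy(risk) - annualized_loss_expectancy(
        risk, annual_rate=residual_annual_rate)
    return saving > control_cost_per_year


# Constructed sample register (illustrative figures, not real data).
SAMPLE_RISKS = [
    Risk("ransomware", "high", "high", asset_value=2_000_000, exposure_factor=0.25, annual_rate=0.5),
    Risk("lost laptop", "high", "low"),
    Risk("insider data theft", "medium", "high", asset_value=1_000_000, exposure_factor=0.4, annual_rate=0.1),
    Risk("phishing", "medium", "medium"),
    Risk("data centre fire", "low", "high"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.name:20s} {qualitative_rating(r)}")
    for name, ale in quantify_high_risks(SAMPLE_RISKS).items():
        print(f"{name}: ALE = {ale:,.0f} per year")
    print("backup+EDR control worthwhile:",
          control_is_cost_effective(SAMPLE_RISKS[0], 60_000, residual_annual_rate=0.1))
```

Only the two 'high' risks receive quantitative figures, mirroring the text's point that quantitative work needs both good data and the qualitative priority list; the cost-effectiveness check is the decision the quantitative figures exist to support.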
Concentric Security Approach in Access Control Designs
‘Convergence’ is one of the words most commonly used in the security field today. Scaglione (2009) noted that convergence is necessary within physical systems, between physical and logical structures, and within corporate procedures; the desired result is compliance. Access control and identity verification are vital to security convergence. They improve the protection of large volumes of electronic and documented information as well as physical and virtual infrastructure, and they enable the monitoring of the activities of visitors, employees, and vendors to check compliance with regulations. Scaglione (2009) explained that security experts should survey the security program they own to discover whether access control principles are present, because those principles determine the efficacy of any additional programs later made part of the access control process.
Today's economy is characterized by budget limitations amid a surge in crime, and this is blamed for weakly founded programs and ineffective access control systems. The primary components of access control are individuals, policies, processes, and physical security systems, and each has a critical role in establishing a strong access control program. An effective program safeguards digital information and recognizes when visitors enter a network. Restriction and monitoring of facilities work best when unauthorized users are detectable and verified areas are clearly arranged.
Concentric circles are the most appropriate model for designing and evaluating access control. Shehu and Garba (2020) described concentric circles as rings that surround one another around a single central point. Concentric protection involves several layers (or rings), with the first ring at the site boundary and the others placed progressively inwards until the high-value assets are reached. The layers are arranged so that an intruder must cross several of them before the intended act can be committed. Security is strongest when several layers separate the outside world from the most valued asset.
If procedures break down, the multiple layers provide redundancy: an unintentional security breach within an office may still be contained if there is adequate security in the outer environment, because a single procedure is easier to defeat than several. The layers on which the model is built may be physical obstacles such as walls, card readers, fences, intercoms, or windows; they may equally be security officers guarding an entrance, a receptionist, or armed personnel patrolling the premises. Scaglione (2009) stressed that no single component provides effective control on its own, so several systems must be brought together to form a regulated security infrastructure.
When creating and setting up the layers for physical access control, Scaglione recommends applying the guidelines of Crime Prevention through Environmental Design (CPTED). CPTED aims to shape the physical environment so that monitoring and restriction of access are achieved; barriers established on this principle are usually hard to defeat, and the deliberate design of the environment keeps the various controls in use working together. Layered security also depends on policies and processes. Accompanying proven procedures with a sound policy statement makes a security intervention more valuable, and the policy should clearly describe the proposed philosophy and the intended implementation process.
Shehu and Garba noted that although the concentric model does not specify the number of circles to be used, scholars have suggested three and some recommend four rings. The minimum number of layers to incorporate is therefore three, and security is more stable with five or more. Multiple layers minimize the possibility of intruder access: raising the number of layers, improving the efficacy of existing layers, or both reduces the chances of intrusion.
One layer cannot be effective on its own, because it would have to be perfect. There are also simple practices, at little or no cost, that can be added to the layers to heighten security; employee awareness of security rules and requirements is itself a crucial layer. Establishing access control does not end with implementation. Layered systems must be assessed to confirm that they work towards the pre-established objective, which is compliance.
Compliance is confirmed when procedures, policy verification, and physical security systems consistently meet the design requirements. To ensure that the access control system attains its working specification, an organization should set compliance checks; for example, it may check whether staff consistently screen visitors and whether practice follows the steps laid out in the policy. This in turn requires the security policy to state in advance how staff should carry out their tasks.
The final phase of access control development is installation, where Scaglione (2009) encourages simplicity. Complex systems are often ineffective, because end users tend to bypass their features in order to get their work done. A major guideline, therefore, is that security systems should be aligned with corporate culture.
Countermeasures for Addressing Insider Threats
An insider is an individual within the perimeter whose actions are not interrupted by the security measures meant to bar intruders from the network (MacKinnon, Bacon, Gan, Loukas, Chadwick, and Frangiskatos, 2013). Some insiders are even permitted to log into the organizational network. An employee, a contractor, or anyone with a formal business relationship with a firm may be an insider. An insider becomes a threat when they gain unauthorized access to sensitive information or when an outsider coerces or recruits them to assist with some action.
A former employee (or any other type of insider) could also use login credentials they have retained for the wrong purpose. MacKinnon et al. (2013) explained that tracing insider attacks is very difficult because insiders' intimate knowledge of company systems and networks enables them to hide their tracks. The measures used to mitigate insider threats in the workplace are described below.
Countermeasures for Workplace Violence and Cyberthreats
a) Technological Methods
Technology-based methods can be applied to address violence and threats at work. According to Waters (2016), technology enables security staff to detect potential attacks and follow the tracks back to the offender early enough to prevent the attack. Because insiders can already reach a firm's networks and systems, they can enter a restricted zone through known weak points. To hinder insider attacks, a company should therefore employ multiple layers of technological protection; several security choices reduce the number of weak points an insider could use. One example is the installation of intrusion detection systems.
These systems uncover attacks on networks and hosts in real time by applying signatures of previous attacks. Signature-based intrusion detection compares a firm's audit logs against a catalogue of known attack signatures to find out whether the company's networks are under attack. Notable improvements are being made in anomaly-based intrusion detection, which flags unusual activity almost immediately. Waters (2016) presented Anomaly Detection at Multiple Scales, a program built to enhance the ability of intrusion detection tools to screen very large data volumes quickly.
The second example is honeypot technology. Waters (2016) described a honeypot as a digital information-system resource, such as a database, login details, credit card records, or documents, created specifically to catch offenders. Honeypots are gaining prominence in the detection of insider threats. Once the decoy resources are set up, security personnel expect them to remain untouched, so any insider who comes into contact with one is regarded as a potential attacker. An advantage of this approach is that data is collected only on contact, which avoids gathering unnecessary data.
Honeypots also have a variety of applications, including fraud and theft detection, hindering automated breaches, and gathering information on looming attacks. Waters (2016) also identifies honeytokens and honeynets as further forms of honeypot technology. Honeypots are the most widespread and preferred because of effective features such as capturing and reporting actions even when traffic is encrypted. Honeytokens act as pathways that direct insiders to the digital traps (honeypots); they take the form of decoy hyperlinks, invalid passwords, and other login details. Their extreme flexibility and ease of modification are the major features that make honeytokens effective.
These technologies can thus be redesigned to match the desired environment. Honeynets are more enhanced and sophisticated, involving several computer networks within which multiple honeytokens and honeypots exist, and they can collect more data on a detected intrusion. The technologies identify the insider, establish likely intentions, and evaluate whether the intruder's behaviour is malicious. Despite their usefulness, they have no value if insiders never interact with them, so security staff have to make the decoys attractive enough to entice insiders. They may also fail if insiders discover what they are; to avoid this, few people should be aware that honeypot techniques exist. Only then will honeypot mechanisms attract insiders without their awareness.
Honeypots should be placed strategically across the systems that need safeguarding, to increase the chance of intruder interaction while minimizing the likelihood of evasion. Another way of benefiting from technology is auditing, authorization, and logging of network users' actions: insider threats are revealed when security managers audit the network and correlate its records with recognized adversarial insider behaviour. Additional technologies for insider threat mitigation include firewalls and antivirus scanners.
b) Risk Assessment
Insider threats can also be addressed through threat and hazard identification and risk assessment. Waters (2016) describes this as a process that gathers data and values to determine priorities, make and relate decisions, and guide the judgement of those decisions. Risk testing covers several capabilities, the central objectives being to prevent, protect against, mitigate, respond to, and recover from threats. The process enables communities to discover which capabilities and resources leave them vulnerable to risks. It is flexible enough to fit different contexts, and its effectiveness depends on including all concerned members.
The evaluation begins with the recognition of relevant hazards and threats: a firm has to document the site-specific hazards and threats with the potential to destroy assets. Research may be required to guide the company in identifying and listing threats, so that only those with the greatest likelihood of occurrence are included. The focus should then be narrowed to incidents caused by intentional human activity and to the potential impact of unintentional insider actions; accidental insider behaviour should also be evaluated to discover how closely it is connected with an actual attack. After this, each threat or hazard should be given a context, and to deal with varying situations a company needs several context descriptions per threat.
The contexts describe the persons capable of conducting an attack, their most probable attack time, and the conditions that motivate their actions. The third aspect is the development of capability targets. Core capabilities describe the impact of hazards as well as the actions they are meant to accomplish. Regardless of the assessment method used (qualitative or quantitative), capability targets should be measurable. The last step is the application of findings: the firm notes the resources that will ensure it attains its capability targets, and indicates the resource combinations and interventions that offer maximum protection from insider threats.
c) Threat Assessment
A threat, according to Waters (2016), may be a natural or technical event with the potential to harm life or damage assets. Threat assessment is thus concerned with evaluating entities and occurrences found to be potentially harmful. Estimating the likelihood of an insider attack through threat assessment is generally problematic: the process is very sensitive in political, social, and legal terms, and technical difficulty arises from the need to secure a company's infrastructure against an individual who was once trusted.
The requirements for threat analysis indicate that quantitative and/or qualitative tools be applied to rate and rank potential insider threats, followed by an analysis of the adverse outcomes each could produce. The findings should enable a firm to identify the employee groups with the highest potential to harm the facility. All positions must be included in the threat analysis, because even staff in management or security roles may pose insider threats.
d) Vulnerability Analysis
Vulnerability analysis describes procedures for detecting the operational and physical characteristics that increase the susceptibility of a network, system, or asset to hazards. Vulnerabilities inside an organization may be identified and assessed by its own security personnel or by a hired agency. Both physical security and cybersecurity are crucial when dealing with insider threats, and mitigation and security improvement are effectively attained only after vulnerabilities have been acknowledged and evaluated.
Applying documents and guidelines issued by the government, alongside threat and vulnerability testing, is an important component of discovering and averting insider threats. Even so, organizations may find holistic methods more effective. Holistic strategies enable companies to update policies, train employees, make the work environment more suitable, and keep departments (along with employees) aware of and ready to deal with insider threats.
The general argument is that effective and complete security of a company's assets cannot be achieved through a single approach (Waters, 2016). Technology on its own, for instance, cannot deliver satisfactory outcomes, although using several tools together is an important step in improving information security and reducing the probability of insider threats. It is likewise inappropriate for security personnel to sacrifice one insider threat countermeasure in order to strengthen another form of protection.
A holistic approach shifts the assessor's focus from technology to the specific individual, checking both technical and non-technical conduct. Managers and security staff should recognize that a problem exists within their systems and that preventing such incidents requires corrective measures. This means resolving the major obstacles that prevent insider threats from being dealt with satisfactorily. The major obstacles identified by Waters are denial that such threats exist, the absence of a comprehensive guide, the complexity of insider threat identification and resolution procedures, and lack of information about the issue.
Insider threats may also be addressed only vaguely because of the complexity of the political and legal factors involved. Resolving insider threats begins with managers' acceptance that a problem of this nature exists in the company and is a common occurrence that must be prevented through holistic methods. Managers may then update and post policies on the safety of the company to encourage the prevention of insider threats.
e) Use of Policies
If posted and explained properly, an organization's policies and processes can successfully control insider threats. Waters (2016) pointed out that a one-size-fits-all model is ineffective for security rules and regulations; each company therefore needs a sound identification of its goals and infrastructure to produce a strong and relevant set of policies and practices. Employees should be made aware of all recognized policies, so communication plays a vital role. A company has to establish a robust communication platform that reaches employees in all departments, so that everyone is aware of the programs set up to counter insider threats.
The idea of a holistic solution applies here too, since policies should be known to every member of the organization. Apart from outlining the steps to be followed in controlling insider threats, the policies should set out definite and serious consequences for violations. Knowledge of the serious consequences of breaching policy is believed to be enough to deter employees from prohibited activities, and the deterrent is strengthened when violators are dealt with promptly.
f) Education and training
Inadequate employee training is a major issue that goes together with the absence of comprehensive policies and practices. According to Waters (2016), education and training is the most popular non-technical approach to security. Although employees learn a company's policies through instruction, appropriate training is required to instill the new required habits. Training is complicated, but it is an essential part of any anti-insider program.
During training, employees learn the indicators that a person may be capable of a criminal offence, terrorism, or other dangerous acts, and the procedures to follow after malicious behaviour has been identified and classified. Training sessions should cover the detection of phishing and other kinds of online threats. The skill set for managing insider threats, the recognition of accidental threats, and awareness of the best security tools should also be part of the training.
Countermeasures for Terrorist Threats
MacKinnon et al. (2013) elaborated that several security initiatives for handling cyber terrorism already exist; the need is to implement and manage them properly. The available options include firewalls, which must be updated regularly after installation, as well as antivirus software, packet sniffers, user authentication systems, and access control lists.
Humans remain the greatest security threat to systems, through forgetfulness, accidents, ignorance, or malicious violations of security policy. MacKinnon et al. (2013) noted that most cybercriminals or terrorists may not need complex tools to access systems if everyday users do not uphold security measures. The fight against terrorism therefore starts with satisfactory cyber hygiene: clearly defined standards and policies, training of staff at all levels, and making security a core part of company culture.
Once these basic steps are complete, the organization should move to software options that address increasingly complex threats, such as diversionary techniques like honeypots, sandboxing to capture malware, and bug bounties. Policy establishment is also essential. According to MacKinnon et al., more effective governance could have prevented several high-profile information breaches in blue-chip organizations; corporate governance, the authors explained, often leaves out information security. Corporate governance should therefore be strong if a firm intends to minimize threats and respond quickly.
What organizations fail to realize is that addressing cybersecurity only once a problem is encountered is not the best way to deal with it: the procedures and equipment are then applied too late. The appropriate situation is one where companies stay proactive with effective controls, trained staff, and documented security policies. Managing all of these requires sound principles of information technology governance and adherence to standards that offer security assurance to an organization's stakeholders.
An example of standards guiding the attainment of best practice are those of the International Organization for Standardization (ISO). An advantage of working with well-known standards is that they demonstrate trustworthiness to concerned parties such as regulators, policy-makers, and suppliers, and simplify the process of reassuring regulators about network or internet safety. Applying international standards is a form of compliance that also shows commitment to data protection, copyright, and the fight against computer misuse.
Security personnel must understand that cybersecurity has to keep pace with changing forms of fraud, hacking, and attack concealment. Audit techniques are crucial and should be used to monitor access controls. Auditing is an accurate approach to ensuring that cybersecurity needs are met in practice: in real life, a company's technical and administrative controls may accidentally (or intentionally) be disregarded, removed entirely, or decline in effectiveness. Auditing measures the efficacy, efficiency, and economic status of installed controls, determines the need for new controls, and identifies the gap between actual practice and the adopted standards.
The gap assessment indicates the points where flaws exist and the level of compliance with the standard concerned. As both an art and a science, auditing cybersecurity requires careful planning, execution, and documentation. Cyber terrorists pose a national threat to governments, and the damage they cause continues to grow because of the world's increasing reliance on information technology systems. MacKinnon et al. (2013) reported that previous attacks had targeted governments, financial institutions, and utilities, resulting in massive political, economic, and physical damage to critical infrastructure.
Past incidents also show the increasing coordination and sophistication of attacks, and that any computer with internet access can be used to facilitate criminal activity. Given the extent of such crime, public education is required to enable people to safeguard the personal information held in their social media accounts and to prevent malware from running on their devices. To establish a solid culture of cybersecurity, training should be offered to both adults and school-going children.