The information systems (IS) of private or government organizations are exposed to numerous threats that can lead to significant loss of, and damage to, the data stored in them (such as unintended exposure of sensitive data). Any threat can potentially make unintended changes to the data stored in the information systems (Zhao, Xue & Whinston 2013). The threats may originate from various external and internal sources. They may be caused by deliberate actions that are intended to alter or access the data resources of an organization. On the other hand, some human activities can unintentionally lead to significant damage to the stored data.
The following report discusses the analysis of the different risks that may affect the proper functioning of the information security framework introduced and implemented by the Victorian government, and the classification of the different risks that may impact the functionality of the framework. In addition, this paper includes a detailed comparative analysis of the deliberate and accidental threats to the framework.
The above diagram graphically depicts the distinct threats identified for the Victorian Protective Data Security Framework. The Victorian government's principal concerns are about the data security framework, with the goal that it can decrease the impact associated with the developed data security framework.
The main components of the security risks include malware infection of the information systems, intrusion through fake sites, sabotage by the users or the officials of the government, and so on (Galliers and Leidner, 2014). While assessing the threats or risks to the data security framework of the Victorian government, it considers some of the following terms: investigation of the risks, assessment of the risks and documentation of the risks.
The data security framework tries to control and mitigate diverse deliberate and accidental threats to the security framework. Both kinds of threat include internal and external risks to the framework. Some of these threats are discussed below.
Unauthorized access: This is one of the most important and well-known security threats to consider for any data security framework, as unauthorized access to the data security framework may lead to the exposure of sensitive data. The fundamental concern originates from intruders (hackers), who use their skills and the most advanced technology to break into the data security framework. The hackers or intruders mainly break into the frameworks to access and steal data which they can use for their economic profit.
Sabotage by the internal users of the framework: While considering data security frameworks, the damage to the system can be intentionally carried out, or it may be unintentional and completed as part of internal sabotage. Internal users always have knowledge about the loopholes in the security, which gives them the ability to make the most impactful intrusions into the data security frameworks (Zhao, Xue & Whinston 2013). Examples include changing the access levels, modifying the data in the frameworks, erasing data from the framework, or planting malware in the frameworks.
Spoofing: Intruders or hackers who try to hide their actual identity in cyberspace frequently misrepresent or spoof their identity. They use fake email addresses to appear under another person's identity in cyberspace. Spoofing can also involve diverting a website link to an address that is not the same as the intended one, with the website taking on the appearance of the destination intended by the hacker or intruder (Nicho & Kamoun, 2014). For instance, the intruders can ask the user to access a fake site that looks precisely like the original one; through this site they can gather and process the entered data to access the government's data security framework, from which they can steal sensitive data.
A sniffer is a kind of eavesdropping program that monitors data travelling over a network. When used legitimately, sniffers can help identify potential network trouble spots or criminal activity on networks; however, when used for criminal purposes, they can be damaging and extremely hard to detect.
The deliberate threats can likewise be described as man-made or artificial attacks on the data security framework. These types of attacks are primarily intended to damage an organization or individual in various ways, such as the change or deletion of sensitive information (Zhao, Xue & Whinston 2013). In the present scenario, intrusion through fake sites and virus attacks are predominantly used for deliberate attacks on the data security frameworks from outside the organizations.
The unintentional or accidental threats, in turn, are harmful to the Victorian government because of the mistakes of the internal users of the data administration framework. Operational errors and a lack of proper knowledge about the use of the data security framework are the primary reasons for these types of threats.
Accidental threats to the data security framework lead to the loss of information availability and confidentiality. Errors in the transmission of information can expose the secured information to an unintended recipient.
Threat Type | Impact of the threat | Ranking |
Accidental | The unintentional or accidental threats can lower the usefulness or the performance of the data security framework (Zhao, Xue & Whinston 2013). The effect of accidental risk can be relieved, and the data framework can be restored to a past state, by giving proper training to the users of data frameworks. | Low |
Deliberate | The deliberate threats are exploited with the aim of interrupting the specific framework and affecting its usefulness. Besides this, the attacks are carried out with the aim of taking full control over the system. | Very high |
From the above analysis of the two threats it is quite clear that unintentional or accidental threats are controllable, since officials and employees of the Victorian government can be trained to follow a standard procedure and to avoid frequent mistakes while using the data security framework (Nicho & Kamoun, 2014). On the other hand, deliberate threats or risks are exploited with the specific intention of harming the framework and are caused by outside attackers, who cannot be controlled by the Victorian government.
While making decisions on the risk management process for the information system, it is important to decide whether to manage it in-house or to outsource the whole process if there is a lack of expertise (Zhao, Xue & Whinston 2013). In the case of outsourcing, there are certain risks that need to be taken into consideration while making the decision to outsource the risk management operations for the information system of the government.
Numerous researchers have found that in most cases of outsourcing of risk management, the clients depend excessively on the service provider, thus leading to the loss of valuable knowledge or data (Nicho & Kamoun, 2014). Along with this, there are certain challenges that must be considered while deciding between outsourcing the risk management process and managing it in-house. Some of these challenges are discussed below.
While outsourcing the security/risk management process for the information system, the following issues can affect the performance of the risk management process.
Failure to meet the agreed SLA (service level agreement): The officials of the Victoria government lack the knowledge that is required for assessing the nature and quality of the outsourced risk management process effectively (in case of an unfavourable choice of outsourcing partner).
Hidden costs: Costs outside those specified in the agreement or the contract are another issue that must be addressed while considering the outsourcing of the risk management process.
Lack of or poor performance measurement: absence of shared monitoring or control by the customer (Victoria government) and the selected outsourcing partner.
Poor cost administration of the outsourcing: Errors in budget estimation, cost overruns, and wrong estimation of the cost-benefit relationship.
High moral risk of the outsourcing: Any organization acts in an irrational way if it does not bear the outcomes of its actions (Nicho & Kamoun, 2014). Therefore, the outsourcing partner selected for the risk management can act in an irresponsible way, as this does not affect its own operations but rather the security of the data of its client, the Victoria government.
High resource specificity: overspending because of high exchange costs and few suppliers available.
In outsourcing, the outsourcing partner of the Victoria government will have full access to the information system and thus will be fully responsible for the integrity and confidentiality of the stored data (Brender & Markov, 2013). Thus a lack of expertise of the outsourcing partner with laws and standards will lead to loss or exposure of sensitive government data. It is important for the organization to include expertise clauses, renegotiation clauses and liability clauses within the outsourcing contracts. In addition, the legality of the contract, such as the scope and compliance of the outsourcing contract, should also be included. Lack of customer expertise with law: customer experience regarding IT outsourcing contracts.
In the case of managing the risks related to the information system in-house/internally, it is important for the government to upgrade its IT infrastructure, which will help the government to implement new security mechanisms for the data collected by different organizations under the Victorian Government and secure them using the Victorian Protective Data Security Framework (Zhao, Xue & Whinston 2013). In addition, as the Victorian government is going to implement a new risk management system in its framework, it has to prioritize different actions in order to implement the risk management system successfully.
Concept of Risk: Risk can be thought of as a probabilistic estimate of an adverse event, that is, how likely the adverse event is to happen or what the exposure to the adverse event will be (Nicho & Kamoun, 2014). If the risk and the potential damage due to this risk or exposure to the adverse event can be calculated, then the amount of effort required to mitigate/control a specific risk can be estimated.
Concept of Uncertainty: Uncertainty refers to a specific situation in which future events and their consequences are not known. This happens because the extensive range of probable outcomes and their complexity make it next to impossible to define specific probabilities for a specific event (Brender & Markov, 2013). It is possible to assume, develop and use scenarios in order to define the different possible paths that may occur, but in the case of uncertainty it is not possible to know which adverse event will actually happen or the extent of the adverse impact due to that event.
The main differences between uncertainty and risk in the context of the information system security of the VIC government can be listed as given below.
Uncertainty | Risk |
The amount of impact on the information system cannot be measured. | The impact on the information system can be measured. |
As the event is unknown, the likelihoods of the outcomes are not known. | The likelihoods of the different outcomes on the system are known. |
Cannot be controlled. | Can be controlled with proper mitigation and controlling methods (Nicho & Kamoun, 2014). |
Probabilities of the outcomes cannot be assigned to the uncertainties. | The probability of a risk can be assigned and thus can help in the estimation of impact. |
Impact cannot be minimized. | Impact can be minimized. |
Some of the approaches to controlling and mitigating the risks related to the information security framework are the technical approach and the operational approach.
The technical approach can be implemented through anything from exceptionally easy to extremely complex processes, which normally should be combined in order to determine the data security framework's usefulness (Brender & Markov, 2013). These measures are divided into three classes according to their purpose in mitigating the risks.
The first class includes the essential technical measures that are used to support the implementation of other security measures:
Identification: distinguishing the users and the different information resources according to their prioritization.
Use of cryptographic keys: use of cryptographic keys, and their distribution, storage and maintenance.
Administration of different security mechanisms: These are the measures that must be configured to meet the security framework requirements.
Operational security controls are used to find and correct operational deficiencies that could emerge when a risk or threat to the information security framework is exploited by attackers (Zhao, Xue & Whinston 2013). These include preventive and detective operational controls. Preventive operational controls are as follows: controlling the access levels to the data stored in the system, limiting data distribution from the system or the framework, controlling virus infections by using legitimate applications, making frequent backups of the stored data, and protecting tablets, PCs and workstations in the organization against unauthorized access (Brender & Markov, 2013). In this approach, some other useful standards can also help, such as:
Strict policies for access control: Introducing new policies and rules to control access to the data framework. This will limit fraud and corruption of the system.
Examining the sensitivity of information: Since different kinds of information that are not of the same importance are stored in an information system, the authorities should conduct a survey of the information to determine its sensitivity and prioritize the protection of that information first (Nicho & Kamoun, 2014).
Conclusion
While using or implementing an information security framework, it is obvious that there are some risks or threats that can adversely affect the whole process. Therefore any organization or authority like the Victorian government has to take calculated risks where the probability of loss is comparatively low and the chances of gain are higher. On the other hand, uncertainty is inherent and cannot be avoided, and those responsible have no idea about upcoming adverse events and their impact. Thus, in order to lessen the adverse impact of the risks and obtain a better outcome from the framework, it is important to assess those risks and apply proper mitigation and controlling mechanisms. In this context it is also important to select risk mitigation techniques that ensure the confidentiality, integrity and availability of the data to its intended users.
References
Brender, N., & Markov, I. (2013). Risk perception and risk management in cloud computing: Results from a case study of Swiss companies. International Journal of Information Management, 33(5), 726-733.
de Gusmão, A. P. H., e Silva, L. C., Silva, M. M., Poleto, T., & Costa, A. P. C. S. (2016). Information security risk analysis model using fuzzy decision theory. International Journal of Information Management, 36(1), 25-34.
Galliers, R. D., & Leidner, D. E. (2014). Strategic information management: challenges and strategies in managing information systems. Routledge.
Jouini, M., Rabai, L. B. A., & Aissa, A. B. (2014). Classification of security threats in information systems. Procedia Computer Science, 32, 489-496.
Nicho, M., & Kamoun, F. (2014). Multiple case study approach to identify aggravating variables of insider threats in information systems. Association for Information Systems.
Peltier, T. R. (2013). Information security fundamentals. CRC Press.
Qin, J., & Faber, M. H. (2012). Risk management of large RC structures within spatial information system. Computer-Aided Civil and Infrastructure Engineering, 27(6), 385-405.
Serpella, A. F., Ferrada, X., Howard, R., & Rubio, L. (2014). Risk management in construction projects: a knowledge-based approach. Procedia-Social and Behavioral Sciences, 119, 653-662.
Tsai, N., & Xiong, Y. (2016). An investigation of the information system security issues in Taiwan. International Journal of Business Information Systems, 21(3), 309-320.
Zhao, X., Xue, L., & Whinston, A. B. (2013). Managing interdependent information security risks: Cyberinsurance, managed security services, and risk pooling arrangements. Journal of Management Information Systems, 30(1), 123-152.