Controlling cybersecurity issues

Posted by

Rodrigo Duarte Favarini Silva
EC-Council University
ECCU 516 – The Hacker Mind: Profiling the IT Criminal!

Issues, problems and compromises are common words in cybersecurity (Stewart, Chapple & Gibson, 2015). Professionals and managers work daily to identify these elements and take preventive or corrective actions to avoid the damage such events cause. Because not every threat vector can be eliminated (Stewart, Chapple & Gibson, 2015), the issues have to be controlled by weighing the cost of each protective measure against the loss it prevents and applying the measures efficiently. This process is called risk management (Stoneburner & Goguen, 2002).

According to Stewart, Chapple and Gibson (2015), risk management is an important practice for sustaining secure environments. To understand the process, it is first necessary to define what risk is. Bosworth, Kabay and Whyne (2014) state that risk is the possibility of suffering harm or loss; it combines the probability of an event occurring with the impact of that event.

Risk management is a structured process of identifying the factors that can damage assets and evaluating them by comparing the value of what is being protected with the cost of protecting it; one of its objectives is to implement cost-effective solutions that mitigate or reduce risk (Stoneburner & Goguen, 2002). Effective risk management tries to control future outcomes as far as possible by acting proactively rather than reactively.

To control issues and risks, Bosworth, Kabay and Whyne (2014) propose a risk management process with the following four steps:

  • IT Risk Assessment: the processes used to identify and assess risks. This step also includes building an asset inventory to support the assessment and defining key performance indicators to measure the efficiency of the programme (Bosworth, Kabay, & Whyne, 2014, p. 62.2).
  • IT Risk Mitigation: identifying and applying the most appropriate measures to mitigate the risks (Bosworth, Kabay, & Whyne, 2014, p. 62.2).
  • IT Security Operations: the day-to-day activities that keep the risk management process functioning effectively (Bosworth, Kabay, & Whyne, 2014, p. 62.3).
  • IT Security Audit: audits evaluate the effectiveness of IT operations and detect when the mitigation measures need to be adjusted (Bosworth, Kabay, & Whyne, 2014, p. 62.3).
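The assessment and mitigation steps above, together with the definition of risk as probability combined with impact and the requirement that a control cost less than the loss it prevents, can be made concrete with a small quantitative risk register. The following is an added example written for this page, not code from the essay or from any of the cited authors; it applies the standard quantitative formulas described in the CISSP study guide the essay cites (single loss expectancy SLE = asset value × exposure factor, annualized loss expectancy ALE = SLE × annualized rate of occurrence, and safeguard value = ALE before − ALE after − annual cost of the safeguard). The assets, threats, figures and safeguard names are constructed for illustration.

```python
"""Quantitative risk assessment and safeguard selection (added example)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair from the asset inventory.

    asset_value (AV) is in currency units, exposure_factor (EF) is the fraction
    of AV lost per occurrence, aro is the annualized rate of occurrence.
    """
    asset: str
    threat: str
    asset_value: float
    exposure_factor: float
    aro: float

    def sle(self) -> float:
        """Single loss expectancy: AV * EF (the impact of one event)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE * ARO (impact weighted by likelihood)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and its effect on the risk parameters."""
    name: str
    annual_cost: float                           # annual cost of safeguard (ACS)
    new_exposure_factor: Optional[float] = None  # set when the control reduces impact
    new_aro: Optional[float] = None              # set when the control reduces likelihood


def residual_risk(risk: Risk, sg: Safeguard) -> Risk:
    """Risk parameters that remain after the safeguard is applied."""
    return replace(
        risk,
        exposure_factor=risk.exposure_factor if sg.new_exposure_factor is None else sg.new_exposure_factor,
        aro=risk.aro if sg.new_aro is None else sg.new_aro,
    )


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Net annual value of a control: ALE(before) - ALE(after) - ACS.

    A positive value means the control costs less than the loss it prevents.
    """
    return risk.ale() - residual_risk(risk, sg).ale() - sg.annual_cost


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Assessment step: order the register by ALE, highest first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def best_safeguard(risk: Risk, candidates: list[Safeguard]) -> Optional[Safeguard]:
    """Mitigation step: choose the candidate with the highest positive net value.

    Returns None when every candidate costs more than the loss it avoids; in that
    case accepting the risk (or finding a cheaper control) is the rational choice.
    """
    best = max(candidates, key=lambda sg: safeguard_value(risk, sg), default=None)
    if best is None or safeguard_value(risk, best) <= 0:
        return None
    return best


def risk_reduction_kpi(register: list[tuple[Risk, list[Safeguard]]]) -> float:
    """KPI for the programme: fraction of total ALE removed by the chosen controls."""
    before = sum(risk.ale() for risk, _ in register)
    after = 0.0
    for risk, candidates in register:
        chosen = best_safeguard(risk, candidates)
        after += risk.ale() if chosen is None else residual_risk(risk, chosen).ale()
    return 1.0 - after / before if before else 0.0


# Constructed sample register: hypothetical assets, threats and figures.
DB_RISK = Risk("customer database", "ransomware", asset_value=500_000, exposure_factor=0.6, aro=0.5)
DB_OPTIONS = [
    Safeguard("offline backups with tested restore", annual_cost=20_000, new_exposure_factor=0.1),
    Safeguard("endpoint detection and response", annual_cost=60_000, new_aro=0.1),
]
WEB_RISK = Risk("marketing website", "defacement", asset_value=40_000, exposure_factor=0.25, aro=2.0)
WEB_OPTIONS = [
    Safeguard("managed WAF service", annual_cost=30_000, new_aro=0.2),   # costs more than it saves
    Safeguard("7-day patch SLA", annual_cost=5_000, new_aro=0.5),
]
REGISTER = [(DB_RISK, DB_OPTIONS), (WEB_RISK, WEB_OPTIONS)]

if __name__ == "__main__":
    for risk in rank_risks([r for r, _ in REGISTER]):
        print(f"{risk.asset} / {risk.threat}: SLE={risk.sle():,.0f} ALE={risk.ale():,.0f}")
    for risk, options in REGISTER:
        chosen = best_safeguard(risk, options)
        decision = "accept risk" if chosen is None else f"{chosen.name} (net {safeguard_value(risk, chosen):,.0f}/yr)"
        print(f"{risk.asset}: {decision}")
    print(f"risk reduction KPI: {risk_reduction_kpi(REGISTER):.0%}")
```

Run stand-alone, the register ranks the database risk (ALE 150,000) above the website (ALE 20,000), selects the backup control over EDR because its net value is higher, rejects the WAF for the website because its annual cost exceeds the loss it would avoid, and reports the KPI as the share of annualized loss removed by the chosen controls. The same KPI can later be recomputed with observed incident rates in the audit step to check whether the assumed ARO and EF values were realistic.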

Risk management is an excellent process for mitigating organizational cybersecurity risks, but awareness programmes should also be part of controlling security-related problems (Stewart, Chapple & Gibson, 2015). With the widespread use of Information and Communications Technologies (ICT), companies and governments noted that controls imposed on people to change their behaviour were not, by themselves, sufficient to contain the cybersecurity problems they were exposed to (Bada, Sasse, & Nurse, 2019). Cybersecurity awareness campaigns aim to influence the adoption of specific, safe online behaviour by informing and teaching people what they should and should not do (Bada, Sasse, & Nurse, 2019). Behaviour change is the key to success for a cybersecurity awareness programme, and its performance can be measured through the risk reduction and key performance indicators (KPIs) established in the risk management programme (Stewart, Chapple & Gibson, 2015).

References

Bosworth, S., Kabay, M. E., & Whyne, E. (2014). Computer security handbook. Hoboken, NJ: John Wiley & Sons.

Bada, M., Sasse, A. M., & Nurse, J. R. C. (2019). Cyber security awareness campaigns: Why do they fail to change behaviour? arXiv preprint arXiv:1901.02672.

Stewart, J. M., Chapple, M., & Gibson, D. (2015). CISSP: Certified Information Systems Security Professional Study Guide. Indianapolis, IN: Sybex.

Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems (NIST Special Publication 800-30). Gaithersburg, MD: National Institute of Standards and Technology.