Cyber Security Risk Management: Explanations And Mitigations
VIC Government’s Cyber Security Strategy
The VIC Government is aware of the importance of cyber security, which is why it is building a security framework to reduce the scope for cyber-attacks across Victoria, so that everyone can enjoy secure and risk-free internet services (Kumar, Pandey & Punia, 2014).
This report sets out the risks associated with cyber security and the mitigation processes the VIC Government can apply to them. It also distinguishes the different levels of risk exposure: low, medium-low, medium and high.
According to the Cyber Security Strategy, three core capabilities are set out: cyber operations, the predictive strategy and the defensive strategy. Cyber operations are divided into three categories: architecture, risk management and capability enhancement. Architecture is further divided into conceptual and transition architecture; risk management into mitigation plans aligned with the architecture; and capability enhancement into roadmaps and detailed descriptions (Von Solms & Van Niekerk, 2013). The predictive strategy is divided into doctrine, capability maps, and requirements and designs: the doctrine gives a comprehensive and detailed view with respect to mapping, the capability maps are subdivided into capabilities, goals and objectives, and the designs are dynamic and mapped to strategy and outcomes (Bonaci et al., 2015). The defensive strategy is divided the same way, into doctrine, capability maps and requirements or designs; its doctrine again gives a comprehensive and detailed view with respect to mapping, its capability maps are categorised into goals and objectives, and its design implications are dynamic and mapped to strategy and outcomes.
Based on the Visio diagram, the VIC Government takes security measures and prepares a security model accordingly. The elements of the framework are as follows:
Company words: The organisation must abide by the strong commitment assigned to every employee.
Risk framework design based on the company's words: The organisation should make a plan according to the company's stated words or policies (Thakur et al., 2015).
Risk management application: Once the initial design is complete, the organisation's employees and its top management should work on executing the plans.
Monitoring of the framework: Monitoring the plan is essential; while executing the plan, the organisation must also check that it is being executed properly (Jouini, Rabai, & Aissa, 2014).
The objective of the organisation: The company must have a clear aim or goal, and must set out its internal and external opportunities properly.
Risk detection: Risks that may disrupt the organisation's activities must be identified.
Risk treatment: Identified risks must be mitigated quickly; otherwise the project will stall or may fail (Razzaq et al., 2013). This is why proper risk management is necessary, and the VIC Government should take all of these details into account.
Monitoring: The organisation must keep watch over whether its activities are being carried out successfully and whether the risks are actually being mitigated.
Risks can be divided into four categories, low, medium-low, medium and high, based on the scenario and the risks that occur. Risks are increasing every day, and new strategies are emerging in response.
Framework for Cyber Security Risk Management
Risks within a single organisation: These risks can be detected, verified and resolved by the organisation itself within minutes (Němec et al., 2014), because the organisation has an effective plan from the start. This is therefore low-level risk, which can be resolved very easily.
Risks within multiple organisations: These risks are detected across several organisations and resolved by them. The organisations decide on the best solution and mitigate the risks themselves; one of the organisations takes the lead role, and sometimes the Government does. This is medium-low level risk.
Systematic risks: These risks are handled only by the company's top management team and the Government; the top-level managers resolve them for the company, and sometimes the Government comes into play (Van den Berg et al., 2014). This is medium-level risk.
State-significant risks: These risks are handled by the Government. Such projects carry high risk and have a major impact on the state. The company dealing with the risk must hand responsibility to the Government and allow it to take the critical decisions (Jang-Jaccard & Nepal, 2014); the organisation only assists along the way.
Comparative Analysis of Deliberate and Accidental Threats, Ranked in Order of Importance
Deliberate threats
This attack involves gaining unauthorised access to a system and sabotaging it so that authorised users can no longer access it. It is a simple, basic attack that takes over computer resources so that users have no control over their own system (Malhotra, 2015); the attacker controls CPU utilisation, disk space and memory. This kind of attack generally succeeds because of the absence of a firewall, poor network management, outdated software and, most importantly, an outdated operating system.
This kind of attack involves compromising the network and listening in on users' private conversations. It occurs over insecure networks; unencrypted network communication is the underlying threat.
This kind of malicious program code includes viruses, worms and Trojan horses. The intention is to exploit individuals' computer systems: intruders steal, modify and delete files, and this kind of attack can also lock a user's system (Abawajy, 2014).
This sort of destruction involves deleting data held in the database and in the master files, and it extends to hardware failure as well (Nourian & Madnick, 2015). Attackers can render the user's whole system unstable and unusable at the same time.
This procedure covers techniques for concealing the original identity of the user. Intruders take the personal information of the genuine user and communicate with others in that user's name, and in this way security is compromised (Cavelty & Balzacq, 2016).
Sensitive file information exchanged over the network must be handled according to the agreement between the parties; if any party later denies the agreement, that is a form of repudiation.
Risk Categorization
This technique involves forcibly locking a user's computer or another organisation's system.
Data theft involves the loss of information and software: intruders attack a system and steal its sensitive information.
This attack is typically carried out against a user's computer, hacking into and penetrating the system over an insecure network (Abomhara, 2015).
The accidental threats include the following kinds of damage:
- Communication service mishaps or failures can lead to the loss of information.
- Operations can fail badly because of a lack of availability, confidentiality or integrity.
- The security of messages, their confidentiality and integrity, can be violated by accidental misdirection of messages (Abomhara, 2015).
- Errors made when installing software can threaten the reliability, confidentiality and integrity of the software.
- Faulty transmission of data can also result in virus infections and other kinds of security breach, and threatens the reliability and integrity of the data.
Challenges the VIC Government Will Face in Deciding Whether Security/Risk Management Should Be Carried Out Internally or Externally
Risks are of two types, internal and external. Internal risks include those related to software, hardware and IT support (Choo, 2014). Internal risk management also covers loss of productivity due to employee unavailability and sickness, and the termination of a particular employee; in short, internal risk management deals with matters inside the organisation and is relatively easy to manage.
External risks concern matters outside the organisation's control, such as economic upheavals, bankruptcy, crime and war. These mishaps are handled by the top-level security management of the state, that is, the government (Choo, 2014), which takes the critical decisions for the company.
The VIC Government has a responsibility to serve the people of Victoria well, so it should take the vital critical decisions; in this case, it should take the initiative to implement the security features that protect the people of Victoria from cyber-attacks. This means it will have to consider the external risks when implementing the cyber security framework model.
Risk, in this context, means that a project should be conducted securely and safely, mitigating all the risks so that the organisation or the Government stays safe from failure and security breaches. If the risks are not analysed properly, the project may fail; risk analysis also helps to establish whether the money invested in the project will be returned, that is, whether a profit can be made. Risks are divided into two types:
Systematic risk: This includes risks such as interest-rate risk, market risk and others.
Unsystematic risk: This includes the associated financial and business risks.
Uncertainty involves scenarios in which multiple alternatives arise and it is not known whether the project will be executed successfully; because the possible outcomes are unknown, the risks cannot be properly assigned (Baker et al., 2013).
External risks, including issues related to economic conditions, crime and internet crime, should be handled by the government; in this case, the VIC Government deals with all the uncertainty associated with cyber security breaches that could affect the people of Victoria.
Comparative Analysis of Deliberate and Accidental Threats
The Chief Information Security Officer (CISO) maintains the government's approach to cyber-attack and cyber risk, and also provides solutions and best practices for mitigating the risks. In this way, the CISO supports the government.
The engagement approach includes:
- commitment to security against cyber threats
- opportunities for joint efforts to manage cyber security operations
- investment related to the current cyber security status
- the implementation and configuration of cyber security resilience
Planning
A development cycle based on digital security has been planned. This approach decides where to invest money and effort (Bandara, Ioras & Maher, 2014), and involves properly developing the framework that underlies all of the cyber security risk mitigation procedures.
Planned results or outcomes:
- A proper roadmap for handling cyber security risks
- Investment choices within the government, for which the government must undertake a thorough analysis of risks and requirements
- Enhanced data sharing and use of the organisation's internal capabilities through a safer and more secure risk management framework (Luiijf, Besseling & De Graaf, 2013)
- Improvement of the current status of cyber threats on ICS/SCADA platforms.
Service Maturity
Here service maturity is checked, and the cyber security management procedures are analysed to determine whether the risk management procedures have been properly taken into consideration (Luiijf, Besseling & De Graaf, 2013). The government should excel at delivering all of these benefits to the people of Victoria.
- The long-term benefits are assessed in the business model, taking in-house capabilities into account
- Data and investment choices can be enhanced through cloud administration
- Advanced solutions are provided for mitigating the potential effect of a digital security breach.
- Multi-office risks are analysed (Czosseck, Ottis & Talihärm, 2013).
- Cost-benefit measures are undertaken.
Capability
The government must check the framework design constantly to gauge the capability of the work in progress, and should take advice from colleges, universities and experts.
- This approach helps to measure workforce productivity and whether the risks are diminishing.
- Increased flexibility in cyber security, building in-house digital security capabilities (Papp, Ma, & Buttyan, 2015).
Partnering
The Government understands the need to partner with the private sector to improve the prospects of mitigating risks; a joint strategic approach and the testing of proposed research can improve the services.
- Through shared insight, a great deal of knowledge and opportunity can be gained (Czosseck, Ottis & Talihärm, 2013).
- Better practice and service can be achieved through cyber security within the government body, that is, the Victorian Government.
- The methodologies help to identify the more extensive capabilities that emerge from all of these commitments.
Conclusion
It can be concluded from the above discussion that the VIC Government should consider the security risks identified in this report and take the necessary steps based on them; it has prepared a security model through which security breaches can be mitigated. The low, medium-low, medium and high risk exposures have been discussed in detail. The accidental and deliberate threats have been elaborated in order of priority. The challenges and issues the VIC Government faces have been discussed, the risks and security concerns have been the focus throughout, and risk control and mitigation have been clearly set out.
References
Abawajy, J. (2014). User preference of cyber security awareness delivery methods. Behaviour & Information Technology, 33(3), 237-248.
Abomhara, M. (2015). Cyber security and the internet of things: vulnerabilities, threats, intruders and attacks. Journal of Cyber Security and Mobility, 4(1), 65-88.
Baker, Y. S., Agrawal, R., & Bhattacharya, S. (2013, June). Analyzing security threats as reported by the United States Computer Emergency Readiness Team (US-CERT). In Intelligence and Security Informatics (ISI), 2013 IEEE International Conference on (pp. 10-12). IEEE.
Bandara, I., Ioras, F., & Maher, K. (2014, November). Cyber security concerns in e-learning education. In Proceedings of ICERI2014 Conference, 17th-19th November.
Bonaci, T., Herron, J., Yusuf, T., Yan, J., Kohno, T., & Chizeck, H. J. (2015). To make a robot secure: An experimental analysis of cyber security threats against teleoperated surgical robots. arXiv preprint arXiv:1504.04339.
Cavelty, M. D., & Balzacq, T. (Eds.). (2016). Routledge handbook of security studies. Routledge.
Choo, K. K. R. (2014). A conceptual interdisciplinary plug-and-play cyber security framework. In ICTs and the Millennium Development Goals (pp. 81-99). Springer US.
Czosseck, C., Ottis, R., & Talihärm, A. M. (2013). Estonia after the 2007 cyber attacks: Legal, strategic and organisational changes in cyber security. Case Studies in Information Warfare and Security: For Researchers, Teachers and Students, 72.
Jang-Jaccard, J., & Nepal, S. (2014). A survey of emerging threats in cybersecurity. Journal of Computer and System Sciences, 80(5), 973-993.
Jouini, M., Rabai, L. B. A., & Aissa, A. B. (2014). Classification of security threats in information systems. Procedia Computer Science, 32, 489-496.
Kumar, V. A., Pandey, K. K., & Punia, D. K. (2014). Cyber security threats in the power sector: Need for a domain specific regulatory framework in India. Energy Policy, 65, 126-133.
Luiijf, E., Besseling, K., & De Graaf, P. (2013). Nineteen national cyber security strategies. International Journal of Critical Infrastructures, 9(1-2), 3-31.
Malhotra, Y. (2015). Cybersecurity & Cyber-Finance Risk Management: Strategies, Tactics, Operations, & Intelligence: Enterprise Risk Management to Model Risk Management: Understanding Vulnerabilities, Threats, & Risk Mitigation (Presentation Slides).
Nourian, A., & Madnick, S. (2015). A systems theoretic approach to the security threats in cyber physical systems applied to stuxnet. IEEE Transactions on Dependable and Secure Computing.
Papp, D., Ma, Z., & Buttyan, L. (2015, July). Embedded systems security: Threats, vulnerabilities, and attack taxonomy. In Privacy, Security and Trust (PST), 2015 13th Annual Conference on (pp. 145-152). IEEE.
Pitas, J., Němec, V., & Soušek, R. (2014). Mutual Influence of Management Processes of Stakeholders and Risk Management in Cyber Security Environment. In The 18th World Multi-Conference on Systemics, Cybernetics and Informatics (Vol. 2, pp. 94-97). Orlando, Florida: International Institute of Informatics and Systemics.
Razzaq, A., Hur, A., Ahmad, H. F., & Masood, M. (2013, March). Cyber security: Threats, reasons, challenges, methodologies and state of the art solutions for industrial applications. In Autonomous Decentralized Systems (ISADS), 2013 IEEE Eleventh International Symposium on (pp. 1-6). IEEE.
Thakur, K., Qiu, M., Gai, K., & Ali, M. L. (2015, November). An investigation on cyber security threats and security models. In Cyber Security and Cloud Computing (CSCloud), 2015 IEEE 2nd International Conference on (pp. 307-311). IEEE.
Van den Berg, J., Van Zoggel, J., Snels, M., Van Leeuwen, M., Boeke, S., van de Koppen, L., … & De Bos, T. (2014). On (the Emergence of) Cyber Security Science and its Challenges for Cyber Security Education. In Proceedings of the NATO IST-122 Cyber Security Science and Engineering Symposium (pp. 13-14).
Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102.