Characteristics Of Good Risk Scenarios

It is very important for risk scenarios to be realistic and unbiased so that management can make decisions with confidence. According to COBIT (2014), a risk scenario should have the following characteristics to add real value to risk analysis.
• Relevance – A scenario should yield meaningful information that supports decision making. Scenarios need to be tailored to the market and industry in which the organization operates so that they stay relevant.
• Consistency – Each scenario must be complete and convincing in itself.
• Plausibility – The risk scenario should be believable.
• Likelihood – There should be a realistic probability that the scenario could actually occur.
Reporting

The success of a security and risk metric framework depends on effective reporting of the measurements taken for each metric. If the stakeholders involved do not clearly understand these metrics, the framework is ineffective. Different stakeholders have different expectations of the metrics gathered, so it is important to customize the reports to those expectations. This ensures that the reports generated are actually used.

6.1 Tiered Reporting Model

Adopting a tiered reporting model is an effective way to present the information to the different audiences in an organization. For example, the senior leadership at the top tier of an organization would be more interested in the costs and benefits associated with implementing information security controls, while a middle-tier manager would be more concerned with the effectiveness of the controls implemented (Pironti,
But the constantly evolving information security landscape makes it challenging for organizational leaders to formulate strategies and justify the investments needed to mitigate new risks and threats. Hence, it is critical for organizations to regularly re-evaluate the security metrics and measures that have been established to assess the effectiveness of their security controls and of the information security program as a whole. Having flexible and adaptable metrics and measures will help organizations identify new threats and vulnerabilities and ensure the effectiveness of their security
