From my understanding of this question, I would say buy-in from all departments of an organization is the biggest challenge. Understanding how all departments are utilizing the technology attached to the business is pretty important. Working from home has created many possible access points that should be properly evaluated and communicated. “Buy-in” in this case refers to the ability of an employee to be compliant while doing the job, as well as employee morale within the company.
The experience of the performer of the analysis is also very important. Also, consider the possibility of placing your security efforts in the hands of someone who turns out to be a malicious actor themselves.
Assuming all of the business’s i’s have been dotted and t’s have been crossed, if the above two are not completely in sync, and considering how advanced threats have become, all efforts are obsolete.
The challenge involved in performing a quantitative information security risk analysis is that it requires what might be considered a significant effort. It can also be time-consuming and expensive. It can mean looking at patterns in the operations and seeing if there are changes which would be a potential risk. The quantitative aspect can be looked at with analysis using various tools. The organization needs to put preventive measures in place, which they may not always choose to act upon. The company may choose to take more of a qualitative approach, which would be less expensive but may be harder to determine. The best course of action is a blend of the two.
I think you make a really good point here, Marc. Particularly your point on the organization acting on taking the proper preventative measures needed to secure the organization is interesting since you tied this to which approach an organization may choose. There can be instances where an organization answers to a Board and even though the money is there, the decision to invest appropriately may lie in the hands of people who are far away from the day-to-day realistic efforts of the organization. Good point here.
The challenges in performing quantitative information security risk analysis include overreliance on well-established data security systems with little downtime. These systems only report (alert) to a select group of individuals after a security event has occurred.
Secondly, the preponderance of the “open innovation” concept, which has become a new norm, tends to lead companies to share resources with vendors, contractors, etc. This poses a huge challenge in performing accurate quantitative analysis because of the large number of endpoints and human error.
You made a great point about systems reporting alerts to a select group of individuals after an event, and the information contained in such alerts could be ignored.
One of the challenges that stood out for me is education, or the lack thereof. The principles of the analysis are not widely understood. As you go farther up the chain of command, the need for education starts to dwindle. Like I stated in the first question, it’s an all-around education that needs to be kept up with, in all aspects of business. As per the reading in the Risk IT Framework, “cyberrisk, in particular, may not be well understood by key enterprise stakeholders- including board members and executives, who depend on technology to achieve strategic and operational and consequently, should be accountable for risk management.” The further up the chain, the less they are informed of the risks that are there for every company, but it becomes very clear once there is an event that takes down part of the company. Another challenge is costs and proving to the shareholders the need for such risk analysis to be done. This is one concept that stood out for me while I applied to the program. For the past 10 years at Comcast, I had to effectively communicate technology to stakeholders and customers. Being able to explain it in a way that sells it to C-level executives and customers can be a challenge, but also rewarding once the light bulb goes off for each party. One of many pieces of information that I gleaned from the reading this week is to take a consistent approach that is standard, repeatable and aligned to strategy when doing a risk analysis; that way it doesn’t look like you are trying to put out fires constantly.
One of the challenges is that quantitative info cannot be perfect, because it is going to be influenced if it has been shared with people that are part of the company (vendors, clients, business partners), or if the data has been updated or changed.
Another challenge is that the analysis can be subject to different opinions, so one employee’s view may differ from another’s. Or, if we are talking on a big scale, the main office can think of or appreciate the interconnected data in a different way than other offices.
There are various challenges involved in performing a qualitative information security analysis. Compiling accurate data, limited time, and limited scope are some of the challenges. When compiling data, different factors should be considered, such as the privileges granted to the analyst. An analyst with limited access will most likely not be able to detect the risks that analysts with full access can detect. With the time limit, analysts may not be able to complete their analysis before the expected time. Finally, the scope should be accurate. If an analyst is given the wrong scope of network, the result will be inaccurate.
There are plenty of challenges to performing a complete analysis; here are some I’ve noted. Lack of informed/properly educated staff with proper security protocols and procedures: communicating as such can be difficult in establishing the true potential of risk, as well as receiving appropriate resources to lower risks. Data availability: to get a good analysis you need to be able to receive truly accurate and reliable data about assets to be able to appropriately assess risk and losses; without knowing an organization’s architecture inside and out, it is hard to point out vulnerabilities and threats. Uncertainty: likely a challenge that’ll remain ever-present in the continually evolving field, as it’s impossible to protect against threats and vulnerabilities you were unaware of being possible. Subjectivity: another big challenge when analyzing; you need not only a diverse internal security team to assess asset risk and value, but also an outside evaluation team that can give a more objective view in their analysis. This is by no means an exhaustive list; there are plenty of other challenges, such as time/monetary constraints, risk model complexity, lack of historical data, architecture complexity and estimation of risk impact.
Several challenges present themselves in performing security risk analysis. Not only is the range of threats faced by companies and security specialists constantly advancing, but, as Vacca writes, “there is no such thing as perfect security,” and one of the primary drivers behind this is human error. Not only are humans unpredictable and prone to making common IT errors with their information, as well as overestimating their confidence with technology, but many users, as well as corporations themselves, often view added security measures such as MFA and password change-ups as a hindrance to their work and may therefore be averse to using or cooperating with security recommendations in favor of sticking to what they are comfortable with.
In terms of doing risk analysis, quantitative assessment is generally considered the way to go. However, it’s not without its challenges. For one, you have to deal with the risk of data integrity loss when the data you’re working with gets changed or corrupted. There’s also the issue of accidental errors. This is when someone messes up the use of data, but it’s a mistake rather than something done intentionally. You can’t overlook the possibility of computer viruses affecting your system, causing unexpected behaviors in the programs you use for the analysis.
Computer viruses especially affect systems running outdated software and applications that have gone a long time without the patches that address security vulnerabilities within a program or product.
The challenge that is involved in performing a quantitative information security risk analysis is that it is a very time-consuming project. This also greatly depends on the information provided by the organization with respect to their current security practices. The opinions of the employees may differ from those of upper management, because each has their own understanding of what information they think is at risk and how that may be shared with outside vendors or subsidiaries. It is also dependent on employee trainings, best practices at the company and how many people actually implement these security strategies. This also includes data loss or leaks that may be caused by human error. There is no accurate way to predict the exact risk that may or may not occur.
The challenge that comes to mind is the accuracy and reliability of data. Information security tools are not immune to errors, and it falls upon the information security team to solve these mistakes. For instance, many organizations conduct phishing exercises. An issue might arise where the anti-virus and secure web gateway could unintentionally block the phishing scenario and flag the associated URL as malicious. These types of issues distort the data and its accuracy which makes it difficult to collect. The idea of a perfect security solution is unrealistic as the presence of other concurrent security measures in place could potentially disrupt the data being gathered.
I think you are correct. Imagine a situation where a tool gives false or inaccurate information due to calibration issues or malfunctioning. Also, certain tools are not compatible with other tools.
People first and foremost. We do not like change, and one of the challenges is that this type of analysis is not widely understood. So, it is important that you have full buy-in from all your stakeholders. You must determine if there is a risk plan in place; if not, you are starting from scratch, and if there is, you need to figure out how to utilize the existing framework so as not to stray too far away from what has already been established.
I think the biggest challenge in performing a quantitative information security risk analysis is the fact that the topic itself is challenging. Many people do not understand information security risk or how to quantify it. Many of those people are in charge of organizations today. With the threat of information security growing at such a fast pace, many people who are in charge of organizations are not well versed in the topic, and it’s not an easy topic to quickly understand. With this being the case, it’s hard for some people to put the necessary resources toward information security, and even if they do, it’s hard for them to understand if those resources are working.
I definitely agree that the topic of quantitative information security risk analysis is challenging. With the amount of precise data needed and complex calculations, it would be difficult to maintain a pace as the field of cybersecurity is continually evolving at a rapid rate. Even though there are resources/tools to assist with obtaining this information, it would be difficult to understand as it involves complex mathematical models and technical terminologies.
Conducting a quantitative information security risk analysis poses several significant challenges.
First, there is the complex task of accurately quantifying both the probability of potential threats and their potential impact. This involves the careful analysis of vast amounts of data and also requires a comprehensive understanding of the IT landscape and its inherent vulnerabilities.
Furthermore, the constant evolution of cyber threats generates the necessity of frequent re-evaluation, adding a further layer of complexity to this intricate task.
Lastly, the process often demands collaboration between departments or individuals who possess differing levels of understanding regarding the organization’s cyber security landscape, requiring skillful coordination and communication. Therefore, the execution of a robust quantitative information security risk analysis is a nuanced and demanding undertaking. It is a complex task.
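The difficulty of "quantifying both the probability of potential threats and their potential impact" that the post above describes is easier to see with numbers. The following is an added example, not code from the original thread or any poster. It assumes the standard textbook formulation ALE = SLE × ARO (annualized loss expectancy equals single loss expectancy times annual rate of occurrence), which the thread does not itself state, and it treats each expert estimate as a low/most-likely/high range rather than a single number. All figures (a hypothetical ransomware event on a file server) are constructed for illustration and are not from the page.

```python
import random
import statistics

# Constructed, hypothetical estimates for one scenario: ransomware on a file server.
# Each is a (low, most likely, high) triple because experts rarely agree on one number.
SINGLE_LOSS_EXPECTANCY = (50_000.0, 200_000.0, 900_000.0)  # dollars per event
ANNUAL_RATE_OF_OCCURRENCE = (0.05, 0.2, 0.6)               # events per year


def annualized_loss_expectancy(sle, aro):
    """Classic point estimate: ALE = SLE x ARO."""
    return sle * aro


def percentile(samples, p):
    """Nearest-rank percentile (p in 0..100) of a list of numeric samples."""
    ordered = sorted(samples)
    rank = int(round(p / 100 * (len(ordered) - 1)))
    rank = max(0, min(len(ordered) - 1, rank))
    return ordered[rank]


def simulate_ale(sle_range, aro_range, trials=20_000, seed=7):
    """Monte Carlo ALE: draw SLE and ARO independently from triangular
    distributions bounded by the expert estimates, multiply per trial, and
    summarize the resulting loss distribution next to the point estimate."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    sle_low, sle_mode, sle_high = sle_range
    aro_low, aro_mode, aro_high = aro_range
    # random.triangular takes (low, high, mode)
    samples = [
        rng.triangular(sle_low, sle_high, sle_mode)
        * rng.triangular(aro_low, aro_high, aro_mode)
        for _ in range(trials)
    ]
    return {
        "point_estimate": annualized_loss_expectancy(sle_mode, aro_mode),
        "mean": statistics.fmean(samples),
        "p50": percentile(samples, 50),
        "p90": percentile(samples, 90),
        "floor": sle_low * aro_low,      # best case given the ranges
        "ceiling": sle_high * aro_high,  # worst case given the ranges
    }


if __name__ == "__main__":
    result = simulate_ale(SINGLE_LOSS_EXPECTANCY, ANNUAL_RATE_OF_OCCURRENCE)
    for key, value in result.items():
        print(f"{key:>15}: ${value:,.0f}")
```

Running it shows why a single "most likely" ALE is misleading: because both inputs are skewed toward large values, the mean and the 90th percentile of the simulated annual loss sit well above the point estimate, and the spread between floor and ceiling is what a board actually needs to see when deciding how much to spend on controls.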
Challenges that an organization may face when performing a quantitative risk analysis include gaining a thorough understanding of the business, data, and information system if the business is complex. If you don’t understand the business process, you might have difficulty understanding the information system, the data that lives on the system and how to protect that data. Obtaining accurate, current data to perform risk calculations is of the utmost importance, as this data is necessary to conduct risk assessments. If a company is unable to access the data because of a complex information system structure, it would prove to be even more difficult to identify and quantify emerging risks in an organization.