In security, risk assessment is an attempt to assess or measure
the likelihood that a cracker
will successfully exploit system or network vulnerabilities. In its 2004 Global
Security Survey, Deloitte reported that 83% of respondents confirmed that their
companies’ systems had been exploited in some way in 2003—and the percentage is
likely higher because of respondent underreporting. These compromised systems
cost companies money. For example, in 2002, NetworkITWeek in the United Kingdom
noted that KPMG consultants estimated that security breaches cost businesses an
average of $108,000.
The underlying principle behind risk assessment considers
three critical elements: assets, threats, and vulnerabilities. Assets include
tangible items having value, such as computer systems, as well as intangible
items having value, such as the company’s reputation. Thus, a primary step in
risk assessment is to determine the items of value and their approximate value
amounts—just as homeowners would determine their items of value and their
approximate value amounts in order to buy the appropriate amount of insurance.
Threats are defined as the means that could be used by
crackers or company insiders to compromise the company’s computer systems. An
action plan and appropriate security devices should be employed to counter
Vulnerability assessment indicates the likelihood that an
exploit could occur, including where in the system and how. Questions that
typically need answering include, for example, the following: Are passwords
produced properly and amended regularly? Are systems locked-down and are
networks adequately secured?
A major challenge facing system administrators is to
consider the threats to which valued company assets are vulnerable and
determine what security efforts are required—and in what priority—to not only
stop possible exploits from occurring but also to be able to quickly and
effectively recover from these exploits should they occur.
See Also: Administrator; Cracking; CSI/FBI Survey; Exploit; Vulnerabilities of Computers.
Further Reading: McLean, D. Companies Neglect IT Security At Their Peril. The Globe and Mail, May 12, 2005, p. B9; Schell, B.H. and Martin, C. Contemporary World Issues Series: Cybercrime: A Reference Handbook. Santa Barbara, CA: ABC-CLIO, 2004.