RISK MANAGEMENT, INCIDENT RESPONSE AND

DISASTER RECOVERY IN COMPUTER-BASED

SYSTEMS

Irrespective of how well designed a computer based system /

network may be, there is some risk associated with such a
system due to the presence of threats to the system and
certain vulnerabilities in the system (s). The management of
these risk becomes a high priority to preserve the CIA of the
system. Also, no matter how well managed the risks to the
system are, it is possible that a breach can still occur. It is
therefore very important that an incidence response and
disaster recovery plan be put in place for that system also.

RISK MANAGEMENT

Before we can understand the concept of risk management,

we need to study some fundamental terms, including Risk,
Vulnerability, Threat, and Damage.

What is a Risk? A risk, in Cyber Security, can be defined as

the possibility or probability that a given threat will take
advantage of the weaknesses or vulnerabilities in the
computer system or network to cause harm or damage to
the system (I.e. Causes an incident). Cyber risk can be
quantified using the relationship:

Cyber risk = Threat x Vulnerability x Information Value

A Vulnerability is an identified weakness in a computer

based system that can be explored to cause some damage.
It can be seen as a known issue that allows an attack to
succeed. For example, a system that saves or transmits
important data without encryption.

While a Threat is an event, a thing or an individual that may

have adverse effect on a computer system or network. We
can have natural threats, such as floods, hurricanes, and
lightening, we can also have Unintentional threats,such as a
staff erroneously accessing the wrong or confidential data,
and there is the Intentional threats,which includes spyware,
malware, adware etc, carried out by hackers, or the actions
of a disgruntled employee.

A Damage is a result or the outcome of a successful

exploitation of a system vulnerability by threat to the system.

WHAT IS RISK MANAGEMENT? In Cyber Security, Risk

management can be defined as the analyzing, evaluating,
and addressing of the threats to a system or network. By
analyzing the system, you determine the threats to the
system and the risk they pose. By evaluating, you determine
the capacities of the threats. By addressing, you put in place
a proactive plan to counter/or ameliorate the threats.

It can also be defined as the steps taken to identify, control

and minimize or eliminate the risk to a computer based
system or network.

RISK MANAGEMENT PROCESS

These are the steps one can take or put in place as a plan to
accomplish the management of risk to a defined system.

They include:

1. Risk Identification Identify the risk . Here you identify

the assets, classify them into groups, rank the assets in
terms of importance and usefulness.

2. Risk Assessment . In risk assessment, you identify

the threats and their agents, prioritize them, assess
the vulnerabilities and determine the risk of each
threat.

Threat agents (also called threat actors) are the

individuals or organizations behind threats including:
Cyber Terrorists,State-Sponsored (usually backed by
governments), and Hacktivists.
 3. RISK CONTROL this concerns what you want to do to
limit the threats to your system.

First determine what risk control strategies are cost

effect next determine the strategies that are feasible,
then implement the selected risk control strategy.

1. MONITOR AND REPORT RISK

This is concerned with documentation of the various
aspects of the management plan.

The diagram below illustrate a generic risk

management process.

Risk
Identifica
tion

Risk
Risk
Assessment
Monitoring /
Reporting

Risk Control

RISK CONTROL STRATEGIES

These are different strategies one can use to limit the
threats to a computer-based system. They
include:Defense, Transferal, Mitigation,Termination
and Acceptance.

1. Defense: This strategy is used when prevention of the

exploitation of system vulnerabilities is the goal.
Policies, training, access control ,and elimination of
 vulnerabilities are some measures implemented in this
strategy.
The disadvantage of this strategy is that it is expensive
and laborious. Advantage is that it is highly effective.

2. Transferal: here your shift the risk for another to

handle e.g
you can outsource the service to another organization
who now bares the risk. It is easy and effective.
Disadvantage is that the organization becomes
dependent on another.

3. Mitigation: in this strategy, you make plans to lessen

the
effect of damage to the system. Plans include incident
response plan (IRP), Disaster recovery plan (DRP) and
business continuity plan (BCP) .

4. Acceptance : In this strategy, you accept the risk and

do nothing about it. This is usually when the cost of
protection of assets is more than the cost to replace the
assets or probability of risk is low. This strategy is
cheap and easy.

5. Termination: Discontinue the use of the defined

system.

INCIDENT RESPONSE
In Cyber Security an incident can be viewed as an
event that can lead to loss or disruption of the services
rendered by a computer-based system or network. It is
the violation of an organizations IT policies, procedures
 or security practices that can lead to the tempering of
the core principles of Confidentially, Integrity and
Availability (CIA )of system.

Incident Response, therefore, can be defined as an

organized approach to addressing and managing the
aftermath of a security breach or Cyber attack.

Purpose of incident Response (Why Incident

Response?)

The following are some reasons for mounting an

incident response plan by an organization:

1. in order to respond quickly and effectively to security

breaches when they occur;

2. to be able to provide proper documentation of incidents and

the associated lessons experience or gained, for future
reference and application;

3. to deal properly with the legal issues that may arise while
incidents occur;

4. to provide stronger protection for system, data and system

resources

Steps In The Incident Response Plan

These are steps to take in designing an incident response

plan

1. Preparation: Here, the organization may establish a team

and train members, or in the case of a small organization,
train an individual and general members of staff on incident
response. The team or individual is equipped with necessary
tools and resources useful in managing incidents and trained
in the use of these tools.
2. Detection and Analysis: Here, the organization puts in
place measures that can be used to identify Cyber incidents
when they occur, analyze the incidents to better understand
them for further actions.

The first line of defense here are people. The users of

computer systems must have knowledge of Cyber incidents
so as to be able to raise alarm when they suspect an attack
is or going.

There are also Technology that can be used to detect and

analyze incidents. firewalls, intruder Detection and
Prevention systems (IDS and IPS) are examples of such
technology.

3. Containment: here you make provision to stop the further

spread of the Cyber incident to associate system or network
pending further action.

4. Eradication and Recovery: what to do to remove incidents

from system and initiate system recovery and restoration.
Usually, a cycle of detection, analysis and eradication is
carried out to ensure the incident is removed.

5. Post incident activity: Here documentation plan is initiated

for execution.

The incident Response life cycle

since Cyber attacks are not a once off occurrence, there is

need for security experts to be abreast with incident
management life cycle so as to be ahead of evolving threats
and be able to recover when attacks occur.

The incident response life cycle is a four phase cycle made

up off the preparation phase, Detection and analysis phase,
the containment, eradication and recovery phase and the
post incident activity phase.

Disaster Recovery
 In computer-based systems, several measures are put in
place to reduce or eliminate mishaps, but disasters can still
occur. It is therefore important that there should be a plan put
in place for system restoration and recovery after such
disasters .

Disaster recovery is concerned with regaining access to and

restoring computer system and network services after a
Cyber attack or natural disaster occurs that disrupts the
services.

Data backup and system redundancy are some important

principles that will be discussed that are relevant in disaster
recovery.

Disaster Recovery Plan (DRP)

A disaster recovery plan can be viewed as a documented

plan that shows what is expected by the recovery team to
keep computer- based services functional or restore such
services within reasonable time, in the event of a Cyber
Disaster that disrupts system operations. That is, the plan
contains steps to take to keep service running or to restore
services in the event of damage to the system.

Steps in Disaster recovery

1. Establish a disaster recovery team and assign roles

2. Review your risk/identify risk

3. Determine key components of your system critical

Applications /equipment etc.

4. Specify back-up procedures

5. Test and maintain the DRP.