
Information Technology Security & Privacy (COSC 3796)

School of Computer Science and Technology


Algoma University, Sault Ste. Marie
Fall 2024

TITLE: RISK MANAGEMENT AND DATA PRIVACY


LECTURE NO. 4

INSTRUCTOR: DR. MUHAMMAD AZAM


Module Objectives

• Define risk.
• Describe strategies for reducing risk.
• Explain concerns surrounding data privacy.
• List methods for protecting data.

Managing Risk

• Managing risk is to create a level of protection that mitigates the vulnerabilities to the threats and reduces the potential consequences
• It involves the following:
  • Defining what it is
  • Understanding risk types
  • Knowing different methods of risk analysis
  • Realizing how to manage risk
Defining Risk

• An asset is any item that has a positive economic value
• The asset value is the relative worth of an asset
• Assets are continually under threat, which is a type of action that has the potential to cause harm
• Risk is defined as a situation that involves exposure to some type of danger
• Risk can also be described as a function of threats, the consequences of those threats, and the resulting vulnerabilities

Defining Risk

Threat category | Description | Example
Strategic | Action that affects the long-term goals of the organization | Theft of intellectual property, not pursuing a new opportunity, loss of a major account, competitor entering the market
Compliance | Following (or not following) a regulation or standard | Breach of contract, not responding to the introduction of new laws
Financial | Impact of financial decisions or market factors | Increase in interest rates, global financial crisis
Operational | Events that impact the daily business of the organization | Fire, hazardous chemical spill, power blackout
Technical | Events that affect information technology systems | Denial of service attack, SQL injection attack, virus
Managerial | Actions related to the management of the organization | Long-term illness of company president, key employee resigning
Risk Types

• Risk types can be grouped into the following categories:
  • Internal and external
  • Legacy systems
  • Multiparty
  • Intellectual property (IP)
  • Software compliance and licensing
Risk Analysis

• Risk analysis is a process to identify and assess the factors that may jeopardize the success of a project or reaching a stated goal
• Following a methodology for performing a risk analysis is crucial
• Methodology
  • Identifying risks can be difficult due to the following:
    • Risks can be elusive
    • Unconscious human biases
  • A methodology helps to minimize human factors in identifying risk by not relying on a few employees in an organization but involving many individuals in the process
  • Risk Control Self-Assessment (RCSA) is an “empowering” methodology by which management and staff collectively work to identify and evaluate risks
Risk Analysis

• There are two approaches to risk assessment:
  • Qualitative risk assessment uses an “educated guess” based on observation
    • Typically assigns a numeric value (1-10) or label (High, Medium, or Low) that represents the risk
  • Quantitative risk assessment attempts to create “hard” numbers associated with the risk of an element in a system by using historical data
    • Can be divided into the likelihood of a risk and the impact of a risk being successful
Risk Analysis

• Risk Likelihood
  • Several quantitative tools can be used to predict the likelihood of the risk:
    • Mean Time Between Failure (MTBF)
    • Mean Time To Recovery (MTTR)
    • Mean Time To Failure (MTTF)
    • Failure In Time (FIT)
  • Historical data can be used to determine the likelihood of a risk occurring within a year
    • Known as Annualized Rate of Occurrence (ARO)
Risk Analysis

Source | Explanation
Law enforcement agencies | Crime statistics on the area of facilities to determine the probability of vandalism, break-ins, or dangers potentially encountered by personnel
Insurance companies | Risks faced by other companies and the amounts paid out when these risks became reality
Computer incident monitoring organizations | Data regarding a variety of technology-related risks, failures, and attacks
Risk Analysis

• Risk Impact
  • Determining the impact of risk involves comparing the monetary loss associated with an asset in order to determine the amount of money that would be lost if the risk occurred
  • Two risk calculation formulas are used to calculate expected losses:
    • Single Loss Expectancy (SLE) is the expected monetary loss every time a risk occurs
      Single Loss Expectancy = Asset Value * Exposure Factor
    • Annualized Loss Expectancy (ALE) is the expected monetary loss that can be expected for an asset due to risk over a one-year period
      Annualized Loss Expectancy = Single Loss Expectancy * Annualized Rate of Occurrence
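The following is an added worked example, not part of the lecture slides, that carries the likelihood and impact formulas above through in code: ARO is estimated from MTBF or FIT figures, SLE and ALE are computed with the two formulas, and the ALE with and without a proposed control is compared against the control's annual cost, which is the cost-versus-impact test the lecture later gives for deciding between acceptance and mitigation. All dollar amounts, rates and the "failures spread evenly over the year" assumption behind the MTBF conversion are constructed for this illustration.

```python
"""Quantitative risk calculation: ARO from failure data, SLE, ALE, and a control cost/benefit check.

Constructed example (not from the lecture). All figures are made up for illustration.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365  # 8760


def aro_from_mtbf(mtbf_hours: float) -> float:
    """Annualized Rate of Occurrence estimated from Mean Time Between Failure.

    Assumption (ours, not the lecture's): failures are spread evenly over time,
    so the expected number of failures per year is hours-per-year / MTBF.
    """
    if mtbf_hours <= 0:
        raise ValueError("MTBF must be positive")
    return HOURS_PER_YEAR / mtbf_hours


def aro_from_fit(fit: float) -> float:
    """FIT is failures per 1e9 device-hours; convert it to expected failures per year."""
    if fit < 0:
        raise ValueError("FIT cannot be negative")
    return fit * HOURS_PER_YEAR / 1e9


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value * Exposure Factor; EF is the fraction of the asset's value lost (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO."""
    return sle * aro


@dataclass
class ControlDecision:
    """Compares expected annual loss with and without a proposed control."""
    ale_before: float
    ale_after: float
    annual_control_cost: float

    @property
    def net_benefit(self) -> float:
        # Loss avoided per year minus what the control costs per year.
        return (self.ale_before - self.ale_after) - self.annual_control_cost

    @property
    def strategy(self) -> str:
        # Mitigate only when the control pays for itself; otherwise the
        # acceptance rule applies (cost of mitigating outweighs the impact).
        return "mitigate" if self.net_benefit > 0 else "accept"


def evaluate_control(asset_value: float, ef_before: float, aro_before: float,
                     ef_after: float, aro_after: float, control_cost: float) -> ControlDecision:
    """Work the SLE and ALE formulas with and without the control in place."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_after), aro_after)
    return ControlDecision(ale_before, ale_after, control_cost)


if __name__ == "__main__":
    # Constructed figures for a database server worth $500,000: a breach loses 40% of its
    # value and historically happens once every two years; a proposed control costing
    # $20,000/yr cuts the loss to 10% and the rate to once every five years.
    d = evaluate_control(asset_value=500_000, ef_before=0.4, aro_before=0.5,
                         ef_after=0.1, aro_after=0.2, control_cost=20_000)
    print(f"ALE before: ${d.ale_before:,.0f}  ALE after: ${d.ale_after:,.0f}")
    print(f"Net benefit: ${d.net_benefit:,.0f} -> {d.strategy}")
    print(f"ARO for an MTBF of 4380 h: {aro_from_mtbf(4380):.2f} failures/year")
```

With the constructed figures the ALE falls from $100,000 to $10,000, so the $20,000 control nets $70,000 a year and the decision is to mitigate; swap in a control that costs more than the loss it avoids and the same function returns "accept". The exposure factor is validated because an EF outside 0..1 silently produces nonsense losses.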
Risk Analysis

• Representing Risks
  • Risk register is a list of potential threats and associated risks
  • Risk matrix/heatmap is a visual color-coded tool that lists the impact and likelihood of risks

Risk Analysis: Risk Register (figure)

Risk Analysis: Risk Matrix/Heatmap (figure)
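As an added example (not the lecture's own register or matrix), the code below builds a small risk register using qualitative likelihood and impact scores, ranks the entries, and lays them out on a text heatmap with impact on one axis and likelihood on the other. The entries are taken from threats in the threat-category table earlier in the lecture; the 1-5 scales, the owners, the scores and the High/Medium/Low thresholds are all constructed for this illustration.

```python
"""A small risk register with qualitative likelihood x impact scoring and a text heatmap.

Constructed example (not the lecture's own register). The 1-5 scales and the
High/Medium/Low thresholds are assumptions made for this illustration.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class RiskEntry:
    risk_id: str
    threat: str
    category: str      # strategic, compliance, financial, operational, technical, managerial
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (severe)
    owner: str
    strategy: str = "undecided"  # accept, transfer, avoid, or mitigate once decided

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        """Qualitative score: likelihood multiplied by impact (1..25)."""
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        # Assumed thresholds: 15+ High, 8-14 Medium, below 8 Low.
        if self.score >= 15:
            return "High"
        if self.score >= 8:
            return "Medium"
        return "Low"


class RiskRegister:
    """List of potential threats and their associated risks, ranked and plotted."""

    def __init__(self) -> None:
        self.entries: list[RiskEntry] = []

    def add(self, entry: RiskEntry) -> None:
        if any(e.risk_id == entry.risk_id for e in self.entries):
            raise ValueError(f"duplicate risk id {entry.risk_id}")
        self.entries.append(entry)

    def ranked(self) -> list[RiskEntry]:
        """Highest-scoring risks first, so they get attention first."""
        return sorted(self.entries, key=lambda e: e.score, reverse=True)

    def heatmap(self) -> dict[tuple[int, int], list[str]]:
        """Map each (likelihood, impact) cell to the risk ids that fall in it."""
        grid = {(lk, im): [] for lk in range(1, 6) for im in range(1, 6)}
        for e in self.entries:
            grid[(e.likelihood, e.impact)].append(e.risk_id)
        return grid

    def render(self) -> str:
        """Text heatmap: impact on the vertical axis (5 at the top), likelihood across."""
        grid = self.heatmap()
        rows = []
        for impact in range(5, 0, -1):
            cells = [",".join(grid[(lk, impact)]) or "." for lk in range(1, 6)]
            rows.append(f"I{impact} | " + " ".join(f"{c:>8}" for c in cells))
        rows.append("     " + " ".join(f"{'L' + str(lk):>8}" for lk in range(1, 6)))
        return "\n".join(rows)


def sample_register() -> RiskRegister:
    """Register populated from threats in the lecture's threat table; scores are constructed."""
    reg = RiskRegister()
    reg.add(RiskEntry("R1", "SQL injection attack", "technical", 4, 5, "AppSec lead", "mitigate"))
    reg.add(RiskEntry("R2", "Power blackout", "operational", 3, 3, "Facilities", "mitigate"))
    reg.add(RiskEntry("R3", "Key employee resigning", "managerial", 3, 2, "HR", "accept"))
    reg.add(RiskEntry("R4", "Fire", "operational", 1, 5, "Facilities", "transfer"))
    return reg


if __name__ == "__main__":
    reg = sample_register()
    for e in reg.ranked():
        print(f"{e.risk_id} {e.threat:<24} score={e.score:>2} {e.rating:<6} -> {e.strategy}")
    print(reg.render())
```

Each register entry records the threat, its category from the lecture's table, the scores, an owner and the chosen strategy, which is what makes the register usable for follow-up rather than just a list; the heatmap is the same data viewed by cell, so a risk that is rare but severe (R4, fire) sits in the top-left corner where a colour-coded matrix would flag it even though its numeric score is low.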
Risk Management

• Risk appetite involves reducing risk to a level that is considered acceptable for the organization
• Managing risk involves using specific strategies and control types, addressing third-party risk, and incorporating user training
• Determining a Strategy
  • There are four strategies for dealing with risks:
    • Acceptance
    • Transference
    • Avoidance
    • Mitigation
Risk Acceptance

• Risk acceptance involves acknowledging the existence of a risk and deciding to accept it without taking any action to reduce its impact or likelihood.
• Context in Information Security:
  • Organizations may accept risks if the cost of mitigating the risk outweighs the potential impact of the risk itself.
• Example:
  • A company may accept the risk of occasional minor data breaches because the cost of implementing advanced security measures is too high relative to the potential damage.

Risk Transference

• Risk transference involves shifting the risk to a third party, often through contracts or insurance.
• Context in Information Security:
  • This is commonly done by purchasing cybersecurity insurance or outsourcing certain security functions to specialized vendors.
• Example:
  • An organization may transfer the risk of a data breach by purchasing cyber liability insurance that covers the financial losses associated with a breach.

Risk Avoidance

• Risk avoidance involves taking actions to completely avoid the risk, often by not engaging in activities that could lead to risk exposure.
• Context in Information Security:
  • Organizations may choose to avoid certain technologies, practices, or business activities that are deemed too risky.
• Example:
  • A company may decide not to store sensitive customer data on their servers, thereby avoiding the risk of data breaches.

Risk Mitigation

• Risk mitigation involves taking steps to reduce the impact or likelihood of a risk.
• Context in Information Security:
  • This includes implementing security measures such as firewalls, encryption, regular software updates, and employee training.
• Example:
  • An organization might mitigate the risk of malware attacks by implementing robust antivirus software and conducting regular security audits.
Risk Management

• Using Controls
  • A security control is a safeguard or countermeasure employed within an organizational information system to protect the confidentiality, integrity, and availability of the technology system and its data
  • A security control attempts to limit exposure to a danger
  • There are three categories of control (see the following slide)
  • Specific types of controls are found within the three broad categories of controls (see next slides)
Risk Management

Control category | Description | Phishing example
Managerial | Controls that use administrative methods | Acceptable use policy that specifies users should not visit malicious websites.
Operational | Controls implemented and executed by people | Conducting workshops to help train users to identify and delete phishing messages.
Technical | Controls incorporated as part of hardware, software, or firmware | Unified threat management (UTM) device that performs packet filtering, antiphishing, and web filtering
Risk Management

Control type | Description | When it occurs | Example
Deterrent control | Discourage attack | Before attack | Posting signs indicating that the area is under video surveillance
Preventative control | Prevent attack | Before attack | Providing security awareness training for all users
Physical control | Prevent attack | Before attack | Building fences that surround the perimeter
Detective control | Identify attack | During attack | Installing motion detection sensors
Compensating control | Alternative to normal control | During attack | Isolating an infected computer on a different network
Corrective control | Lessen damage from attack | After attack | Cleaning a virus from an infected server
Risk Management

• Implement Third-Party Risk Management
  • There are several risks associated with using third parties:
    • It can be difficult to coordinate their diverse activities with the organization
    • Almost all third parties today require access to the organization’s computer network to provide them the ability to perform their IT-related functions
  • Risks of third-party integration:
    • On-boarding and off-boarding
    • Application and social media network sharing
    • Privacy and risk awareness
    • Data considerations
Risk Management

• One of the means by which all parties can reduce risk is to reach an understanding through interoperability agreements
• Interoperability agreements are formal contractual relationships as they relate to security policy and procedures
• Agreements that should be regularly reviewed to verify compliance and performance standards include:
  • Service Level Agreement (SLA) is a service contract that specifies what services will be provided and the responsibilities of each party
  • Business partnership agreement (BPA) is a contract used to establish the rules and responsibilities of each partner
  • Memorandum of Understanding (MOU) describes an agreement between two or more parties
Risk Management

• Agreements that should be regularly reviewed to verify compliance and performance standards include (continued):
  • Nondisclosure agreement (NDA) is a legal contract between parties that specifies how confidential material will be shared between the parties but restricted to others
  • Measurement system analysis (MSA) uses scientific tools to determine the amount of variation that is added to a process by a measurement system
  • End of life (EOL) is a term used by a manufacturer to indicate that a product has reached the end of its “useful life”
  • End of service (EOS) indicates the end of support
Risk Management

• Provide User Training (operational)
  • Training results in risk awareness, which is the raising of understanding of what risks exist, their potential impacts, and how they are managed
  • Training can make users aware of common risks and how they can become a “human firewall” to help mitigate risks
  • To view different traits of learners, see Table 15-8 (on the following slide)
  • Training styles also impact how people learn
    • To see a list of different approaches to learning, see Table 15-9 (on one of the following slides)
Risk Management

Year born | Traits | Number in U.S. population
Prior to 1946 | Patriotic, loyal, have faith in institutions | 75 million
1946-1964 | Idealistic, competitive, question authority | 80 million
1965-1981 | Self-reliant, distrustful of institutions, adaptive to technology | 46 million
1982-2000 | Pragmatic, globally concerned, computer literate, media savvy | 76 million
Risk Management

Subject | Pedagogical approach | Andragogical approach
Desire | Motivated by external pressures to get good grades or pass on to next grade | Motivated by higher self-esteem, more recognition, desire for better quality of life
Student | Dependent on teacher for all learning | Self-directed and responsible for own learning
Subject matter | Defined by what the teacher wants to give | Learning is organized around situations in life or at work
Willingness to learn | Students are informed about what they must learn | A change triggers a readiness to learn or students perceive a gap between where they are and where they want to be
Risk Management

• Different techniques employed for user training:
  • Computer-based training (CBT)
  • Role-based awareness training
  • Gamification
  • Phishing simulations
Data Privacy

• Privacy is defined as the state or condition of being free from public attention, observation, or interference to the degree that the person chooses
• Data is collected on almost all actions today
  • Through web surfing, purchases, user surveys, and questionnaires
• As technology devices gather data on user behavior, users are becoming increasingly concerned about how their private data is being collected, used, and stored
• Understanding data privacy includes the following:
  • Knowing the reasons for user concerns
  • Understanding the consequences of a data breach
  • Identifying data types
User Concerns

• User concerns revolve around the risks associated with the use of private data and fall into three broad categories:
  • Individual inconveniences and identity theft
  • Association with groups
  • Statistical inferences
User Concerns

Issue | Explanation
The data is gathered and kept in secret. | Users have no formal rights to find out what private information is being gathered, who gathers it, or how it is being used.
The accuracy of the data cannot be verified. | Because users do not have the right to correct or control what personal information is gathered, its accuracy may be suspect. In some cases, inaccurate or incomplete data may lead to erroneous decisions made about individuals without any verification.
Identity theft can impact the accuracy of data. | Victims of identity theft often have information added to their profile that was the result of actions by the identity thieves, and even the victims have no right to see or correct the information.
Unknown factors can impact overall ratings. | Ratings are often created from combining thousands of individual factors or data streams, including race, religion, age, gender, household income, zip code, presence of medical conditions, transactional purchase information from retailers, and hundreds more data points about individual consumers. How these different factors impact a person’s overall rating is unknown.
Informed consent is usually missing or is misunderstood. | Statements in a privacy policy such as “We may share your information for marketing purposes with third parties” are not clearly informed consent to freely allow the use of personal data. Often users are not even asked for permission to gather their information.
Data is being used for increasingly important decisions. | Private data is being used on an ever-increasing basis to determine eligibility in significant life opportunities, such as jobs, consumer credit, insurance, and identity verification.
Data Breach Consequences

• The consequences to an organization that has suffered a data breach include the following:
  • Reputation damage
  • IP theft
  • Fines

Data Types (table)
Protecting Data

• Different technologies can be used to enhance the protection of privacy data including the following:
  • Data minimization is limiting the collection of personal information to that which is directly relevant and necessary to accomplish a specific task
  • Data masking involves creating a copy of the original data but obfuscating (making unintelligible) any sensitive elements such as a user’s name or Social Security number
    • Also called data anonymization
    • Data masking is one way to perform data sanitization, which is the process of cleaning data to provide privacy protection
  • Tokenization obfuscates sensitive data elements into a random string of characters (token)
  • Data sovereignty is the country-specific requirements that apply to data
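The three software techniques on this slide (minimization, masking, tokenization) applied to one constructed customer record, as an added example that is not code from the lecture. The record, the masking rules (initials only for names, last four digits for the Social Security number) and the "tok_" token format are assumptions made for the illustration; the point of the vault class is that the token itself reveals nothing and only the separately held lookup table can reverse it, whereas masking produces a copy that cannot be reversed at all.

```python
"""Data minimization, masking, and tokenization applied to a constructed customer record.

Added illustration, not code from the lecture. The record below is made up;
the masking rules and the token format are assumptions for this example.
"""
import secrets

# Constructed sample record (fictional person, not real data).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.test",
    "city": "Sault Ste. Marie",
    "favorite_color": "blue",
}


def minimize(record: dict, needed: set) -> dict:
    """Data minimization: keep only the fields directly relevant to the task at hand."""
    return {k: v for k, v in record.items() if k in needed}


def mask_ssn(ssn: str) -> str:
    """Mask all but the last four digits of a US Social Security number."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


def mask_name(name: str) -> str:
    """Keep each initial, replace the rest of every name part with asterisks."""
    return " ".join(part[0] + "*" * (len(part) - 1) for part in name.split())


def mask_record(record: dict) -> dict:
    """Data masking: return a copy with sensitive elements made unintelligible."""
    masked = dict(record)          # copy; the original is left untouched
    if "ssn" in masked:
        masked["ssn"] = mask_ssn(masked["ssn"])
    if "name" in masked:
        masked["name"] = mask_name(masked["name"])
    return masked


class TokenVault:
    """Tokenization: swap a sensitive value for a random token.

    The token carries no information about the value; only the vault's lookup
    table (kept in memory here) can map a token back. In practice the vault
    is a separately secured system.
    """

    def __init__(self) -> None:
        self._token_to_value: dict = {}
        self._value_to_token: dict = {}

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:
            return self._value_to_token[value]   # same value always maps to the same token
        token = "tok_" + secrets.token_hex(8)      # 16 random hex chars; format is assumed
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]

    def tokenize_record(self, record: dict, fields: set) -> dict:
        out = dict(record)
        for field in fields:
            if field in out:
                out[field] = self.tokenize(out[field])
        return out


if __name__ == "__main__":
    print("minimized:", minimize(SAMPLE_RECORD, {"email", "city"}))
    print("masked:   ", mask_record(SAMPLE_RECORD))
    vault = TokenVault()
    tokenized = vault.tokenize_record(SAMPLE_RECORD, {"ssn"})
    print("tokenized:", tokenized)
    print("restored: ", vault.detokenize(tokenized["ssn"]))
```

Returning the same token for a repeated value keeps tokenized data joinable (the same customer can still be matched across records) without exposing the value; if that linkability is itself a privacy concern, the vault can instead issue a fresh token per use.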
Data Destruction

• The information life cycle is the flow of an information system’s data from data creation to the time it becomes obsolete
• Once data is no longer useful it should be destroyed
• Paper media can be destroyed by burning, shredding, pulping, or pulverizing
• In electronic media, data should never be erased using the OS “delete” command
  • Data could still be retrieved by using third-party tools
• Data sanitization tools can be employed to securely remove data
  • Wiping can be described as overwriting the disk space with zeros or random data
  • Degaussing permanently destroys the entire magnetic-based drive by reducing or eliminating the magnetic field
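The wiping technique on this slide, as an added example (not from the lecture) at the level of a single file: the contents are overwritten in place with random data and then zeros, each pass is flushed to the device before the next, the final pass is read back to confirm it stuck, and only then is the file unlinked. The pass count, the pattern and the throwaway demo file are assumptions for this illustration. One caveat a practitioner should know: overwriting in place only sanitizes the blocks the filesystem writes back to, so on SSDs with wear levelling, copy-on-write or journaling filesystems, and anywhere snapshots or backups exist, the old data may survive; for a whole drive, a sanitization tool that addresses the device (or cryptographic erase of an encrypted drive) is the reliable route.

```python
"""Wipe a file by overwriting it before unlinking, then confirm the final pass stuck.

Added illustration, not code from the lecture. Pass count and pattern are assumptions.
"""
import os
import secrets
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB chunks so large files do not need to fit in memory


def _overwrite(f, size: int, random_pass: bool) -> None:
    """Write one full pass over the file: random data or zeros, as the lecture describes."""
    f.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        f.write(secrets.token_bytes(n) if random_pass else b"\x00" * n)
        remaining -= n
    f.flush()
    os.fsync(f.fileno())   # push this pass to the device before starting the next


def _all_zero(f, size: int) -> bool:
    """Read the file back and check that every byte is zero."""
    f.seek(0)
    remaining = size
    while remaining > 0:
        chunk = f.read(min(CHUNK, remaining))
        if not chunk or chunk.count(0) != len(chunk):
            return False
        remaining -= len(chunk)
    return True


def wipe_file(path: str, passes: int = 3) -> dict:
    """Overwrite `path` `passes` times (random data, ending with a zero pass),
    verify the last pass reads back as zeros, then remove the file."""
    if passes < 1:
        raise ValueError("need at least one pass")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for i in range(passes):
            last = i == passes - 1
            _overwrite(f, size, random_pass=not last)
        verified = _all_zero(f, size)
    if not verified:
        raise RuntimeError("final zero pass did not read back as zeros")
    os.remove(path)
    return {"bytes_overwritten": size * passes, "passes": passes, "verified": verified}


def demo(size: int = CHUNK + 123) -> dict:
    """Create a throwaway file of constructed content, wipe it, and report what happened."""
    fd, path = tempfile.mkstemp(prefix="wipe_demo_")
    with os.fdopen(fd, "wb") as f:
        f.write(b"CONFIDENTIAL " * (size // 13 + 1))
        f.truncate(size)
    result = wipe_file(path)
    result["still_exists"] = os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo())
```

The read-back check is what distinguishes this from a plain delete: a failure there means the write did not reach the storage the way the code assumed, and the file is deliberately left in place rather than unlinked, so the problem is visible instead of silently leaving recoverable data behind.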
Summary

• A risk is a situation that involves exposure to some type of danger
• It is important for an organization to regularly perform a risk analysis, or a process to identify and assess the factors that may jeopardize the success of a project or reaching a stated goal
• There are two approaches to risk calculation: qualitative risk calculation and quantitative risk calculation
• Several approaches are used to reduce risk, including using a security control and modifying the response to the risk instead of accepting the risk
• Several risks are associated with using third parties
• An often-overlooked consideration in risk management is the importance of providing training to users
Summary

• Privacy is defined as the state or condition of being free from public attention, observation, or interference to the degree that the person chooses
• Once a data breach occurs, an organization must take specific, actionable steps
• Different data types require protection besides customer data, financial information, and government data
• Once data is no longer useful, it should be properly destroyed
References

Some contents were derived from the following texts.

• CompTIA Security+ Guide to Network Security Fundamentals, 7th Edition
• Principles of Information Security, 7th Edition (Michael E. Whitman; Herbert J. Mattord)
• Ukeje, N., Gutierrez, J., & Petrova, K. (2024). Information security and privacy challenges of cloud computing for government adoption: a systematic review. International Journal of Information Security, 1-17.
• Ali, A. S., Zaaba, Z. F., & Singh, M. M. (2024). The rise of “security and privacy”: bibliometric analysis of computer privacy research. International Journal of Information Security, 23(2), 863-885.
• Farayola, O. A., Olorunfemi, O. L., & Shoetan, P. O. (2024). Data privacy and security in IT: a review of techniques and challenges. Computer Science & IT Research Journal, 5(3), 606-615.
