Cyber Security Risk Assessment Methods

Discuss about the Cyber Security Risk Assessment Methods.

Introduction

The competition between industries has grown substantially, and they use modern technologies while performing their business functions in order to gain a competitive advantage over others. The use of the internet is common in modern enterprises because it assists them in increasing the efficiency of their operations and improving overall productivity. As per Glantz, Landine, Craig & Bass (2014), while using online-based services, corporations face the risk of cyber-attack and data breaches which resulted in causing significant financial loss to the enterprises. In order to address these issues, companies are required to invest in improving their cyber security. Cyber security is referred to the body of processes, activities and technologies which are designed in order to protect computers, networks, data and programs from damage, attack, breach and unauthorised access. Buczak & Guven (2016) provided that the role of cyber security has increased between corporations along with the risk of cyber-attacks. However, companies face a number of challenges relating to cyber security. This report will analyse the challenges faced by enterprises relating to cyber security. This report will evaluate different ways through which cyber criminals attack corporations which increases their challenges relating to cyber security. Furthermore, this report will provide recommendations for companies that can be implemented by them for improving their cyber security.

The main objective of this report is to analyse the challenges face by companies relating to their cyber security. This report will evaluate different literatures to understand the role of cyber security in organisations and analyse different ways through which cyber criminals breach the data of organisations. The goal of this report is to provide recommendations for enterprises which assist them in improving their cyber security.

This report will evaluate a number of studies to understand the challenges faced by enterprises relating to their cyber security. This report will analyse the examples of many corporations that face the challenges relating to cyber security. This report will include recommendations for companies which they can use to improve their cyber security.

Literature Review

Ben-Asher & Gonzalez (2015) provided that cyber security is referred to a set of techniques which are used by enterprises to protect the integrity and security of their data, programs and networks form damage, attack and unauthorised access. The importance of cyber security has increased between organisations as the number of cyber-attacks increased. Fielder, Panaousis, Malacaria, Hankin & Smeraldi (2016) stated that the popularity of internet in the business had created new opportunities for enterprises, and they use them to perform various activities such as communication, market research, selling and others. However, along with the use of internet in corporations, the risk of cyber-attacks has increased as well. Cyber criminals use different ways to attack enterprises to access their data and collect confidential information to gain an unfair advantage. Due to increasing number of cyber-attacks, the investment in cyber security is increasing substantially, and it is expected to reach over $96 billion in 2018 (Hopping, 2017) (Figure 1). Large organisations are able to invest heavily in improving their cyber security however small and medium enterprises avoid investing in their cyber security which resulted in increasing cyber-attacks on them. The primary challenge relating to cyber security is lack of investment. Most organisations did not take their cyber security seriously, and they did not invest properly to secure their data from cyber-attacks. Cherdantseva et al. (2016) argued that it makes the process of hacking easier for cyber criminals because it reduces the number of barriers faces by them while hacking into the system of others. It is also the main reason due to which cyber-attacks on small and medium enterprises are increasing substantially.

Another challenge with cyber security is lack of awareness among organisations. Due to digitalisation, the number of enterprises using the internet for business has increased considerably; however, the awareness regarding security issues has not spread among corporations. Many large cyber-attacks such as Yahoo data breaches in which more than three billion people were affected have raised awareness regarding cyber security issues. As per Knowles, Prince, Hutchison, Disso & Jones (2015), corporations still not take their cyber security more seriously, and they avoid taking precautionary measure to protect themselves from cyber-attacks and data breaches. According to a study conducted by the government of the United Kingdom, around 73 percent of senior managers in micro/small organisations prioritise the importance of cyber security (Figure 2). On the other hand, around 39 percent of corporations think they are too small or insignificant for cyber security. It was provided in the study that 80 percent of the cyber-attacks could be avoided if businesses put simple cyber security measure to protect their data (Grant McGregor, 2017). Due to lack of security measures, cyber-attacks on micro/small enterprises are increasing because they are an easy target for cyber criminals. Furthermore, the challenges in cyber security have increased with the popularity of smartphones and social media sites. There are over 5 billion unique smartphone users in the world and more than 3.1 billion active social media users (Figure 3). The growth in the number of these services has increased the challenges of cyber security as well. Venkatesh (2016) argued that people share their personal information and data on social media sites and due to lack of awareness they did not take appropriate security measures to protect their data. Similarly, smartphones contain personal information of its users such as private photos, videos, addresses, banking information and others and cyber criminals target them to collect personal data of users in order to blackmail them or take unfair advantage.

Although there are many organisations which are not prioritising their cyber security, however, the number of cyber-attacks and data breaches is increases irrespective of the fact that most companies are taking appropriate action to protect their privacy. As per Gordon, Loeb, Lucyshyn & Zhou (2015), cyber criminals are finding new ways to attack and breach the data of companies. For example, Ransomware is referred to malicious software which is designed for blocking access to a company system until the user pays a ransom. Keogh, Gordon & Marinovic (2018) stated that Locky is a popular Ransomware which appeared in February 2016 and it has become most distributed forms of Ransomware. Troldesh, WannaCry, NotPetya, and Bad Rabbit are some popular Ransomware which is used by cyber criminals to control the computer of corporations and individuals. In 2017, a new Locky variant Ransomware hits over 20 million attacks in one day which affected a large number of people (Forrest, 2017). The distributed denial of service (DDOS) is another form of cyber-attack which is popular among cyber criminals, and they use it to make an online service unavailable by overwhelming it with traffic from multiple sources. For example, in December 2012 and January 2013, more than 26 banks in the United States were hit with overwhelming storms of internet traffic (Goldman, 2012). The purpose of these attacks was to stop their online services and making the US economy cripple.

Along with the popularity of the internet, the era of smart appliance and devices has increased as well which are called ‘internet of things’ IoT. As per Shukla (2015), the IoT devices are connected with each other on a single network, and they share the data of their users for providing them more personalised options. However, corporations that manufacture these devices are launching new products quickly without taking appropriate actions to protect them from cyber-attacks. Abomhara (2015) argued that the lack of security in one IoT devices can be used by cyber criminals to hack into others as well, and they can collect private data of users by controlling such devices. Folk (2016) stated that based on ethical principles, these devices could be dangerous because they work by collecting private data of their users which can cause serious privacy violations in case the data gets breached. The increase in the number of smart wearables such as Apple watch, Android watch, Fitbit and others and popularity of smart house appliances such as Philips Hue, smart refrigerators, Nest Security Cameras and others increases the challenges relating to cyber security because they increase the risk cyber-attacks. Moreover, the popularity of Hacktivism is growing between enterprises as well, and Hacktivists target large organisations for political and social reasons.

As per Tanczer (2016), the Hacktivism attacks are more dangerous than cyber-attacks because the primary objective of the hacktivists is to cripple the organisation both financially and socially. Anonymous is a popular hacktivists organisation which target large organisations due to political and social reasons. For example, in 2011, the organisation attacked Sony’s website due to their lawsuit against George Hotz and specifically because the company gained access to the IP addresses of people who visited the blog of Hotz which was considered as a breach of free speech and internet freedom. Other than Hacktivism, the mobile malware creates a potential threat to organisations as the number of smartphones increases. Ambore, Richardson, Dogan, Apeh & Osselton (2017) provided that cyber criminals target the smartphones of people because it contains their private information. Mobile malware is dangerous because a large number of people using smartphones are not aware of the risk of cyber security, and they did not take appropriate actions to protect themselves from cyber-attacks. It has become easier for cyber criminals to hack into the smartphones of people by creating a fake website, sending spam emails or using third-party applications which contains viruses in them. He, Chan & Guizani (2015) stated that in case of organisations, cyber criminals could hack into the smartphones of senior-level managers to collect confidential information about the company. The threat of mobile malware has increased along with the popularity of smartphones and the internet. These are different ways which are used by cyber criminals to breach the data of organisations resulted in increasing their cyber security challenges.

In order to address these issues, corporations are required to take precautionary measures which assist them in improving their cyber security. Primarily, the companies should prioritise their cyber security requirements and increase awareness regarding the same between enterprises.  Hussein & Khalid (2016) argued that they should provide training to employees and hire IT specialists who are able to handle issues relating to cyber-attacks. The senior-level executives should also increase awareness among employees so that they take cyber security more seriously. Physical security of database and computer system is also required because insiders cause over 60 percent of the cyber-attacks (Figure 4). Security guards should check whether an employee is carrying any storage device such as pen drive or memory card, and they should not allow people to take electronic devices near the computers. As per Carr (2016), a confidential agreement should be signed by current and former employees so that they did not leak information about the company’s cyber security infrastructure to cyber criminals. Furthermore, encryption is a key to protecting data while transferring it between two devices or systems. Mao, Zhang, Chen, Li & Zhan (2016), encryption is a process of encoding data in a way that authorised parties can only access it. This way, corporations should ensure that only the authorised party that possess specific key is able to decode the information. Backup of the important data is also necessary which protects it in case of a breach. Organisations should also increase their investment in cyber security by using firewalls and antiviruses to protect their data from outside breaches. These actions protect the enterprise from cyber-attacks and data breaches by improving their cyber security.

Conclusion

To conclude, the role of internet is growing among enterprises, and they use it to maintain and sustain their competitive advantage. Along with the use of the internet, the risk of cyber-attacks and data breaches has increased as well. The companies are required to invest in improving their cyber security in order to address the threat of cyber-attacks. However, they face many challenges relating to their cyber security such as lack of awareness and inadequate investment in security software. Cyber criminals use different methods to attack their targets which increase the security challenges for enterprises such as Ransomware, DDoS attack, insider threat and others. In order to address these issues, companies can take appropriate actions to improve their security such as physically securing computer and database systems, encryption of data, training employees, use of antivirus and firewalls. These factors assist in improving the cyber security of enterprises which protects them from data breaches and cyber-attacks.

References

Abomhara, M. (2015). Cyber security and the internet of things: vulnerabilities, threats, intruders and attacks. Journal of Cyber Security and Mobility, 4(1), 65-88.

Ambore, S., Richardson, C., Dogan, H., Apeh, E., & Osselton, D. (2017). A resilient cybersecurity framework for Mobile Financial Services (MFS). Journal of Cyber Security Technology, 1-23.

Atlantic Council. (2018). Overcome by cyber risks? Economic benefits and costs of alternate cyber futures. Retrieved from http://publications.atlanticcouncil.org/cyberrisks//.

Ben-Asher, N., & Gonzalez, C. (2015). Effects of cyber security knowledge on attack detection. Computers in Human Behavior, 48, 51-61.

Buczak, A. L., & Guven, E. (2016). A survey of data mining and machine learning methods for cyber security intrusion detection. IEEE Communications Surveys & Tutorials, 18(2), 1153-1176.

Carr, M. (2016). Public–private partnerships in national cyber?security strategies. International Affairs, 92(1), 43-62.

Chaffey, D. (2018). Global social media research summary 2018. Retrieved from https://www.smartinsights.com/social-media-marketing/social-media-strategy/new-global-social-media-research/.

Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., & Stoddart, K. (2016). A review of cyber security risk assessment methods for SCADA systems. Computers & security, 56, 1-27.

Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., & Smeraldi, F. (2016). Decision support approaches for cyber security investment. Decision Support Systems, 86, 13-23.

Folk, C. W. (2016). The Internet of Things and Cybersecurity: What Does a Lawyer Need to Know. Syracuse Sci. & Tech. L. Rep., 33, 48-170.

Forrest. C. (2017). New Locky variant ransomware attack hits 20M attacks in one day. Retrieved from https://www.techrepublic.com/article/new-locky-variant-ransomware-attack-hits-20m-attacks-in-one-da.

Glantz. C.S, , Landine. G.P, , Craig. P.A, & Bass. R.B, (2014). Lessons Learned in Over a Decade of Technical Support for US Nuclear Cyber Security Programmes. International Conference on Nuclear Security: Enhancing Global Efforts.

Goldman, D. (2012). Major banks hit with biggest cyberattacks in history. Retrieved from http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/index.html.

Gordon, L. A., Loeb, M. P., Lucyshyn, W., & Zhou, L. (2015). Externalities and the magnitude of cyber security underinvestment by private sector firms: a modification of the Gordon-Loeb model. Journal of Information Security, 6(1), 24.

Grant McGregor. (2017). You’re Not Too Small to Be a Victim: The Obvious IT Security Fails Small Businesses Can Avoid. Retrieved from https://www.grantmcgregor.co.uk/2017/youre-not-too-small-to-be-a-victim-the-obvious-it-security-fails-small-businesses-can-avoid/.

He, D., Chan, S., & Guizani, M. (2015). Mobile application security: malware threats and defenses. IEEE Wireless Communications, 22(1), 138-144.

Hopping. C. (2017). Cyber security spending will hit $96bn in 2018. Retrieved from http://www.itpro.co.uk/cyber-security/30122/cyber-security-spending-will-hit-96bn-in-2018.

Hussein, N. H., & Khalid, A. (2016). A survey of Cloud Computing Security challenges and solutions. International Journal of Computer Science and Information Security, 14(1), 52.

Keogh, K., Gordon, C., & Marinovic, P. (2018). Cyber security: Global developments in cyber security law: is Australia keeping pace?. LSJ: Law Society of NSW Journal, (42), 82.

Knowles, W., Prince, D., Hutchison, D., Disso, J. F. P., & Jones, K. (2015). A survey of cyber security management in industrial control systems. International journal of critical infrastructure protection, 9, 52-80.

Live Safe. (2017). Using your employees to prevent insider cyber threats. Retrieved from https://www.livesafemobile.com/safetalk/prevent-insider-threats/.

Mao, Y., Zhang, Y., Chen, M. R., Li, Y., & Zhan, Y. (2016). Efficient attribute-based encryption schemes for secure communications in cyber defense. Intelligent Automation & Soft Computing, 22(3), 397-403.

Shukla, S. K. (2015). Big Data, Internet of Things, Cybersecurity—A New Trinity of Embedded Systems Research. ACM Transactions on Embedded Computing Systems (TECS), 14(4), 61.

Tanczer, L. M. (2016). Hacktivism and the male-only stereotype. new media & society, 18(8), 1599-1615.

Venkatesh, A. (2016). Social Media, Digital Self, and Privacy: A Socio-Analytical Perspective of the Consumer as the Digital Avatar. Journal of the Association for Consumer Research, 1(3), 378-391.