The paper "Comparison and Contrast between a Security Threat Assessment and a Security Risk Assessment" is an excellent example of a literature review on information technology. For many people, risk and threat are two similar concepts and are used interchangeably. This is not a correct assumption: in the security industry, risk and threat do not mean the same thing. So what is the difference between risk and threat? Langham (2013, para. 2) notes that even among professionals, risk is mistaken for threat and vice versa. Nonetheless, these two concepts should not be confused with one another.
There is a need to distinguish between risk and threat; hence, it is important to conduct an extensive literature review on the topics. A literature review is a critical exercise because it is an opportunity to improve one's knowledge of the topic (Brocke et al., 2009). The information gathered is helpful in identifying the differences between risks and threats. The similarities and differences between risk management and security management are one of the topical areas covered in this paper. The objective of the discussion is to highlight the reasons for conducting a risk or security threat assessment.
This is one of the approaches undertaken to better understand why a risk is not the same as a threat. The last section explores how the risk and security threat assessments inform decision-making. Security experts and risk analysts constantly have to make decisions with respect to a perceived threat or risk. Such a critical function cannot be performed without the correct know-how and skills. The right intelligence, assumptions, and factors must inform decisions. Therefore, the objective of this section will be to explore how the different assessment tests, models, and frameworks contribute to the final decision.

Literature Review

The impact of threats and risks on organizations has made risk and security management a multi-disciplinary subject.
Ahlan and Arshad (2014) suggest that this subject can be applied to every field. Moteff (2005) points out that risk and threat management has become an important aspect of business and government activities. Over time, governments and organizations have developed comprehensive management processes to help them mitigate losses or avoid damages. Descriptive research by Ophoff et al. (2014) reveals that businesses face multiple information threats and that, traditionally, most information system experts focused more on external threats than on insider threats. According to Sumner (2009), it is important to manage both risks and threats because of their criticality and cost implications. In most of the literature reviewed, there is unanimous acknowledgement that because risk and threat are used interchangeably, most companies and individuals do not distinguish between the two. According to the Threat Analysis Group (2010, para. 2), this confusion can be resolved if people understand the different definitions of the terms used in the industry.
To begin with, a risk is a potential loss due to estimated, perceived, or real threats (Williams, 2008). Borghesi, Gaudenzi, and Borghesi (2013) define risk as an occurrence or activity that threatens to compromise assets, while Li et al. (2011) note that risk is the probability that an event or activity will negatively or positively influence an objective.
Ahlan, A. R., & Arshad, Y. (2014). Information technology risk management: The case of the International Islamic University Malaysia. Journal of Research and Innovation in Information Systems, 6(2), 58-66.
Australian Standards. (2009). Australian Standard ISO31000:2006 Risk Management. Sydney: Author.
Borghesi, A., Gaudenzi, B., & Borghesi, A. (2013). Risk management: How to assess, transfer, and communicate critical risks. Milan: Springer.
Brocke, J. V., Simons, A., Niehaves, B., Niehaves, B., Reimer, K., Plattfaut, R., & Cleven, A. (2009). Reconstructing the giant: on the importance of rigor in documenting the literature search process. Retrieved from http://my.uni.li/i3v/publikationen/00065700/04046767.PDF
Broder, J. F. (2006). Risk analysis and the security survey. Amsterdam: Butterworth-Heinemann.
Burgess, A. G., Ressler, R. K., Douglas, J., & Burgess, A. W. (2013). Crime classification manual: A standard system for investigating and classifying violent crime. Hoboken, N.J: Wiley.
Cox Jr., L. A. T. (2008). Some limitations of "Risk = Threat × Vulnerability × Consequence" for risk analysis of terrorist attacks. Risk Analysis, 28(6), 1749-1761.
Denardo, E.V. (2002). The science of decision making: A problem-based approach using Excel. John Wiley & Sons, Inc.
Dworken, J. T. (2008). Threat assessment training module for NGOs operating in conflict zones and high-crime areas. Office of Foreign Disaster Assistance/InterAction PVO Security Task Force. n.p.
Ezell, B. C., Bennett, S. P., Von Winterfeldt, D., Sokolowski, J., & Collins, A. J. (2010). Probabilistic risk analysis and terrorism risk. Risk Analysis, 30(4), 575-589.
Fischer, R. J., Halibozek, E. P., & Walters, D. (2013). Introduction to security. Waltham, MA: Butterworth-Heinemann.
Jackson, B. A., & Frelinger, D. (2009). Emerging threats and security planning: How should we decide what hypothetical threats to worry about? Santa Monica, CA: RAND.
Koller, G. R. (2005). Risk assessment and decision making in business and industry: A practical guide. Boca Raton, FL: Chapman & Hall/CRC.
Landoll, D. J. (2006). The security risk assessment handbook: A complete guide for performing security risk assessments. Boca Raton, FL: Auerbach Publications.
Langham, G. (2013, February 20). Threat v's Risk. Retrieved from http://intelmsl.com/insights/other/threat-vs-risk/
Li, Z., Ma, Y., Wang, L., Lei, J., & Ma, J. (2011). A novel real-time aggregation method on network security events. Kybernetes, 40(5), 912-920.
McEntire, D., Crocker, C. G., & Peters, E. (2010). Addressing vulnerability through an integrated approach. International Journal of Disaster Resilience in the Built Environment, 1(1), 50-64.
Moteff, J. D. (2005). Risk management and critical infrastructure protection: Assessing, integrating, and managing threats, vulnerabilities, and consequences. Washington, D.C.: Congressional Research Service, Library of Congress.
Ophoff, J., Jensen, A., Sanderson-Smith, J., Porter, M., & Johnston, K. (2014). A descriptive literature review and classification of insider threat research. Proceedings of Informing Science & IT Education Conference (InSITE) 2014.
O'Toole, M. E., & National Center for the Analysis of Violent Crime (U.S.). (2006). The school shooter: A threat assessment perspective. Quantico, Va: FBI Academy.
Peltier, T. R. (2005). Information security risk analysis. Boca Raton: Auerbach Publications.
Smith, C. L., & Brooks, D. J. (2013). Security Science: The Theory and Practice of Security. Waltham, MA: Elsevier.
Sumner, M. (2009). Information security threats: a comparative analysis of impact, probability, and preparedness. Information Systems Management, 26(1), 2-12.
Talbot, J., & Jakeman, M. (2009). Security risk management: Body of knowledge (2nd ed.). Hoboken, NJ: John Wiley & Sons, Inc.
Threat Analysis Group, LLC. (2010, May 3). Threat, vulnerability, risk: Commonly mixed up terms. Retrieved from http://www.threatanalysis.com/blog/?p=43
Umeh, J. C., & British Computer Society. (2007). The world beyond digital rights management. Swindon: British Computer Society.
Vellani, K. H. (2007). Strategic security management: A risk assessment guide for decision-makers. Burlington, MA: Butterworth-Heinemann.
Vose, D. (2008). Risk analysis: a quantitative guide. John Wiley & Sons.
Williams, M. J. (2008). NATO, security, and risk management: From Kosovo to Kandahar. Contemporary Security Studies. New York: Routledge.
Workman, M., Bommer, W. H., & Straub, D. (2008). Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24(6), 2799-2816.