Risk Management and Mitigation of Risks

Discuss and explain some of the steps organizations take to manage and mitigate the risks associated with security: identifying threats, assessing vulnerabilities, and implementing controls.

This post was part of TyroCity discussion forum
Question asked by ganesh_shrestha

Top comments (6)

Angel Paudel

In 2014 the National Institute of Standards and Technology (NIST) released a document titled "Framework for Improving Critical Infrastructure Cybersecurity", which contained guidelines, acceptable practices and standards to manage and mitigate the risks associated with security, identify threats, assess vulnerabilities and implement controls. The five core functions NIST put forth were identify, protect, detect, respond and recover. Each of these is explained briefly in the paragraphs that follow:

Identify is key to any kind of security. Without identifying the possible threats, no solution can be devised. To fulfil this function, an organization must have a panopticon view of all its physical assets and their interlinkages, and of its digital assets and their footprint (Kerfoot, 2012). It should also have a clear idea about the user types and their roles. Once that is done, it is mostly a matter of identifying the threats: internal, external, human-related and natural.

Once the threat(s) are identified, it is important to protect against those threats by devising proper safeguards against them. The organization can run awareness programs for its staff so they know the standard protocols and what to do if they see a suspicious email, message, link or anything else that is simply not called for. Processes should be set up to protect the data and keep the system updated. The organization must have full control over both physical and digital assets, with proper policy in place to protect them.

Next is to detect the threats in the system. Under this function, the occurrence of cybersecurity events is identified. Continuous monitoring of the network and organizational structure helps anticipate cyber incidents and hunt for threats in the system. This also provides a very effective way to analyze and to prevent cyber incidents in an organization.

Even with all the protection in place, if a security breach happens anyway, the organization must respond to the incident to contain the impact. As part of this, an organization must be ready with appropriate plans for communication and workflow. After that, it should scan the system for risks and perform all the activities needed to nullify the risk, document the steps taken and the lessons learned from the incident, and put all of those into a revised response strategy (Tagarev, 2014).

Once the threat is nullified, it is time to recover the system and restore it to its original state. During a cybersecurity incident the system or service may be compromised, and some functionality may not work as it should. The organization now needs to restore all of that functionality to a working state. For this, an organization must have a proper restoration plan, whether with proper backups or with external assistance.


Kerfoot, T. (2012). Cybersecurity: Towards a Strategy for Securing Critical Infrastructure from Cyberattacks. SSRN Electronic Journal, 1-7.

Tagarev, T. (2014). Intelligence, Crime and Cybersecurity. Information & Security: An International Journal, 31, 5-6.

ncitujjwal

Threats are possible dangers that could compromise the confidentiality, integrity, availability, accessibility and accountability of a computer system or service. Threats could be malicious (Alghazzawi, 2014): they could be intentional, such as someone trying to hack the system or someone trying to damage a system, or they could be accidental threats such as natural disasters like floods or earthquakes. A threat may be external, in other words an attacker coming over the internet and trying to attack a server, or it could be an internal threat, such as an employee involved in fraudulent activity like money laundering; theft is another similar activity.

Vulnerabilities are weaknesses in a system that permit a threat to be realized, compromising the confidentiality, integrity, accessibility, accountability and availability of the system, so the threat is a potential harm to the system. First it comes to the system; the potential force could attack the system. Basically, vulnerabilities are weaknesses of the system that allow the threat to get in and materialize (Yadav & Puri, 2015). Critical vulnerabilities are flaws that can be exploited by an attacker with the correct tools or in the correct situation.

We have security controls, which basically manage and mitigate the risk associated with our system. Basically, security controls are safeguards implemented to close vulnerabilities and mitigate threats in order to protect the confidentiality, integrity, availability, accessibility and accountability of the system. Controls can be physical, procedural or technical. A very simple control is a physical control; for example, our home door lock is a physical control system. The door denies access by simply not opening for an unauthorized person. We have procedural controls, which are systematic control systems. In a bank, only the bank manager and the cashier (Khajanchhi) have authority to enter the money store room, and they may enter only when both persons are present at the same time. So it is one suitable example of a procedural control. In the information security field, or in computer security, controls can be technical. We can have systematic policies in place that prevent certain actions.

We can require data to be encrypted, so there are different controls we can implement to try to protect the system. In order to identify the controls, we need to ask ourselves what kinds of vulnerabilities there are, what types of threats exist and how we can mitigate those threats, what safeguards can be put in place to make a system less vulnerable to a threat, and what types of protective measures we take (Chou, 2013).

There is a certain trade-off in implementing controls: these controls themselves can negatively impact the system's compliance with the CIA triad. Many types of security control actually reduce the availability of the system to authorized users. For example, if I take a server that holds confidential information and I decide to protect the confidential information on the server by unplugging the server and locking it away, I have implemented a very strong security control in terms of protecting confidentiality; however, I have completely eliminated availability, and therefore I have not really accomplished information security. These types of control reduce availability too much.

The CIA triad is one of the security control mechanisms in information systems. The NIST computer security handbook defines it as: "The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data and telecommunications)". Beyond the CIA triad, we have various technologies that actually safeguard against different vulnerabilities and threats: cryptography, protocols, controls and software like firewalls, Windows Defender and antivirus systems. In cryptography the sender's password must be verified first; only then does the receiver confirm the message. So finally, those controls must safeguard the system to an acceptable level of risk while maintaining availability.

In conclusion, controls are safeguards, and these safeguards are implemented against vulnerabilities to minimize the risk and the threat, in order to protect the confidentiality, availability, accountability, integrity and accessibility of the system (Watts, 2017).

Alghazzawi, D. (2014). Information Systems Threats and Vulnerabilities. International Journal of Computer Applications, 0975-8887.

Chou, T. (2013). Security Threats on Cloud Computing Vulnerabilities. International Journal of Computer Science & Information Technology (IJCSIT), 5(3).

Watts, S. (2017). IT Security Vulnerability vs Threat vs Risk. Journal of Computer Science and Information Security.

Yadav, S., & Puri, S. (2015). Threats and Vulnerabilities of BYOD and Android. ResearchGate.

ujjwalpoudel

Some of the steps organizations take to manage and mitigate the risks associated with security, identify threats, assess vulnerabilities and implement controls are explained below:

  1. Information security encompasses the protection of important information and databases, which are the assets of the organization. These should be highly protected from misuse, disclosure, unauthorized access or destruction. Threats can come from both inside and outside the organization. The threats are always there; an organization can only mitigate them rather than aim at fully eliminating them. Careful assessment would be a solution to manage them. For instance, laws can play an important role in mitigating threats, safely securing records could be the next option, and the government has a role in securing classified documents.

  2. Criminal gangs are always there with threats that barrage servers and malicious software designed to attack computer systems. For instance, today, botnets have become one of the most significant threats to the Internet, putting machines under the control of an attacker (Grizzard, Sharma, Nunnery, Kang & Dagon, 2007). The gangs activate botnets, networks of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g. to send spam or to capture user IDs, passwords, credit card numbers, social security numbers and other sensitive information. Safe surfing habits and antivirus protection are solutions to prevent botnets.

  3. Vulnerabilities should also be examined properly in a risk assessment in order to determine how effective the existing security measures are. This could be a way of finding the security gaps and the threats. This works on a matrix with which the manager can identify the level of risk to confidentiality, company reputation, finances, system availability and operations. For instance, cloud computing could be an option to influence each risk factor by feeding a documentation mechanism/format/protocol (Grobauer, Walloschek & Stocker, 2011).

  4. Administrative security controls help in an awry situation. Here, in order to enhance information security, the security controls come through the processes, policies and plans of the organization. Employees will adhere only if strict policies are maintained. The system should also be backed up by software so that the organization can resume business at any time (Guell, 2015).


Grizzard, J. B., Sharma, V., Nunnery, C., Kang, B. B., & Dagon, D. (2007). Peer-to-Peer Botnets: Overview and Case Study. HotBots, 7, 1-1.

Grobauer, B., Walloschek, T., & Stocker, E. (2011). Understanding cloud computing vulnerabilities. IEEE Security & Privacy, 9(2), 50-57.

Guell, R. C. (2015). Issues in Economics Today (7th ed.). ISBN 978-007802181.

shantamilan

Security, when it comes to an organization, mainly deals with the valuable information that may be disclosed, misused, hacked or wiped out. Security thus involves technology, processes, people and data (Wallace, 2015). Organizations should be able to reduce this risk beforehand by setting up systems and protocols to identify threats, assess vulnerabilities and implement controls. These are discussed briefly below.

Identifying Threats

Threats in an organization can be both internal and external in nature. External threats are out of our control, such as natural calamities, war, fire, power failure, competition etc. On the other hand, internal threats are more serious in nature, as they involve individuals inside the organization who can misuse information, delete valuable data, leak confidential information, sabotage, hack etc. One leading cause of insider threats is dissatisfied employees.

One of the major damages to an organization is the leakage of confidential information. It is next to impossible to stop a disgruntled employee from passing information to outside competitors, so it is important to understand whether an employee is disgruntled in the first place and to understand the extent of the damage that can happen.

Assess Vulnerability

The first step in assessing vulnerability is to understand the types of risk that could sprout. Based on these risks, it is important to undertake a risk assessment to ascertain how well prepared the protocols are and how well they are implemented (Wallace, 2015). Protocols and policies in my organization such as the child protection policy, confidentiality policy, code of conduct etc. are some standards that have been laid out to protect the organization from internal harm in such situations. Similarly, policies for securing the organization's information need to be assessed, as there are no such policies.

Implementing Control

Protocols and policies must be refreshed and presented to staff and management alike from time to time. It is important to understand the cost of an information breach or the sabotage of information in the organization by angry employees. Mechanisms to control and limit these employees' access to sensitive and confidential information should be planned.

One of the most widely used technologies is email, so it is right to prepare control mechanisms to safeguard information sent through email. "The newly launched Internal Email Protect service can address these threats by enabling customers to detect and remediate security threats that originate from their internal email system. This could include emails from the unassuming compromised insider, the careless employee inadvertently sending files and/or a malicious employee who wants to do harm to the company." (Channel, 2017)

Another way to control a threat is to hit it before it arises. "Organizations must address at least three critical areas in order to create a healthy work environment that stimulates productivity. Companies must hire the right people, reduce excessive pressures, and help employees better cope with stress." (Kamery, 2004)

It is very important to address threats that are internal in nature, as these are more dangerous and are risks that can be mitigated. External risks are also important. Fire, earthquake, flood and competitors are some external threats that also need to be looked into, with standards maintained for such unforeseen situations.


Channel, N. O. (2017, February 13). Mimecast Combats Rise of Internal Email Threats with Industry-First Purpose-Built Cloud Security Service: 99% of Organizations Surveyed Impacted by Internal Email Threats. NASDAQ OMX's News Release Distribution Channel, New York.

Kamery, R. H. (2004). Anger, Stress, and Violence in the Workplace: Managing Employee Internal Threats. Allied Academies International Conference, Academy of Legal, Ethical and Regulatory Issues, Proceedings, 127-132.

Wallace, P. (2015). Information Systems in Action. In P. Wallace, Introduction to Information Systems (pp. 4-9). New Jersey: Pearson Education, Inc.

sachitabhattarai

Risk does not come knocking at the door; it is uncertain and sweeps away the valuable assets of the organization if not tackled well. That results in the downfall of organizational performance, sales, profit, goodwill and many other prestigious things. To avoid that, an organization adopts information security to keep the organization's information confidential and safe from any other destruction. Following are the various steps to manage and mitigate the risk associated with security: identifying threats, assessing vulnerabilities and implementing controls (Wallace, 2013).

Identifying threats

The first step for an organization is to find all the possible threats that can affect organizational performance and position. Threats arise both internally and externally. To identify threats, the organization examines the sources and events of threats, their capabilities, intentions and targeting information from all available sources (Gary Locke, 2011). Internal threats can arise from the negligence of employees, loss of employees, vendors, misuse of information, theft by office employees or workers, any kind of spam, etc., while external threats can arise from the occurrence of natural calamities like floods, landslides, volcanic eruptions, earthquakes if you are in a country like China or Nepal, hurricanes, fire, war, industrial accidents, etc. For example, hackers tried to steal money from NIC Asia Bank through the SWIFT system. If they had succeeded, the bank would have been liable for the debts of hundreds of customers, clients, shareholders, trustees, etc., and it could have affected their credibility in the market. Therefore, the use of system security can help the organization protect itself from all kinds of threats.

Examine vulnerability

The next step after identifying the threats would be examining the vulnerabilities, to find out whether the existing security the company has adopted is effective or not and to find the vulnerabilities in the systems, processes or policies of the organization that can be exploited by the threats. The organization can look at all the possibilities, such as whether any employees are ignoring malware or responding to mails sent by hackers, through which the hackers can go directly into the company's systems and leak all the confidential information. In addition, it can check whether the information system the company has adopted maintains a log of every attempt to access the system.

Protection against threats

Once the organization has examined the possible vulnerabilities, the company can evaluate controls that protect the organization against threats. The most important thing it can do is provide proper training to the staff as well as to the senior managers. As in the above example, the hackers first attacked the computer system of an employee; if the employees had been trained to handle that situation at that very moment, then the hackers would not have been able to get access to the SWIFT system. Another way is to keep all software updated, i.e. anti-virus software and operating systems; ensure that they are updated, as the updates include fixes for security vulnerabilities. Similarly, firewalls, IPS trackers, network segmentation, etc. can be used as protection.

Administrative Security Controls

This step includes the policies, processes and various plans of the organization to improve information security and to ensure that they can be used at the time of danger to recover all the information stored in the system. For example, the organization where I used to work earlier restricted employees from using USB drives, pen drives, mobile sharing and social media inside the office premises. In this way, they were trying to avoid any type of virus entering the system from outside.

Response plan

It is not certain that the security protection the company is using will save its systems from cyber-attacks or that its systems will not be hacked, so the organization should also adopt a response plan to implement at the time of crisis. "An incident response plan delineates what steps need to be taken, and by whom, when a breach or security crisis occurs in an organization" (Rapid7, 2018).

Recovery stage

At last, when all the steps have been followed by the organization, it can recover all the necessary information and the systems that were attacked by the hacker or damaged by any other source.

Gary Locke, P. D. (2011). Information Security. National Institute of Standards and Technology, 34-35.

Rapid7. (2018). Incident Response Plan. Retrieved from rapid7.com: rapid7.com/fundamentals/incident-r...

Wallace, P. (2013). Introduction to Information Systems, Second Edition. New Jersey: Pearson Education Inc.
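The post above recommends keeping a log of every access attempt and having a response plan ready. The following is an added example, not part of the original discussion, of what a detection step over such a log can look like: it scans constructed sign-in records for a burst of failures from one source (a brute-force pattern) and raises a second, higher-priority alert if that source then signs in successfully, which is the case a response plan most needs to catch. The log line format, the sample lines, the five-failure threshold and the five-minute window are all assumptions made for the example.

```python
"""Added example (not from the original post): flag brute-force sign-in
attempts, and a later success from the same source, in an access log.
The log format and all sample lines below are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format (not a real product's format):
#   "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=admin src=203.0.113.7
2024-03-01T09:00:04 FAIL user=admin src=203.0.113.7
2024-03-01T09:00:07 FAIL user=root src=203.0.113.7
2024-03-01T09:00:09 FAIL user=admin src=203.0.113.7
2024-03-01T09:00:12 FAIL user=admin src=203.0.113.7
2024-03-01T09:00:15 OK   user=admin src=203.0.113.7
2024-03-01T09:05:00 FAIL user=alice src=198.51.100.20
2024-03-01T09:30:00 OK   user=alice src=198.51.100.20
2024-03-01T10:00:00 OK   user=bob   src=192.0.2.44
"""


def parse_line(line):
    """Turn one log line into a dict; raises ValueError on a malformed line."""
    ts, result, user_field, src_field = line.split()
    if result not in ("OK", "FAIL"):
        raise ValueError(f"unexpected result field: {result!r}")
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_field.split("=", 1)[1],
        "src": src_field.split("=", 1)[1],
    }


def detect_bruteforce(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return a list of alerts, in time order.

    BRUTE_FORCE: a source reached max_failures failed attempts inside the
    sliding window. SUCCESS_AFTER_BRUTE_FORCE: a source already flagged then
    signed in successfully, i.e. the guessing may have worked.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])  # logs are not always written in order
    recent_failures = defaultdict(list)  # src -> timestamps of failures in window
    flagged = set()                      # sources that already hit the threshold
    alerts = []
    for e in events:
        src, fails = e["src"], recent_failures[e["src"]]
        # Drop failures that have aged out of the sliding window.
        while fails and e["ts"] - fails[0] > window:
            fails.pop(0)
        if not e["ok"]:
            fails.append(e["ts"])
            if len(fails) >= max_failures and src not in flagged:
                flagged.add(src)   # alert once per source, not once per attempt
                alerts.append({"type": "BRUTE_FORCE", "src": src,
                               "user": e["user"], "at": e["ts"]})
        else:
            if src in flagged:
                alerts.append({"type": "SUCCESS_AFTER_BRUTE_FORCE", "src": src,
                               "user": e["user"], "at": e["ts"]})
            fails.clear()  # a successful sign-in resets the failure streak
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"{alert['at'].isoformat()} {alert['type']:25} src={alert['src']} user={alert['user']}")
```

On the sample, 203.0.113.7 trips the threshold at its fifth failure and is flagged again when the following attempt succeeds; alice's single failure followed by a success 25 minutes later produces nothing. A flagged source stays flagged for the rest of the run, which is the conservative choice for a batch review of one day's log; a long-running monitor would add an expiry.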

dipadhungana

Information is a key asset for any organization. These days, most organizations rely on the internet and other technologies for managing business information, so they should be well aware of the issues, risks and threats associated with these systems and of the ways to manage and mitigate them (Keller, Powell, Horstmann, & Crawford, 2005). The steps an organization can take to deal with the risks associated with information security are:

Identify Applicable Threats

Threats/risks must be identified before they can be managed. A threat can be anything that could affect the confidentiality, accuracy and availability of the system or network. Threats can come from human and environmental factors (Jenkins, 1998). The possible threats to an information system consist of malware, botnets, information leakage, phishing and distributed denial of service, which may result from intentional, unintentional, natural or fabricated factors like hacking, spam, information theft, misuse of data, war, industrial accidents and natural calamities (Wallace, 2015).

Assessing Vulnerability

After the identification of threats, the level of risk is measured by assessing the interrelationship between threats and vulnerabilities. A vulnerability is a condition of weakness that allows exploitation of the system by the threats. Assessing the vulnerabilities to the identified threats helps in determining the effectiveness of the existing security system, identifying the security gaps and looking for ways to fill those gaps. A risk matrix is used to assess vulnerability. It gives an idea of which systems should be paid the most attention to prevent risks (Wallace, 2015).

Security Controls

After assessing vulnerability, administrative and technical security control measures are implemented to secure the system. Administrative security controls refer to the policies, processes and incident response plans directed towards enhancing information security. They set up the control mechanisms to avoid the potential threats posed by staff, customers, vendors and suppliers. The detailed plans to identify threats, determine the cause, preserve the evidence and recover the system are incorporated in the administrative security controls. Technical security controls are related to authentication strategies, encryption and intrusion prevention to limit data access. They aim at preventing unauthorized parties from interacting with the system, accessing business information and manipulating available data (Wallace, 2015). It is equally important to ensure that past employees, or anyone who was related to the organization, will no longer be able to access the data once they quit or leave the company.


The implemented security control measures are to be reviewed frequently to evaluate whether they are operating as expected. This will let the organization know about the updates and changes it has to incorporate in the control measures to mitigate and manage the threats.

Since major decisions are based on the available information, it is important to ensure information security. The above-mentioned steps can be followed to mitigate the threats/risks associated with an information system and make business operations efficient by utilizing the secured information properly.


Jenkins, B. D. (1998). Security Risk Analysis and Management. Countermeasures, Inc. Retrieved from nr.no/~abie/RA_by_Jenkins.pdf

Keller, S., Powell, A., Horstmann, B., & Crawford, M. (2005, March). Information Security Threats and Practices in Small Businesses. Information Systems Management, 22(2), 7-19. doi:10.1201/1078/45099.22.2.20050301/87273.2

Wallace, P. (2015). Introduction to Information Systems (2nd ed.). New Jersey: Pearson Education, Inc.
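Two of the posts above (ujjwalpoudel's item 3 and the "Assessing Vulnerability" section just above) refer to a risk matrix that rates each risk against confidentiality, company reputation, finances, system availability and operations, and use it to decide which systems need attention first. The following is an added example, not from the original discussion or from any cited source, of that matrix carried through as code: a standard 5x5 likelihood-times-impact scoring over a constructed risk register, ranked by inherent risk, with a residual score once a control is assumed to lower the likelihood. The register entries, the band thresholds and the "appetite" check are assumptions for the example; the impact areas are the ones named in the discussion.

```python
"""Added example (not part of the original discussion): a 5x5 likelihood x
impact risk matrix over a constructed risk register. Register entries, band
thresholds and the risk-appetite check are assumptions for the example."""

# Impact areas named in the discussion, each rated 1 (negligible) to 5 (severe).
IMPACT_AREAS = ("confidentiality", "reputation", "finances", "availability", "operations")

# Assumed bands for the 5x5 matrix; score = likelihood * worst impact (1..25).
BANDS = ((15, "Critical"), (10, "High"), (5, "Medium"), (1, "Low"))

# Constructed register: likelihood 1..5, impact per area 1..5. 'residual_likelihood'
# is the likelihood assumed to remain once the named control is in place.
REGISTER = [
    {"name": "Phishing of finance staff", "likelihood": 4,
     "impact": {"confidentiality": 4, "reputation": 3, "finances": 5, "availability": 2, "operations": 3},
     "control": "awareness training plus MFA on email", "residual_likelihood": 2},
    {"name": "Ransomware via unpatched server", "likelihood": 3,
     "impact": {"availability": 5, "operations": 5, "finances": 4},
     "control": "patching SLA and tested offline backups", "residual_likelihood": 2},
    {"name": "Disgruntled employee leaks customer data", "likelihood": 2,
     "impact": {"confidentiality": 5, "reputation": 4},
     "control": "access review on role change and exit", "residual_likelihood": 1},
    {"name": "Lost USB drive with unencrypted records", "likelihood": 3,
     "impact": {"confidentiality": 3, "reputation": 2},
     "control": "USB ports disabled, full-disk encryption", "residual_likelihood": 1},
    {"name": "Flood at primary data centre", "likelihood": 1,
     "impact": {"availability": 4, "operations": 4}},
]


def _check_rating(value, label):
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")
    return value


def risk_score(likelihood, impacts):
    """Likelihood (1-5) times the worst impact across the rated areas."""
    _check_rating(likelihood, "likelihood")
    if not impacts:
        raise ValueError("at least one impact area must be rated")
    unknown = set(impacts) - set(IMPACT_AREAS)
    if unknown:
        raise ValueError(f"unknown impact areas: {sorted(unknown)}")
    worst = max(_check_rating(v, area) for area, v in impacts.items())
    return likelihood * worst


def risk_band(score):
    """Map a 1..25 score onto the assumed Low/Medium/High/Critical bands."""
    for threshold, band in BANDS:
        if score >= threshold:
            return band
    raise ValueError(f"score out of range: {score}")


def prioritize(register):
    """Score every entry and sort by inherent risk (then residual), highest first."""
    rows = []
    for entry in register:
        inherent = risk_score(entry["likelihood"], entry["impact"])
        residual = risk_score(entry.get("residual_likelihood", entry["likelihood"]), entry["impact"])
        rows.append({"name": entry["name"], "control": entry.get("control", "none"),
                     "inherent": inherent, "inherent_band": risk_band(inherent),
                     "residual": residual, "residual_band": risk_band(residual)})
    return sorted(rows, key=lambda r: (r["inherent"], r["residual"]), reverse=True)


def above_appetite(rows, appetite="Medium"):
    """Names of risks whose residual band is still worse than the accepted band."""
    order = [band for _, band in BANDS]  # Critical, High, Medium, Low
    limit = order.index(appetite)
    return [r["name"] for r in rows if order.index(r["residual_band"]) < limit]


if __name__ == "__main__":
    ranked = prioritize(REGISTER)
    for r in ranked:
        print(f"{r['inherent']:>2} {r['inherent_band']:<8} -> {r['residual']:>2} {r['residual_band']:<8} {r['name']}")
    print("Still above appetite:", above_appetite(ranked))
```

Taking the worst-rated area rather than the average keeps a single severe impact (say, availability for the ransomware entry) from being diluted by areas it barely touches. The appetite check is the review step dipadhungana's post asks for: after the controls are costed in, the two entries that remain High are the ones that need another control or an explicit acceptance by management.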