Cyber Security I Unit

Uploaded by

Prince Singh
Cyber Security

*Information System:- A combination of hardware, software, infrastructure and trained
personnel organized to facilitate planning, control, coordination, and decision making in
an organization.

*Information System:- An integrated set of components for collecting, storing, and
processing data and for delivering information, knowledge, and digital products. Business
firms and other organizations rely on information systems to carry out and manage their
operations, interact with their customers and suppliers, and compete in the marketplace.

An information system is not simply about computers; it is about how a business can make the best use
of computer technology to provide the information needed to achieve its goals. In the same
way as your own needs and priorities are unique to you, each organization has different goals
and requirements, and the successful implementation of an IS requires a thorough understanding of
the business issues involved, as well as of the different technologies that are available.

History of Information systems:

Year: 1970s
Main Activities:
*Mainframe computers were used.
*Data was centralized.
*Systems were tied to a few business functions: payroll, inventory, billing etc.
*Main focus was to automate existing processes.
Skills Required: Programming in COBOL

Year: 1980s
Main Activities:
*PCs and LANs are installed.
*Departments set up their own computer systems.
*End-user computing with word processors and spreadsheets makes departments less dependent on
the IT department.
*Main focus is automating existing processes.
Skills Required: PC support, basic networking
A.K.Maurya Page 1

Year: 1990s
Main Activities:
*Wide area networks (WANs) become corporate standards.
*Senior management looks for system integration and data integration. No more stand-alone systems.
*Main focus is central control and corporate learning.
Skills Required: Network support, systems integration, database administration

Year: 2000s
Main Activities:
*Wide area networks expand via the internet to include global enterprises and business partners
(supply chain and distribution).
*Senior management looks for data sharing across systems.
*Main focus is on efficiency and speed in inventory, manufacturing and distribution.
Skills Required: Network support, systems integration

Need of Information System:- Computers are essential today. Information is the
lifeblood of any organization. Damaged or lost data can cause disruptions in normal
business activities, leading to financial losses, lawsuits etc. Information systems,
comprising hardware, software, data, applications, communication and people, help an
organization to better manage and secure its critical corporate, customer and employee
data. Information systems also improve integration and work processes; the benefits go
on and on.

Therefore we need systems that can organize and serve information when people or
organizations around the world request it.

Importance of Information Systems:- Businesses make use of information systems
so that accurate and up-to-date information will be available when it is required. Since it
is not always possible to predict what information will be needed at some future date,
most organizations use computers to record and store the details of all their business
transactions. When a query arises or a standard business report must be produced, this raw
data can be retrieved and manipulated to produce the required information.

*A business is an organizational system where economic resources (people, money,
material, machines, land, facilities etc.) (input) are transformed by various
organizational processes (processing) into goods and services (output). Information
systems provide information (feedback) on the operation of the system to
management for the direction and maintenance of the system (control).

*An information system can also be considered a semi-formal language which
supports human decision making and action.

There are five main reasons or objectives why businesses use information systems:-

1. Operational excellence:- Businesses improve the efficiency of their operations in
order to achieve higher profitability. Information systems are important tools
available to managers for achieving higher levels of efficiency and productivity in
business operations.
2. New products, services, and business models:- Information systems are a major
tool for firms to create new products and services, and also entirely new
business models. A business model describes how a company produces, delivers
and sells a product or service to create wealth.
3. Customer/supplier intimacy:- When a business serves its customers well, the
customers generally respond by returning and purchasing more. This raises revenue
and profits.
4. Improved decision making:- Many managers operate in an information fog,
never having the right information at the right time to make a better decision.
These poor outcomes raise costs and lose customers. Information systems make it
possible for managers to use real-time data from the marketplace when making
decisions.


5. Competitive advantage:- When organizations achieve one or more of these business
objectives (operational excellence, new products, services and business models,
improved decision making etc.), chances are they have already achieved a
competitive advantage. Doing things better than your competitors, charging less for
superior products, and responding to customers and suppliers in real time all add
up to higher sales and higher profits.

Basics of Information System:- An information system depends on the resources of
people, hardware, software, procedures, data and networks to perform input,
processing, output, storage and control activities that convert data resources into
information products.

Data:- Data are facts that are used by programs to produce useful information. Like programs,
data are generally stored in machine-readable form on disk or tape until the computer needs
them.


Hardware:- A computer and its peripheral equipment: input, output and storage devices;
hardware also includes data communication equipment.

Software:- Sets of instructions that tell the computer how to take data in, how to process it, how
to display information, and how to store data and information.

People:- Information systems professionals and users who analyze organizational information
needs, design and construct information systems, write computer programs, operate the
hardware, and maintain software.

Procedures:- Rules for achieving optimal and secure operations in data processing; procedures
include priorities in dispensing software applications and security measures.

Networks:- The networking and communications infrastructure has recently been considered to
be a separate component of information systems. A network is a set of devices (often referred to
as nodes) connected by media links. A node can be a computer, printer or any other device
capable of sending and/or receiving data generated by other nodes on the network.

Development of Information System

Information system development is a set of activities, methods, best practices, deliverables
and automated tools that an organization uses to develop and continuously improve
information systems and their related software.

There are four steps which can be used to develop an information system. These are:

1. Define and understand the problems

The purpose of the first step is to find the scope of the problem and determine solutions. This
phase also considers resources, time, cost, and other items among the requirements of
the information system.

2. Develop alternative solutions

The purpose of this step is to find a path to the solution determined by system analysis. In this
phase some solutions require modification of the existing system, some solutions do not require
an information system, and some solutions require a new system.

3. Evaluate and choose the best solution


The purpose of the third step is to evaluate the financial, technical and organizational
feasibility of each solution. It measures the time and cost to design an information system. It evaluates
the business value of a system and finds the best solution for developing an information system.

4. Implement the solution

The purpose of the last step is to create the detailed design specification for an information
system. This phase provides complete implementations for:

o Hardware selection and acquisition
o Software development and programming
o Testing, such as unit, system and acceptance testing
o Training and documentation (online practice, step-by-step instructions)
o Conversion, i.e., changing from the old to the new system
o Production and maintenance (review, objectives, modification)

TYPES OF INFORMATION SYSTEMS:- An information system is a collection of
hardware, software, data, people and procedures that are designed to generate information that
supports the day-to-day, short-range, and long-range activities of users in an organization.
Information systems generally are classified into four categories: transaction processing
systems, management information systems, decision support systems, and executive information
systems. The following sections present each of these information systems.

1. Transaction Processing Systems (TPS)
2. Management Information Systems (MIS)
3. Decision Support Systems (DSS)
4. Executive Information Systems (EIS)


1. Transaction Processing Systems (TPS):- A transaction processing system (TPS) is an
information system that captures and processes data generated during an organization’s day-to-day
transactions. A transaction is a business activity such as a deposit, payment, order or
reservation.

Clerical staff typically perform the activities associated with transaction processing, which
include the following:

1. Recording a business activity such as a student’s registration, a customer’s order, an employee’s
timecard or a client’s payment.
2. Confirming an action or triggering a response, such as printing a student’s schedule, sending a
thank-you note to a customer, generating an employee’s paycheck or issuing a receipt to a client.
3. Maintaining data, which involves adding new data, changing existing data, or removing
unwanted data.

Transaction processing systems were among the first computerized systems developed to process
business data, a function originally called data processing. Usually, the TPS computerized an
existing manual system to allow for faster processing, reduced clerical costs and improved
customer service.

2. Management Information Systems (MIS):- A management information system, or MIS, is
an information system that generates accurate, timely and organized information so managers
and other users can make decisions, solve problems, supervise activities, and track progress.
Because it generates reports on a regular basis, a management information system is sometimes
called a management reporting system (MRS).

An MIS generates three basic types of information: detailed, summary and exception. Detailed
information typically confirms transaction processing activities. A Detailed Order Report is an
example of a detailed report. Summary information consolidates data into a format that an
individual can review quickly and easily. To help synopsize information, a summary report
typically contains totals, tables, or graphs. An Inventory Summary Report is an example of a
summary report.

3. Decision Support Systems (DSS):- Tactical management occupies the next level in the
organizational hierarchy. These managers are responsible for ensuring that plans and targets set
by senior management are achieved. They tend to focus not on the progress of individual
transactions but on the bigger picture, for example the relative sales performance of different
sales areas in the organization. To achieve this they need to receive regular reports from the MIS
with summary totals and comparisons between prior months and years or planned activity levels.

A decision support system can be seen as a knowledge-based system, used by senior managers,
which facilitates the creation of knowledge and allows its integration into the organization. These
systems are often used to analyze existing structured information and allow managers to project
the potential effects of their decisions into the future.

4. Executive Information Systems (EIS):- The highest level in the organizational structure is
that of strategic management, and once again its information requirements are unique. These
managers are charged with the task of setting the strategy for the organization. They require an
information system that will enable them to identify problems, opportunities and trends that may
enhance or threaten their.


A special type of DSS, called an executive information system (EIS), is designed to support the
information needs of executive management. Information in an EIS is presented in charts and tables that
show trends, ratios, and other managerial statistics.

To store all the necessary decision-making data, DSSs or EISs often use extremely large
databases, called data warehouses. A data warehouse stores and manages the data required to
analyze historical and current business circumstances.

Threats to Information System:-

Information system threats can be many, like software attacks, theft of intellectual property,
identity theft, theft of equipment or information, sabotage, and information extortion.

A threat can be anything that can take advantage of a vulnerability to breach security and
negatively alter, erase or harm an object or objects of interest.

Software attacks means attacks by viruses, worms, Trojan horses etc. Many users believe that
malware, viruses, worms and bots are all the same thing. They are not the same; the only similarity is
that they are all malicious software, and each behaves differently.

Malware is a combination of two terms, malicious and software. So malware basically means
malicious software: intrusive program code or anything else that is designed to
perform malicious operations on a system. Malware can be classified in two ways:
1. By infection method
2. By malware action

Malware on the basis of infection method is as follows:
1. Virus – Viruses have the ability to replicate themselves by hooking themselves to programs or
files on the host computer, like songs, videos etc., and then they travel all over the Internet. The
Creeper virus was first detected on ARPANET. Examples include file viruses, macro viruses,
boot sector viruses, stealth viruses etc.
2. Worms – Worms are also self-replicating in nature, but they don’t hook themselves to a
program on the host computer. The biggest difference between viruses and worms is that worms are
network-aware. They can easily travel from one computer to another if a network is available,
and on the target machine they will not do much harm; they will, for example, consume hard
disk space, thus slowing down the computer.


3. Trojan – The concept of a Trojan is completely different from viruses and worms. The
name Trojan derives from the ‘Trojan Horse’ tale in Greek mythology, which explains how
the Greeks were able to enter the fortified city of Troy by hiding their soldiers in a big
wooden horse given to the Trojans as a gift. The Trojans were very fond of horses and
trusted the gift blindly. In the night, the soldiers emerged and attacked the city from the
inside.

Their purpose is to conceal themselves inside software that seems legitimate, and when
that software is executed they do their task of stealing information or whatever other
purpose they were designed for.
They often provide a backdoor gateway for malicious programs or malevolent users to enter
your system and steal your valuable data without your knowledge and permission.
Examples include FTP Trojans, proxy Trojans, remote access Trojans etc.

Malware on the basis of action:
1. Adware – Adware is not exactly malicious, but it does breach the privacy of users. It
displays ads on the computer’s desktop or inside individual programs. It comes attached with
free-to-use software and is thus the main source of revenue for such developers. It monitors your
interests and displays relevant ads. An attacker can embed malicious code inside the
software, and adware can monitor your system activities and can even compromise your
machine.
2. Spyware – Spyware is a program, or we can say software, that monitors your activities on a
computer and reveals the collected information to an interested party. Spyware is generally
dropped by Trojans, viruses or worms. Once dropped it installs itself and sits
silently to avoid detection.
One of the most common examples of spyware is the keylogger. The basic job of a
keylogger is to record user keystrokes with timestamps, thus capturing interesting
information like usernames, passwords, credit card details etc.
3. Ransomware – Ransomware is a type of malware that will either encrypt your files or lock your
computer, making it inaccessible either partially or wholly. Then a screen will be displayed
asking for money, i.e. a ransom, in exchange.


4. Scareware – Scareware masquerades as a tool to help fix your system, but when the software is
executed it will infect your system or completely destroy it. The software will display a
message to frighten you and force you to take some action, like paying them to fix your system.
5. Rootkits – Rootkits are designed to gain root access, or we can say administrative privileges, on the
user’s system. Once root access is gained, the attacker can do anything, from stealing
private files to stealing private data.
6. Zombies – Zombies work similarly to spyware. The infection mechanism is the same, but they don’t spy
and steal information; rather they wait for commands from the hackers.

• Theft of intellectual property means violation of intellectual property rights like
copyrights, patents etc.
• Identity theft means impersonating someone else to obtain that person’s personal information or to
access vital information they have, for example accessing the computer or social media account of a
person by logging into the account using their login credentials.
• Theft of equipment and information is increasing these days due to the mobile nature of
devices and their increasing information capacity.
• Sabotage means destroying a company’s website to cause a loss of confidence on the part of its
customers.
• Information extortion means theft of a company’s property or information to receive payment in
exchange. For example, ransomware may lock a victim’s files, making them inaccessible, thus forcing the
victim to make a payment in exchange. Only after payment will the victim’s files be unlocked.

Information Security

Information Security: The protection of information and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure
confidentiality, integrity, and availability.

The term Information System is defined by 44 U.S.C., Sec. 3502 as “a discrete set of
information resources organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information.”

Information: (1) Facts or ideas, which can be represented (encoded) as various forms of data;
(2) Knowledge (e.g., data, instructions) in any medium or form that can be communicated between
system entities.

Security:- In general, security is “the quality or state of being secure—to be free from danger.”

The Committee on National Security Systems (CNSS) defines information security as the
protection of information and its critical elements, including the systems and hardware that use,
store, and transmit that information. Figure 1 shows that information security includes the broad
areas of information security management, computer and data security, and network security.
The CNSS model of information security evolved from a concept developed by the computer
security industry called the C.I.A. triangle. The C.I.A. triangle has been the industry standard for
computer security since the development of the mainframe. It is based on the three
characteristics of information that give it value to organizations: confidentiality, integrity, and
availability.

Components of Information Security

Information security programs are built around three objectives, commonly known as CIA:
Confidentiality, Integrity, and Availability.


1. Confidentiality – The protection of data from unauthorized disclosure. For example, say I
have a password for my Gmail account, but someone saw it while I was logging
into my Gmail account. In that case my password has been compromised and confidentiality
has been breached.
2. Integrity – Guarding against improper information modification or destruction, including
ensuring information non-repudiation and authenticity. A loss of integrity is the
unauthorized modification or destruction of information.
3. Availability – Data is accessible to authorized users whenever needed: ensuring timely
and reliable access to and use of information. A loss of availability is the disruption of
access to or use of information or an information system.
A denial of service attack is one of the factors that can hamper the availability of information.

Although the use of the CIA triad to define security objectives is well established, some in the
security field feel that additional concepts are needed to present a complete picture. Three of the
most commonly mentioned are as follows:

• Non-repudiation – means one party cannot deny receiving a message or a transaction, nor
can the other party deny sending a message or a transaction. For example, in cryptography it
is sufficient to show that the message matches the digital signature signed with the sender’s private
key: then the sender could have sent the message and nobody else could have altered it in
transit. Data integrity and authenticity are prerequisites for non-repudiation.
• Authenticity – means verifying that users are who they say they are and that each input
arriving at the destination is from a trusted source. This principle, if followed, guarantees that a
valid and genuine message is received from a trusted source through a valid transmission. For
example, the sender sends the message along with a digital signature which was generated using
the hash value of the message and the private key. At the receiver side this digital signature is
decrypted using the public key, yielding a hash value, and the message is hashed again to
generate a hash value. If the two values match then it is known as a valid transmission with
an authentic, or we say genuine, message received at the recipient side.
• Accountability – The security goal that generates the requirement for actions of an entity
to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault
isolation, intrusion detection and prevention, and after-action recovery and legal action.
Systems must keep records of their activities to permit later forensic analysis to trace
security breaches or to aid in transaction disputes.
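As an added example (not part of these notes), the authenticity check described above carried out with a toy RSA key pair: the sender signs the SHA-256 hash of the message with the private key, and the receiver recovers that hash with the public key and compares it with a fresh hash of the received message. The primes, key and sample message are constructed for illustration only and are far too small for real use.

```python
import hashlib

# Toy RSA key pair, constructed for this example. The primes are tiny
# compared with real keys; they only show the mechanics the notes describe.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def message_hash(message: bytes, n: int) -> int:
    """Hash the message with SHA-256 and reduce it into the signing range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender: hash the message and 'encrypt' the hash with the private key."""
    n, d = private_key
    return pow(message_hash(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: 'decrypt' the signature with the public key to recover the
    sender's hash, hash the received message again, and compare the two."""
    n, e = public_key
    recovered_hash = pow(signature, e, n)
    return recovered_hash == message_hash(message, n)


def demo() -> dict:
    """Run the three cases a receiver must distinguish (constructed messages)."""
    msg = b"Transfer 500 to account 12345"
    sig = sign(msg, PRIVATE_KEY)
    return {
        # genuine message, genuine signature: the two hashes match
        "genuine": verify(msg, sig, PUBLIC_KEY),
        # message altered in transit: recomputed hash no longer matches
        "tampered": verify(b"Transfer 5000 to account 12345", sig, PUBLIC_KEY),
        # signature not produced with the private key: recovered hash is garbage
        "forged": verify(msg, (sig + 1) % N, PUBLIC_KEY),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid transmission' if ok else 'rejected'}")
```

Only the holder of the private key can produce a signature that passes `verify`, which is what lets the receiver hold the sender to the message (non-repudiation) as well as confirm authenticity.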
At the core of information security is information assurance, which means the act of
maintaining the CIA of information, ensuring that information is not compromised in any way when
critical issues arise. These issues include, but are not limited to, natural disasters, computer/server
malfunctions etc.

Thus, the field of information security has grown and evolved significantly in recent years. It
offers many areas for specialization, including securing networks and allied infrastructure,
securing applications and databases, security testing, information systems auditing, business
continuity planning etc.

Information assurance (IA)

Information assurance (IA) is the practice of assuring information and managing risks related
to the use, processing, storage, and transmission of information or data and the systems and
processes used for those purposes. Information assurance includes protection of the integrity,
availability, authenticity, non-repudiation and confidentiality of user data.[1] It uses physical,
technical, and administrative controls to accomplish these tasks. While focused predominantly
on information in digital form, the full range of IA encompasses not only digital, but also analog
or physical form. These protections apply to data in transit, in both physical and electronic forms,
as well as data at rest in various types of physical and electronic storage facilities. IA is best
thought of as a superset of information security (i.e. an umbrella term), and as the business outcome
of information risk management.


“Information assurance measures that protect and defend information and information systems
by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.
These measures include providing for restoration of information systems by incorporating
protection, detection, and reaction capabilities.”

Process:-

The information assurance process typically begins with the enumeration and classification of
the information assets to be protected. Next, the IA practitioner will perform a risk
assessment for those assets. Vulnerabilities in the information assets are determined in order to
enumerate the threats capable of exploiting the assets. The assessment then considers both the
probability and impact of a threat exploiting a vulnerability in an asset, with impact usually
measured in terms of cost to the asset's stakeholders. The sum of the products of the threats'
impact and the probability of their occurring is the total risk to the information asset.

With the risk assessment complete, the IA practitioner then develops a risk management plan.
This plan proposes countermeasures that involve mitigating, eliminating, accepting, or
transferring the risks, and considers prevention, detection, and response to threats. A framework
published by a standards organization, such as NIST RMF, Risk IT, COBIT, PCI DSS or ISO/IEC
27002, may guide development. Countermeasures may include technical tools such
as firewalls and anti-virus software, policies and procedures requiring such controls as regular
backups and configuration hardening, employee training in security awareness, or organizing
personnel into a dedicated computer emergency response team (CERT) or computer security
incident response team (CSIRT). The cost and benefit of each countermeasure is carefully
considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but
to manage them in the most cost-effective way.

After the risk management plan is implemented, it is tested and evaluated, often by means of
formal audits. The IA process is an iterative one, in that the risk assessment and risk management
plan are meant to be periodically revised and improved based on data gathered about their
completeness and effectiveness.
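As an added worked example (not from these notes), the risk arithmetic of the process above in Python: each threat's probability times its impact is summed to give the asset's total risk, and each candidate countermeasure is judged by the risk it removes against its own cost, which is how the text says the practitioner decides what to manage rather than eliminate. The asset, threats, probabilities, impacts and control costs are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class Threat:
    """One threat to an information asset, as scored in the risk assessment."""
    name: str
    probability: float  # chance it exploits a vulnerability in a year (0..1)
    impact: float       # cost to the asset's stakeholders if it does


@dataclass
class Countermeasure:
    """A proposed control and the (probability, impact) it leaves per threat."""
    name: str
    annual_cost: float
    effect: dict = field(default_factory=dict)  # threat name -> (prob, impact)


def total_risk(threats):
    """Sum of impact x probability over all threats: the asset's total risk."""
    return sum(t.probability * t.impact for t in threats)


def apply_countermeasure(threats, control):
    """Return the threat list as it would look with the control in place.
    Threats the control does not address keep their original scores."""
    adjusted = []
    for t in threats:
        prob, impact = control.effect.get(t.name, (t.probability, t.impact))
        adjusted.append(Threat(t.name, prob, impact))
    return adjusted


def evaluate(threats, control):
    """Cost/benefit of one control: the benefit is the risk it removes."""
    before = total_risk(threats)
    after = total_risk(apply_countermeasure(threats, control))
    benefit = before - after
    return {
        "control": control.name,
        "risk_before": before,
        "risk_after": after,
        "net_benefit": benefit - control.annual_cost,
        "worthwhile": benefit > control.annual_cost,
    }


def rank_countermeasures(threats, controls):
    """Order candidate controls by net benefit, best first."""
    return sorted((evaluate(threats, c) for c in controls),
                  key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample assessment for a single asset (a customer database).
CUSTOMER_DB_THREATS = [
    Threat("ransomware", 0.10, 200_000),
    Threat("insider disclosure", 0.05, 100_000),
    Threat("hardware failure", 0.20, 30_000),
]

# Constructed candidate controls: backups shrink the impact of two threats;
# a DLP suite lowers the probability of one but costs more than it saves.
CANDIDATE_CONTROLS = [
    Countermeasure("offline backups", 8_000,
                   {"ransomware": (0.10, 40_000),
                    "hardware failure": (0.20, 5_000)}),
    Countermeasure("data loss prevention suite", 15_000,
                   {"insider disclosure": (0.01, 100_000)}),
]

if __name__ == "__main__":
    print(f"total risk to asset: {total_risk(CUSTOMER_DB_THREATS):,.0f}")
    for result in rank_countermeasures(CUSTOMER_DB_THREATS, CANDIDATE_CONTROLS):
        print(result)
```

With these sample numbers the total risk is 31,000; backups remove 21,000 of it for 8,000 a year and are adopted, while the DLP suite removes only 4,000 for 15,000 and the residual insider risk is accepted instead.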


Information assurance vs Information security

How They Are Similar

In many regards, information assurance can be described as an offshoot of information security,
as both fields involve safeguarding digitally stored information. At a deeper level, professionals
in both fields use physical, technical, and administrative means to achieve their objectives.

For instance, information assurance and information security professionals both seek the most
secure physical data infrastructure possible to protect an organization’s information. They both
leverage advanced technical safeguards, such as cutting-edge firewalls. An assessment of
information assurance vs. information security also reveals a similarity in the threats they face.
Both fields are concerned with privacy issues and fraud, malicious hackers, and the strategic
defense and recovery of information systems before and after catastrophic events.

Core Function Differences

Information assurance is a broader discipline that combines information security with the
business aspects of information management. Information assurance work typically involves
implementing organization-wide standards that aim to minimize the risk of a company being
harmed by cyber threats. To achieve this, an information assurance team may do something like
overhauling login authentication systems or performing routine backups of important company
data. Thus, information assurance professionals are more concerned with addressing the overall
risk to an organization’s information, rather than dealing with individual, exterior threats.

Information security is a more hands-on discipline. It prioritizes developing tools, technologies,
and other countermeasures that can be used to protect information, especially from exterior
threats. The subtle difference between the two fields means earning a degree featuring both
disciplines can offer students a well-rounded skill set, which can potentially help graduates
qualify for senior positions in the information security and assurance industries.


Cyber Security

Cyber security consists of technologies, processes and controls designed to protect systems,
networks, programs, devices and data from cyber attacks. Effective cyber security reduces the
risk of cyber attacks and protects against the unauthorized exploitation of systems, networks, and
technologies.

We can also define cybersecurity as the set of principles and practices designed to protect our
computing resources and online information against threats. Because modern industry depends heavily on
computers that store and transmit an abundance of confidential and essential information about
people, cybersecurity is a critical function and a needed insurance for many businesses.

Cyber security is also associated with the technical term information security, which is
explained in federal law as protecting information and information systems from illegal access,
use, disclosure, disruption, modification, or damage in order to provide integrity, confidentiality
and availability.

Why is cybersecurity important?

We live in a digital era which understands that our private information is more vulnerable than
ever before. We all live in a world which is networked together, from internet banking to
government infrastructure, where data is stored on computers and other devices. A portion of that
data can be sensitive information, whether that be intellectual property, financial data, personal
information, or other types of data for which unauthorized access or exposure could have
negative consequences.

Cyber-attacks are now an international concern, and there are many concerns that hacks and other
security attacks could endanger the global economy. Organizations transmit sensitive data across
networks and to other devices in the course of doing business, and cybersecurity describes the
discipline dedicated to protecting that information and the systems used to process or store it.

As the volume of cyber-attacks grows, companies and organizations, especially those that deal with
information related to national security, health, or financial records, need to take steps to protect
their sensitive business and personal information.

Types of cybersecurity threats

Ransomware:- Ransomware is a type of malicious software. It is designed to extort money by
blocking access to files or the computer system until the ransom is paid. Paying the ransom does
not guarantee that the files will be recovered or the system restored.
Malware:- Malware is a type of software designed to gain unauthorized access or to cause
damage to a computer.
Social engineering:- Social engineering is a tactic that adversaries use to trick you into revealing
sensitive information. They can solicit a monetary payment or gain access to your confidential
data. Social engineering can be combined with any of the threats listed above to make you more
likely to click on links, download malware, or trust a malicious source.
Phishing:- Phishing is the practice of sending fraudulent emails that resemble emails from
reputable sources. The aim is to steal sensitive data like credit card numbers and login
information. It’s the most common type of cyber attack. You can help protect yourself through
education or a technology solution that filters malicious emails.
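The phishing entry above mentions "a technology solution that filters malicious emails". The following is an added example, not part of the original notes, showing two of the simplest heuristics such a filter applies to a message: a display name that claims a protected brand while the address domain belongs to someone else, and link text that shows one URL while the href points somewhere else. The two sample messages, the brand name "Example Bank" and its domain are constructed for the example.

```python
"""Heuristic phishing filter (added example, not the notes' own code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, not real mail. The first one impersonates the
# hypothetical brand "Example Bank" from an unrelated domain and hides the real
# link target behind link text that looks like the bank's own URL.
PHISHING_SAMPLE = """\
From: "Example Bank Security" <alerts@secure-logon-check.example>
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<p>Your account is locked. Sign in at
<a href="http://secure-logon-check.example/login">https://www.examplebank.example/login</a></p>
"""

LEGIT_SAMPLE = """\
From: "Example Bank" <noreply@examplebank.example>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<p>View it at <a href="https://www.examplebank.example/statements">your statements page</a>.</p>
"""

# Hypothetical list of protected brand names and the domains they really use.
PROTECTED_BRANDS = {"example bank": "examplebank.example"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'^[a-z][a-z0-9+.-]*://([^/?#:]+)', re.I)


def host_of(url):
    """Return the lowercase host part of an absolute URL, or None if it is not one."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else None


def same_org(domain, expected):
    """True when domain is expected or a subdomain of it."""
    return domain == expected or domain.endswith("." + expected)


def analyse(raw_message):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()

    # Heuristic 1: display name claims a protected brand, but the address domain
    # does not belong to that brand.
    for brand, real_domain in PROTECTED_BRANDS.items():
        if brand in display_name.lower() and not same_org(sender_domain, real_domain):
            findings.append(
                f"display name '{display_name}' but sender domain '{sender_domain}'")

    # Heuristic 2: link text that looks like a URL whose host differs from the
    # host the href actually points to.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    for href, text in ANCHOR_RE.findall(body):
        shown = host_of(re.sub(r"<[^>]+>", "", text))
        real = host_of(href)
        if shown and real and shown != real:
            findings.append(f"link text shows host '{shown}' but points to '{real}'")
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(name, "->", analyse(sample) or "no findings")
```

Each finding is a reason a human reviewer can check, which is what makes a filter like this useful for the user education the notes also recommend: the message is not just blocked, the mismatch is shown.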

Cyber Security Risk Analysis

Risk analysis refers to the review of the risks associated with a particular action or event. Risk
analysis is applied to information technology, projects, security issues and any other event where
risks may be analyzed on a quantitative or qualitative basis. Risks are part of every IT
project and business organization. Risk analysis should be carried out on a regular basis and
updated to identify new potential threats. Strategic risk analysis helps to minimize the
probability and damage of future risks.

Enterprises and organizations use risk analysis:

o To anticipate and reduce the effect of harmful results arising from adverse events.
o To plan for technology or equipment failure or loss from adverse events, both natural and
human-caused.


o To evaluate whether the potential risks of a project are balanced in the decision process
when deciding whether to move forward with the project.
o To identify the impact of, and prepare for, changes in the enterprise environment.

Benefits of risk analysis

Every organization needs to understand the risks associated with its information systems in
order to protect its IT assets effectively and efficiently. Risk analysis can help an organization
improve its security in many ways. These are:

o Concerning financial and organizational impacts, it identifies, rates and compares the
overall impact of risks to the organization.
o It helps to identify gaps in information security and determine the next steps to eliminate
the security risks.
o It can also enhance the communication and decision-making processes related to
information security.
o It improves security policies and procedures and develops cost-effective methods for
implementing information security policies and procedures.
o It increases employee awareness of risks and security measures during the risk
analysis process, and of the financial impacts of potential security risks.

Steps in the risk analysis process

The basic steps followed by a risk analysis process are:

Conduct a risk assessment survey:

Getting input from management and department heads is critical to the risk assessment
process. The risk assessment survey is where documenting the specific risks or threats
within each department begins.

Identify the risks:

This step evaluates an IT system or other aspects of an organization to identify the risks
related to software, hardware, data, and IT employees. It identifies the possible adverse events
that could occur in an organization, such as human error, flooding, fire, or earthquakes.


Analyse the risks:

Once the risks are evaluated and identified, the risk analysis process should analyse how likely
each risk is to occur, as well as determine the consequences linked with each risk. It also
determines how they might affect the objectives of an IT project.

Develop a risk management plan:

Once the analysis has shown which assets are valuable and which threats will probably affect
the IT assets negatively, we develop a risk management plan that produces control
recommendations, which can be used to mitigate, transfer, accept or avoid each risk.

Implement the risk management plan:

The primary goal of this step is to implement the measures that remove or reduce the analysed
risks. Starting with the highest-priority risk, we resolve or at least mitigate each one so that
it is no longer a threat.

Monitor the risks:

This step monitors security risks on a regular basis; identifying, treating and managing risks
on an ongoing basis should be an essential part of any risk analysis process.

Types of Risk Analysis

The two distinct approaches to risk analysis are:

1. Qualitative Risk Analysis

2. Quantitative Risk Analysis

1. Qualitative Risk Analysis

o Qualitative risk analysis is a project management technique that prioritizes the risks on a
project by assigning each a probability rating and an impact rating. Probability is the
likelihood that a risk event will occur, whereas impact is the significance of the consequences
of a risk event.
o The objective of qualitative risk analysis is to assess and evaluate the characteristics of
each individually identified risk and then prioritize the risks based on the agreed-upon
characteristics.
o Assessing an individual risk means evaluating the probability that it will occur and its effect
on the project objectives. Categorizing risks helps in filtering them out.

o Qualitative analysis determines the risk exposure of the project by multiplying the
probability rating by the impact rating.

2. Quantitative Risk Analysis

o The objective of the quantitative risk analysis process is to provide a numerical
estimate of the overall effect of risk on the project objectives.
o It is used to evaluate the likelihood of success in achieving the project objectives and to
estimate the contingency reserve, usually for time and cost.
o Quantitative analysis is not mandatory, especially for smaller projects. Its main focus is
calculating estimates of overall project risk.
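The steps listed under "Steps in the risk analysis process" and the two approaches just described fit together in a single risk register. The block below is an added example, not the notes' own material: it identifies risks, scores each one qualitatively as probability rating times impact rating, prioritizes them from the highest exposure down, recommends one of the four treatments the notes name (mitigate, transfer, accept, avoid), and then makes the quantitative pass, turning each rating into an annual probability and summing probability times loss into a contingency reserve. The 1 to 5 scales, the probability mapping, the treatment thresholds and the sample risks are all assumptions made for the example; the notes fix none of them.

```python
"""Risk register walking the notes' analysis steps (added example, not the notes' code)."""
from dataclasses import dataclass

# Assumed qualitative scales (the notes give no fixed scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Assumed mapping from the likelihood rating to an annual probability, used by
# the quantitative pass.
ANNUAL_PROBABILITY = {1: 0.05, 2: 0.15, 3: 0.35, 4: 0.60, 5: 0.90}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str            # key of LIKELIHOOD
    impact: str                # key of IMPACT
    loss_if_realised: float    # estimated cost if the event happens (currency units)
    treatment: str = "undecided"   # mitigate / transfer / accept / avoid

    def exposure(self):
        """Qualitative exposure = probability rating x impact rating (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def expected_loss(self):
        """Quantitative estimate = annual probability x loss if realised."""
        return ANNUAL_PROBABILITY[LIKELIHOOD[self.likelihood]] * self.loss_if_realised


def prioritise(risks):
    """'Analyse the risks': highest exposure first, so treatment starts at the top."""
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)


def recommend_treatment(risk, accept_below=5, avoid_at=20):
    """'Develop a risk management plan': pick one of the four options from the
    exposure score. The thresholds are assumptions for this example."""
    exposure = risk.exposure()
    if exposure < accept_below:
        return "accept"
    if exposure >= avoid_at:
        return "avoid"
    # Mid-range: transfer (e.g. insure) when the money at stake is large,
    # otherwise mitigate with controls. The 100,000 cut-off is assumed.
    return "transfer" if risk.loss_if_realised >= 100_000 else "mitigate"


def contingency_reserve(risks):
    """Quantitative analysis: sum of expected losses over the risks the
    organisation keeps (everything not avoided), usable as a cost reserve."""
    return sum(r.expected_loss() for r in risks if r.treatment != "avoid")


def build_register(risks):
    """Run analyse -> plan over an identified list and return it prioritised."""
    for r in risks:
        r.treatment = recommend_treatment(r)
    return prioritise(risks)


# Constructed sample register for a hypothetical organisation ('Identify the risks').
SAMPLE_RISKS = [
    Risk("payroll server", "ransomware delivered by phishing", "likely", "major", 250_000),
    Risk("office building", "flooding", "rare", "severe", 800_000),
    Risk("HR laptops", "loss or theft", "possible", "moderate", 20_000),
    Risk("legacy app", "unpatched remote flaw", "almost certain", "severe", 500_000),
    Risk("dev environment", "human error deleting test data", "likely", "negligible", 2_000),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE_RISKS):
        print(f"{r.exposure():2d} {r.treatment:9s} {r.asset}: {r.threat} "
              f"(expected loss {r.expected_loss():,.0f})")
    print(f"contingency reserve: {contingency_reserve(SAMPLE_RISKS):,.0f}")
```

The register is also what the final "Monitor the risks" step works from: re-running `build_register` after ratings change (a patch applied, a control added, a new threat found) reorders the priorities and recomputes the reserve, which is the regular re-analysis the notes call for.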

