Vulnerabilities, Threats and Risks in IT

IT Security Management

Abstract

In this first part of the opening chapter we define and explain, with the help of two very different examples, the three most important foundational risk concepts, together with an introduction to current information risk management methodologies and their common steps.


Notes

  1. ISO (2002), pp. 1–16.

  2. Adapted from NIST (2002a), pp. 1–F1.

  3. ISO (2004), pp. 1–28.

  4. A live CD is a CD-ROM with a self-contained operating system, usually a flavour of Linux, which provides an almost fully-fledged operating system platform from which to work regardless of the operating system installed on the computer’s hard disk (e.g. Backtrack, Ophcrack, Helix, Ubuntu). See a list of live Linux CDs at http://www.livecdlist.com. Last accessed 8-11-2009.

  5. The piglet could lose its house and its life.

  6. Definition of impact from the web site www.wordreference.com. Last accessed 20-09-2009.

  7. See Section 1.15.

  8. See Section 1.16.

  9. Adapted from ISO (2005), pp. 1–115.

  10. ISO (2002), pp. 1–16.

  11. NIST (2002a), pp. 1–F1.

  12. ISO (2002), pp. 1–16.

  13. NIST (2002a), pp. 1–F1.

  14. Adapted from NIST (2002a), pp. 1–F1.

  15. See also Section 1.13.

  16. Traditional risk management methodologies can lead to a “permanently unfinished analysis” due to the rapid change in the value of assets. Condensed from an interview with Santiago Moral in the Spanish security magazine SIC, available at http://www.revistasic.com/revista62/entrevista00_62.htm. Last accessed 31-10-2009.

  17. See Section 1.16.

  18. See Chapters 5 and 7.

  19. See Section 1.13.

  20. Mike Poor, IT security professional and SANS trainer (2007). See http://www.sans.org/training/instructors.php#Poor. Last accessed 22-09-2009.

  21. See Section 1.13.

  22. See Chapter 2.

  23. See the reference in the presentation “Risk perception and the problems we make for ourselves”, available at http://www.ramas.com/wttreprints/sranortheastReprint1.pdf. Last accessed 22-08-2009.

  24. Professor at the Harvard Department of Psychology. See http://pinker.wjh.harvard.edu/index.html. Last accessed 22-09-2009.

  25. OECD (2003).

  26. Rather than merely informing, IT security teams sometimes threaten organisations with “apocalyptic” statements.

  27. See an example of security incident news in Annex 2.

  28. For example:

  29. As an example, see this piece of news reporting on a hacked digital traffic sign, available at http://www.dallasnews.com/sharedcontent/dws/news/localnews/transportation/stories/013009dnmetzombies.1595f453.html. Last accessed 20-07-2009.

  30. Gladwell (2000), p. 73. More on this topic in Chapter 7.

  31. See Chapter 7.

  32. See a comment in this respect from Richard Bejtlich, Director of Incident Response at General Electric, available at http://taosecurity.blogspot.com/2008/09/is-experience-only-teacher-in-security.html. Last accessed 13-10-2009.

  33. See http://www.pcworld.com/businesscenter/article/147739/laptops_lost_like_hot_cakes_at_us_airports.html. Last accessed 22-09-2009.

  34. Definition provided by http://www.investopedia.com. Last accessed 22-08-2009.

  35. See Section 1.15.

  36. See Section 1.15.

  37. As we mention in Chapter 5.

  38. See http://en.wikipedia.org/wiki/SMART_criteria. Last accessed 20-09-2009.

  39. See Chapters 4 and 5.

  40. Pareto principle definition from www.wikipedia.org. Last accessed 20-09-2009.

  41. See Fig. 1.1 and Chapters 4 and 5.

  42. Aabo et al. (2004), pp. 1–34.

  43. See Chapter 4.

  44. So that they can quickly apply corrective measures if an incident happens.

  45. Dillon and Paté-Cornell (2005), pp. 15, 17, 18 and 24.

  46. Rinnooy (2004), pp. 26–31.

  47. Idea arising from a conversation with Santiago Moral, IT security professional (2007).

  48. Adapted from Glen (2003), p. 16. A useful reference for leading IT geeks.

  49. See Section 1.8.

References

  • Aabo, T., Fraser, J.R.S., Simkins, B.J.: The rise and transformation of the chief risk officer: a success story on enterprise risk management, version of December 10, 2004. Revised version available in J. Appl. Corporate Finance, Winter 2005, pp. 1–34. http://www.gloriamundi.org/detailpopup.asp?ID=453057237 (2009). Accessed 15 Sept 2009

  • Dillon, R.L., Paté-Cornell, M.E.: Including technical and security risks in the management of information systems: a programmatic risk management model. In: Systems Engineering, 8. 1, Regular paper, pp. 15, 17, 18 and 24 (2005)

  • Gladwell, M.: The Tipping Point: How Little Things Can Make a Big Difference, p. 132. Little Brown, Boston (2000)

  • Glen, P.: Leading Geeks: How to Manage and Lead People Who Deliver Technology, p. 16. Wiley, New York (2003)

  • Harding, S., Long, T.: MBA Management Models. Gower, England, pp. 84, 181 and 187 for Chapter 1, pp. 105–108 and 109–112 for Chapter 2, pp. 161–163, 197–199, 59–63 and 73–76 for Chapter 4, pp. 17–20 and 21–24 for Chapter 5, pp. 101–103 and 121–124 for Chapter 6, pp. 191–194 and 95–98 for Chapter 8, pp. 149–153 and 169–172 for Chapter 9 and pp. 211–214 and 173–176 for Chapter 10 (1998)

  • ISO: ISO Guide 73 – Risk Management – Vocabulary – Guidelines for use in Standards, Reference: ISO/IEC GUIDE 73:2002(E/F), pp. 1–16 (2002)

  • ISO: ISO/IEC 13335-1 Information technology – Security techniques – Management of information and communications technology security. Part 1: Concepts and models for information and communications technology security management, Reference: ISO/IEC 13335-1:2004(E), pp. 1–28 (2004)

  • ISO: ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements, First edition, Reference: ISO/IEC 27001:2005(E), pp. 1–115 (2005)

  • NIST: Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology NIST (Technology Administration, U.S. Department of Commerce), Recommendations, Special Publication 800-30 by Stoneburner, G., Goguen, A., Feringa, A., pp. 1–F1 (2002a)

  • OECD, Organisation for Economic Co-operation and Development: Implementation Plan for the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, Working Party on Information Security and Privacy, 2 July 2003, pp. 1–6 (2003)

  • Poor, M.: SANS training in 2007 – 503: Intrusion Detection In-Depth (GCIA), see http://www.sans.org/training/description.php?mid=43, retrieved 23-4-2009 (2007)

  • Rinnooy Kan, A.H.G.: IT governance and corporate governance at ING. Inform. Syst. Control J. 2, 26–31 (2004)

Corresponding author

Correspondence to Alberto Partida, GIAC, CEH, CISSP, CISA, CGEIT, MBA.

Copyright information

© 2010 Springer Netherlands

About this chapter

Cite this chapter

Partida, A., Andina, D. (2010). Vulnerabilities, Threats and Risks in IT. In: IT Security Management. Lecture Notes in Electrical Engineering, vol 61. Springer, Dordrecht. https://doi.org/10.1007/978-90-481-8882-6_1

  • DOI: https://doi.org/10.1007/978-90-481-8882-6_1

  • Publisher Name: Springer, Dordrecht

  • Print ISBN: 978-90-481-8881-9

  • Online ISBN: 978-90-481-8882-6