Licensing agreements that accompany software downloads sometimes warn the user that a spyware program will be installed along with the requested software. Nevertheless, the licensing agreements may not always be read completely, because the notice of a spyware installation is often couched in obtuse, hard-to-read legal
An individual with a great deal of technical knowledge about computer systems and their security is known as a hacker. Originally, the term had no negative connotations; in fact, it was a compliment in recognition of a great deal of technical prowess. Today, the term is frequently applied to cyber criminals, to the dismay of legitimate hackers. Hackers prefer to call criminal hackers “crackers” and wish that the press would do the same.
The most publicized threat to enterprise security is hackers. Hackers make great headlines, and companies have spent millions of dollars improving existing security programs or creating new ones in reaction to the threat. Although malicious outsiders are a risk to an enterprise, compared with the other risks an organization faces, it is less likely that an outsider will compromise network assets.
Focusing entirely on hackers may lead an organization to overlook a more likely threat: an insider compromising security intentionally, through mistakes, or through negligence. Even in cases where an outsider actually penetrates network security, more often than not someone within the organization has enabled the attack, intentionally or through negligence. Adding layers of security that complement firewalls and virus protection will allow an organization to mitigate internal risks.
14.3 Organizational risk assessment
Most companies would privately admit that their IT security is not as comprehensive as it should be. Security policies and procedures are often far behind technological advances, and adequate staff education is rare. In fact, many organizations only develop or update policies and procedures in reaction to a security compromise. As a result, many companies are vulnerable, despite spending large sums on security products and consultants. A more proactive approach
involves identifying risks specific to your organization, auditing regularly, addressing known risks, and dealing with new risks proactively rather than reactively.
An organization has to know that it is at risk before it can protect something. It is impossible to plan for the security of assets if you do not know the threats against them. Risk analysis is a process of identifying assets that need protection and evaluating the threats against those assets. Risk analysis can be simplified and broken down into five steps:
1. Identify assets.
2. Determine the value of each asset and identify the cost associated with its loss.
3. Identify threats to the asset.
4. Determine the vulnerability to those threats.
5. Prioritize assets by level of importance.
By following the preceding steps, you can identify assets that are at risk and plan for their protection. You should also not overlook the possibility of threats from within your organization. Too often, organizations emphasize external threats, specifically hackers and viruses, and ignore the more likely threats from within an organization. Most threats come from within a company, and recent trends
Malicious action, negligence, disdain of security practices, and ignorance of security policy and practices are sources of insider security problems. Misuse of computer systems by employees may result in liability if they use internal systems to access illegal or offensive material or to commit computer crime. Intentional or accidental public dissemination of sensitive information can result in lawsuits or loss of revenue. Laws concerning protection of privacy data make monitoring employee behavior more important than ever before.
How is internal network security addressed by your organization? What is the liability involved if your organization’s data are compromised? Your level of exposure to internal risks will dictate the steps you must take to mitigate the risks. A security policy and program must include steps to mitigate the risks from disgruntled