Human interaction with information technology systems is often thought to pose the smallest threat; in fact, it is the greatest threat to the confidentiality and integrity of data. Reviews of the history of system break-ins, security violation reports, and incident reports, together with interviews with the business owner, systems support personnel, system users, and management during information gathering, are essential for identifying the human threats that could harm an IT system and its data. Once potential threats have been identified, an inventory of the motivation, resources, and capabilities required to carry out a successful attack should be developed in order to determine the likelihood of a threat exploiting a
An analysis of the threat to an information technology system must include an analysis of the potential vulnerabilities associated with that system. A list of system vulnerabilities should be aggregated and paired with the threats identified during the threat assessment subprocess. A vulnerability is the absence or weakness of a control or safeguard that a threat could exploit. Recommended methods for identifying system vulnerabilities include the development of a security requirements checklist and system security testing.
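The pairing of threats with vulnerabilities, and the use of the threat inventory (motivation, resources, capabilities) together with the state of the existing control to rate likelihood, can be made concrete in a small script. The following is an added example, not code from the page: the three-level scale and the scoring rule in likelihood() are assumptions modelled on a qualitative NIST SP 800-30 assessment (the text defines no formula), and every threat and vulnerability listed is constructed sample data.

```python
"""Pair identified threats with system vulnerabilities and rate the
likelihood of each pair.

Added example, not code from the page. The three-level scale and the
scoring rule in likelihood() are assumptions in the style of a
qualitative NIST SP 800-30 assessment; the text itself defines no
formula. All threats and vulnerabilities below are constructed data.
"""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")              # qualitative scale (assumed)
CONTROL_STATES = ("absent", "weak", "adequate")  # state of the safeguard (assumed)


def _rank(level: str) -> int:
    """Map a qualitative level to 0/1/2, rejecting anything off the scale."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level!r}")
    return LEVELS.index(level)


@dataclass(frozen=True)
class Threat:
    name: str
    motivation: str           # low / medium / high
    capability: str           # resources and skill: low / medium / high
    targets: frozenset        # control areas this threat source can attack


@dataclass(frozen=True)
class Vulnerability:
    ident: str
    control_area: str         # the safeguard that is absent or weak
    control_strength: str     # absent / weak / adequate
    description: str


def likelihood(threat: Threat, vuln: Vulnerability) -> str:
    """Assumed rule: a threat needs both motivation and capability, so its
    potential is the lower of the two; the existing control then pulls the
    rating down. An adequate control yields 'low', a weak control caps the
    rating at 'medium', an absent control leaves the potential unchanged.
    """
    if vuln.control_strength not in CONTROL_STATES:
        raise ValueError(f"unknown control state: {vuln.control_strength!r}")
    potential = min(_rank(threat.motivation), _rank(threat.capability))
    if vuln.control_strength == "adequate":
        return "low"
    if vuln.control_strength == "weak":
        potential = min(potential, _rank("medium"))
    return LEVELS[potential]


def assess(threats, vulns):
    """Return (threat name, vulnerability id, likelihood) for every pair in
    which the threat can reach the control area the vulnerability weakens,
    highest likelihood first."""
    pairs = [
        (t.name, v.ident, likelihood(t, v))
        for t in threats
        for v in vulns
        if v.control_area in t.targets
    ]
    return sorted(pairs, key=lambda p: (-_rank(p[2]), p[0], p[1]))


# Constructed sample inventory: the kind of entries that interviews,
# incident reports and a security requirements checklist would produce.
THREATS = [
    Threat("disgruntled insider", "high", "high",
           frozenset({"access control", "data integrity"})),
    Threat("opportunistic external attacker", "medium", "medium",
           frozenset({"access control", "patch management"})),
    Threat("careless user", "low", "low", frozenset({"data integrity"})),
]

VULNERABILITIES = [
    Vulnerability("V-1", "access control", "absent",
                  "accounts of terminated staff are never disabled"),
    Vulnerability("V-2", "patch management", "weak",
                  "vendor patches for the purchased application applied ad hoc"),
    Vulnerability("V-3", "data integrity", "adequate",
                  "input validation and audit logging verified in testing"),
]

if __name__ == "__main__":
    for name, ident, rating in assess(THREATS, VULNERABILITIES):
        print(f"{rating:<7} {ident}  <-  {name}")
```

Running the script lists five threat/vulnerability pairs; only the insider against the disabled-accounts gap (V-1, no control at all) rates high, while the same insider against the integrity controls that testing confirmed adequate (V-3) rates low. Taking the lower of motivation and capability is the deliberate choice: a highly motivated but unskilled actor, or a capable but uninterested one, should not drive the rating up on its own.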
Which vulnerabilities are relevant depends on the system's phase in the systems development life cycle. If a system is in the initiation phase, the search for vulnerabilities should focus on the organization's application development/acquisition policies and procedures. These should specify, at a minimum, how data will be secured, how duties will be segregated, and how the application will be maintained. If the system is in the implementation phase, testing should be performed to determine whether data integrity is ensured. Finally, if the system is in the operational or maintenance phase, a review of user permissions and tests of the security controls should be conducted to ensure that the controls are operating as designed.
Much like threats, vulnerabilities can be discovered using the information-gathering techniques discussed previously. For purchased applications, the vendor's website and user forums offer a great deal of information on current vulnerabilities and available patches; this information can be used to create interview questions or questionnaires. Other sources include specialized websites such as Carnegie Mellon's Computer Emergency Response Team (www.cert.org) and SecurityFocus (www.securityfocus.com), both of which offer up-to-date vulnerability information for a multitude of systems.
To develop a security requirements checklist, the security decision makers performing the risk assessment must determine whether the security requirements stipulated for the information technology system, collected during the system characterization subprocess, are being met by existing or planned security controls. Each requirement is mapped to an explanation of how the
Information Technology Risk Management 143