About this sample
Published: Jul 15, 2020
Words: 1477 | Pages: 3 | 8 min read
Risk mitigation is a salient issue in risk management. With ever-changing technology, threats and breaches are unavoidable, especially where a vulnerability exists. There are various risk mitigation techniques. This paper reviews the literature and evaluates two basic approaches to mitigating information risks, specifically in the Bring Your Own Device (BYOD) environment. BYOD is seen as productive, flexible and efficient for employees, and organizations see it as cost effective, but BYOD also invites threats to the organization’s data. The first risk mitigation technique explained in this paper is the Information Security Awareness System. Security awareness programs or trainings in many organizations are not continuous, but when a system is put in place, security awareness becomes a routine part of system management. The second is Device Management, which lets management supervise the compliance of employee-used devices with corporate policies. After describing the two techniques, the paper brings out the gaps, limitations and implications of each. The evaluation shows that both approaches are beneficial to an organization but each has its drawbacks. Employees are key to both techniques: they are affected by them in some cases and are themselves the source of risk in others.
Keywords: risk mitigation, bring your own device, information security, awareness, device.
Risk mitigation is one element of risk management, and its implementation will differ by organization. Risk mitigation accepts the inevitability of some disasters and is used in those situations where a threat cannot be avoided entirely. Rather than planning to avoid a risk, mitigation deals with the aftermath of a disaster and with the steps that can be taken before the event occurs to reduce its adverse, and potentially long-term, effects. Currently, most researchers focus on risk assessment but tend to ignore the risk mitigation aspect. As a result, risks in information security get assessed but not mitigated or reduced, since risk mitigation is quite complex and full of uncertainty. It is therefore crucial to address the risk mitigation techniques or strategies that organizations use in information security, whether to maintain their competitiveness, to eliminate the risk of being compromised, or to reduce that risk to an acceptable level. This paper sets out to critically evaluate two common techniques for mitigating risk in a Bring Your Own Device (BYOD) environment. The BYOD concept enhances employees’ productivity by making corporate information and the organization’s data readily available to them on their personal devices.
The National Institute of Standards and Technology (NIST) defines information security “awareness” in the Special Publication 800-16 as follows: “Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities, the learner is the recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate the job performance”.
This definition explains the difference between awareness and training programs: the conveyed information targets different kinds of audience, who would use it at different levels. Because of the limitations of an awareness program, a sound ISAS (Information Security Awareness System) needs to contain interactive learning materials. Transmitting information about security breach incidents is not enough; a user needs to be able to respond to the incidents, since doing so improves the user’s security awareness and transfers security knowledge. The literature explains that there should be five components in the structure of an ISAS, and they are:
It is suggested that an Information Security Awareness System (ISAS) can be built on electronic learning (e-learning) methods to deliver security awareness concepts. The literature explains that, in terms of actual learning delivery, e-learning includes strategies such as computer-based learning, web-based learning, and distance learning. Although many believe that e-learning is efficient, low in cost and quick for workers to complete, organizations should be more concerned with the effectiveness of what the e-learning delivers. In terms of security awareness, the concept of information security is a multidimensional one that includes authorization, authentication, confidentiality, data integrity, availability, and recovery.
ENISA used inputs and comments from a group of experts from industry, academia and public organizations. The experts were selected according to their engagement with security in emerging technologies, security in Bring Your Own Device (BYOD), and Consumerization of IT (COIT). However, the ENISA approach to mitigating risks in information security has been proposed but not tested.
Mobile Device Management (MDM) might be a very good mitigating technique for data security, but it is also a very big privacy issue for employees. In practice, MDM offers significant insight into employees’ device activities at any given time. IT teams are also authorized to perform various actions on employee devices, such as wiping data remotely, locking devices, monitoring employee locations for corporate security reasons, and more. Incentives and rewards could be a good way of motivating an employee to adhere to corporate policies and standards, but not everyone sees things alike: “the use of rewards is individual: what may work as reinforcement for one person may not work for another person”. Considering employees’ attitude and intention toward actual compliance, habit also plays a part. Habit is a usual or settled way of behaving; it is an unconscious and automatic act, and habits affect an employee’s intention to comply with IS security policies. Too many security standards and policies could affect employees’ behavior and productivity, which could also be risky for the organization. A generic problem of information security is compliance with standards and policies. Insider threat to information security could be another big problem: giving an employee too much knowledge about data security could be dangerous. Although these techniques could use a trust-and-verify approach, the trust could be impossible to measure.
An organization’s information is a great asset which should be kept safe and secure. This paper has described the gaps in these techniques as, basically, employee compliance and trust; organizations could therefore make devices available to employees or corporate network users. This would make device compliance the organization’s responsibility and remove the employee-device compliance problem altogether. Truly, everyone needs to be security aware, as it helps one know what one should and should not do concerning security. But organizations could rely more on technology to mitigate risks, as human attitudes towards awareness might not be quantifiable or reliable.