With the recent rise in security awareness, providing rapid solutions to problems that suddenly come up in information systems has also found its place in the work carried out in the field of security. The subtopics that come to the fore under the heading of emergency situation intervention are: risk analysis, determining the prime measures, and the stage of solving the immediate issue. This paper first discusses several risk analysis methods and then sets out what is needed for immediate remedy when problems show up in information systems. Pioneering measures are, for the time being, not in the scope of our topic.
Risk analysis, which gained importance in the U.S. during Cold War work to estimate which points would be hit in a probable nuclear attack, has been used in many fields, from placing a satellite in orbit around the earth to economics. Recently, attempts have been made to adapt it to informatics systems.
Risk analysis is founded upon the value of the entities and the probability that a threat is realized. Detailed information on these concepts is plentiful in books and on the Internet. One important point to be aware of, however, is that identifying the entities in the field of informatics and assigning values to them needs work specific to the institution at hand. Likewise, the threat and its probability of being realized need work that is specific to the establishment.
Besides the points specific to each institution, there are some rules generally applicable to all. Risk analysis in the field of informatics names the effect of a threat under three headings:
- Secrecy (confidentiality) covers establishment-specific information and the privacy of the individuals the establishment serves. Example: Personal e-mail messages not being accessible to everyone.
- Wholeness (integrity) covers the prevention of unauthorized modifications to the assets the establishment has. Example: Not being able to make unauthorized changes on
- Employability (availability) covers the access of authorized persons to the assets of the establishment. Example: The main page of the establishment being continuously accessible.
Three cases of risk analysis in the field of informatics are given to help clarify the concepts.
For this case it is assumed that the effect of the threat on the asset is twofold:
- the effects of threats that would end in seizing the full or limited authority of a user on the system.
- the functioning of the asset may be put out of service partially or all together.
This type of risk analysis deals specifically with the user code issue on the central servers and does not cover the whole informatics system. Furthermore, it analyzes the effect of the threat in terms of secrecy, wholeness or employability.
In this case, the risk is expressed as the product of the 'probability of the actuation of the threat' and the 'effect of the threat'. Both the 'probability of the actuation of the threat' and the 'effect of the threat' are set by assigning values between 1 and 5.
Probability of the Actuation of the Threat / Effect of the Threat
Very High (20)
Risk = Probability of the Actuation of the Threat * Effect of the Threat
Even though this analysis provides more coverage regarding informatics systems, it still conducts the analysis in view of the concepts of secrecy, wholeness or
In this case the risk for secrecy, wholeness and employability is calculated independently. The calculation considers separately the value of each asset in terms of secrecy, wholeness and employability (VDs, VDw, VDe) and the effect of the probable risk on secrecy, wholeness and employability (TEs, TEw, TEe). While calculating the risk for each concept (Rs, Rw, Re), the probability of the risk taking place (To) is also taken into account.
Rs = VDs * TEs * To
Rw = VDw * TEw * To
Re = VDe * TEe * To
The level of risk is calculated by entering the risk values obtained for each concept into a formula set by the establishment (example formulae: addition, arithmetic average, geometric average, etc.).
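
The per-concept calculation described above, as an added example that is not part of the original paper: it computes the risk for secrecy, wholeness and employability of each asset as VD * TE * To and ranks the assets under each of the three example combining formulas. The asset names and scores are constructed, and the 1 to 5 scale is an assumption carried over from the second case.

```python
from dataclasses import dataclass
from math import prod

# Combining formulas the text lists as examples; the establishment picks one.
COMBINERS = {
    "addition": sum,
    "arithmetic_avg": lambda r: sum(r) / len(r),
    "geometric_avg": lambda r: prod(r) ** (1 / len(r)),
}

@dataclass(frozen=True)
class Asset:
    name: str
    vd: tuple  # (VDs, VDw, VDe): value of the asset per concept
    te: tuple  # (TEs, TEw, TEe): effect of the threat per concept
    to: int    # To: probability of the threat taking place

def concept_risks(asset):
    """Return (Rs, Rw, Re), each computed as VD * TE * To."""
    for score in (*asset.vd, *asset.te, asset.to):
        if not 1 <= score <= 5:  # assumed scale, borrowed from the second case
            raise ValueError(f"{asset.name}: score {score} is outside 1-5")
    return tuple(vd * te * asset.to for vd, te in zip(asset.vd, asset.te))

def risk_level(asset, formula):
    """Combine the three per-concept risks with the chosen formula."""
    return COMBINERS[formula](concept_risks(asset))

def rank(assets, formula):
    """Asset names ordered from highest to lowest combined risk."""
    ordered = sorted(assets, key=lambda a: risk_level(a, formula), reverse=True)
    return [a.name for a in ordered]

# Constructed register: hypothetical assets and scores, not from the paper.
ASSETS = [
    Asset("public web page", vd=(1, 3, 5), te=(1, 2, 5), to=4),
    Asset("mail server", vd=(4, 3, 3), te=(3, 3, 3), to=3),
    Asset("personnel database", vd=(5, 4, 2), te=(4, 3, 2), to=2),
]

if __name__ == "__main__":
    for formula in COMBINERS:
        print(formula, rank(ASSETS, formula))
```

With these scores the web page ranks first under addition and the arithmetic average, but the mail server ranks first under the geometric average: a single very high per-concept risk dominates a sum, while the geometric average favours assets whose risk is elevated across all three concepts.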
The Interpretation of The Risk Analysis Results:
For the three cases given above, it is crucial to eliminate the risk factor that is evaluated in the bottom right corner of the table, that is, the high effect of the risk on a highly valued asset. These fields must not appear in the tables of analysis.
On the other hand, the measures to be taken ought to be aimed primarily at the risks in the mid-sections of the tables, bearing in mind that the results in the top left corners are the risks that can be eliminated with minimum effort.
Furthermore, attacks have recently been moving from "minimum effect - frequent strike" to "maximum effect - less frequent strike", and the risks in the bottom right of the tables should be attended to first.
Compound Structure Approach:
The use of risk analysis for complex structures like informatics systems does not seem sufficient by itself, because it investigates the assets one by one. When a threat materializes, it affects not only the asset it aims at but also all the other assets that are related to that asset. These side effects are not taken into consideration during risk analysis. Hence, there is a need to see the system as a compound structure and investigate the emergency approach in view of
Hanseth takes into consideration the number of components and the number of relations among these components in the theoretical system proposed to describe the compound structure of informatics systems. McLean further improves this approach and uses the number of different types of components, the number of types of relations among those components, and their differentiation in order to define the complexity of the system. One important point to be aware of is that the number of different types of components does not mean database units or types of security units; it is calculated from components such as the platform on which the informatics system is operating, technical structures such as applications, and organizational routines, habits and the interior design.
In McLean's approach, the speed at which the relations among the components vary is also of importance. The information we have about the components and their relations is always lacking, because our knowledge of the relations grows more slowly than the components and relations change. It must be borne in mind that when a new component is placed into the system and a relation is formed with other components, only some of the features of the component are being used.
Establishments do pay attention to finding out about the features of a component and to acquiring knowledge. Learning through practice, however, is never the same as verbal instruction. The second method, which reduces the interest in learning, hinders the increase in the knowledge level of the staff. As a result, those who have not acquired the necessary knowledge (the administrators) are the ones in a position to step in during an emergency.
Emergency Situation Intervention:
Emergency intervention, which crosses the minds of administrators only when they encounter panicking staff who do not know what to do, should receive attention while the systems are in running order. In this regard, evaluating the results of the risk analysis down to the specifics of the components mentioned above under the compound structure approach is important; however, it should be noted that the purpose of forming the system is utilization. Installing secondary systems that supervise the utilization, and tertiary systems that check whether supervision is conducted properly, becomes a necessity.
What the secondary systems are expected to perform may be listed as:
- Control of the system
- Detection of the problem
- Elimination of the problem
At the stages of system control and problem detection, foreseen and unforeseen issues may come up. Certainly, the best solution is to take precautions against the probable threats that the risk analysis has pinpointed; however, such precautions can pose two problems. One is that the cost of taking measures may be more than the value of the asset itself, and the other is that the solutions may hinder the operation of the system. That is why, in some cases, it may be necessary to settle for solutions that overcome the problem as soon as possible when the threat materializes, instead of taking preliminary measures. On this path against the foreseen risks, the necessity of a well-prepared, up-to-date documentation system and in-service training is unquestionable. The solution for the issue of unforeseen risks is recruiting well-informed and creative employees.
Hanseth, O., Ciborra, C. (2007), *Risk, complexity and ICT*, Cheltenham, UK; Northampton, MA: E. Elgar
İbrahim Çalışır - Suna Yılmaz