In the financial sphere, risk is associated with uncertainty (the possibility of fluctuations in value, in both a positive and a negative sense). In cybersecurity, the events of interest are always linked to losses of value, but they keep the character of uncertainty. We are therefore interested in the random events that concern the IT security of our organization. The final objective of risk management is to bring cybersecurity risks into a quantifiable framework that can be considered in the overall economic analysis of the organization's activity. The risk management activities are: identification of risks, risk assessment, monitoring, and definition of countermeasures for mitigation and coverage.
MAIN GOALS OF A “SECURE” SYSTEM are:
. Confidentiality: Ensure that information is not accessible to unauthorized users;
. Integrity: Ensure that information cannot be altered by an unauthorized person;
. Availability: Ensure that the system is operational and functional at all times.
ADDITIONAL OBJECTIVES of a system are:
. Privacy: Ensure that users can control what data is collected, how it is used, by whom, and for what purpose;
. Access control: Ensure that users have access to all the resources and services they are authorized to use, and only to those;
. Non-repudiation: Ensure that the sender of a message cannot deny having sent it.
THE ATTACKS can be classified as follows:
. Passive attack: obtains information (e.g., by eavesdropping) without interfering with the system
. Active attack: interferes with the system for various purposes
Connecting the CIA triad to the different types of attacks, we can say that:
. Interruption is an attack on availability
. Interception is an attack on confidentiality
. Modification is an attack on integrity
. Falsification (fabrication) is an attack on authenticity