Posted: September 9th, 2022

Vulnerabilities and Risks in IT

Abstract
The study focuses on establishing various mechanisms that can be used in managing IT vulnerabilities in software and hardware, and the management of IT risks. Qualitative methodology is applied in the study to acquire information on topics associated with IT vulnerabilities and risks. The study’s findings lead to the discovery of three approaches that can be applied in managing risks and IT vulnerabilities. The approaches include information security standards and guidelines, governing bodies, and cybersecurity strategies.
Aims and objectives
1. To identify IT vulnerabilities in software and hardware
2. To evaluate how IT risks are associated with IT vulnerabilities
3. To establish IT risk management mechanisms
4. To establish IT software and hardware management mechanisms
Chapter One
Introduction
With the rapid increase in technology use, pressure continues to mount on IT experts to keep IT vulnerabilities and risks at the lowest, most manageable level. Most organizations and governments have taken smart approaches to manage vulnerabilities in hardware and software and their associated risks. New technologies have proved to be riskier and more vulnerable to attack because high connectivity leaves them more exposed. Having mechanisms and measures to deal with IT vulnerabilities and risks enables IT services to be more transparent, accountable, efficient, and more accessible to public services.
Research background
IT vulnerabilities and risks have long been a topic of focus in the security of information technology. This research focuses on identifying IT vulnerabilities in software and hardware and their associated risks. The study also aims to establish different mechanisms currently being deployed in the management of IT vulnerabilities and risks.
Research Problem
The increase in IT infrastructure has left many organizations, governments, and individuals exposed to various IT vulnerabilities and risks. The purpose of this study is to understand the IT vulnerabilities and risks and discuss various mechanisms that can be implemented in the effort of managing information technology vulnerabilities and risks.
Research Question
What are the current mechanisms applied to manage IT vulnerabilities and risks?
Chapter Two
Literature Review
Various studies have been conducted to identify hardware and software vulnerabilities in IT, the risks associated with them, and the management of those vulnerabilities and risks. According to Ahmad et al. (2013), software vulnerabilities are the most critical in IT due to their impact on the system compared to hardware vulnerabilities. The root causes of software vulnerabilities are related to poor design and errors in programming that result in the system being vulnerable when triggered by users (Stoneburner et al., 2002). The common classes of software vulnerabilities include Java vulnerabilities, XSS, C/C++ overflow vulnerabilities, and SQLi vulnerabilities (Positive Research, 2012). Some of the common hardware vulnerabilities include backdoors, semiconductor doping, counterfeiting products, and eavesdropping.
ISO frameworks are being applied in the management of risks in IT. For instance, ISO 31000 is a framework that provides guidelines on how an organization can organize risk management in information security. The framework provides principles and terms of risk management, including planning, implementation, monitoring, and improving the risk management process (Proença et al., 2017). ISO 27001 framework is a standard used in describing how information should be organized based on risk management principles provided in the ISO 31000 framework to manage risks (Kosutic, 2014). Risk management in IT can be conducted through various processes, including identification of root causes of the risks, determining potential areas of improvement, selecting and implementing improvements, evaluating the effect of the improvements implemented, and addressing the causes of the selected outcome.
Chapter Three
Methodology
A qualitative methodology was applied in the study, whereby different materials were examined to obtain information relevant to the research topic. The primary topics in focus include the IT security, vulnerabilities in software and hardware, risks associated with IT, management of IT risks and vulnerabilities, and cybersecurity. The sources of information included journals, literature reviews, and field notes written by researchers.
Chapter Four
Findings
How the UAE government is dealing with software vulnerabilities and risk management.
The UAE government has put mechanisms in place to keep software vulnerabilities and risks in information security at the lowest level. The focus of the UAE government in IT is to ensure it achieves accountability for all its services, transparency, and integration of ICT in government services (Alkuwaiti, 2017). Therefore, the government has put in place standards to control information security, enhancing the ability to manage IT vulnerabilities and risks. The measures include the information security policy, which provides guidelines on how institutions should organize their IT staff, the minimum level of information security that should be implemented, and how information should be gathered, stored, and distributed to maximize security (Pironti, 2010). Another standard is communications and operations management, which guides and assesses organizational IT security and operational procedures and ensures that institutions have controls and well-defined responsibilities in place. The UAE government’s standard of information system acquisition, development, and maintenance is also used to establish boundaries, protocols, and IT infrastructure in terms of development, purchase, and maintenance. Another standard used in the management of IT vulnerabilities and risks is the information security incident management standard, which requires institutions to have measures in place that can identify, prevent, and mitigate IT problems. The government also implements the human resources security standards, which require IT employees and contractors to be eligible for fulfilling their mandates through certifications provided by the government (Ijaz et al., 2016). Institutions are also required to comply with various laws, regulations, and contractual standards of IT security policies, standards, and procedures stipulated by different government institutions.
How the UAE government implements IT vulnerability protection
Protecting IT infrastructure against various types of vulnerabilities is one of the major focuses of the UAE government. The UAE government implements IT vulnerability protection through the National Electronic Security Authority (NESA), a body that protects information infrastructure and enhances cybersecurity. NESA implements IT vulnerability protection through standards and guidelines drawn from various security standards and guidelines, including the ISO 27001 and ISO 31000 frameworks. The initiatives used by NESA to protect IT infrastructure from vulnerabilities include NESA IAS, which provides guidance on how IT components should be controlled and guidelines for protection (F-Secure, 2020). NESA also uses the Threat Based Approach (TBA), which describes IT threats and how to mitigate them. TBA also stipulates the management and technical control mechanisms that cover various activities used in protecting IT against vulnerabilities, including attack paths, identifying significant attacks, and providing detailed threat profiles. IT vulnerability protection is also implemented through audits and compliance processes. NESA enforces audits and compliance through various approaches, including maturity-based self-assessment, auditing, testing, and national security intervention.
How the UAE government cybersecurity strategy helps to combat IT vulnerabilities and risks
Cybersecurity strategy has proved to be significant in dealing with IT vulnerabilities and risks. The UAE government’s cybersecurity strategy is based on five main domains. They include the cyber-smart nation, which involves creating public awareness of the importance of cybersecurity. The domain ensures that the public is fully aware of the threats and risks of cybersecurity, including how to manage their IT infrastructure to control vulnerabilities and associated risks. The other domain is innovation, which involves innovation and scientific research towards the development of electronic security. The area of cybersecurity in the strategy ensures that the IT infrastructures are well secured to protect confidentiality, availability, privacy, and credibility of data (U.ae, 2020). The other domain is cyber resilience, which focuses on maintaining the flexibility of cyberspace and the continuity and availability of IT systems by enhancing IT vulnerability protection. The last domain in the UAE cybersecurity strategy is national and international collaboration in cybersecurity. The domain involves establishing partnerships with local and global institutions in the development and integration of security standards, frameworks, and guidelines to confront IT and cyber threats and risks.
Chapter Five
Research Discovery
The study aims at establishing current mechanisms that are applied in managing IT vulnerabilities and risks. Based on the study’s findings, IT vulnerability and risk management can be implemented through various approaches, including the use of information security standards such as information security policy; communications and operations management; information system acquisition, development, and maintenance; human resources security; and compliance. The study also reveals that the use of governing bodies such as the National Electronic Security Authority supports effective implementation of IT standards and guidelines that help combat IT vulnerabilities and risks. However, the guidelines and standards should incorporate already established security standards and guidelines such as the ISO 27001 and ISO 31000 frameworks. The last approach that can be used in managing IT vulnerabilities and risks is through various cybersecurity strategies that enhance IT infrastructure security.
Conclusion
The study focuses on mechanisms that can be applied in managing IT vulnerabilities and associated risks by examining various information sources. The study’s findings identify three approaches that can be used in managing risks and IT vulnerabilities. The approaches include information security standards and guidelines, governing bodies, and cybersecurity strategies.
References
Ahmad, N., Aljunid, S., & Manan, J., 2013. Vulnerabilities and Exploitation in Computer System – Past, Present, and Future. ResearchGate. Available at: . [Accessed on 25 Jun. 2020].
Alkuwaiti, S., 2017. Information security strategy for Smart Government in United Arab Emirates – Investigating future effectiveness, threats and vulnerabilities. Available at: . [Accessed on 25 Jun. 2020].
F-Secure, 2020. NESA – The New Standard of Information Security in the UAE. Available at: <https://www.f-secure.com/en/consulting/our-thinking/nesa-the-new-standard-of-information-security-in-the-uae>. [Accessed on 25 Jun. 2020].
Kosutic, D., 2014. ISO 31000 and ISO 27001 – How are they related? Advisera Expert Solutions Ltd. Available at: [Accessed on 25 Jun. 2020].
Ijaz, S., Ali, M., Khan, A. & Ahmed, M., 2016. Smart Cities: A Survey on Security Concerns. International Journal of Advanced Computer Science and Applications, 7(2), pp.612-625.
Pironti, J., 2010. Developing an Information Security and Risk Management Strategy. ISACA Journal, 2.
Proença, D., Estevens, J., Vieira, R., & Borbinha, J., 2017. Risk Management: A Maturity Model Based on ISO 31000. 2017 IEEE 19th Conference on Business Informatics (CBI). DOI: 10.1109/CBI.2017.40.
Positive Research, 2012. Vulnerability Statistics for 2011. Positive Technologies. Available at: <https://www.ptsecurity.com/upload/corporate/ww-en/download/Vulnerability-Statistics-for-2011.pdf>. [Accessed on 25 Jun. 2020].
Stoneburner, G., Goguen, A., & Feringa, A., 2002. Risk Management Guide for Information Technology Systems – Recommendations of the National Institute of Standards and Technology (Special Publications). National Institute of Standards and Technology (NIST).
U.ae, 2020. Dubai cyber security strategy. Available at: <https://u.ae/en/about-the-uae/strategies-initiatives-and-awards/local-governments-strategies-and-plans/dubai-cyber-security-strategy>. [Accessed on 25 Jun. 2020].
