# I. INTRODUCTION

Author affiliations: 1 Department of Engineering Management, CASE, Islamabad, Pakistan; 2 Department of Mechanical Engineering, HITEC University, Taxila, Pakistan.

Information is considered an asset like other important business assets, and Information Security (IS) is a way of protecting information from a wide range of threats in order to ensure business continuity, minimize risk, and maximize return on investments and business opportunities [1, 2]. Over the years the use of Information Technology (IT) has increased massively in organizations and in society, and to cater for the ever-increasing requirement for information flow, information systems have become complex and multifaceted [4]. IT has made electronic communication and the internet necessary in all organizations. This necessity has brought efficiency, but also threats of hacking and intrusion, with it [5]. With all these advancements in the field of IT, the dependency of organizational business functionality on it has increased the requirement of securing organizational information from threats [3, 4, 6, 8]. Information security is a hard task to achieve. One of the prime reasons is that not much data related to information security management and threats to organizations' information is available, due to confidentiality [12]. Second, the costs associated with information security restrict organizations from implementing information security management systems [13]. Third, information security is not just a technical issue; it is more a managerial issue, and therefore it is also required to train employees about information security, without which attaining information security is impossible [6].
It has been proposed to implement information security management policy in such a way that it calculates the asset values first and then predicts the losses associated with them [10]. But so far the available quantitative risk assessment methods and tools are either expensive, or little information about their usability and performance is available [9]. Although operational risk management techniques are functional in many organizations, it is not possible to handle information risks from the perspective of operational risk management alone. It is therefore advised to combine information security management with operational risk management for a more economical solution [7]. The world's growing dependency on information technology systems and processes has made management of information technology risk a practical necessity [14]. Organizations adopt information security products, services, processes and tools which range from complex mathematical algorithms to expert risk management resources. Organizations are not sure about the optimal security quality and require cost-effective information security methods which can provide them optimal security at minimum cost. Knowledge sharing and collaboration of intra-organizational cross-functional teams for risk management is required for proper risk management strategies [15]. Management vision towards information security risk, and involving internal stakeholders in this task, is the need of the time. A more pragmatic reason is that the development of information security methods within organisations is rather an ad hoc process than a systematic one. This process generates new knowledge about information security risk management, constituting valuable organizational intelligence. Therefore, it is very important to have a systematic process which ensures that the acquired knowledge will be elicited, shared, and managed appropriately [12]. Codification and personalization are two strategies for information security.
Codification is the people-to-document strategy, ensuring that intranets and databases are loaded with best practices, case studies and guidance for people in their day-to-day work. Personalization is the people-to-people strategy, linking people to grow the network and the information security culture [16]. These two strategies establish the reusability of implemented processes and an information-sharing background in the organization. A credible and effective method for assessing the current state of information security in organizations is desirable. Good information about the current system is required for good decisions. Assessment of the current method would help in future improvement of the system, traded off against its implementation cost [17]. Information security of an enterprise has been defined in terms of a tree structure [18]. The structure was prioritized on an enterprise information security basis [19] to clarify the assessment scope and minimize the assessment cost. Finally, the credibility of the assessment results is addressed with a statistical approach combined with ideas from historical research and witness interrogation psychology [20].

# II. INFORMATION SECURITY RISK MANAGEMENT TOOL: COBRA TM

A number of standards are available on information security management systems, like ISO 17799, ISO 27001, the Control Objectives for Information and related Technology (COBIT), and those of the National Institute of Standards and Technology (NIST). These standards describe the requirements of information security in organizations. But so far, experts are required for information security implementation; their services are expensive, and the information security risk management process relies only on their judgment. Available tools are also expensive and generic. COBRA TM Risk Consultant is software which provides the following risk assessment features:

- Compliance with the ISO information security standards BS7799 and 17799.
- Support implementing an Information Security Management System in the organization and also assess the risk associated with organizational information.
- Quantitative risk assessment of information security threats.
- Supported with a built-in knowledge base which acts as a database for evaluating information security risks.
- Perform risk assessment and also suggest mitigation approaches.
- Assess the Business Continuity Plan of an organization against its profile.
- Provide comprehensive reports about information security risk.

Four knowledge bases are available to perform risk assessment, as shown in Fig. For the risk assessment a questionnaire has to be filled in by a respondent, which then generates a comprehensive report of the organizational risk.

# III. RESEARCH METHODOLOGY

This study was conducted to analyze the quantitative risks associated with the information of major banks operating in Pakistan and to study the security controls implemented for protecting their critical information. Two separate questionnaires were designed for the analysis of information security and its controls. The first questionnaire was developed using the built-in knowledge base from the High Level Risk Assessment section of the COBRA TM software. After reviewing the COBRA TM analysis, another questionnaire was designed to evaluate the management controls in these banks. The High Level Risk Assessment questionnaire was filled in by the information security auditors and by the higher management of these banks, to obtain their response about their implemented security policies and the impact on their information security management. The second questionnaire was filled in by five persons from various management levels of each bank, to check the management vision towards information security and the awareness of information security in these banks.
To perform the information security analysis, threats to information confidentiality, integrity, and availability were checked against the information security controls, i.e. management, technical, and operational controls.

# IV. QUANTITATIVE ANALYSIS OF COBRA TM QUESTIONNAIRE

COBRA TM asks questions to evaluate potential threats and security policies in an organization. To determine the high level risk related to the information of the organization, the questions were classified into four categories:

a. Availability
b. Business Impact Analysis
c. Confidentiality
d. Integrity

A few important questions of the COBRA TM software, along with their assigned points, are discussed below to observe its functionality.

# 1) Availability Questionnaire

In the availability section, the questions with the highest values are discussed in Table 1. The questionnaire pertaining to availability covers the business continuity plan, business redemption, and disaster recovery plan. In this section maximum points were given to the business continuity plan, because it ensures the continuity of critical business functions by providing methods and procedures for dealing with long outages and disasters. It is a broader approach in which continuity of the business during any disaster is ensured until that disaster is either curtailed or business operations return to normal. Physical access controls were also evaluated, because appropriate physical controls are necessary to eliminate potential losses and risks associated with information assets; weak physical access controls cannot prevent an intruder from causing harm to the information processing facility or information assets. Therefore, COBRA TM asks particular questions related to appropriate physical access control, not only to evaluate these controls for a better analysis of the security situation, but also to create awareness in management of the importance of these controls.
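The scoring scheme described in this section, together with the accepted-risk range and the recommended control split that the paper reports later, as an added worked model (not code from the paper or from COBRA TM): the per-answer points come from the questionnaire tables, the 0-19 accepted range and the 49.89/31.76/18.44 split are the values the paper reports, and the per-question summation and the sample answers are assumptions of this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Points for the confidence scale, as listed in the paper's questionnaire tables.
CONFIDENCE_POINTS: Dict[str, float] = {
    "100% confident": 0,
    "Fairly Confident": 0.5,
    "Comfortable": 1,
    "Not Really Confident": 20,
    "Concerned": 50,
}
# Each exposure the respondent marks as significant (fire, power failure,
# virus infection, hacking, ...) scores 20 points in the availability table.
EXPOSURE_POINTS = 20
# Accepted-risk range reported by the paper: totals above 19 count as high.
ACCEPTED_MAX = 19
# Control split the paper reports COBRA TM as recommending (percent).
SUGGESTED_SPLIT: Dict[str, float] = {
    "management": 49.89, "operational": 31.76, "technical": 18.44,
}


@dataclass
class SectionAnswers:
    """Responses to one questionnaire section (constructed sample data)."""
    confidence: Dict[str, str]                          # question -> scale label
    exposures: List[str] = field(default_factory=list)  # exposures marked significant


def section_score(answers: SectionAnswers) -> float:
    """Sum the points of a section. Summation is an assumption: the paper gives
    the per-answer points and the 0-19 accepted range but not the exact
    aggregation rule used inside COBRA TM."""
    total = 0.0
    for question, label in answers.confidence.items():
        if label not in CONFIDENCE_POINTS:
            raise ValueError(f"unknown scale label {label!r} for {question!r}")
        total += CONFIDENCE_POINTS[label]
    return total + EXPOSURE_POINTS * len(answers.exposures)


def classify(score: float) -> str:
    """Map a section total onto the accepted / high split the paper describes."""
    return "accepted" if score <= ACCEPTED_MAX else "high"


def labels_that_alone_exceed_threshold() -> List[str]:
    """Scale labels whose single selection already pushes a section past the
    accepted range; this is the paper's 'hard-coded low risk acceptance' point."""
    return [label for label, pts in CONFIDENCE_POINTS.items() if pts > ACCEPTED_MAX]


def control_gap(actual: Dict[str, float]) -> Dict[str, float]:
    """Percentage-point shortfall (positive) or surplus (negative) of each
    control family against the suggested split."""
    return {k: round(SUGGESTED_SPLIT[k] - actual[k], 2) for k in SUGGESTED_SPLIT}


# Constructed sample: every confidence answer at the second-best level, plus
# a single exposure flagged; this does not reflect any real bank's answers.
SAMPLE = SectionAnswers(
    confidence={
        "plan adequate for controlled recovery": "Fairly Confident",
        "contingency covers loss of key building": "Fairly Confident",
        "contingency covers loss of key personnel": "Fairly Confident",
    },
    exposures=["Power Failure"],
)
# Bank (A) control split as the paper reports it from Fig 5.
BANK_A_SPLIT = {"management": 26, "operational": 59, "technical": 15}

if __name__ == "__main__":
    s = section_score(SAMPLE)
    print(f"sample section score {s} -> {classify(s)}")
    print("labels that alone exceed the accepted range:",
          labels_that_alone_exceed_threshold())
    print("bank (A) gap vs suggested split:", control_gap(BANK_A_SPLIT))
```

Three second-best answers and one flagged exposure already total 21.5 and land in the high band, which is the effect the paper criticises.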
# 2) Business Impact Questionnaire

Business impact analysis is considered a functional analysis in which a team collects data through interviews and documentary resources. In the business impact analysis section, COBRA TM gave maximum points to questions which have direct and indirect impact on stakeholders and customers. The confidence of customers and of internal and external stakeholders in the business products and business management processes is essential for success. All these questions concern the unavailability of critical information to the business, in terms of customer and stakeholder confidence in the organization. COBRA TM also bifurcates the impact of losing critical information with respect to time, to establish the minimum time after which the organization would suffer the maximum disadvantage from losing that information. The confidence of the organization or management in its internal and external employees and stakeholders is considered a key to establishing proper information security checks.

# 3) Confidentiality Questionnaire

COBRA TM gives emphasis to questions related to physical and logical access controls, because in current scenarios, when companies face threats over the internet of security breaches and intrusion, lapses in these areas can harm the organization in terms of market reputation and profitability. Besides these, other important questions relate to the security structure and culture of the enterprise. Information security is based mostly on the culture of an organization. If in an organization every employee is aware of the information security requirements and policies, and has a good understanding of their responsibilities towards information security, the organization will have fewer threats of losing information.

# 4) Integrity Questionnaire

Integrity of information means protecting data and information resources from being altered in an unauthorized fashion.
The questions in the integrity section are assigned the scores shown in Table 4. In this section COBRA TM asks management about their confidence in the internal and external security checks implemented to protect data from unofficial changes. Organizations mostly have both external and internal threats to their information. The internal threat can lead to more catastrophic impact than the external one. Therefore it is important for the organization to have full confidence in the internal security controls and procedures for retrieving and adding data. If the internal procedures and processes for input and output of information have loopholes, then it is important to adjust and redefine these procedures and make them as firm as required for the integrity of information. As a result, organizations assign different privileges to users so that only designated officials can alter or process information. These controls help the organization in maintaining security checks and also give a sense of responsibility to the personnel authorized to make changes.

# 5) Bifurcation of Information Threats in COBRA TM

Besides the greater weight of some particular questions over others, COBRA TM has given equal score to availability, integrity and confidentiality of information, as shown in Fig 2, where all parts are given an equal share of 33%.

For bank (A) (Fig 4), the threat to information confidentiality of 51.23% showed that the information could be intruded upon. The threat to integrity of information of 52.37% means that information could be altered, or in some cases the completeness of information was questionable for the organization. The threat to availability of information in this bank was at 52.17%. The software suggested implementing security checks on data warehouses and physical data storage locations. Fig 5 shows the percentage of security controls in bank (A). It may be seen that management control is lower, at 26% against the suggested 49.89%.
Operational control is at 59%, where the suggested percentage is 31.76%. Technical control, at 15%, was lower than the suggested 18.44%. This showed that the bank's operational threats were catered for properly, whereas the implementation of information security policy was uncertain and there was a lack of information security awareness in the management functions.

For bank (B) (Figs 6 and 7), the threats to confidentiality of information were at 50.08%, indicating unauthorized access to data. Integrity was maintained well, with threats at only 1.32%. Threats to availability of information were reported at 51.05%, showing concern about information record keeping. A close review of the report showed that information integrity, related to information accuracy, was well maintained in the bank, but the other information security threats, confidentiality and availability, were quite high. These high levels of threat indicate the availability of critical information to unauthorized and unwanted individuals or to third parties. This can harm the reputation of the bank and ultimately affect its business. It may be seen that management control was lower, at 13%, showing high threats related to it. Technical and operational controls were optimal, at 18% and 69%. This showed improper management control in this bank. It led to a risk of improper information security policy and its implementation, information leakage by employees, an unsecure risk culture in the organization, and unawareness of information security.

For bank (C) (Figs 8 and 9), the threats to availability of information were highest at 54.67%, followed by integrity at 52.20% and confidentiality at 51.17%. These high threats showed that critical information was available to unauthorized and unwanted individuals or to third parties. This could harm the bank's reputation and ultimately its business. These high threats also showed vulnerability in the correctness, completeness, and protection of information from intrusion.
It may be seen that technical and management controls were lower, at 11% and 30%. Operational control was maintained properly, at 59%. Risks associated with management controls, like policy establishment and information security culture, could be higher in this bank.

For bank (D) (Figs 10 and 11), the threats to availability of information were highest at 52.15%, followed by integrity at 50.28%. Threats to confidentiality of information were reported at 11.48%. The high threats to availability and integrity showed that critical information was accessible for unauthorized changes; on the other hand, information was not available at the required time or was not managed properly. It may be seen that technical control is at 17% against the suggested 18%. Management control, at 23%, is lower than the suggested one. Operational control was being managed properly, as it was at 69% against the 31.76% suggested by the software. The management control at 23% showed a risk in policy establishment, a weak information security culture, and poor management vision towards information security.

Bank (E) provides microfinance services and acts as a catalyst in stabilizing the country's newly formed microfinance sector. The risk assessment done by COBRA TM is shown in Fig 12. The threats to availability of information were highest at 52.12%, followed by integrity at 51.33% and confidentiality at 50.26%. The high threats showed that critical information was accessible for unauthorized change. Information was not available at the required time or was not managed properly. Threats of unauthorized changes and to the completeness of information were also present.

The security controls implemented in all banks are evaluated in Fig 14. It can be seen that operational control in all banks was at 57%, followed by management control at 23% and technical control at 20%.
COBRA TM suggested 49.89% for management control, 31.76% for operational control, and 18.44% for technical control for optimal information security. The comparative analysis of proposed and actual percentages of control showed that operational control in all banks was well maintained. Technical control was also maintained properly. Management control, in all banks individually and in this consolidated report, was at the lowest percentage, 23%, showing that it is not up to the COBRA TM recommended mark of almost 50%. Therefore the risk associated with management control must be high in all banks according to the COBRA TM reports. The risks associated with management control are:

- Ineffective decision making
- Poor establishment of information security risk management policies/procedures
- Unawareness of information security related risks
- Weak information security culture
- Information security not a part of the overall business process
- Fraudulent system usage
- Reputational damage
- Lack of business continuity planning
- Information security not a part of strategic planning

# Consolidated Analysis of Management Controls

The second phase of the survey was accomplished by developing a specific questionnaire to evaluate the COBRA TM results. The questionnaire was divided into two sections. The first section was about the management vision towards information security. The second section was about information security awareness and information security culture in the banks. A specific value was assigned to all the questions to obtain a quantitative analysis of the banks' management control. To check the maturity level of management control in these banks, the overall score of the questionnaire lay between -20 and 20. The maturity of management control was further classified into four levels, shown in Fig 15. The management controls in all banks are at the solid level, with a range from 5.4 to 7.5.
The maximum management control is in bank (D) at 7.5 and the lowest in bank (B) at 5.4. Bank (A) is at 5.9, followed by bank (C) and bank (E) at 6.7 and 6. COBRA TM gave a comprehensive information security risk analysis report, but a few shortcomings of this tool are:

- Risk rating is not established properly in COBRA TM; e.g. fire causes more damage to information/infrastructure than the malfunctioning of any hardware, yet COBRA TM has given the same score to such cases.
- For risk assessment it is recommended to do the asset evaluation of all the tangible and intangible assets of the organization. COBRA TM does not evaluate the individual asset values of the organization in the high level risk assessment. Due to this, in case of any loss the accurate financial loss cannot be predicted through this software.
- In the risk assessment process, the range of accepted risks in COBRA TM is very low, from 0-19 score; any score above 19 is treated as a high expectancy of threat to the organization. One drawback of this hard-coded low risk acceptance is that the risk level of all organizations mostly falls at 50% and above, which in a real scenario is an exceptionally high risk for any organization. Secondly, a prediction of which organizations would prefer quantitative tools over qualitative assessment tools is not obtainable.
- COBRA TM risk assessment reports cover a lot of information security risk areas and also indicate the requirement for security improvement in the exact areas, but do not state the exact measures to mitigate them.
- Awareness of information security requirements among all employees of the organization is the essence of an information security management system. As per NIST [9], employees are a bigger threat to organizational information than any other attack. COBRA TM ignores that in the High Level Risk Assessment domain.
- Re-assessment of the COBRA TM results by conducting the second survey showed substantial differences; for instance, in the COBRA TM reports the level of management control implementation in all banks was between 13% and 30%, whereas in the re-assessment survey this range was between 50% and 75%.
- Besides all these drawbacks, COBRA TM still facilitates management in the identification of information security risks.

# VII. FUTURE WORK

An information security risk management framework is needed which would cover information security governance and show results related to the information security controls, so that organizations can focus on and improve the deficient areas of information security management.

# VIII.

Figures (captions only; the images are not included in this extract):

Fig 1: COBRA TM front-end
Fig 2: Bifurcation of C.I.A in COBRA TM
Fig 3: Bifurcation of security controls in COBRA TM
Fig 4: Bank (A) information security risk report
Fig 5: Bank (A) information security controls report
Fig 6: Bank (B) information security risk report
Fig 7: Bank (B) information security controls report
Fig 8: Bank (C) information security risk report
Fig 9: Bank (C) information security controls report
Fig 10: Bank (D) information security risk report
Fig 11: Bank (D) information security controls report
Fig 12: Bank (E) information security risk report
Fig 13: Bank (E) information security controls report
Fig 14: Information security control in all banks
Fig 15: Maturity line for management control
Table 1: Availability questionnaire (columns No, Availability, Answer, Scr; the table layout was lost in extraction). The questions ask whether a formal and workable Business Continuity Plan is in place; how confident the respondent is that the plan ensures controlled recovery within the specified time frames; when the plan was last tested; whether contingency arrangements for all key components are reasonable; how confident the respondent is in continuance and recovery from the loss of a key building or of key personnel; which exposures are significant (fire/flooding/explosion, hardware/equipment malfunction, media/other, power failure, software error, infection by computer virus, hacking/electronic sabotage, loss of 3rd party service, loss of comm/network service, operator error/sabotage, industrial action by key staff, other threat); whether back-up and recovery measures for loss of critical data and serious software error are in place; and whether physical access controls for areas holding sensitive information are appropriate. Confidence answers are scored 100% confident 0, Fairly Confident 0.5, Comfortable 1, Not Really Confident 20, Concerned 50; each significant exposure scores 20.

Then a hierarchy of business functions is developed and a classification scheme is applied to indicate the criticality level of each individual function. Questions from the Business Impact Analysis are shown in Table 2.

Table 2: Business Impact questionnaire (columns No, Business Impact, Answer, Scr; layout lost in extraction). The questions ask how quickly, in the worst case with no backup, unavailability would have a significant impact on current/future revenues and direct financial losses, on customer, shareholder, public or departmental confidence, and on contractual, regulatory or legal obligations (2 hours, 24 hours, 7 days, 1 month, never); the total revenue of the function during the last financial year and the highest likely financial value throughput per day (banded, scored 0 to 20); which types of function are performed (financial accounting, trading/dealing, payroll, management info/support, research, manufacturing, infrastructure support, retail, other); how many other internal systems depend on this one (minor, significant or total dependency); and the worst impact of disclosure of key information to competitors, or of loss of its integrity, in terms of financial loss, confidence and obligations (None, Moderate, Significant, Substantial, Critical).
Table 4: Integrity questionnaire (columns No, Integrity, Answer, Scr; layout lost in extraction). The questions ask how confident the respondent is that there is no significant risk of serious error being introduced during input of important data, of intentional unauthorized manipulation of input by internal and external parties, or of serious error via program error or malfunction (each scored 100% confident 0, Fairly Confident 0.5, Comfortable 1, Not Really Confident 20, Concerned 50); whether controls to prevent unauthorized modification of program source code are appropriate (Certainly 0, Okay 0.5, Cause of Concern 20, Major Problem 50); and whether logical access controls are sufficient to protect sensitive data from unauthorized external access (No weakness 0, Minor weakness 0.5, ...).

2. Management control of all banks lay at the solid level. It was not at the superior level in any of the banks. At the solid level an organization has achieved the following management controls:
- Information security policy is being rolled out
- Supporting standards and procedures are being developed

# REFERENCES

[1] ISO/IEC FDIS 17799:2005(E), Information technology - Security techniques - Code of practice for information security management.
[2] ISO/IEC FDIS 27001:2005(E), Information technology - Security techniques - Information security management systems - Requirements.
[3] Thomas Nowey and Hannes Federrath, "Collection of Quantitative Data on Security Incidents", IEEE, 2007, 0-7695-2775-2.
[4] Daniel Port, Rick Kazman and Ann Takenaka, "Strategic Planning for Information Security and Assurance", Department of Information Technology Management, University of Hawaii, IEEE, 2008, 978-0-7695-3126-7.
[5] Fong-Hao Liu, "Constructing Enterprise Information Network Security Risk Management Mechanism By Using Ontology", IEEE, 2007, 0-7695-2847-3.
[6] Ching-Jiang Chen and Ming-Hwa Li, "Secconfig: A Pre-Active Information Security Protection Technique", IEEE, 2008, 978-0-7695-3322-3.
[7] Gereon Strauch, Christian Buddendick and Heinz Lothar Grob, "Applications for IT-Risk Management - Requirements and Practical Evaluation", IEEE, 2008, 0-7695-3102-4.
[8] Wade H. Baker and Linda Wallace, "Is Information Security Under Control? Investigating Quality in Information Security Management", IEEE, 2007.
[9] ENISA (European Network and Information Security Agency), "Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools", 2006.
[10] Julie J. C. H. Ryan and Daniel J. Ryan, "Performance Metrics for Information Security Risk Management", IEEE, 2008, 1540-7993.
[11] Xiao Long, Qi Yong and Li Qianmu, "Information Security Risk Assessment Based On Analytic Hierarchy Process and Fuzzy Comprehensive", IEEE, 2008, 978-0-7695-3402-2.
[12] K. Papadaki and D. Polemi, "Towards a systematic approach for improving information security risk management methods", Proc. 18th Annual IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC), 2007.
[13] Thomas Finne, Abo Akademi University, Institute for Advanced Management Systems Research (IAMSR), "A DSS for Information Security Analysis: Computer Support in a Company's Risk Management", IEEE, 1996, 0-7803-3280-6.
[14] Symantec, "IT Risk Management Report 2: Myths and Realities", 2008.
[15] J. Brown and P. Duguid, "Knowledge and organization: A social-practice perspective", Organization Science 12, 2001.
[16] K. C. Desouza, Y. Awazu and P. Baloh, "Managing Global Software Development Efforts: Issues and Practices", 2006, 23.
[17] M. Ekstedt, "Consistent Enterprise Software System Architecture for the CIO - A Utility-Cost Approach", Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS), 2004.
[18] E. Johansson, "Assessment of EIS - An ATD Definition", Proceedings of the 3rd Annual Conference on Systems Engineering Research (CSER), March 23-25, 2005.
[19] E. Johansson, "Assessment of Enterprise Information Security - The Importance of Prioritization", Proceedings of the 9th IEEE International Annual Enterprise Distributed Object Computing Conference (EDOC), Enschede, The Netherlands, September 19-23, 2005.
[20] B. Edvardsson, "The Need for Critical Thinking in Evaluation of Information", Proceedings of the 18th International Conference on Critical Thinking, Rohnert Park, USA, 1998.