This paper examines risk and vulnerability analysis within the context of the U.S.-VISIT program, a Department of Homeland Security initiative that collects and manages biometric data for border security purposes. The paper defines core concepts of risk and vulnerability, outlines a four-category threat identification framework, and compares threat identification to cause analysis processes. It then presents best risk management practices using the Prevention, Preparedness, Response, and Recovery (PPRR) model, a risk probability matrix for prioritizing threats, and a set of mitigation measures including encryption, personnel training, authentication controls, and policy reform.
Risk can be defined as a prediction of future events and their outcomes and consequences. Initially, as these predictions are being made, there is no guarantee that the events will actually occur. At this point, it becomes vital to apply probabilities in order to determine the likelihood of an event occurring. Risk analysis, therefore, is a process of describing the risks involved in any situation or organization. Vulnerability, on the other hand, tends to focus more on the consequences an event will have on the organization if it does occur. It combines the aspects of uncertainty of the event and the consequences that come with it (Lewis, 2006).
U.S.-VISIT is a program within the Department of Homeland Security (DHS) that enhances the department's mandate of providing security to the citizens of the United States. U.S.-VISIT's main objective is to provide biometric services to other departments and institutions at the federal, state, and local government levels. These biometric services include digitized photographs and fingerprints. This information is primarily retrieved from entry points into the country, such as airports, and from visa-issuing offices around the world. With this information at hand, immigration offices can determine the eligibility of international travelers to be issued an American visa. This process is important in preventing identity theft and denying criminal elements access to the U.S. Moreover, it becomes easier to identify individuals who may be staying in the U.S. illegally or have overstayed beyond the time they were granted permission to remain. The U.S.-VISIT program is therefore crucial, as the information it provides to various departments assists in decision-making and the development of relevant policies (Homeland Security, 2012).
Since this program holds sensitive and private information, it is highly susceptible to privacy-related risks (DHS, 2004). These threats have been identified and categorized into four major groups, as shown in the table below.
Table 1: Risks to the Privacy of Information at U.S.-VISIT
Unintentional threats (posed by insiders): These may include mistakes in the design of information systems, their development, configuration, and operation. Errors are also committed by employees of the various institutions that store this information. This may occur physically — for example, when an employee leaves documents in a visible location, allowing confidential information to fall into the wrong hands.
Intentional threats (from insiders): Actions involving the incorrect use of authority and disregard of regulations. These may include browsing for confidential information or deleting information from a workstation.
Intentional and unintentional threats from authorized outsiders: These threats include misuse of authority to access confidential information with malicious intent, and circumventing procedures to gain access to information systems without proper authorization. Flaws in policies and system errors can also lead to unintentional access to confidential information.
Intentional threats from unauthorized outsiders: Threats may be electronic, personnel-based, or physical in nature. These include theft of information equipment, hacking, tapping of communications, and social engineering.
Source: U.S.-VISIT Program, Increment 2: Privacy Impact Assessment; In Conjunction with the Interim Final Rule of August 31, 2004.
The threats indicated in Table 1 were identified through the process of the information life cycle. At all stages of the cycle — collection, use, processing, and destruction — issues are analyzed and threats to privacy identified (DHS, 2004).
Operational risks mainly focus on failures within an organization that are intentionally committed. For example, a hacker can cause an interruption in the ICT system within an organization, leading to losses and security threats. Intertwined with this is cause analysis, which is closely related to the threat identification process. Figure 1 below provides a comparison of the two processes.
Figure 1: A Comparison of the Threat Identification Process and the Cause Analysis Process
Threat identification process: Discussion of uncertainties → Discussion of probabilities → Probability assignment → Identification of scenarios
Cause analysis process: Discussion of causes → Discussion of scenarios → Uncertainty assessment → Information gathering
It is also crucial to analyze the resources at an attacker's disposal. This should include the resources needed by the attacker to carry out a specific attack, an in-depth intelligence profile of who the most likely attackers are, what motivates them, and the knowledge and technical expertise necessary to execute the attack. For the risk analysis team responsible for U.S.-VISIT, this information would be helpful in effectively allocating the required measures to avert any leakage of classified information. Finally, it is important for an organization to analyze its internal structures and operations with the aim of identifying the measures in place to prevent attacks and assessing the preparedness of personnel and systems to respond to possible threats (Aven, 2008).
Risk management, if carried out properly, can help reduce the occurrence of undesirable events. This can be achieved through four distinct steps: Prevention, Preparedness, Response, and Recovery (PPRR). The first two steps involve the actions an organization takes before a crisis occurs in order to prevent it from happening in the first place. The response phase encompasses the actions taken by the organization during a crisis to ensure that its processes return to normalcy. Finally, the recovery process involves the steps taken to ensure operations return to their previous state — or an even better one (Johansson, 2007).
Figure 2: Risk Management Using PPRR
Prevention: Actions to prevent a risk event — taken before a risk event occurs.
Preparedness: Measures set in place to prepare for a risk event — taken before a risk event occurs.
Response: Steps taken to deal with the occurrence of a risk event — taken during a risk event.
Recovery: Actions to ensure a return to normalcy — taken after a risk event.
"Grading threats by impact and probability matrix"
"Controls, encryption, training, and policy reforms"
Always verify citation format against your institution’s current style guide requirements.