
SECURITY RISK MANAGEMENT MODEL

Journal: FBIM Transactions (Vol.VII, No. 2)

Publication Date:

Authors : ; ; ;

Page : 52-58

Keywords : identification; security risk; security measures; strategy;


Abstract

Many models for managing security risks have been developed worldwide. This thesis presents one such developed model, which has eight phases. The phase “Business System Identification” should identify all objects of a business system, the activities carried out within it, and its employees, because any of these can potentially be jeopardized by a threat. It is therefore necessary to estimate why and how a potential unpredictable event could influence the business system and all of its resources, and to determine whether a potential unpredictable event that could cause a certain threat would cause damage the business system must not allow, or whether that specific potential event is irrelevant to it. In the phase “Threat Estimation”, potential specific threats and the situations in which they may occur are predicted. The security risk estimation is not made in this phase; instead, the information and instructions that will be used for the estimate are gathered. “Vulnerability Estimation” is the phase of the security risk management model in which the strengths and weaknesses of the business system should be recognized in relation to the security measures that protect the system from surrounding influences. In the next phase, the security risk estimate is made. All available, relevant (direct and indirect) security-related information is combined in order to identify the potential influence of a threat on the business system and the probability of its occurrence, i.e. to obtain the current level of security risk. In the phase “Security Measures and Strategies”, security measures and strategies are developed and created so that their application reduces the probability that a security risk occurs and reduces its harmful (dangerous) influence. In the phase “Decision Making”, decisions must be made about priorities, logistics support, timelines, financials, etc. This phase is carried out in three steps: (1) procedures for reducing the security risk to an acceptable level, (2) priority setting, and (3) approval of financials and necessary resources. After this phase, the model proceeds to the preparation and implementation of the developed security measures. Finally, everything done is evaluated, any necessary corrections are made, and preparations are made for the future modernization of security measures and strategies.

Last modified: 2019-10-15 21:52:49