### **3.1 Vulnerability**

It is defined as a software- or hardware-level weakness in the entities of IT systems which may allow an attacker to reduce the information assurance of the entities and the underlying network [14]. In other words, it is the source of a known problem that opens the door for a potential attack on the IT infrastructure. For example, if the managers of an organization mistakenly do not disable an ex-employee's access to resources and processes, such as logins to internal systems, this leads to unexpected threats to the IT infrastructure. In most cases, vulnerabilities are exploited intentionally or unintentionally by inside or outside users of the IT systems and have a severe impact on the organizational assets. Hence, identifying weak points in the entities of IT systems is the first step in managing the risk of the IT infrastructure to ensure the reliability, robustness, efficiency, and security of IT resources.

### **3.2 Exposure**

It is defined as the state or condition of a system being unprotected and open to the risk of suffering the loss of information [15]. In general, the exposure of an entity may be a malicious piece of code, commands, or open-source tools that may potentially cause system configuration issues. This, in turn, may allow attackers to track the business process flow, gather critical information and, ultimately, gain access to the whole IT infrastructure. For an attacker, determining exposure is the primary objective when discovering a vulnerability in the IT systems. Generally, the exposure of an entity in the IT systems is represented as the ratio of the potentially unprotected portion of the entity to the total entity size.

### **3.3 Threat**

Threats are potential events for vulnerabilities that might lead to exposure of the network and adversely impact the organizational assets [16]. A threat has the potential of causing small to even severe damage to the IT infrastructure of organizations. The source or root of a threat can be natural, intentional or unintentional. Natural threats can be catastrophes such as floods, cyclones, earthquakes, etc. Unintentional threats, on the other hand, can be mistakes made by employees of organizations, such as accessing the wrong resources. Intentional threats are created by attackers by flooding malicious code over the network in the form of spyware, malware, worms, viruses, etc. Most recently, on Oct 24, 2019, ransomware and DDoS attacks brought down major banks in South Africa, including Johannesburg, with a demand for a ransom of four Bitcoins, equivalent to about R500,000 South African Rand or \$37,000 USD [17]. The vulnerability and exposure of an entity are used to determine its threat value.

### **3.4 Risk**

It is defined as an uncertain incident created as a result of a system malfunction which in turn has a severe impact on organizational assets and business objectives [18]. In general, risk is a qualitative measure of a potential security threat and its impact on the network [19]. In other words, risk is defined as the potential for harm to an organization's resources when a vulnerability is exploited by a threat. For example, the risk may include loss of privacy, financial loss, legal complications, etc. Hence, the overall risk of the IT systems is assessed by analyzing the vulnerability, exposure, and threat of the different entities in the IT infrastructure.

Risk assessment plays a key role in making and implementing effective business decisions by proactively identifying potential problems at different managerial and technical levels. Risk management, therefore, can follow the necessary remediation steps to overcome the severity of these problems [20].

### **4. Steps for IT risk assessment**

An effective IT risk assessment process in an organization comprises the following major steps or phases. These steps are similar to the steps illustrated in the work [21]. However, we have considered the sub-phases of the evaluation phase, that is, identifying vulnerabilities, determining exposure and determining threat, as separate phases in our work since these steps are equally important compared to the other phases. The risk assessment process follows a life cycle with these steps or phases, as shown in **Figure 1**, aiming to eliminate or minimize the level of risk in the IT infrastructure.

**Figure 1.**
*Risk assessment life cycle in IT infrastructure.*

### **4.1 Step 1: Evaluation**

In this phase, the critical resources that may have potential vulnerabilities and face threats must be understood and identified. The critical resources include the process flows, enterprise information, and assets in the IT infrastructure that are important for the functioning and security of the business. This, in turn, helps in understanding the consequences of critical information loss and in decision making regarding the resources that need to be protected.

### **4.2 Step 2: Identifying vulnerabilities**

In this phase, the inherent vulnerabilities in the entities of IT systems that pose potential threats to the organizational assets and business processes are reviewed, identified and listed. This includes both software- and hardware-level vulnerabilities of the IT infrastructure. The list of vulnerabilities must carry detailed information such as type, impact, measure, etc.

### **4.3 Step 3: Determining exposure**

In this phase, the exposure of the entities in the IT systems that may face potential threats from different attacks is determined and reported. Generally, the exposure of an entity in the IT systems is computed as the ratio of the potentially unprotected portion of the entity to the total entity size.

*Risk Assessment in IT Infrastructure*

*DOI: http://dx.doi.org/10.5772/intechopen.90907*
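As an added illustration of steps 1 to 3 (example code, not from the chapter), the following Python sketch models an inventory of entities with a critical flag, records each listed vulnerability with its type, impact and measure, and computes the exposure ratio of every critical entity, reporting the most exposed first. Using "hosts" as the size unit, "hosts that lack the relevant control" as the unprotected portion, and all sample values are assumptions made here.

```python
from dataclasses import dataclass, field

@dataclass
class Vulnerability:
    # Step 2 records type, impact and measure for every listed weakness.
    name: str
    vtype: str     # "software" or "hardware"
    impact: str    # qualitative impact on the asset
    measure: str   # control or remediation planned for it

@dataclass
class Entity:
    name: str
    critical: bool      # Step 1: does the business depend on it?
    total_size: int     # size unit is assumed here: number of hosts
    unprotected: int    # assumed: hosts that lack the relevant control
    vulnerabilities: list = field(default_factory=list)

def exposure(entity: Entity) -> float:
    """Step 3: ratio of the unprotected portion to the total entity size."""
    if entity.total_size <= 0:
        raise ValueError(f"{entity.name}: total size must be positive")
    if not 0 <= entity.unprotected <= entity.total_size:
        raise ValueError(f"{entity.name}: unprotected portion out of range")
    return entity.unprotected / entity.total_size

def assess(inventory: list) -> list:
    """Run steps 1-3 over an inventory; critical entities, most exposed first."""
    report = []
    for e in inventory:
        if not e.critical:      # Step 1: non-critical resources are left out
            continue
        report.append({
            "entity": e.name,
            "vulnerabilities": [(v.name, v.vtype, v.impact, v.measure)
                                for v in e.vulnerabilities],   # Step 2
            "exposure": round(exposure(e), 3),                 # Step 3
        })
    return sorted(report, key=lambda r: r["exposure"], reverse=True)

# Constructed sample inventory (not real data).
INVENTORY = [
    Entity("payroll-db", True, 4, 1,
           [Vulnerability("unpatched DBMS", "software", "data loss", "apply patch")]),
    Entity("web-frontend", True, 10, 4,
           [Vulnerability("old TLS library", "software", "data leak", "upgrade"),
            Vulnerability("no hardware RNG", "hardware", "weak keys", "add HSM")]),
    Entity("dev-sandbox", False, 3, 3),
]
```

Calling `assess(INVENTORY)` returns the two critical entities with web-frontend (exposure 0.4) ahead of payroll-db (0.25); the non-critical sandbox is filtered out in step 1.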
