*Security and Privacy From a Legal, Ethical, and Technical Perspective*

**3.2 Exposure**

It is defined as the state or condition of a system being unprotected and open to the risk of suffering the loss of information [15]. In general, the exposure of an entity may be a malicious piece of code, commands, or open-source tools that may potentially cause system configuration issues. This, in turn, may allow attackers to track business process flow as well as to gather critical information, and can ultimately lead to gaining access to even the whole IT infrastructure. Determining exposure is the primary objective of an attacker when discovering a vulnerability in the IT systems. Generally, the exposure of an entity in the IT systems is represented as the ratio of the potentially unprotected portion of the entity to the total entity size.

**3.3 Threat**

Threats are potential events that act on vulnerabilities and might lead to exposure of the network and adversely impact the organizational assets [16]. A threat has the potential of causing small to even severe damage to the IT infrastructure of organizations. The source or root of threats can be natural, intentional, or unintentional. Natural threats can be catastrophes such as floods, cyclones, earthquakes, etc. On the other hand, unintentional threats can be mistakes made by employees of organizations, such as accessing the wrong resources. Intentional threats are created by attackers by spreading malicious code over the network in the form of spyware, malware, worms, viruses, etc. Most recently, on Oct 24, 2019, Ransomware and DDoS attacks brought down major banks in South Africa, including Johannesburg, with the attackers demanding a ransom of four Bitcoins, equivalent to about R500,000 South African Rand or \$37,000 USD [17]. Vulnerability and exposure of an entity are used to determine its threat value.

**3.4 Risk**

It is defined as an uncertain incident created as a result of a system malfunction that in turn has a severe impact on organizational assets and business objectives [18]. In general, the risk is a qualitative measure of a potential security threat and its impact on the network [19]. In other words, the risk is defined as the potential for harm to an organization's resources when a vulnerability is exploited by a threat. For example, the risk may include loss of privacy, financial loss, legal complications, etc. Hence, the overall risk of the IT systems is assessed by analyzing the vulnerability, exposure, and threat of different entities in the IT infrastructure.

Risk assessment plays a key role in making and implementing effective business decisions by proactively identifying potential problems at different managerial and technical levels. Risk management, therefore, can follow the necessary remediation steps to overcome the severity of these problems [20].

**4. Steps for IT risk assessment**

step to managing the risk of the IT infrastructure to ensure reliability, robustness, efficiency, and security of IT resources.

An effective IT risk assessment process in an organization comprises the following major steps or phases. These steps are similar to the steps illustrated in the work [21]. However, we have considered the sub-phases of the evaluation phase, that is,

**4.1 Step 1: Evaluation**

In this phase, the critical resources that may have potential vulnerabilities and face threats must be understood and identified. The critical resources include the process flows, enterprise information, and assets in the IT infrastructure that are important for the functioning and security of the business. This, in turn, helps in understanding the consequences of critical information loss and in decision making regarding the resources that need to be protected.