IT risk assessment and penetration test: Comparative analysis of IT controls verification techniques

Abstract

The ongoing digitalization in the business world has led to a situation where information technology security forms an integral part of all enterprises. The need for comparable and measurable methods has resulted in the development of numerous standardized activities that can be undertaken in order to estimate the exposure to existing threats. In this paper, we present various approaches to the verification, evaluation and confirmation of the operational effectiveness of security controls implemented in complex IT systems. Individual techniques are represented by IT risk assessments and penetration tests. We analyze them from a theoretical perspective, and present records of case studies conducted. As a result, we are able to verify how these activities can be applied in real-world IT environments. The results of our work mean we can conduct further investigation into finding the optimal approach to the problem of ensuring sufficient security whilst preserving an acceptable risk-business trade off.