This essay has been submitted by a student. This is not an example of the work written by professional essay writers.

Information security risk management essay

Introduction

Information security risk management refers to the handling of risks associated with the use of information technology (Blakley, 2001). It has come to prominence in light of the global increase in cyber-crimes such as hacking, identity theft, copyright infringement, click fraud, advance fee fraud and computer viruses. The sole purpose of carrying out information security risk management is to enable the business organization to handle these risks to the confidentiality and integrity of its information. However, this should be done with regard to the organization’s overall risk tolerance (Bulgurcu et al., 2010). The thesis of this paper is to analyze the subject of information security risk management and its consequent effect on the organization’s assets.

Literature review

Through the years, numerous security approaches have been developed to help in managing information system security and ensuring the chances of a security breach are reduced. Sotnikov (2018) describes information security risk management as the identification and evaluation of risks to the organization’s information and data.

An information technology project is considered successful if it satisfies stakeholders’ requirements such as efficiency, security, reliability, maintainability, functionality, and ease of integration (Powell & Kelin, 1996). According to Bandyopadhyay (1999), risk management involves a series of steps aimed at helping software teams manage these risks. The steps focus on the following aspects of information security:

1. Identification

At this stage, the main aim is to develop an understanding of the cyber-security threats to the system’s assets, including its data systems and any other asset whose confidentiality, integrity, or availability, if interfered with, would have a great impact (Bulgurcu et al., 2010). It is also important to identify weaknesses, such as software vulnerabilities, and strengths that would help mitigate security risks. During the identification stage, the various threats to the organization’s system must be identified; Rapid7 (2018) refers to this as threat modeling. It adds relevance by relating risks to previously known threats and the ways in which those threats would bring about risks. The last step in identification is identifying the various control measures already in place against those risks.

2. Risk assessment

This process consists of establishing the criteria under which the evaluation will take place. It is the process of gathering information about assets, their weaknesses, and the controls that are in place to deal with the risks (Bulgurcu et al., 2010). The probability of each risk is then obtained, which helps in selecting proper risk treatment.

3. Treatment

This refers to the process of handling the threats that have been identified. In the treatment stage, possible countermeasures are identified. The organization is then required to select the proper treatment options. These may include:

  • Remediation

It is the implementation of measures aimed at fixing the underlying risks. This often aims at completely fixing the source of the risk.

  • Mitigation

This often involves the steps taken to reduce the likelihood or the impact of a risk. It does not entirely fix the problem.

  • Transference

It is advisable that the organization transfer the risk to a different entity so that it recovers the costs incurred should the risk be realized. This may include employing insurance companies to supplement risk reduction.

  • Risk acceptance

An organization may decide not to fix a risk. This may arise in cases where the risk is low and the time and cost of fixing it exceed the cost the organization would incur if the risk were to occur. For instance, a complex vulnerability on a server containing less critical information may well be left unfixed.

  • Risk avoidance

This is the removal of all exposures to a certain risk. It can be done by transferring sensitive data to other servers. This will protect the sensitive data from getting compromised.

4. Communication

This stage involves communicating the information concerning the risk and the measures that were taken against it. This informs the stakeholders of the costs of treating the risk and of the consequences that would result if it were not addressed. It helps to ensure responsibility and accountability on the part of the individuals and teams responsible for information security risk management.

5. Recovery

Recovery is often an ongoing process and always depends on the treatment plan that was adopted; for instance, the treatment plan adopted may require the implementation of a control that needs constant monitoring.

The following flowchart shows the different steps in information security risk management.

According to an article by Rapid7 (2018), new information security risks arise every day, and organizations may face various types of risk, especially because of the dynamic changes in the world. It is because of these uncertainties that organizations are encouraged to manage these risks properly, to avert the impact on present and future corporations (Salm, 2004). It is also important to note that these risks may differ between the internal and external environments of the organization.

Discussion

To manage risks effectively, organizations should evaluate the probability of the events that pose a threat to the information technology environment and the potential impact of each risk (Kankanhalli et al., 2009). The best methodological approach to information security threats such as hacking, or primarily unauthorized system access by internal personnel, would be a qualitative risk assessment strategy. This method can identify most risks under normal conditions (Alberts et al., 2002). To gather information about threats to information security properly, the data would be obtained by carrying out a quantitative assessment. According to Leal (2018), this approach to risk evaluation emphasizes facts and computable information. This is usually done by expressing the risk values in monetary terms. For this reason, quantitative risk analysis can be used outside the context of the assessment (Leal, 2018).

So any control measure that could be implemented (e.g. patch management and backup) and that would cost less than that risk value would be profitable (Zhang, 2010). However, in most cases quantitative assessments do not get adequate data to analyze, and the numerous variables make the analysis unrealistic. From these findings, a program to guard against these threats should be developed.

The initial step in coming up with an effective information security risk management program would be to comprehend the business conditions of the organization, such as budget considerations, the workforce and the complexity of its business processes. It is important to take into account the business’s risk profile and the extent of risk the business is able to accept in the course of achieving its objectives (Kankanhalli et al., 2009). This can be carried out by issuing a questionnaire, with the sample drawn randomly from the members of staff in the organization.

Secondly, the organization needs to define the information security management program. This can be done by drawing up an annual plan (Maguire, 2002). The prescriptive annual plan should be adjusted annually so as to accommodate the constant changes in business conditions and activities. At this stage, it is important to clearly define the organization’s goals regarding information security, so as to understand the capabilities the organization expects from the program once it is executed. Proper staffing also plays an important part in the execution of a risk management program. It is, therefore, essential to evaluate the availability of staff with relevant qualifications to ensure all the objectives are met.

The next step would be to understand the functional capabilities and controls related to IT security and risk management (Bandyopadhyay et al., 1999). The governance model will determine the people responsible for each area of the information security strategy.

The following tools can be used to define the metrics used to assess the suitability of the Information Security Risk Management (ISRM) approach. According to Sotnikov (2018), the ISRM strategy should comply with industry regulations and standards including COBIT, the International Organization for Standardization (ISO) 27000 series and the National Institute of Standards and Technology (NIST) 800 series. This will ensure that the ISRM program has all the necessary functions and capabilities. KPIs should be used to measure the effectiveness of the functions and capabilities achieved through the ISRM program (Humphreys, 2008). These KPIs should be based on the potential impact on the business and the point-of-arrival guidelines. This is done by assigning monetary values where possible. According to Humphreys (2008), in order to express the risks as monetary values, the organization should make use of the following formula:

LE = SLE × RO

where:

SLE (single loss expectancy) is the value of the expected loss incurred each time the risk occurs;

RO (rate of occurrence) is the frequency with which the risk occurs in a year;

LE (loss expectancy) is the money expected to be lost annually.

The method gives a very precise risk value and, from it, the maximum capital input at which risk management remains worthwhile, since it still remains profitable to the business. For instance, consider a database whose value is USD 3.5 million (Humphreys, 2008). Statistics from manufacturers predict that an attack on such a database, say due to cyber-crime, happens once every decade (RO = 1/10 = 0.1).

Therefore, LE = 4.0 × 0.1 = USD 400.

The shareholders need to be informed about the security posture of the security risk management strategy within the context of the business (Ernest Chang & Ho, 2006). From this example, this means the organization risks undergoing losses of up to USD 700K in the event of attacks on its servers.
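Carrying the LE = SLE × RO formula through in code, as an added example that is not part of the original essay: it computes the loss expectancy for a small constructed asset register and applies the Discussion’s rule that a control is worth funding only when its annual cost is below the loss expectancy it removes. The `Risk` and `Control` classes, the figures and the control names are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk to one asset, using the essay's symbols (SLE, RO, LE)."""
    name: str
    sle: float  # single loss expectancy: loss per occurrence, in USD
    ro: float   # rate of occurrence: expected events per year

    def loss_expectancy(self) -> float:
        """LE = SLE * RO: the money expected to be lost annually."""
        return self.sle * self.ro


@dataclass(frozen=True)
class Control:
    """A candidate control (e.g. patch management or backup) for a risk."""
    name: str
    annual_cost: float  # yearly cost of running the control, in USD
    residual_ro: float  # rate of occurrence once the control is in place


def annual_benefit(risk: Risk, control: Control) -> float:
    """Loss expectancy removed by the control: LE before minus LE after."""
    residual = Risk(risk.name, risk.sle, control.residual_ro)
    return risk.loss_expectancy() - residual.loss_expectancy()


def control_is_profitable(risk: Risk, control: Control) -> bool:
    """The Discussion's rule: fund a control only if it costs less than the
    loss expectancy it removes; otherwise consider acceptance or transfer."""
    return control.annual_cost < annual_benefit(risk, control)


# Constructed asset register and control options (illustrative figures only).
RISKS = {
    "database breach": Risk("database breach", sle=3_500_000.0, ro=0.1),
    "web server defacement": Risk("web server defacement", sle=50_000.0, ro=0.5),
}
CONTROLS = {
    "database breach": Control("patch management + backup", 120_000.0, 0.02),
    "web server defacement": Control("web application firewall", 40_000.0, 0.1),
}


def funding_decisions() -> dict:
    """Map each risk to (LE, benefit of its control, fund?) for stakeholder reporting."""
    return {
        key: (r.loss_expectancy(), annual_benefit(r, CONTROLS[key]),
              control_is_profitable(r, CONTROLS[key]))
        for key, r in RISKS.items()
    }
```

With these constructed figures the database control removes USD 280K of annual loss expectancy for USD 120K and is funded, while the web firewall costs more than the USD 20K it removes and that risk falls back to another treatment option.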

Conclusion

Some security risks are inevitable, and the ability to understand and manage these risks to its systems is important to the success of an organization. IT projects have a high failure rate. These failures may be brought about by several factors, which may include personnel shortfalls, unrealistic project schedules and budget allocations, and reduced windows of opportunity due to late delivery of software. The significance of this study is to identify the different risks to information security and come up with countermeasures aimed at addressing them. In the future, it is recommended that organizations ensure that suitable measures are in place to safeguard the integrity, confidentiality, and accessibility of their information assets. This may include the recruitment of qualified professionals to handle the issues of information security.

References

Alberts, C. J., & Dorofee, A. (2002). Managing information security risks: The OCTAVE approach. Addison-Wesley Longman Publishing Co., Inc.

Baccarini, D., Salm, G., & Love, D. (2004). Management of risks in information technology projects. Industrial Management & Data Systems, 104(4), 286-295.

Bandyopadhyay, K., Myktyn, P., & Myktyn, K. (1999). A framework for integrated risk management in information technology. Management Decision, 437-444.

Blakley, B., McDermott, E., & Geer, D. (2001, September). Information security is information risk management. In Proceedings of the 2001 Workshop on New Security Paradigms (pp. 97-104). ACM.

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523-548.

Ernest Chang, S., & Ho, C. B. (2006). Organizational factors to the effectiveness of implementing information security management. Industrial Management & Data Systems, 106(3), 345-361.

Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security (TISSEC), 5(4), 438-457.

Havenstein (2007). IT execs seek new ways to justify Web 2.0. Computerworld, 41(33), 14-15.

Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 13(4), 247-255.

Information Security Risk Management (ISRI) | Rapid7. (2018). Retrieved from https://www.rapid7.com/fundamentals/information-security-risk-management/

Kankanhalli, A., Teo, H. H., Tan, B. C., & Wei, K. K. (2003). An integrative study of information systems security effectiveness. International Journal of Information Management, 23(2), 139-154.

Ko, M., & Dorantes, C. (2006). The impact of information security breaches on financial performance of the breached firms: An empirical investigation. Journal of Information Technology Management, 17(2), 13-22.

Leal, R. (2018). Qualitative vs. quantitative information security risk assessment. Retrieved from https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/

Levin, M., & Schneider (1997). Making the distinction: Risk management, risk exposure. Risk Management, 44(8), 36-42.

Maguire (2002). Identifying risks during information system development: Managing the process. Information Management and Computer Security, 10(3), 126-137.

Meyer, A., De, C., Loch, H., & Rich, M. T. (2002). Managing project uncertainty: From variation to chaos. MIT Sloan Management Review, 43(2), 60-67.

Narain Singh, A., Gupta, M. P., & Ojha, A. (2014). Identifying factors of “organizational information security management”. Journal of Enterprise Information Management, 27(5), 644-667.

Peltier, T. R. (2010). Information security risk analysis. Auerbach Publications.

Powell, P. L., & Kelin, J. H. (1996). Risk management for information systems development. Journal of Information Technology, 309-319.

Schneider, G., Lane, S., & Bruton, C. (2009). Monitoring risk in information. 13(1), 63-67.

Sicotte, H., & Bourgault, M. (2008). Dimensions of uncertainty and their moderating effect on new product development project performance. R&D Management, 38(5), 468-479.

Siponen, M., & Willison, R. (2009). Information security management standards: Problems and solutions. Information & Management, 46(5), 267-270.

Smith, G., & Merritt, M. (2002). Proactive risk management: Controlling uncertainty in product development. Productivity Press.

Software & Systems Engineering Standards Committee of the IEEE Computer Society. (2006). Systems and software engineering — Life cycle processes — Risk management (ISO/IEC 16085:2006(E), IEEE Std 16085-2006). International Organization for Standardization/International Electrotechnical Commission.

Sotnikov, I. (2018). How to create an effective information security risk management program. Retrieved from https://blog.netwrix.com/2018/08/02/how-to-create-an-effective-information-security-risk-management-program/

Spears, J. L., & Barki, H. (2010). User participation in information systems security risk management. MIS Quarterly, 503-522.

Stoneburner, G., Goguen, A. Y., & Feringa, A. (2002). SP 800-30: Risk management guide for information technology systems.

Werlinger, R., Hawkey, K., & Beznosov, K. (2009). An integrated view of human, organizational, and technological challenges of IT security management. Information Management & Computer Security, 17(1), 4-19.

Zhang, X., Wuwong, N., Li, H., & Zhang, X. (2010, June). Information security risk management framework for the cloud computing environments. In Computer and Information Technology (CIT), 2010 IEEE 10th International Conference on (pp. 1328-1334). IEEE.
