Information System Risk Management - Essay Example

Information System Risk Management Introduction Information Systems are important to synchronize the different tasks assigned to different groups within the organization. IS helps streamline business processes, guarantees efficiency, and makes the organization resilient to accept the internal and external changes smoothly. The situation today is such that organizations cannot manage without the IS. The value of the computers and the IS is well recognized not just by the managers and executives. It has also not escaped the attention of hackers and cyber-criminals who attempt to damage the system and the organization. Threats to an organization can be both from internal sources and external. While the motives may vary, the system is vulnerable to several risks. This paper will examine the vulnerabilities, the potential threats and the levels of security that could help mitigate the risks and allow uninterrupted workflow. Risks and principles of Risks Risk has been defined as the chance of exposure to the adverse consequences of future events (Egbuji, 1999). The likelihood and consequences have to be understood to provide for the right security measures. For a risk to be understandable, according to the Software Engineering Institute (SEI, 2006) of Carnegie Mellon University, it must be expressed clearly. This also implies that possible losses must be identified. Risks have to be assessed continuously and used for decision-making. In the field of computer technology and the information systems, technology enhancement is an ongoing process, which further necessitates continuous risk assessment. Besides, the losses due to lack of security controls could be in the areas of production, revenue, damaged reputation, and financial performance. Benefits of proper security measures could result in enhanced operational efficiency and competitive advantages (Kim, 2006). An organization must invest in IS security and know where to cut corners. They should be able to spell the difference between security success and disaster (Gupta and Hammond, 2006). According to SEI, seven principles provide the framework to establish effective risk management. These include having a global perspective, the system should be at par with the larger systems, forward-looking view that is identifying and anticipating uncertainties, open communication – information and communication at all levels should be free flowing, integrated – risk management should be a vital and an integrated part of management, continuous – regular upgradation and constant vigil, shared product vision – having common purpose, shared vision, teamwork – working collectively towards a common goal. These principles imply that proper identification, estimation and evaluation of the vulnerabilities and threats are essential and the result should be used for planning information security requirements and taking risk control measures. Maguire (2002) clarifies that just because a risk can be identified does not mean it can be controlled. Risk management is affected by organizational elements, including social and cultural aspects (Tsohou et al., 2006). Security measures have to vary from industry to industry and across organizations. Kokolakis and Kiountouzis (2006) emphasize that security tools and mechanisms have limited effectiveness as security is primarily a people’s issue and an organizational issue. Knowledge Management (KM) has a positive impact on the effectiveness of the IS security management (Kokolakis & Kiountouzis). KM system can capture, store and disseminate knowledge by means of information technology. Knowledge in this context refers to codified information and can be categorized into two types – tacit and explicit. Tacit knowledge is transferred through personal interaction, mental models, technical skills and experience while explicit knowledge is easy to communicate but requires regular update. Protection of data implies confidentiality, integrity and availability. Security refers to a set of principles, regulations, methodologies, measures, techniques and tools to safeguard the Information System from potential threats. The various risks that an organization is subject to once the information system is up and running include fire, fraud, computer failure and unauthorized access (Awad et al., cited by Maguire). Security measures are essential even during the development and implementation of the system. Many organizations have integrated systems that are linked with the customers and suppliers. The financial implications of a system failure in such instances can be even more disastrous in the case of business-process re-engineering projects. If the system can be easily copied by competitors then heavy financial investment is not justified. There is also the risk of adopting unproven or untested technology. Information systems need to be managed. It is possible to hack into the client’s computer system 98 percent of the time, says Krause (cited by Gupta & Hammond). It is now very easy to copy and distribute software through the internet. Growth in IT has also led to a new category called the ‘computer criminals’. These criminals can be both within and outside the organization. Messages can be intercepted and manipulated; personal data can be illegally collected while validity of documents can be denied (Gupta & Hammond). Financial damages in the USA have been caused due to theft of information, financial fraud, viruses, insider net abuse and sabotage. Even though the new US federal laws require thorough safeguards to protect the security and confidentiality of non-financial data, the cyber attacks by terrorists and criminals are growing, which destroys the communications network and the computer system. Today virtually every employee has access to the system which has made the security issue more critical. Threats could be from internal sources or external. Threats to security can arise from hardware, software, people, external sources and physical security. Companies incorporate employee internet management (EIM) system which blocks the users from accessing inappropriate sites and contents (Kim, 2006). This helps to remain focused on the business goals and avoid legal liabilities. Filtering mechanisms help to prevent the employees from accessing the risk points. Business-to-business (B2B) e-commerce face risks to a very great extent. Investigations have revealed that several organized hacker groups from Russia and Ukraine have accessed several e-commerce computer systems in the USA by exploiting the known vulnerabilities (McCrohan, 2003). Microsoft had reported these vulnerabilities and subsequently also publicized how these could be fixed but many firms did not pay heed to it. As a result, the hackers could access proprietary information, customer database and credit card information. Apart from this e-commerce is also subject to hackers. Worms can be attached to emails that copy itself to all types of shared network resources. Senior managers do not lay serious emphasis on security measures. McCrohan insists that one of the main reasons why senior executives do not lay stress on security measures because they are unable to link it to profitability. Expenses on managing the risk of the information system are not considered essential. Implications and solutions Cyber crimes and hacking have increased to such an extent that consumers and commercial users do not have the confidence in the security of the basic systems. Private sector does not report the attacks making identification and tracing down the hackers difficult. As the need for information grows, so does the criminal’s methodology in manipulating the data and information being held in computers (Forcht & Pierson cited by Kundu, 2004). Computer disasters are a regular occurrence and they have an impact on the information management. While virus and hardware faults are very common, human negligence and communication problems occur moderately. Computer breakdown especially due to virus attacks are the most common crises. Computer disasters affect the collection and assimilation of internal and external data which results in failure in converting useful data in to information and knowledge. Smaller firms are vulnerable to attacks as they lack the financial resources and capability to develop a comprehensive information security system. If no procedures and policies are laid down the organization becomes susceptible to attacks even from insiders who have direct access to all information and information system (Gupta & Hammond). It is also common for companies to outsource internet-based work and these new relationships can create problems if not properly controlled and managed. A survey of firms in USA showed that there was no difference in the levels of abuse carried out by internal or external criminals. Every organization should foster appropriate training and awareness and develop its own unique security culture. Security functionalities may be built in the products but very often the users are unaware of it. Surveys have revealed that viruses top the area of concern followed by power failure, software problems, data integrity, and transaction integrity and data secrecy. Unless a business is actually hacked or faces any other form of disaster, they do not perceive a threat to security. It is generally observed by all researchers that organizations do not invest in information system security requirements as they are unable to relate it to performance and profitability. Top management intervention is essential because proprietary knowledge, database and valuable information are at stake. The information system is vulnerable to attacks and risks both from internal and external source; they can again be unintentional or purposefully done. Whatever be the motive, the ultimate outcome is the loss in terms of time, finance and information. Management must invest in IS security to prevent abuses even by the insiders leading the company to competitive disadvantage. This should be an ongoing process as technology tools continually evolve to meet the challenges of the network security. References: Egbuji, Angel. (1999), Records Management Journal, vol. 9, no. 2, August 1999, pp. 93– 116 Gupta, Atul. & Hammon, R. (2006), Information Management & Computer Security, Vol. 13 No. 4, 2006. pp. 297-310 Kim, Sangkyun. (2006), The Bottom Line Managing Library Finances, Vol. 19 No. 3, 2006 pp. 124-138 Kokolakis, Spyros. Belsis, Petros. & Kiountouzis, Evangelos (2006), Information Management & Computer Security, Vol. 13 No. 3, 2006. pp. 189-202 Kundu, Subhash. C (2004), Industrial Management & Data Systems, Vol. 104 No. 2 2004 pp. 136-143 Maguire, Stuart. (2002), Information Management & Computer Security, Vol. 10 No. 3, 2006. pp. 126-134 McCrohan, Kevin. F (2003), Journal of Business and Industrial Marketing, Vol. 18 No. 2. 2003. pp. 133-145 SEI (2006), Risk Management, Carnegie Mellon, 18 Sep 2006 Tsohou, Aggeliki. Karyda, Maria. Kokolakis, Spyros. & Kiountouzis, Evangelos . (2006), Information Management & Computer Security, Vol. 14 No. 3, 2006. pp. 198- 217 Read More