Retrieved from https://studentshare.org/information-technology/1645443-information-security-risk-management
Information Security Risk Management

1. Introduction

Information security is the protection of information in support of business continuity; it is fundamental to maximizing business opportunities and return on investment. Information security and risk management has become a critical business discipline alongside sales, marketing, financial management and human resources.

2. Literature

Risk management and its role in the organization

Risk has been identified as a main cause of uncertainty in business organizations. Business companies therefore focus on identifying risks and managing them before they affect business decisions. Organizations that have control over risk management can make future decisions with confidence. Organizations face internal as well as external factors that create uncertainty in achieving their objectives. Hall (2010) describes risk management as a hybrid function that bridges a number of disciplines to reduce or avoid loss for organizations. Proactive activities are undertaken to mitigate or prevent loss.

Risk management techniques to identify and prioritize risk factors

Tavakkoli-Moghaddam et al. (2011) used the compromise ranking (VIKOR) and fuzzy entropy techniques in engineering, procurement and construction (EPC) projects. Separate techniques are used for risk identification and for risk prioritization. Qualitative assessment helps management prioritize the identified risks by estimating their likelihood and impact.

Besides these techniques, the Monte Carlo method is widely used for risk identification. It is based on the probability of events and their impacts, and it shows the correlation between the variables identified for a project.

Assessment based on the likelihood of adverse events and its effects

Identifying vulnerabilities and threats through risk assessment helps in determining the impact of each risk. However, risk assessment becomes a complex undertaking when only imperfect information is available.
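The Monte Carlo approach referred to above, applied to the assessment of likelihood and impact under imperfect information, is illustrated by the following added Python example. It is not code from the essay or from any of the cited sources; the scenario register, the loss-tolerance figure and the choice of triangular and lognormal distributions are constructed assumptions for the illustration. Each identified risk is described by a range of yearly event rates and a 90% interval for the loss per event; the simulation draws thousands of years, reports the resulting loss distribution, and correlates each risk's loss with the total to show which variables drive the exposure.

```python
import math
import random
import statistics
from dataclasses import dataclass

# z-score bounding a 90% interval (5th to 95th percentile) of a normal distribution
Z90 = 1.645


@dataclass
class RiskScenario:
    """One identified risk described by ranges, not point values (hypothetical structure)."""
    name: str
    rate_low: float     # lowest plausible number of events per year
    rate_high: float    # highest plausible number of events per year
    impact_low: float   # 5th-percentile loss per event, in currency units
    impact_high: float  # 95th-percentile loss per event


def lognormal_params_from_ci(low: float, high: float):
    """Fit a lognormal whose 5th and 95th percentiles are `low` and `high`; returns (mu, sigma)."""
    if not 0 < low <= high:
        raise ValueError("need 0 < low <= high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Draw one year's event count from Poisson(lam) with Knuth's method (fine for small rates)."""
    if lam <= 0:
        return 0
    if lam > 500:
        raise ValueError("rate too large for this sampler")
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenarios, years=10_000, seed=1):
    """Simulate `years` independent years; return the total losses and each scenario's losses."""
    rng = random.Random(seed)
    params = {s.name: lognormal_params_from_ci(s.impact_low, s.impact_high) for s in scenarios}
    per_scenario = {s.name: [] for s in scenarios}
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            # Imperfect information: the yearly rate itself is uncertain, so draw it from a range
            rate = rng.triangular(s.rate_low, s.rate_high)
            mu, sigma = params[s.name]
            loss = sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, rate)))
            per_scenario[s.name].append(loss)
            total += loss
        totals.append(total)
    return totals, per_scenario


def summarize(totals, tolerance):
    """Mean, median, 95th percentile and the chance of exceeding a yearly loss tolerance."""
    s = sorted(totals)
    n = len(s)

    def pct(p):
        return s[min(n - 1, int(round(p * (n - 1))))]

    return {
        "mean": statistics.fmean(s),
        "median": pct(0.5),
        "p95": pct(0.95),
        "p_exceeds_tolerance": sum(1 for t in s if t > tolerance) / n,
    }


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / math.sqrt(vx * vy)


def rank_drivers(totals, per_scenario):
    """Correlate each scenario's loss with the total to show which variables drive exposure."""
    ranked = [(name, pearson(losses, totals)) for name, losses in per_scenario.items()]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


# Constructed sample register: illustrative values, not taken from any real assessment
SAMPLE_SCENARIOS = [
    RiskScenario("phishing-led account takeover", 0.5, 3.0, 5_000, 80_000),
    RiskScenario("ransomware on file servers", 0.05, 0.3, 100_000, 2_000_000),
    RiskScenario("lost or stolen laptop", 1.0, 6.0, 1_000, 20_000),
]


def run_example(years=10_000, tolerance=500_000):
    totals, per_scenario = simulate_annual_loss(SAMPLE_SCENARIOS, years=years)
    return {"summary": summarize(totals, tolerance), "drivers": rank_drivers(totals, per_scenario)}


if __name__ == "__main__":
    result = run_example()
    for key, value in result["summary"].items():
        print(f"{key:>20}: {value:,.2f}")
    for name, corr in result["drivers"]:
        print(f"{corr:+.2f}  {name}")
```

The 95th percentile and the probability of exceeding the tolerance are the figures a treatment decision would be weighed against; the correlation ranking is the quantitative counterpart of the qualitative prioritization described in the text, since a scenario with a high correlation to the total loss is the one whose controls reduce exposure most.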
Assigning value to information system business processes, including costs, recovery and impacts, can be measured in direct and indirect costs. Exposure of sensitive information about a specific business area of the organization has wide consequences and damages the reputation or standing of the organization. An attacker can falsify information that is important for future decisions. Both qualitative and quantitative risk assessment techniques can be used (Carroll, 2009).

The results of the risk identification process

Risk identification must be followed by risk treatment. Risk treatment is the range of options used to evaluate risks and to prepare a treatment plan; planning the treatment also requires implementing the plan. Once an information security risk has been identified, the organization has to mitigate its impact. However, the risk treatment options must be proportionate to the importance of the risk and the cost of treatment. A risk treatment plan covers risk acceptance, risk avoidance, risk reduction, risk transfer and risk financing. Finally, once the risk treatment plan has been implemented, continuous monitoring and review become an essential part of information security management (Carroll, 2009).

3. Conclusion

In this paper, different aspects of information security and risk management have been addressed. Organizations focus on information security largely to maintain the confidentiality of information that supports future business decisions. In addition to the compromise ranking (VIKOR) and fuzzy entropy techniques, the Monte Carlo method is preferred for risk identification and prioritization. Risk assessment and the outcome of the risk identification process have also been discussed.

References

Carroll, R. (2009). Risk management handbook for health care organizations. Jossey-Bass Publishers.

Hall, S. (2010). The role of risk management in healthcare organizations. Available from http://www.psfinc.com/sites/default/files/print-pdfs/the-role-of-risk-management-in-healthcare-operations.pdf (accessed 08/05/2014).

Tavakkoli-Moghaddam, R., Mousavi, M.S., and Hashemi, H. (2011). A fuzzy comprehensive approach for risk identification and prioritization simultaneously in EPC projects. Available from http://cdn.intechopen.com/pdfs-wm/19863.pdf (accessed 08/05/2014).