Risk Management Processes - Literature review Example

Summary
The paper 'Risk Management Processes' focuses on security breaches that cause major threats to a reliable accomplishment of distinctive corporate strategies. It might also lead to significant levels of negative effects on the existing business values which are directly linked to company image…

Extract of sample "Risk Management Processes"

Security & Risk Management Intersection
Student's Name
Institution

Introduction

Security breaches pose major threats to the reliable accomplishment of distinctive corporate strategies. They can also have significant negative effects on existing business values, which are directly linked to company image, profits and shareholder value. For this reason, most companies today engage in increasing the amount of resources devoted to securing notable corporate resources (Baker & Wallace, 2007). For instance, international revenue from security-related products and services rose significantly to about $21.1 billion according to 2005 statistics. At the same time, the number of business ventures, both domestic and international, spending at least $1 million on security-related matters increased (Baker & Wallace, 2007). Although most organisations perceive security as one of the most crucial aspects of their operations, most of them fail to comprehend how much money they spend on security or whether their security plans are effective. Risk management is an important factor in ensuring that businesses enjoy long-term success in their operations, because it offers an effective platform for measuring security through the identification and valuation of existing resources, threats and vulnerabilities, while also offering effective techniques for risk assessment, mitigation and evaluation (Baker & Wallace, 2007). The focus of this paper thus rests on examining the fact that security and risk management intersect at the point where protection of resources is made a priority.

Body

Today there exist a great number of ways of conducting appropriate risk management strategies.
In fact, most organisations opt for best practices and policies or information security standards, or in other cases employ experts, when executing risk assessment and mitigation processes. Risk management processes help curtail problems that might arise from a poor level of security. The process can be expounded into the three phases mentioned above: risk assessment, mitigation and evaluation. D'Arcy, Hovav & Galletta (2009) note that risk assessment is a process that helps identify possible risks and their respective impacts. It is crucial in security management because it provides recommendations on effective preventive and risk-reducing countermeasures. Risk mitigation prioritises the risks already recognised and thereafter provides countermeasures for implementation and maintenance. Subsequently, risk evaluation establishes whether the post-implementation countermeasures are effective in reducing security risks and whether further controls are needed to contain the situation at hand.

In security management, threat identification is the process of determining possible threats and their immediate origins. There are numerous origins of threats that might affect the level of security, whether physically or virtually, within an organisational setting (D'Arcy, Hovav & Galletta, 2009). These threats include natural threats, over which security managers have no control; floods and earthquakes are perfect examples. Human threats are caused by people and might be intentional in nature, such as unauthorised data access or the introduction of malicious software, or unintentional, as in the case of accidental deletion of information. Another important threat type is the environmental threat, which includes such misfortunes as power failures and chemical spillage.
The threat identification stage is considered crucial because it helps compile a distinctive and all-inclusive list of all possible threats (D'Arcy, Hovav & Galletta, 2009). This facilitates effective risk assessment and mitigation processes, since its outcomes help define the input required for security risk mitigation strategies. Significant threat information, which might also include threat probabilities, focuses on the immediate physical location of an organisation and can be derived from OWL-based systematic security knowledge (Bodin, Gordon & Loeb, 2005). Each possible threat should be treated with utmost care and should therefore undergo intensive risk analysis to determine its capacity to infringe security. The security attributes of an organisation that might be affected immensely prioritise confidentiality, integrity or availability at any given moment in time. According to Bodin, Gordon & Loeb (2005), a risk manager in an information technology environment faces many threats that might be determined independently. IT-based systems are affected by the size of threat catalogues. For instance, GSTool utilises an all-inclusive threat catalogue in order to access natural-language descriptions of popular information security threats. Given the greater generality of knowledge-model structures, it is possible for security management to integrate comprehensive information security knowledge bases.

Vulnerabilities are systematic weaknesses within the security processes, formulation and implementation of a system. They can be either intentional or accidentally instigated. In most cases, they result in security incidents such as the involuntary disclosure of important information. In security, vulnerability identification is deemed useful for evaluating possible vulnerabilities present in both physical and information-based systems (Bodin, Gordon & Loeb, 2005).
This involves reviewing vulnerabilities present in management security, which is characterised by a lack of assigned responsibilities; in operational-level security, which does not support aspects related to labelling; and in technically focused security, which is characterised by a lack of cryptography and by possible intrusion at all points of the system. In an information security environment, control of such vulnerabilities requires prerequisite natural languages. With these functions in place, the security analyst is able to prevent possible threat invasions (Alberts & Dorofee, 2003). This can be achieved by mitigating possible vulnerabilities through immediate implementation of the distinctive recommended controls. This is a distinctive phase that gives an organisation awareness of its underlying systems, possible threats and the subsequent vulnerabilities that enable threats to materialise. This phase ensures that the best controls, which might include non-technical controls such as security policies, are put in place (Alberts & Dorofee, 2003). It also provides recommendations on the controls planned to mitigate the possibility of a threat exploiting certain vulnerabilities in the course of risk management. So that automatic compliance checking can verify the distinctive mitigation controls, each of the aforementioned controls integrates a formal implementation strategy. The assessment of existing security measures in relation to organisational systems also provides a basis for the intersection of security and risk management. The assessment of existing security measures is emphasised because it helps minimise or even phase out risks completely (Alberts & Dorofee, 2003). For example, vulnerabilities cannot be triggered by a given threat if effective and efficient security measures are in place.
Farquhar (1991) argues that the security measures formulated for the purpose of reducing or even eliminating risks vary greatly among covered organisations. For small and medium-sized organisations, security controls are far more concentrated within their immediate operational environments. Such organisations also tend to have fewer variables, such as employees and information systems (Alberts & Dorofee, 2003). This is a mitigation move meant to limit decision-making to a manageable set of variables while safeguarding the entire operation. The output of this phase should be documentation of the security measures that a covered organisation uses to safeguard its operations. The immediate next step should establish whether the security measures recommended by the overall Security Rule have all been prioritised. It is crucial to understand that when threats trigger certain vulnerabilities, a significant number of outcomes may result. For all covered entities, these outcomes might range from loss of financial cash flows and physical resources to unauthorised access to crucial information (Farquhar, 1991). Consequently, these outcomes might affect the confidentiality of the security measurement tools created to safeguard operations. Their immediate impacts should therefore be measured in order to help the secured organisation emphasise risk mitigation strategies. The impact of a given threat that takes root in an already secured organisation can be measured using a wide variety of techniques (Mattord & Want, 2008), which may be either qualitative or quantitative. Both kinds of technique provide fair platforms for measuring risk. The qualitative approach is used to measure the magnitude of the impact the threat is likely to cause.
Thus, it measures the vulnerability on a scale categorised as high, medium or low. It is the most common approach used in measuring the impacts of given risks and their effect on security (Peltier, 2005). All possible impacts can be measured on this scale so that both tangible and intangible variables are effectively assessed at any given moment. By contrast, the quantitative approach measures only the tangible variables related to the possible impacts of a given threat. This method provides a perfect platform for gathering valuable data for a cost-benefit analysis connected to the underlying risks (Peltier, 2005). Following this line of argument, it can be ascertained that the process of assessing security risks should adopt both methods as a way of ensuring perfect safeguard measurement for an organisation. Equally important, an organisation that seeks to intersect security management with risk management effectively should be ready to devise ways of establishing the underlying risks. A given level of risk is established by evaluating the numbers apportioned to the possibility of a threat occurring and to the impact that occurrence would cause (Peltier, 2005). Risk levels might be determined by apportioning them according to their averages. A perfect tool that can be used exclusively for this purpose is the risk level matrix. Identifying risks and then categorising them as low, medium or high would help provide an overall timeline and a mode of response useful for reasonably minimising risks to acceptable limits (Peltier, 2005). The process of assigning action descriptions to risks provides the secured organisation with substantial information with which to uphold and improve its existing risk management efforts.
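The risk level matrix and the qualitative/quantitative split described in the last two paragraphs can be made concrete with a short script. This is an added example and not code from the paper or from Peltier (2005); the 1 to 3 scoring, the multiplicative combination of likelihood and impact, the band thresholds, the response timelines, the constructed threat register and the annualised loss expectancy (SLE × ARO) formula used on the quantitative side are all assumptions of the example, chosen to show how the two approaches feed a prioritised register and a cost-benefit decision.

```python
"""Risk level matrix (qualitative) plus an ALE-based cost-benefit check (quantitative).

Added illustration, not from the reviewed paper. Scores, thresholds, sample
figures and the SLE * ARO formula are assumptions made for this example.
"""
from dataclasses import dataclass

# Qualitative scale assumed for the example: 1 = low, 2 = medium, 3 = high.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}

# One response timeline per band, as the paper suggests each band should carry.
RESPONSE = {
    "high": "mitigate immediately",
    "medium": "plan mitigation this quarter",
    "low": "accept and monitor",
}


def risk_score(likelihood: str, impact: str) -> int:
    """Cell of the risk level matrix: likelihood score times impact score (1..9)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_band(score: int) -> str:
    """Map a matrix cell to low/medium/high. Thresholds are an assumption here."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Threat:
    name: str
    likelihood: str  # qualitative rating
    impact: str      # qualitative rating
    sle: float       # single loss expectancy, currency units (constructed)
    aro: float       # annualised rate of occurrence (constructed)


def ale(t: Threat) -> float:
    """Annualised loss expectancy = SLE * ARO (standard formula, not from the paper)."""
    return t.sle * t.aro


def control_net_benefit(t: Threat, aro_after: float, annual_cost: float) -> float:
    """Net yearly benefit of a control: ALE reduction minus the control's yearly cost."""
    ale_after = t.sle * aro_after
    return ale(t) - ale_after - annual_cost


def assess(threats):
    """Return one row per threat, highest qualitative score first, ALE as tie-break."""
    rows = []
    for t in threats:
        score = risk_score(t.likelihood, t.impact)
        band = risk_band(score)
        rows.append({"threat": t.name, "score": score, "band": band,
                     "response": RESPONSE[band], "ale": ale(t)})
    return sorted(rows, key=lambda r: (-r["score"], -r["ale"]))


# Constructed sample register mirroring the threat types named in the paper.
SAMPLE = [
    Threat("flood at data centre", "low", "high", sle=500_000, aro=0.02),
    Threat("accidental deletion of records", "high", "medium", sle=20_000, aro=4.0),
    Threat("unauthorised data access", "medium", "high", sle=250_000, aro=0.5),
    Threat("power failure", "medium", "low", sle=5_000, aro=2.0),
]

if __name__ == "__main__":
    for r in assess(SAMPLE):
        print(f"{r['threat']:<32} score={r['score']} band={r['band']:<6} "
              f"ALE={r['ale']:>10,.0f}  {r['response']}")
    # Assumed control: access controls cut the ARO of the access threat to 0.1
    # at a cost of 60,000 per year.
    print("net benefit of access-control measure:",
          control_net_benefit(SAMPLE[2], aro_after=0.1, annual_cost=60_000))
```

The qualitative side ranks the register; the quantitative side then tells the organisation whether a control whose cost is known actually pays for itself, which is the cost-benefit data the paper says only the quantitative approach yields.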
Once a safeguarded organisation has ensured that all risks are identified and assigned to certain levels, it should move forward to recognise the actions needed for managing the underlying risk. This process begins the identification of security measures that can be used to minimise or eliminate risks to reasonable or manageable levels (McAdams, 2004). During the identification of specific security measures to adopt, it is crucial for the organisation to evaluate such facets as effectiveness, regulatory requirements for implementation, and the conditions set by the organisation's policies and procedures. Any security measures needed for risk management should be documented. Risk management is the final step a secured organisation embarks on, and it is performed in relation to the Security Rule (McAdams, 2004). The rule requires that all security measures be implemented in order to minimise risks to manageable levels and to ensure full protection of operations from anticipated threats or hazards to the underlying security. This phase is conducted by successfully creating an implementation plan for risk management, implementing the security measures, and evaluating and sustaining those security measures.

Conclusion

From the analysis above, it can be established that risk analysis and risk management are the fundamental platform for any safeguarded entity. The Security Rule requires all covered organisations to comply with the effort of performing intensive risk management. The intersection of risk and security management occurs because the latter offers an effective platform for measuring security through the identification and valuation of existing resources, threats and vulnerabilities, while also providing effective techniques for risk assessment, mitigation and evaluation.
Risk management is an important factor that ensures that most businesses enjoy long-term success in their operations, and thus a review of these two management strategies goes hand in hand to bring about effective and efficient results altogether.

References

Alberts, C. & Dorofee, A. (2003). Managing Information Security Risks: The Octave Approach. Upper Saddle River, NJ: Addison-Wesley.
Baker, W. & Wallace, L. (2007). "Is information security under control? Investigating quality in information security management." IEEE Security and Privacy, 5(1), 36–44.
Bodin, L., Gordon, L. A. & Loeb, M. P. (2005). "Evaluating Information Security Investments using the Analytic Hierarchy." Communications of the ACM, 48(2), 78–83.
Cavusoglu, H., Mishra, B. & Raghunathan, S. (2004). "The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers." International Journal of Electronic Commerce, 9(1), 69–104.
D'Arcy, J., Hovav, A. & Galletta, D. (2009). "User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach." Information Systems Research, 20(1), 79–98.
Farquhar, B. (1991). "One approach to risk assessment." Computers and Security, 10(10), 21–23.
Gordon, L. A., Loeb, M. P. & Lucyshyn, W. (2003). "Sharing Information on Computer Systems: An Economic Analysis." Journal of Accounting and Public Policy, 22(6), 461–485.
Mattord, H. J. & Want, T. (2008). "Information System Risk Assessment and Documentation." In D. W. Straub, S. Goodman & R. L. Baskerville (Eds.), Information Security: Policy, Processes, and Practices (pp. 69–111). Armonk, NY: M. E. Sharpe, Inc.
McAdams, A. (2004). "Security and Risk Management: A Fundamental Business Issue." Information Management Journal, 38(4), 36–44.
Peltier, T. R. (2005). Information Security Risk Analysis, 2nd ed. Auerbach Publications.