Risk Management – What Is Risk Management?
Risk Management
Abstract
This paper discusses risk management: why an organization should implement it, how an organization can apply it to its information systems, and how it reduces the impact of cyber-attacks.
What is Risk Management?
The main goal of an information system is to support the mission of the organization. Organizations suffer a negative impact when they are exposed to uncertainty, and IT security professionals should be able to help the organization understand and manage that uncertainty. This is not an easy task. With limited resources and ever-changing threats and vulnerabilities, it has become very difficult to mitigate every possible risk. It is therefore imperative that IT security professionals have a toolset that gives them a better understanding of the potential impact of IT security threats on the mission of the organization. That toolset has to be consistent and repeatable, and it should reduce risk to an acceptable level rather than promise to eliminate it. Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization [i]. More generally, risk is the potential for harm arising from a current process or from some future event or process. From the IT security perspective, risk management is the process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity or availability of an information system [ii]. An IT security risk can thus be described as harm to a particular process or data set, caused by a deliberate or accidental event that affects that process or data in a negative way.
Why is risk management important?
The main reason for implementing risk management is to protect the assets and the mission of an organization. Risk management is therefore best treated as a management function rather than a purely technical one. Managing the risks to a system has become a crucial task: understanding the specific risks associated with a system allows the organization to protect its information systems. However, risk can never be reduced to zero, because every organization has limited resources. Understanding risk instead helps the organization prioritize scarce resources, and this is not limited to information technology alone. The head of an organization is responsible for making sure the organization has the capabilities needed to accomplish its mission, and must also determine the security capabilities that its systems must possess to support that mission in the face of the threats it faces. In most cases, organizations cannot allocate an unlimited budget to IT security. A well-defined risk management methodology therefore helps and guides the organization in identifying the appropriate controls for providing the essential security capabilities that support its mission.
Implementing Risk Management in an Organization
The main purpose of implementing a risk management process for an IT system is to minimize the negative impact of risk on the organization. Risk management is carried out in the following three steps: risk assessment, risk mitigation, and effectiveness assessment.
Risk assessment, the first step, identifies and ranks the risks to the system; its individual activities are described in the next section. On its own, risk assessment would be merely an academic exercise without the second step, risk mitigation. Risk mitigation is a strategic plan that prioritizes the risks identified during risk assessment and takes steps to selectively reduce the highest-priority risks within the constraints of the organization's limited resources. The third step is effectiveness assessment. Its goal is to measure and verify that the objectives of risk mitigation have been met; if they have not, the risk assessment and risk mitigation steps may have to be revisited. In effect, effectiveness assessment feeds back into the first two steps to ensure they remain correct. An organization's environment is also not static, so there should be a continual evaluation process that updates the risk mitigation strategy as new information becomes available.
Risk Assessment
Risk arises from uncertainties that can result in a negative outcome, so risk depends on the likelihood of a threat. A threat is not much of a risk if the protected system is not vulnerable to it or if the potential loss is not significant, so risk is also a function of vulnerabilities and of the expected impact of threats. Risk assessment therefore involves a number of steps to understand the value of assets, system vulnerabilities, possible threats, threat likelihoods, and expected impacts.
System characterization: It is first necessary to identify the information to protect, its value, and the elements of the system (hardware, software, networks, processes, people) that support the storage, processing, and transmission of that information. This is often referred to as the information technology (IT) system. In other words, the entire IT environment should be characterized in terms of assets, equipment, flow of information, and personnel responsibilities.
Threat assessment: It is not possible to devise a defense strategy without first understanding what to defend against. A threat is the potential for some damage or disruption to the IT environment. It is useful to identify the possible causes or sources of threats. Although malicious attacks by human sources may come to mind first, the sources of threats are not necessarily human; natural events, equipment failures and honest mistakes are threat-sources too.
Vulnerability analysis: Threats should be viewed in the context of vulnerabilities. A vulnerability is a weakness that might be exploited. A threat is of no practical importance if the system is not vulnerable to it.
Impact analysis: The impact of each threat on the organization depends on several uncertain factors: the likelihood of the threat occurring, the loss from a successful threat, and the frequency with which the threat recurs. In practice these factors may be difficult to estimate, and there are various ways to estimate and combine them in an impact analysis. The analysis can range from completely qualitative (descriptive) to fully quantitative (mathematical), or anything in between. It would be ideal to estimate the exact probability of occurrence of each threat, but a rough estimate is usually more feasible and more credible.
Risk determination: For each threat, its likelihood can be multiplied by its impact to determine its risk level:
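The following script is an added example, not part of the essay, showing the risk determination and prioritization steps above in working form. It assumes the three-level likelihood and impact scales and the High/Medium/Low risk thresholds of the NIST SP 800-30 risk-level matrix (the essay describes the multiplication but does not reproduce its table), and the threat list, mitigation costs and budget are constructed sample data. It also includes the quantitative variant the impact analysis section mentions (annualized loss from loss per event and annual frequency), and a greedy mitigation pass that shows why some risk is always accepted when the budget runs out.

```python
"""Risk determination (likelihood x impact) and budget-constrained mitigation.

Added example; scales are assumed from the NIST SP 800-30 risk-level matrix.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed qualitative-to-numeric scales (NIST SP 800-30 style).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str        # "High" | "Medium" | "Low"
    impact: str            # "High" | "Medium" | "Low"
    mitigation_cost: int   # constructed, arbitrary budget units


def risk_score(t: Threat) -> float:
    """Risk level = likelihood x impact, on the assumed numeric scales."""
    return LIKELIHOOD[t.likelihood] * IMPACT[t.impact]


def risk_level(score: float) -> str:
    """Map a score back to a qualitative band (assumed SP 800-30 thresholds)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def annualized_loss(single_loss: float, annual_rate: float) -> float:
    """Quantitative form: expected loss per event x expected events per year."""
    return single_loss * annual_rate


def prioritize(threats: List[Threat], budget: int) -> Tuple[List[Threat], List[Threat]]:
    """Greedy mitigation: treat the highest-scoring threats first while budget remains.

    Returns (mitigated, accepted). Threats that do not fit the remaining budget
    are skipped and end up as accepted residual risk; the budget never reaches
    every threat, which is the essay's point that risk is never zero.
    """
    ranked = sorted(threats, key=risk_score, reverse=True)
    mitigated: List[Threat] = []
    remaining = budget
    for t in ranked:
        if t.mitigation_cost <= remaining:
            mitigated.append(t)
            remaining -= t.mitigation_cost
    accepted = [t for t in ranked if t not in mitigated]
    return mitigated, accepted


# Constructed sample threats (illustrative only, not from the essay).
SAMPLE = [
    Threat("Ransomware via phishing", "High", "High", 40),
    Threat("Lost unencrypted laptop", "Medium", "High", 15),
    Threat("Web app SQL injection", "Medium", "Medium", 25),
    Threat("Datacenter power failure", "Low", "High", 60),
    Threat("Defaced public website", "High", "Low", 5),
]


def risk_register(threats: List[Threat]) -> List[Tuple[str, float, str]]:
    """Return (name, score, band) rows sorted from highest to lowest risk."""
    rows = [(t.name, risk_score(t), risk_level(risk_score(t))) for t in threats]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, score, band in risk_register(SAMPLE):
        print(f"{name:28s} score={score:6.1f} level={band}")
    done, left = prioritize(SAMPLE, budget=50)
    print("mitigated:", [t.name for t in done])
    print("accepted :", [t.name for t in left])
    # Quantitative check: a $20,000 incident expected every 4 years.
    print("ALE =", annualized_loss(20_000, 0.25))
```

Note that two threats with different profiles can land in the same band (a Low-likelihood/High-impact power failure and a High-likelihood/Low-impact defacement both score 10 here), so the register, not just the band, should drive mitigation decisions.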