Risk Identification and Assessment and its Relevancy in Managing Enterprise Information Security Issues

Risk Identification and Assessment and its Relevancy in Managing Enterprise Information Security Issues

Introduction to IT Risk Management

As enterprises become more and more dependent on their computer-based information systems, which play a vital role and important part in their business operations, there needs to be a greater awareness and concern about the security of these systems. Information has become the key resource of many enterprises. Information security appears on the list of critical success factors of most major organizations.

There are three fundamental qualities of information which are vulnerable to risk and which, therefore, need to be protected at all times, namely availability, integrity and confidentiality (Halliday et al, 1996). The risks that threaten the security of its information and computer resources need to be assessed and managed in proper way and the necessary security controls need to be implemented and managed effectively (Bandyopadhyay et al, 1999).

Big enterprises are constantly under pressure of different kinds of audits indicating its efficiency in the scope of fulfillment of different requirements concerning information security. Management of risk in the enterprise requires more complex, mutual dependencies embracing business partners, services and outsourcing activity, and also consultants, partners and contractors.

As it was mentioned, effective functioning of information systems depends on practices in the scope of security, and generally from management of IS security. One of the key processes in management of security is IT risk management, which is the process of achievement and maintenance of balance state between identified threats and activities undertaken in order to protect information resources [13].

The objective of IT risk management is to protect Information Technology assets such as data, hardware, software, personnel and facilities from all external (e.g. natural disasters) and internal (e.g. technical failures, unauthorized access) threats so that the costs of losses resulting from the realization of such threats are minimized. The purpose is to avoid or lessen losses by selecting and implementing the best combination of security measures [1].

Risk management involves the identification and implementation of effective security controls to mitigate, control and resolve the organization's risks (Halliday et al, 1996).

Four major components of risk management, indicated in the literature, are:

risk identification,

risk analysis,

risk-reducing measures,

risk monitoring.

Risk management for IT begins with the risk identification process, which allows enterprises to determine early the potential impact of the realization of internal and external threats on the entire IT environment [1]. Risk identification is the process of discovering, describing, documenting and communicating risks before they become problems and adversely affect the organization (Stoneburner & Goguen, 2002, Bandyopadhyay et al, 1999, Halliday et al, 1996).

Next phase, IT risk analysis is undoubtedly key element of the process of Information Systems security management and therefore management of risk. Several methodologies are currently available to comprehend the extent of losses of IT assets from the realization of internal and external threats identified in the previous stage. These methodologies are categorized as quantitative methods (where estimation of risk value is connected ...