Risk Management in Information Technology
Introduction: Organizations are human communities, formed by bringing people together to communicate, interact and build ties that help them create meaning together. Information plays an important role in building these communities and in providing knowledge about the tasks people perform. The information networks created by organizations help people adapt to their environment.
They build and develop communication networks, improve the learning process, develop a sense of understanding and sharing between people, provide a platform to discuss discoveries and innovations, and give people the chance to learn from their mistakes. With the increasing use of the Internet, most business organizations are moving their business online. This trend has made it essential for businesses to analyze and assess the risk attached to the security of their information systems. Despite extensive research in the field, the appropriate steps for security are not specified.
“These security plans are often very expensive and require the knowledge of the IT systems as well as the business processes around them—even though the latter are generally not regarded explicitly.” (Bauknecht & Oppliger, 2003) Risk, although usually defined as a negative notion, is one of the most important stimulants for life. Adams (1995) defines risk as a “balancing act” in which actors “balance the expected rewards of their actions against the perceived costs of failure”, in a world in which both it and our perceptions of it are constantly being transformed by our effect on the world and its effect on us.
The ISO/TMB Risk Management Terminology Paper (1999) defines risk as the “combination of the probability of an event and its negative or positive consequences.” The Royal Society (1983) defined risk as “the probability that a particular adverse event occurs during a stated period of time, or results from a particular challenge.” The Royal Society also states that “as a probability in the sense of statistical theory risk obeys all the formal laws of combining probabilities.” The definitions above rest on statistical theory, which often depends on approximation or guesswork.
There are no scientific or certain calculations to support the theory and its results. In order to plan an IS project effectively, it is important to assess the risks attached to it. To calculate these risks and uncertainties, tools such as the Risk Potential Assessment, the Risk Potential Assessment guidance and the Rapid Risk Check sheet (Rapid_Risk_Check_v02.2.xls) are available. According to Boehm (1991), ten risk factors occur most frequently.
Risk factors and preventive measures:
1. Human error on the part of staff: these risks can be eliminated by using the best management techniques, such as employing the best people, increasing rewards, team formation, training, peer reviews and adapting the process to the available know-how.
2. Unrealistic schedule and budget: management must undertake a business-case analysis; incremental development and reuse of software are also possible solutions.
3. Standard software: benchmarking; prototyping; review of reference installations of external components (inexperience, incompatibility, etc.); compatibility analysis; review of suppliers.
4. Requirements and developed functions do not match: win-win agreements between the parties concerned; business-case analysis; prototyping; application description in early phases.
5. User interfaces do not fit needs: prototyping; development of scenarios; description of users.
6. Inadequate architecture, performance or quality: simulation; benchmarking; modeling; prototyping; tuning.
7. Constant alteration of requirements: increased threshold for changes; information hiding; incremental development; change-management process; change control board.
8. Problems with legacy systems: design recovery; restructuring.
9. Problems with tasks performed externally: audits; parallel design or prototyping by several suppliers; team formation.
10. Overestimation of own IT capabilities: technical analysis; cost/benefit analysis; prototyping.
According to Lawrence Gordon and Martin Loeb, increasing concern about the security of information is also increasing companies' security expenses. In “The Economics of Information Security Investment,” they state that there is a void in the research on creating a framework for an economic model that establishes the appropriate investment in security programs.
Gordon and Loeb say that most proposed methodologies favor too much spending on certain countermeasures.
Information security model: According to the Aqua Book of the American NCSC (1992), a security model “precisely describes important aspects of security and their relationship to system behavior”. Its main purpose is “to provide the necessary level of understanding for a successful implementation of key security requirements”. It may contain the following parts:
• Data structures and storage items,
• Processes and subjects,
• Users and user roles,
• I/O devices,
• Security attributes,
• Non-disclosure levels, and
• Unlabeled entities.
In order to conduct a risk-management process in a systematic manner, it is important to have well-developed methods for each process step.
Risk-management methods: The concept of risk management was introduced into software development in the 1980s, and Barry Boehm can be regarded as its originator in that field. He proposed the risk-driven spiral model (Boehm, 1988).
According to Wall (1999), risk-management activities should be conducted by the project team alongside the cost-, time-, quality- and requirement-management activities. One of the best-known methods for identifying risk is the Riskit method. Riskit provides precise and unambiguous definitions for risks and results in an explicit definition of the objectives, constraints and other drivers that influence the project. The method is aimed at modeling and documenting risks qualitatively and can use both ratio- and ordinal-scale risk-ranking information to prioritize risks reliably.
It uses the concept of utility loss to rank the loss associated with a risk. Different stakeholder perspectives are explicitly modeled in the Riskit method, which has an operational definition and training support (Kontio & Basili, 1998). Most often, problems with data and information are caused by insiders rather than by intruders. As noted by Ivan Arce and Elias Levy, there are many dimensions in which such problems can occur. The workstation offers the most opportunity for exposure in the information technology (IT) area.
If an organization has placed up-to-date anti-virus and encryption software on the workstation, then it has implemented a single-dimensional level of effort, note S. Liu, J. Ormaner and J. Sullivan in “A Practical Approach to Enterprise IT Security.” If that single-dimension solution significantly improves the security of a single component (in this case, the desktop), then something else may become the new weakest link. The weakest link may therefore continually shift from the technology area to the physical area, to the human-resources area, to the policy area, and so on.
Arce and Levy also emphasize the temporal aspect of vulnerabilities. In particular, they suggest that the weakest link can shift from the desktop operating systems to the individuals operating them. It is important for an organization to plan its security program by determining where countermeasures and monetary investment should be directed. Without a high-level view, an organization may over-invest in areas that are not the weakest links.
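The following Python example is added here to make two points from the text concrete: risk as the ISO/TMB combination of probability and consequence, and the weakest link that shifts from area to area once a single-dimension countermeasure is applied. It is not code from the essay or from any of the cited works; the areas, probabilities and loss figures are constructed, and the assumption that one unit of spending halves an area's probability is an illustrative simplification.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    area: str
    probability: float  # chance the adverse event occurs in the stated period
    consequence: float  # loss if it does occur (arbitrary money units)

    def expected_loss(self) -> float:
        # ISO/TMB-style risk: probability of the event combined with its consequence
        return self.probability * self.consequence


def weakest_link(exposures):
    """The area carrying the largest expected loss right now."""
    return max(exposures, key=Exposure.expected_loss)


def total_expected_loss(exposures):
    return sum(e.expected_loss() for e in exposures)


def countermeasure(exposures, area, reduction=0.5):
    """Assumed effect of one unit of spending: cut the named area's probability."""
    return [replace(e, probability=e.probability * (1 - reduction)) if e.area == area else e
            for e in exposures]


def single_dimension_plan(exposures, steps, area):
    """Spend every unit on the same area, e.g. more and more desktop hardening."""
    for _ in range(steps):
        exposures = countermeasure(exposures, area)
    return exposures


def weakest_link_plan(exposures, steps):
    """Spend each unit on whichever area is the weakest link at that moment."""
    chosen = []
    for _ in range(steps):
        target = weakest_link(exposures)
        chosen.append(target.area)
        exposures = countermeasure(exposures, target.area)
    return chosen, exposures


# Constructed sample: one exposure per area named in the text; figures are illustrative.
SAMPLE = [
    Exposure("technology", 0.60, 100.0),  # the desktop workstation
    Exposure("physical", 0.35, 100.0),
    Exposure("human resources", 0.50, 50.0),
    Exposure("policy", 0.20, 80.0),
]
if __name__ == "__main__":  # three units of budget: follow the weakest link vs desktop only
    chosen, spread = weakest_link_plan(SAMPLE, 3)
    print(chosen, total_expected_loss(spread), total_expected_loss(single_dimension_plan(SAMPLE, 3, "technology")))
```

With the sample figures the weakest-link plan spends on technology, then physical, then technology again, after which human resources has become the weakest link; spending all three units on the desktop leaves a higher total expected loss.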
References
Adams, J. (1995). Risk. UCL Press.
Arce, I., & Levy, E. (2003). “The Weakest Link Revisited.” IEEE Computer Society, March/April 2003.
Boehm, B. W. (1991). “Software Risk Management: Principles and Practices.” IEEE Software, Vol. 8, No. 1, January 1991, pp. 32-41.
Giarini, O. (2000). “The Development of the Service Economy.” Progress, No. 31, July 2000.
Gordon, L., & Loeb, M. (2002). “The Economics of Information Security Investment.” ACM Transactions on Information and System Security, November 2002.
Kolodzinski, O. (2002). “Cyber-Insurance Issues: Managing Risk by Tying Network Security to Business Goals.” The CPA Journal, November 2002.
Kontio, J., & Basili, V. R. (1998). Riskit: Increasing Confidence in Risk Management. July 4, 1998. Available from www.softwaretechnews.com/technews2-2/riskit.pdf
Liu, S., Ormaner, J., & Sullivan, J. (2001). “A Practical Approach to Enterprise IT Security.” IT Pro, September/October 2001.
National Computer Security Center (1992). NCSC-TG-010: A Guide to Understanding Modeling in Trusted Systems (Aqua Book), October 1992.