Some key points to consider for an effective information security risk management program include understanding the business risk associated with information security, incorporating human factors and being cautious of the 'low likelihood and high consequence' events.


Written by Lisa Rajbhandari, KPMG.

Advancement in information technology has altered and eased the way organizations manage their business operations. However, with these advances, organizations are facing complex challenges to secure their information systems. Cyber attacks are becoming more effective as they leverage the increasing amount of information available in social media to combine social engineering with technical exploits.

In the current threat landscape, organizations need to be proactive in identifying, assessing and managing risks to their information systems. ISO Guide 73 defines risk management as the set of systematic activities used to direct and control an organization with regard to risk*. Accurate risk assessment provides valuable insight into the risks that organizations face and is essential to a successful risk management program. Although an effective program to assess and manage information security risk is the result of many factors, in this post I would like to highlight the following three key points: understanding the business risk associated with information security, incorporating human factors and being cautious of the ‘low likelihood and high consequence’ events.

Understand the business risks associated with information security

When conducting a risk assessment, it is important to account for the business functions that depend on information systems. The stakeholders should understand the impact of security breaches on the organization in business terms such as finances, reputation, operations, and health and safety. Another important point to consider is proper risk communication, keeping in mind that people might have different perceptions of risk.

Incorporate human factors

It is clear that insiders, intentionally or unintentionally, play a significant part in the risks that organizations face today. Humans are often considered the weakest link in the security chain, but they are also the last line of defense. However, when it comes to solutions, the focus is more often on technological factors, while human and organizational factors are considered less important**. As security practitioners, we need to consider all three factors: human, technological and organizational. We need to look into the security culture of an organization, focus on how we can balance usability against security, and provide employees with training that will help them make good security decisions.

Be cautious of the low likelihood and high consequence events

Many organizations prefer risk assessment methods where risk is determined as a combination of likelihood and consequence. However, it is often difficult to verify likelihood estimates. When depending on a risk assessment method that includes likelihood estimates, ‘low likelihood and high consequence’ events might be overlooked. The likelihood of such an event may actually be greater than estimated and may increase over time as the number of threats, their capabilities and resources increase. Failing to prepare adequately for a major incident because of an inaccurate likelihood estimate may be catastrophic to an organization. Therefore, when conducting information security risk assessment, we should pay careful attention to how likelihood is estimated.

*ISO/IEC GUIDE 73. Risk management – Vocabulary. ISO, 2009.

**Werlinger, R., Hawkey, K., and Beznosov, K. An integrated view of human, organizational, and technological challenges of IT security management. Information Management & Computer Security 17, 1 (2009), 4–19.

