CIS 527, Information Technology Risk Management
Dr. Glen Hines
October 21, 2018
Many people fear the uncertainty of risk. Some would also argue that taking risks is very risky, and they would not be wrong. Risks can be scary and harmful, but they can also be positive and rewarding. The biggest difference lies in how risks are managed. Risk management is the practice of identifying, assessing, controlling and mitigating risks (Gibson, 2015, p. 13). It is widely accepted that without risk there is no gain. In order to be successful, risks must be taken. However, it is important to understand that effective risk management involves calculated risks along with thorough knowledge of risk catalysts, impacts and outcomes. If an organization does not take any risks, it is not going to do very well or improve very much. On the other hand, if risks are ignored, it can be detrimental to stability and prohibitive to progress. Risk plays a key role in success and failure. Information technology (IT) systems play a part in the success of most companies, and managing IT risks either properly or improperly can determine the fate of a company's success.
Risk, Threat & Vulnerability
In risk management, it is vital to understand risks, threats and vulnerabilities. Knowledge of these security components will assist any entity or institution to effectively identify, discover and confront threats and vulnerabilities. In turn, this will also help to mitigate risk. Risk can be defined as the probability that a loss will take place. Risk is the likelihood of damage to or complete loss of an asset when a threat takes advantage of a vulnerability. Expressed as an equation, risk can be stated as: Risk = Threat x Vulnerability. Some examples of risk include financial loss because of a disruption in business, damage to reputation, privacy infringement, and death. A threat is anything or any action that acts as a probable hazard or danger. Threats can also be anything that exploits vulnerabilities in order to obtain, damage, or destroy an asset. It is important to note that threats can be intentional or accidental. There are many kinds of threats, three of which are considered the main and most common threat types: natural, intentional and unintentional threats. Natural threats include events like hurricanes, wildfires, floods and earthquakes. Unintentional threats include things such as computer malfunctions, employees falling victim to phishing or social engineering attacks, or an employee accessing the wrong information by accident. On the contrary, intentional threats include the actual phishing and social engineering attempts in addition to malware, adware and spyware. A disgruntled or resentful employee with malicious intentions is also a common intentional threat. A vulnerability is a deficiency, weakness or instability through which a loss will jeopardize assets or functionality. The problem is that threats can take advantage of these vulnerabilities in order to gain unapproved access to an asset. Losses happen when threats expose and exploit vulnerabilities.
Vulnerabilities can leave organizations open to intentional and unintentional threats. This type of vulnerability-threat relationship could be exemplified by an employee resigning while the responsible personnel forget to disable, or delay disabling, the former employee's physical or network access.
Risk and Loss
The terms risk and loss are often confused or misused. A risk is a potential for a loss, and the loss is the realization of that negative potential (Ingram, 2014). A loss is the result of an organization being compromised and a reduction or elimination of assets, functionality or continuity. It is imperative to note and understand that not all risks result in losses and not all losses result from risks (Ingram, 2014). A risk refers to a combination of a threat's probability and a threat's loss, which translates to the following: risk = threat probability x potential loss (Muscat, 2017). Organizations and managers must determine how much loss is acceptable, which can then lead to determining how much and what type of risk is acceptable. The overall goal is to lessen the losses that can develop from risk (Gibson, 2015, p. 4).
Risk Management and Information Security
Risk management is meaningful and vital to information security. An information security risk management plan is crucial for cybersecurity preparedness. Loss is commonly associated with financial or physical assets. Although IT components include a variety of physical assets, data is a high-priority asset when it comes to preventing loss. Securing information and IT infrastructure is complicated enough as it is, and constant changes in technology make it that much more challenging. With the rise of cyber threats, organizations and business leaders have become more focused on information security, including the incorporation of IT security as a part of risk management strategy. The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is one of the most popular security frameworks to help organizations improve critical infrastructure cybersecurity; it aims to provide direction on how to assess and improve an organization's ability to prevent, detect and respond to cyberattacks (Kolodgy, 2017). There is no universal solution for IT security and risk management strategy. However, when using resources such as the NIST CSF, organizations can move from reactive efforts to proactive approaches towards risk management (Kolodgy, 2017).
Risks with Data
It is imperative and worthwhile for organizations to take risks with data. The demand for data is growing at an exponential rate and has become a part of everyday life for consumers and businesses alike. Therefore, risk management is important to information security, and data risk is becoming a top priority. Policies and regulations help with control and enforcement by encouraging organizations to be clear about what type of data they gather, store, use and share.
Managing data is complicated and challenging. Gaining and keeping the trust of individuals is even more so. It can be considered a risky practice to store customer information for repeat visits. The benefits might include better, faster service for customers and a more efficient workflow for businesses. Analytics can also be used for personalization, predictions and suggestions. All of this can result in positive customer experiences. However, if data is misused or stolen, the resulting loss of customer trust can be detrimental. Data classified as high-risk is essentially data that includes attributes about individuals and is commonly referred to as PII, or personally identifiable information (Telford & Verhulst, 2016). The risk presents itself when this type of data is retrieved and shared without consent from an individual or organization, or when data is being used for purposes other than what was initially stated during collection (Telford & Verhulst, 2016). Many companies have learned that a favorable way to manage data risk is by improving data management. With strong data management combined with a good perception of the related risks, consumer and public trust with data can be much easier to manage.
Risk Management Plan
The simple fact that risks can lead either to success or to detriment is reason enough to understand that risks need to be managed. A risk management plan is a specific type of project plan to identify and mitigate risk (Gibson, 2015). A good risk management plan is advantageous because it lessens risk potential. Executives can achieve this advantage by designing, creating and implementing a risk management plan. The plan is a document that is prepared to anticipate risks, estimate impacts and specify responses to vulnerabilities and threats. The documented plan defines the process and techniques used to define risks and the actionable responses to those risks. There are several necessary components that should be included in any risk management plan. An important first step for a risk management plan is to establish objectives (Gibson, 2015). Other key components include the following: roles and responsibilities, budget, timeframe, thresholds, communication, tracking and auditing ("Seven Components to a Risk Management Plan," 2014).
It is important to recognize that risk does not always generate reward, although proper risk management can increase the probability and the size of rewards. A good quote to remember is from Greyson Chance, who states: "Bigger the risk, bigger the reward. But the higher the climb the harder the fall" ("Greyson Chance Quote," 2018).
References
Gibson, D. (2015). Managing risk in information systems (2nd ed.). Burlington, MA: Jones & Bartlett Learning.
Greyson Chance Quote. (2018, October 13). Retrieved from https://www.azquotes.com/
Ingram, D. (2014, December 29). The Difference Between Risk and Loss. Retrieved from
Kolodgy, C. (2017, December 13). Cybersecurity Strategy, Risk Management and List Making. Retrieved from https://securityintelligence.com/cybersecurity-strategy-risk-management-
Muscat, I. (2017, November 6). Cyber Threats vs Vulnerabilities vs Risks | Acunetix. Retrieved from
Seven Components to a Risk Management Plan. (2014, October 6). Retrieved from
Telford, S., & Verhulst, S. (2016). Understanding Risk | A Framework for Understanding Data Risk. Retrieved from https://understandrisk.org/a-framework-for-understanding-data-risk/