Information Management & Computer Security

A business approach to effective information technology risk analysis and management

Sharon Halliday Karin Badenhorst Rossouw von Solms
Article information:
To cite this document:
Sharon Halliday Karin Badenhorst Rossouw von Solms, (1996),"A business approach to effective information technology risk
analysis and management", Information Management & Computer Security, Vol. 4 Iss 1 pp. 19 - 31
Permanent link to this document:
http://dx.doi.org/10.1108/09685229610114178
Downloaded on: 30 January 2016, At: 14:38 (PT)
References: this document contains references to 14 other documents.
To copy this document: permissions@emeraldinsight.com
The fulltext of this document has been downloaded 3658 times since 2006*
Users who downloaded this article also downloaded:
Kakoli Bandyopadhyay, Peter P. Mykytyn, Kathleen Mykytyn, (1999),"A framework for integrated risk management in
information technology", Management Decision, Vol. 37 Iss 5 pp. 437-445 http://dx.doi.org/10.1108/00251749910274216
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

David Baccarini, Geoff Salm, Peter E.D. Love, (2004),"Management of risks in information technology projects", Industrial
Management & Data Systems, Vol. 104 Iss 4 pp. 286-295 http://dx.doi.org/10.1108/02635570410530702
Stefan Fenz, Johannes Heurix, Thomas Neubauer, Fabian Pechstein, (2014),"Current challenges in information security
risk management", Information Management & Computer Security, Vol. 22 Iss 5 pp. 410-430 http://dx.doi.org/10.1108/
IMCS-07-2013-0053

Access to this document was granted through an Emerald subscription provided by emerald-srm:404409 []
For Authors
If you would like to write for this, or any other Emerald publication, then please use our Emerald for Authors service
information about how to choose which publication to write for and submission guidelines are available for all. Please
visit www.emeraldinsight.com/authors for more information.
About Emerald www.emeraldinsight.com
Emerald is a global publisher linking research and practice to the benefit of society. The company manages a portfolio of
more than 290 journals and over 2,350 books and book series volumes, as well as providing an extensive range of online
products and additional customer resources and services.
Emerald is both COUNTER 4 and TRANSFER compliant. The organization is a partner of the Committee on Publication
Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archive preservation.

*Related content and download information correct at time of download.

 A business approach to effective information
technology risk analysis and management
Suggests that a number of
difficulties are experienced by
organizations using conven-
tional risk analysis and man-
agement. “Conventional”
refers to those methodologies
which are based on the tradi-
tional asset/threat/vulnerabil-
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)
ity model. Identifies a need for
an approach that is more
suitable for smaller organiza-
tions, as well as organizations
requiring a quicker, more
simplified and less resource-
intensive approach. In light of
this requirement, proposes an
alternative approach to
effective information technol-
ogy (IT) risk analysis and
management. This approach
has a business-oriented focus
from an IT perspective.
Information Management &
Computer Security
4/1 [1996] 19–31
© MCB University Press
[ISSN 0968-5227]
Sharon Halliday UNISYS, Port Elizabeth, South Africa
Karin Badenhorst Integrated Risk Consultants (IRC), Johannesburg, South
Africa, and
Rossouw von Solms Department of Information Technology, Port Elizabeth
Technikon, Port Elizabeth, South Africa
Introduction
We live in an unsafe world in which we
encounter threats against our safety and
security every day. This is especially true in
the information processing environment.
More and more companies are becoming
totally dependent on computer systems for
their day-to-day operations. Computer tech-
nology is developing at a dramatic rate and,
unfortunately, so are the techniques and
mechanisms utilized by computer criminals.
Fast developing issues, which provide
increased opportunities for computer crime
and which result in a greater demand for
security, include: increased computer access,
networks (Internet), open systems,
client/server, etc.
Crime usually does its ingenious best to
keep pace with technology[1].
Network security has become the most
important concern of organizations today.
Gary Jensen, Operations Manager, Scientific
Computing Division, National Centre for
Atmospheric Research, states: “If you have
telephone lines attached to your network, you
can’t be 100 per cent secure”[2, p. 6]. Based on
a US survey (1995) of respondents running
vital business systems on local area networks
(LANs), 50 per cent believe LAN security is
unsatisfactory. At larger organizations (over
2,500 employees), 55 per cent report unsatis-
factory security for mission critical systems
running on LANs (see Figure 1).
As organizations become more and more
dependent on their computer-based informa-
tion systems, which play a vital role and
important part in their business operations,
there needs to be a greater awareness and
concern about the security of these systems.
Information has become the key resource and
even the lifeblood of many organizations.
“Information is the glue that holds an organi-
zation together and that allows all other
resources to be managed”[3, p. 71].
Information security appears on the list of
critical success factors of most major organi-
zations today[4]. There are three fundamental
qualities of information which are vulnerable
to risk and which, therefore, need to be pro-
tected at all times, namely availability,
integrity and confidentiality. The successful
management of information security within
an organization is vital to its survival and
success. An organization needs to be able to
determine the current security status of its
information and computer resources and
raise it to a level that is acceptable to manage-
ment. To do this, the risks that threaten the
security of its information and computer
resources need to be assessed and the neces-
sary security controls need to be
implemented and managed effectively.
Risk analysis and management
Risk analysis and management provides an
organization with a means of identifying,
assessing and controlling the organization’s
risks. Risk analysis deals with the following:
• Which assets need protection?
• What is the value of these assets?
• What threats prevail?
• What is the probability of each threat?
• What is the vulnerability of the assets to
the threats?
• How much is the company at risk?
Once the risks have been identified, they need
to be reduced to an acceptable, low level by
introducing countermeasures. Risk
management involves the identification and
implementation of effective security controls
to mitigate, control and resolve the
organization’s risks. Cost-benefit analyses
need to be performed to determine which
controls are the most effective and justifiable
in terms of cost and protection provided.
Figure 2 provides an overview of risk analy-
sis and management.
The risk analysis and management
approach which has just been described can
be classified as “conventional”. It is based on
the conventional asset/threat/vulnerability
model which refers to the analysis of assets,
threats, vulnerabilities and outcomes to
determine risks, followed by the implementa-
tion of effective counter-measures.
Implementation of risk analysis
and management
The task of performing a risk analysis and
management review is a complex one which
[ 19 ]
 Sharon Halliday,
Karin Badenhorst
and Rossouw von Solms
A business approach to
effective information
technology risk analysis and
management
Information Management &
Computer Security
4/1 [1996] 19–31
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)
Figure 1 A list of some of the criteria that have been
Mission critical systems in an insecure used previously in a review of risk analysis
environment methods follows[5, p. 42]:
• Background. This refers to the type of
Per cent community in which the system was ini-
63 tially developed, e.g. military, government,
etc.
62 • Type of system. This refers to the type of
approach that the system uses, e.g. qualita-
61
tive, quantitative or both.
60 • Supported by a method. This refers to how
well the system is supported by a method.
59 A system which has little support will
place more demands on the reviewer.
58
Systems run on Systems run on • Size of the system. Size of the system means
department/business LANs how extensive the system is in terms of
unit minicomputer
number of questions, etc.

Respondents who report environment as insecure but
continue to process critical systems in the environment
Figure 2
Risk analysis and management
Risk analysis scope
Assets
Threats Risks Counter-measures
Vulnerabilities
Risk analysis Risk management
has been made easier by formal methodolo-
gies that implement the theory of risk analy-
sis and management. These methodologies
consist of a set of specific phases and guide-
lines to be followed by an organization.
Many of these methodologies are available
in the form of a software package. The
methodology chosen by an organization will
depend on the size of the organization as
well as on the decision about how much
effort and time is going to be spent in the
area of computer security.
Review of current methodologies
This section will provide a brief
comparison of several of the most well-
known and respected risk analysis and man-
agement methodologies, namely LRAM,
LAVA, CRAMM and MARION. These
methodologies have been widely accepted
and implemented in countries all over the
world. Although many basic concepts are
similar, they vary widely in terms of scope,
analytical depth, costs and resource require-
ments.
[ 20 ]
• Automated cost/benefit. This refers to the
amount of automated cost/benefit support
provided by the system.
• Degree of automation. This refers to the
amount of work the system does. A low
degree of automation means that a lot of
work needs to be done by the analyst.
• Gathering of input information. It is impor-
tant that the system models threats and
assets in such a way that it is possible for
the user to find accurate information.
• Degree of completeness. This refers to the
number of aspects of computer security
which are covered by the system. Some
systems concentrate more on a specific
aspect of computer security.
Table I provides a comparison of the named
methodologies.
Difficulties with the application of
conventional risk analysis and
management methodologies
The term “conventional” is used to refer to
many of the risk analysis and management
methodologies that exist today. One com-
monality between these methodologies is
that they are all based on the traditional
asset/threat/vulnerability model. The focus
of this model is mainly within the IT
department and does not take into account
business issues. Because of the nature of
conventional risk analysis methods, which
are mostly bottom-up (i.e. driven from a
technology assets perspective), such
reviews tend to become time-consuming,
especially in medium to large organizations.
The simplest framework for a risk analysis
is based on extensive threat and asset check-
lists[6, p. 91]. Unless reviews can be more
focused on the critical parts of the business
and completed within a limited period of
time, much value will be lost and a danger
will exist that the risk analysis will become
 Sharon Halliday, Table I
Karin Badenhorst A comparison of reviewed methodologies
and Rossouw von Solms
A business approach to LRAM LAVA CRAMM MARION
effective information
technology risk analysis and Background Military Government Government Consulting insurance
management Type of system Quantitative Both Both Both
Information Management & Supported by method Medium High High High
Computer Security Size of system Medium Large Large Medium
4/1 [1996] 19–31 Automated cost/benefit Yes No No Yes
Degree of automation Low Medium Medium Medium
Gathering of input information Medium Low Medium Medium
Degree of completeness n/a High High High

more expensive than the acceptance of the

risks. A proposed business approach to
Many of the well-known methodologies risk analysis and management
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

were initially developed to address the secu-
rity needs of large organizations such as
military and government institutions.
Although they can be tailored to suit the
needs of smaller organizations, to be able to
do this and apply the modified methods
effectively, a certain amount of knowledge
and expertise is required. The skill level(s)
of the person(s) required to conduct an IT
risk analysis review is often
underestimated. Considerable demands are
placed on the reviewer’s expertise in the way
of subjective estimations and judgements
that are required to be made[7, p. 423]. The
risk analysis has to be supervised by experi-
enced IT security staff, trained in the
methodology, or with at least a reasonable
knowledge of general computer security
principles[6, p. 103].
It is also very important to keep the focus
on a more comprehensive risk management
process, rather than limiting an exercise to
the risk analysis/assessment part of the
process, as is often the case. There is little
value in identifying and quantifying risk
without implementation of cost-effective
security measures to counter the risk. An
important aspect of a risk analysis and man-
agement methodology is the provision of
some means by which risks can be prioritized
and countermeasures can be selected and
implemented on a cost-effective basis.
The results from a conventional risk review
are normally not carried through to a busi-
ness impact analysis (BIA) which is required
in the development of a business continuity
plan. Added value can be achieved by an
organization if the risk review can be inte-
grated with a BIA.
An alternative approach to effective IT risk
analysis and management will be proposed.
The objective of the rest of this paper is to
discuss the formulation of the proposed
approach and to put into perspective, the
concepts applied within it.
The terms “corporate approach” and “busi-
ness-oriented approach” are used to define
the proposed risk analysis and management
approach. This approach differs from conven-
tional methodologies in that it focuses on
identifying the risks that threaten the organi-
zation’s critical business processes instead of
the risks that threaten each individual IT
asset.
If the security of an organization’s com-
puter resources or the availability, integrity
and confidentiality of its information is
violated or compromised in any way, it will
affect business continuity and, consequently,
the whole company will be affected. Any part
of the business that relies on the company’s
information systems for its daily functioning
will be at risk.
Rather than approaching the analysis and
management of IT risks in the traditional
manner, through rigidly considering domains
such as hardware, software, the environment
and personnel as done by conventional meth-
ods, a corporate approach which focuses on
the critical business processes of the organi-
zation is proposed. Figure 3 illustrates the
difference in focus of the proposed business-
oriented approach.
Figure 3
Focus of the business-oriented approach
The business
Business Finance Sales Marketing
functions
Business Order Customer
processes processing relations Focus
Individual
tasks

[ 21 ]
 Sharon Halliday,
Karin Badenhorst
and Rossouw von Solms
A business approach to
effective information
technology risk analysis and
management
Information Management &
Computer Security
4/1 [1996] 19–31
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)
[ 22 ]
The business-oriented approach is con-
cerned with identifying risks at the business
process level. Its objective is to ensure the
continuity of essential business functions
and the organization as a whole through
assessing the criticality of business
processes and determining the effect of their
unavailability or obstruction on the
organization’s day-to-day operations. The
recording of the individual tasks within each
business process provides areas which are
significantly reduced to enable risks to be
easily identified.
The business-oriented approach focuses on
the critical business processes of the organi-
zation from an IT perspective.
An information technology (IT) perspective
Two very important aspects of IT that are
essential to the successful operation of the
organization are:
1 availability so that the organization can
perform its operations;
2 functionality so that the organization can
perform its operations correctly.
A problem in the past has been that senior
executives have separated the organization’s
technological and information-processing
activities from the business functions they
support. These activities are often seen as
trivial adjuncts to the business functions and
processes. Management needs to realize how
dependent the functions and processes are on
IT. Few end-to-end business processes can
exist efficiently without a computer[8, p. 6]. A
single failure in IT could have a dramatic
impact on many parts of the organization.
Therefore, management needs to pay extra
attention to its security. IT should be inte-
grated throughout the entire business opera-
tion and act as a full participant in perform-
ing the business mission. Terry Lamb of
Ernst & Young in Europe stated in January
1993: “Alignment of IT with organizational
needs is a top-down process that requires a
business driven approach”.
Within the scope of this paper, IT has been
defined as consisting of the following two
components:
1 the information systems (including related
information) on which the critical busi-
ness functions and processes depend;
2 the computer technologies (hardware and
software) which support the processing,
storage and distribution of the company’s
data and information.
The business-oriented approach has a
corporate or business focus, but from an IT
perspective. During the identification of
risks, the information systems (and associ-
ated information) on which the critical
business processes depend, as well as the
computer technologies that support these
information systems, are taken into account.
They are considered in terms of the impact
that a loss of their availability, integrity and
confidentiality will have on the business
processes that they support, and ultimately
the organization. Figure 4 illustrates the
definition of IT as applied within this paper.
The proposed approach focuses on business
dependence (the dependency of business
processes on IT and its impact on the organi-
zation) instead of on computing vulnerability
(the vulnerability of IT assets to threats).
Organizations need to look at the business
functions being supported by computers and
ask questions about the information manipu-
lated in these processes. For example, “how
valuable, sensitive or critical is the informa-
tion”[3, p. 202].
In the next section, the business oriented
approach will be further defined in terms of
its framework, the model on which the frame-
work is based and the differences in its
method of identifying and managing risks.
A framework for the proposed
approach
To be able to perform an analysis at the busi-
ness process level, all of the above and under-
lying levels need to be looked at. This is
because of the interdependence and commu-
nication between the various levels. The
framework of the business-oriented approach
is based on a model called the value chain
defined by Michael E. Porter[9].
Porter’s value chain
The value chain introduced by Porter
[9, p. 36], is defined as a tool for systematically
examining all the activities of a firm and the
way in which these activities interact. Every
Figure 4
The definition of IT as applied within this paper
Business function
Business processes
Stock control system Information
systems
= IT
Computer
MCB
technologies
Hardware Software
 Sharon Halliday,
Karin Badenhorst
and Rossouw von Solms
A business approach to
effective information
technology risk analysis and
management
Information Management &
Computer Security
4/1 [1996] 19–31
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)
firm consists of a collection of activities that
are performed in order to produce, market,
deliver and support its products and services.
The value chain disaggregates a firm into its
strategically relevant activities in order to
understand the behaviour of costs and the
existing and potential sources of differentia-
tion. A firm gains competitive advantage by
performing these strategically important
activities more cheaply or better than its
competitors.
Within this paper, Porter’s value chain is
used to define a model on which the frame-
work of the business approach will be based.
Definition of the organizational chain
Definition of this model is necessary in order
• Systematic (functional) level. The main
activities (business functions and
processes) of the organization are per-
formed at this level. It consists of a number
of business departments controlled by
middle management.
• Situational (support) level. This level con-
sists of the daily operations required to
support the business functions and
processes of the organization.
Every firm has a set of distinct business func-
tions and processes which must be performed
if it is to achieve its mission and objectives.
Every function employs purchased inputs,
human resources and some form of technol-
ogy to achieve its objectives. Figure 5 illus-
trates the organizational chain which is

to facilitate formation of a framework for the
business-oriented approach. Porter’s value
chain is customized to fit the focus of the
business oriented approach, i.e. it is
customized to define an organization as a
hierarchy of levels consisting of different
business functions, processes and tasks.
Because of its sole purpose to represent the
structure and operation of an organization,
the term value chain is replaced with the
term organizational chain for the purpose of
this paper.
The organizational chain of a company
comprises the following levels:
• Strategic level. This is the top level in the
organization, consisting of senior
management. It also represents what the
business is all about (business type,
mission, focus, goals, customers and
suppliers).
defined from Porter’s value chain.
With regard to the organizational chain,
primary activities are referred to as business
functions while support activities are
referred to as support tasks.
Business functions (primary activities)
There are five generic categories of primary
functions involved in competing in any indus-
try. Each category is divisible into a number
of distinct functions that are determined by
the particular industry and firm strategy.
These categories can be applied to the busi-
ness functions of any type of firm, e.g.
manufacturing, service providing, banking,
etc. The example organization used in the
following explanation of the five categories is
characterized as having a production
function.
1 Inbound logistics. Functions belonging
to this category are associated with

Figure 5
The organizational chain

The organizational chain

Strategic Business environment – type, mission,
level: strategy, goals, objectives, customers and suppliers, etc.
Primary
Strategic activities

Systematic
level:
Business Inbound Operations Outbound Marketing Customer
functions logistics logistics and sales service
and processes

Procurement
Technology management
Human resource management
Firm infrastructure
Support
Situational level: Day-to-day support operations (tasks) activities

[ 23 ]
 Sharon Halliday,
Karin Badenhorst
and Rossouw von Solms
A business approach to
effective information
technology risk analysis and
management
Information Management &
Computer Security
4/1 [1996] 19–31
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)
[ 24 ]
receiving, storing and disseminating as raw materials, are purchased by the
inputs to the product such as order receiv- conventional purchasing department, while
ing, material handling, returns, etc. other items, such as machines, are pur-
2 Operations. These functions are associated chased by plant managers.
with transforming the inputs into the final
The three levels in the organization, together
product form, e.g. machining, packaging,
with the business functions, processes and
assembly, etc.
support tasks discussed above, serve to define
3 Outbound logistics. This category consists
the organizational chain from Porter’s value
of functions associated with collecting,
chain. The application of the organizational
storing and physically distributing the
chain in defining the framework of the pro-
product to buyers, e.g. finished goods ware-
posed business-oriented approach will be
housing, deliveries, scheduling, etc.
discussed in the following section.
4 Marketing and sales. Functions within this
category are associated with providing a
Definition of a framework based on the
means by which buyers can purchase the
organizational chain
product, and inducing them to do so, such
The business-oriented approach focuses on
as advertising, promotions, sales force, etc.
the organization as a whole (corporate focus)
5 Customer service. These functions are
with regard to IT security, as shown in
associated with providing service to
Figure 6. The business processes are the most
enhance or maintain the value of the prod-
important part of an organization and are
uct, e.g. installation, repairs, training, etc.
essential to its survival as they allow it to
Each of the above categories may be vital to continue functioning, carry out its mission,
the survival of the organization depending on achieve its goals and objectives and make
the industry type. Each of the business profit. Therefore, it is important that these
processes that compose a business function processes are protected from all possible
can be decomposed into a number of individ- disruptions. The risk analysis and manage-
ual tasks that support it. ment review is performed at the systematic
level in the organization. Figure 6 graphically
Support tasks (support activities)
illustrates the mapping of the organizational
The individual tasks performed at the situa-
chain to the framework of the business-
tional level support the business functions
oriented approach.
and processes and each other by providing
Figure 6 shows how the IT perspective of
purchased inputs, technology, human
the business-oriented approach is taken from
resources and various firm-wide activities.
the technology management entity in the
As with business functions, support tasks can
organizational chain. Other entities at the
also be divided into a number of generic cate-
situational level (firm infrastructure, pro-
gories applicable to any given industry type.
curement, etc.) are not considered. During
• Firm infrastructure. Firm infrastructure
the identification of risks, the information
consists of a number of tasks including
systems and computers on which the busi-
general management, planning, finance,
ness processes depend are taken into account.
legal and government affairs, quality man-
Figure 6 also shows how risk analysis can
agement, etc. Unlike other support tasks, it
be integrated with a business impact analysis
usually supports the entire organizational
(BIA). The author’s approach simplifies the
chain and not individual business
development of a business continuity plan
processes.
because the critical operations and business
• Human resource management. Human
processes of the organization, as well as the
resource management consists of tasks
computer technologies that support these
involved in the recruiting, hiring, training,
processes, will already have been identified in
compensation, etc. of all types of personnel.
the risk analysis. This information can then
• Technology management. The array of tech-
be carried through to the BIA and the organi-
nologies employed in most firms is very
zation does not have to spend additional time
broad, ranging from those technologies
and resources on a second analysis.
used in preparing documents and trans-
The next two sections discuss the differ-
porting goods to those technologies embod-
ences in the way the proposed business
ied in the product itself. Technology man-
approach deals with the identification, analy-
agement may support any of the numerous
sis and management of risks.
technologies embodied in support tasks,
including such areas as telecommunica-
tions technology or office automation.
Risk analysis
• Procurement. Procurement refers to the
purchasing of inputs used in the firm’s The business-oriented approach is concerned
organizational chain and not to the pur- with identifying risks for the critical busi-
chased inputs themselves. Some items, such ness processes in the organization. It follows
 Sharon Halliday, Figure 6
Karin Badenhorst Framework definition from the organizational chain
and Rossouw von Solms
A business-oriented approach The organizational
to effective information chain
Strategic Business environment – type, mission,
technology risk analysis and level: strategy, goals, objectives, customers and suppliers, etc.
management
Information Management & Strategic
Computer Security
4/1 [1996] 19–31

Systematic
level:
Business Inbound Operations Outbound Marketing Customer
functions logistics logistics and sales service
and processes
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

Procurement
Technology management
Human resource management
Firm infrastructure

Situational level: Day-to-day support operations (tasks)

From an
IT
perspective
only
Corporate
focus

Strategic

Systematic Risk analysis and

(functional) management

Situational
(support)
Business-oriented
Business impact analysis approach

a top-down process in which each of the three
levels in the organization are analysed but in
varying degrees of detail.
Analysis at each organizational level
Each of the three levels in the organization is
analysed with specific aims in view.
1 The strategic level in the organization is
analysed to determine the business envi-
ronment (business type, focus, depart-
ments, customers and suppliers, etc.).
Analysing the business environment will
help to identify those areas which are
predominantly at risk and which, there-
fore, need to be concentrated on. This is
necessary to determine the boundary and
scope of the review.
2 The actual risk analysis and management
review is performed at the systematic level,
during which the critical business func-
tions and processes in the organization are
analysed. A functional decomposition
model is used to model the business func-
tions into their component processes and
tasks. Business functions are identified
within the primary categories discussed
earlier. Only those business processes that
are dependent on or related to IT are
analysed.
3 Each business process is supported by a
number of individual tasks which are
performed at the situational (support)
level. It has already been mentioned that
the recording of individual tasks provides
areas which are significantly reduced to
enable risks to be easily identified. The
concept of the delimitation of areas is also
applied in MARION, in which the organi-
zation is divided into risk areas and the
people responsible for each area are inter-
viewed.
In the business-oriented approach, only the
IT components of the situational level are
[ 25 ]
 Sharon Halliday,
Karin Badenhorst
and Rossouw von Solms
A business approach to
effective information
technology risk analysis and
management
Information Management &
Computer Security
4/1 [1996] 19–31
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)
[ 26 ]
focused on. The information systems and
computer resources are analysed in terms
of the impact on a business process caused
by a loss of their availability, integrity and
confidentiality. A systems model can be
used to model the information systems and
hardware and software used by each task in
the business process. Through focusing on
each task it is easy to determine at which
point the process becomes dependent on IT
and also on which systems it becomes
dependent.
Figure 7 shows how a systems model can be
used to model the individual tasks within a
business process together with the IT (infor-
mation systems and computer technology)
used by each task.
Identification of risks
In the business-oriented approach, risks are
not the end result but instead are identified at
the start of the analysis. Risks are identified
by constructing “risk scenarios” which are
defined as undesirable situations that could
disrupt a business process, e.g. unauthorized
modification of debtors’ information. A risk
scenario comprises a risk description, likely
causes (initiators of the risk), e.g. conspiracy
between employee and debtor, an expected
frequency and impact and a risk growth fac-
tor. The identification of risks is made easier
by analysing one business process at a time
(including its component tasks and support-
ing IT). The reason for recording the likely
causes of a risk is that it simplifies the
recommendation of counter-measures as the
sources of the risk are known.
Figure 7
A systems model with supporting IT
Function: Purchase parts
Processes: Place order and monitor order receipt
Identify late/
Purchasing problem orders
system Inquire or reconcile
File order copy
by vendor
Verify price
and availability
Identify items
and vendors
Buyer
Create and mail order
The concept of a “risk scenario” can also be
seen in LRAM and MARION which proves
that this concept is not totally foreign. In
LRAM, the basic unit is a risk element which
refers to a risk scenario[10, p. 498]. A risk
element consists of a threat initiator, poten-
tial target asset and the consequences if the
threat reaches the asset[5, p. 24]. These three
entities, in effect, compose a risk. MARION
has an eight-step risk scenario instruction
process that follows a similar line of reason-
ing.
Risk scenarios are constructed by deter-
mining what could befall the information
systems and computer resources that support
each business process. Risks are classified
according to their primary effect on one of
the following:
• availability of information systems and
computer resources;
• integrity of information;
• confidentiality of information.
In the case where a risk will affect more than
one of the above, e.g. integrity and confiden-
tiality, then the risk must be categorized
according to its primary effect (the most
critical effect) and any other effects are con-
sidered as secondary.
For each risk, the following is recorded:
• likely causes;
• expected frequency;
• impact on a business process;
• growth factor.
If a risk has not occurred before, it is difficult
to estimate its expected future occurrence.
Therefore, to assist in the determination of
frequencies, a certain amount of flexibility is
Materials
control clerk
Financial
system
Mapper
Unix
Informix
Verify receipts
against orders Unix
Invoice approval
clerk Create invoices and
send to accountant
Vendor Accountant
 Sharon Halliday,
Karin Badenhorst
and Rossouw von Solms
A business approach to
effective information
technology risk analysis and
management
Information Management &
Computer Security
4/1 [1996] 19–31
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)
provided where reviewers can rely on their
knowledge and understanding of the business
as well as past experiences with risk events.
There are two frequency measures available:
1 frequency of past occurrences;
2 probability of future occurrences.
The risk growth factor can be seen as a third
dimension when recording risks. It is used to
describe the possible future developments of
a particular risk. For example, a major risk
with a low growth factor is typically a risk
that will disappear or diminish soon. This
may be due to various influencing factors
(e.g. introduction of legislation). On the other
hand, a small risk with a large growth factor
is a risk that could grow into a much larger
one in a very short time period. The growth
Prioritization of risks
Management needs to have some means of
determining the level of risk that is accept-
able and the level of risk that needs to be
addressed in the organization. High level
risks, which pose the biggest threat to the
critical business processes, should be
addressed first.
A tool called a bubble chart is proposed,
which can be used to plot the risks for each
business process once they have been identi-
fied and quantified. Risks can be grouped into
different levels according to their criticality,
as shown in Figure 9. These levels represent
the order in which the risks need to be
addressed and can be used to plan the
implementation of the necessary security
countermeasures. The lines dividing the

factor will have a large influence on the criti-

risks into addressable levels (shown as dotted
cality of a risk and thus also on the amount of
lines in the graph), can be positioned by man-
effort, time and resources spent on address-
agement depending on the level of risk that
ing the risk. Although a risk may currently
they are willing to accept (e.g. frequency < = 5
have a high value (determined by frequency
and impact < = 5) and the criticality of each
and impact), if it has a low growth factor, then
risk.
a large amount of effort should not be spent
A bubble chart is very similar to a scatter
on addressing it immediately, because of the
or XY graph. The difference is in the number
likelihood that it will diminish in the near
of variables required to plot an intersection
future. The differences with regard to risk
point. An XY graph requires two co-
identification between conventional
ordinates, namely an X-axis value and a
approaches and the business-oriented
Y-axis value. A bubble chart is a three-
approach are shown in Figure 8.
In the next section, a graphical tool is pro-
posed which will provide support in the risk
management process. Figure 9
The prioritization of risks using a bubble chart
Bubble chart
Risk management
Process : place order of function : purchase parts
The objective of the proposed tool is to
address the following two aspects of risk Frequency
management: 8

1 the prioritization of risks;

7 5
2 the recommendation and selection of Risk for
appropriate security controls. immediate attention
6

5 4
Figure 8 Risk to be
addressed
Conventional risk analysis versus business- 4 next
oriented approach
3 4 2

Traditional Business-oriented
methodologies approach 2 2 3

Risk • Availability 1
Threat • Integrity Acceptable
scenario • Confidentiality risk level
0
0 1 2 3 4 5 6 7 8
Frequency Likely causes
Vulnerability impact Vulnerability Frequency Impact
Impact
Growth factor Key
Asset Business Input error Calculation error
= process Incorrect Backup failure
Risk  Tasks  verification-price Printer failure
 Information
Computer technology (hardware 
systems
Failure of Unix
 and software)  machine

[ 27 ]
 Sharon Halliday,
Karin Badenhorst
and Rossouw von Solms
A business approach to
effective information
technology risk analysis and
management
Information Management &
Computer Security
4/1 [1996] 19–31
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)
[ 28 ]
dimensional graph and, therefore, requires Figure 10
three variables – an X-axis value, a Y-axis Recommendation and selection of counter-
value and a third value which is used to deter- measures using a bubble chart
mine the radius (size) of a bubble.
There are three measures used to plot risks. Bubble chart
The first two are impact and frequency (risk
value). The position of a risk in the graph is Process : place order of function : purchase parts
determined by the intersection of its impact Frequency
and frequency. The X- and Y-axes are used to Control risk Risk (reduce frequency
plot the impact and frequency values of a risk (reduce frequency) and impact)
respectively. The third mesaure is risk 8
growth factor. The growth factor of a risk
(shown as a number in the chart) determines 7 5
the radius (size) of its bubble.
A bubble chart is a very useful manage- 6
ment tool as it graphically illustrates all the
5 4
risks to a business process as well as the criti-
cality of each risk in relation to the others. Q4 Q3
4
Based on the size and position of the bubbles,
management can determine the level of risk 3 4 2
that is acceptable and the level of risk that
needs to be addressed in the organization. 2 2 3
Once the risks have been prioritized, man- Q1 Q2
agement needs to determine the type and 1
Accept/retain risk Transfer risk
amount of security that is needed for each (do nothing) (insure)
risk. 0
0 1 2 3 4 5 6 7 8
Impact
Recommendation and selection of security
controls Key
Decisions on the type and amount of security Input error Calculation error
required to address the identified risks will Incorrect Backup failure
be influenced by the criticality of each risk. verification-price Printer failure
The higher the level of exposure, the more Failure of Unix
important it is to counter the risk. The bubble machine
chart shown in Figure 10 can be used by man-
agement in the recommendation and selec- that the risk should be carefully monitored as
tion of a set of appropriate security counter- it could quickly move into another quadrant
measures. in the near future. Management should
The bubble chart in Figure 10 is divided refrain from spending a lot of time and effort
into four quadrants, Q1 to Q4. Each quadrant in addressing immediately this type of risk
has certain countermeasures which will best because of the likelihood that it will change
address the risks that fall within it. The very soon.
position of a bubble within a quadrant can be The following are recommended counter-
used as a guideline for selecting counter- measures for each quadrant:
measures for the risk which it represents. 1 First quadrant: accept/retain risks. The
The lines dividing the chart into quadrants risks within this quadrant normally have
may not be adjusted by an organization a very low frequency and impact. It may
because of the danger that some managers not be worthwhile to implement any secu-
may try to minimize the amount of effort, rity controls as the cost of doing so could
time and money that has to be spent on exceed the financial implications caused
addressing some of the risks. Depending on by the materialization of such risks. These
the level of risk that an organization is will- risks are generally just accepted.
ing to accept, each quadrant can be redefined 2 Second quadrant: transfer risks. These
into smaller quadrants to highlight those risks have a very high impact and a low
risks that are severe and that require extra frequency, e.g. fire, floods, terrorism. They
attention. are totally unpredictable and the losses
It is important to remember that it is possi- they cause are generally uncontrollable.
ble for a risk to move into a different quad- These risks are normally addressed
rant because of its growth factor. For exam- through some form of insurance or out-
ple, although the risk “calculation error” (in sourcing.
Figure 10) has a low frequency (3) and impact 3 Third quadrant: avoid/prevent risks. These
(3), its growth factor of 4 is fairly large in are the most critical risks as they have
comparison to the other risks. This implies both a high impact and high frequency,
 Sharon Halliday,
Karin Badenhorst
and Rossouw von Solms
A business approach to
effective information
technology risk analysis and
management
Information Management &
Computer Security
4/1 [1996] 19–31
4 Fourth quadrant: control risks. These risks
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)
and may be too expensive to insure
against. Examples are fraud, theft of hard-
ware or information, etc. The organization
needs to implement the necessary security
controls to reduce to an absolute minimum
the chances of such a risk materializing
(e.g. physical locks, access control, etc.).
These controls should also be able to detect
the materialization of such a risk and
ensure the effective and timely recovery of
business operations.
normally have a high frequency and a low
impact, e.g. errors and omissions, and
virus attacks, and are management prob-
lems. The organization needs to imple-
ment counter-measures to reduce the fre-
quency of these risks (e.g. modification
finance and administration). The branches
are usually connected via a network to each
other and the head office. It is not uncommon
for the branches to share information and
computer resources which can either be
situated locally or centrally. The business-
oriented approach can be used to perform a
risk analysis review for each branch or the
entire company. It makes no difference where
the information systems and computer
resources used by each business process are
located. Risks are still identified in terms of
the impact on a business process caused by a
loss of the availability, integrity and confiden-
tiality of the supporting information systems
and computer resources.

rights to users, etc.) and to detect their The correct approach

occurrence (e.g. error detection and cor-
rection procedures).
During the selection of counter-measures,
management must take into account the costs
(development, implementation, operation
and maintenance) of the counter-measures.
Other issues of consideration
There are two important issues that always
seem to be raised with regard to risk analysis
and management methodologies, namely
their applicability to future or planned IT
systems, and their suitability for distributed
organizations.
Future IT systems
The business-oriented approach can be used
to identify risks to an organization with
future or planned IT systems. In this case,
risks will be identified with regard to the
development and implementation processes
of information systems. This is possible as
the business-oriented approach does not
focus on identifying risks to IT systems per se,
but instead focuses on identifying risks to the
business processes that will rely on these
systems. The impact caused by errors in, or
disruptions to, the development and imple-
mentation of an information system on which
various business processes will depend must
be taken into account during the identifica-
tion of risks. The continued operation of a
business function without these IT systems
in place is often, in itself, a major risk.
Distributed organizations
Distributed organizations normally consist of
a head office in one location and a number of
branches separated geographically. Some
functions are performed locally at each
branch while other main functions are
performed centrally by the head office (e.g.
An existing danger with any risk analysis
and management exercise is one where peo-
ple become involved in too much detail. More
is spent on gathering information and per-
forming evaluations and computations than
on what is actually at risk. This results in
people finding themselves at a dead end
where they have become mired in too much
detail, lost their focus and forgotten what is
that they are trying to achieve. The key is to
use a technique which is sufficiently inexact,
permitting the study to be focused and ade-
quately performed in a reasonable time. The
author’s approach does not focus on excessive
detail, but rather focuses on the organization
from a higher level (i.e. top-down). Even
though the business oriented approach repre-
sents a different way of performing a risk
analysis and management exercise, it does
ensure that the primary objective of such an
exercise is achieved – which is to identify the
organization’s risks and to reduce them to an
acceptable, low level. The approach is defi-
nitely a management-driven one; this does
not mean that management is responsible for
performing all the tasks in the analysis, it
merely suggests that management should be
involved and give their full support in the
review.
Benefits of the business approach
There are a number of benefits offered by the
business-oriented approach.
• It encourages management’s involvement.
A methodology that adopts a corporate
approach based on generality, and which
focuses on the business processes of the
organization rather than on the computer
technologies that support these processes,
will be much more understandable to all
management in the organization. This will
[ 29 ]
 Sharon Halliday,
Karin Badenhorst
and Rossouw von Solms
A business-oriented approach
to effective information
technology risk analysis and
management
Information Management &
Computer Security
4/1 [1996] 19–31
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)
[ 30 ]
help to encourage their support and
involvement in the review.
• It is effective in terms of cost, time and
resources. The business-oriented approach
saves time and resources, as it does not
require a detailed analysis of all assets, all
possible threats, the vulnerability between
each threat and asset and all possible out-
comes. It is also less complex as its focus is
at a much higher level, namely on the
company’s business processes.
• It has a mission focus. The business
processes are the most essential part of the
organization and are vital to its survival.
Any organization, whether a manufactur-
ing firm, a service organization or a con-
sulting firm, accomplishes its mission via
processes[11]. Therefore, it makes sense to
focus first on these processes which form
the basic core of the company, and then on
the technologies that support these
processes.
• It supports an integrated IS environment.
Nowadays, the information systems
within many organizations are becoming
more integrated. It is becoming increas-
ingly difficult to define a particular com-
puter system separately from the physical
bounds within which it is contained,
because of the dissipation of the comput-
ing function throughout the organization,
and networks abound[12].
Figure 11 shows the total interdependency
and integration of business departments and
information systems within an organization.
Business processes are no longer situated
within one department but may cut across
several organizational units. Because of the
total integration of business processes across
different departments, and their dependence
on IT, a business approach will be more suit-
able.
• It empowers process owners. The managers
of each business function need to be
involved in the review. They are
provided with increased control, decision
Figure 11
Total integration of departments within the IS
environment
Interdependent
business departments
IT requirement Business
processes and
IT functions of
department
Communication
between
departments
making, authority and discretion in identi-
fying and addressing risks. This involve-
ment provides managers with a sense of
“ownership” and responsibility, and hence
they will take extra pride and care in
ensuring the protection and continuous
operation of their business functions. By
encouraging communication between
enterprise functions, people are empow-
ered to work as part of multifunctional
teams.
• It supports business process re-engineering
(BPR). The business-oriented approach fits
together well with BPR. Companies need
to re-evaluate what they do and how they
do it[13, p. 113]. According to a survey by
Computer Sciences Corporation, business
process re-engineering through IT is the
biggest challenge facing IS managers[14].
The importance of IT within BPR is
emphasized by the following statement “IS
managers identify the two enablers to the
reengineering process, IT and human
resources”[14]. Because the development
of information systems logically follows
the re-engineering of business processes,
the approach proposed in this paper is
very applicable to BPR where the focus is
also on the business process first and then
IT.
Figure 12 shows the three ways in which a
risk analysis can be performed together with
BPR. A risk analysis review can be
performed prior to BPR to identify the risks
that threaten the business processes. The
number of risks identified for a process can
serve as an indication as to whether the said
process should be re-engineered or scrapped.
Also, operational activities will be
highlighted which may underline any opera-
tional inefficiencies and overlapping func-
tions, both of which could represent security
problems. Alternatively, the risk analysis can
be performed during BPR to simultaneously
identify the risks to obsolete processes as well
as the risks to those processes that require
Figure 12
Risk analysis and BPR
Option 1 Risk analysis
Business processes
and risks
BPR Or
Simultaneously
Option 2 identify risks and
Risk analysis re-engineer
business processes
Or
Re-engineered business
processes
Option 3
Risk analysis
 Sharon Halliday,
Karin Badenhorst
and Rossouw von Solms
A business-oriented approach
to effective information
technology risk analysis and
management
Information Management &
Computer Security
4/1 [1996] 19–31
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)
re-engineering. Lastly, a risk analysis can be
performed after BPR to identify the risks that
threaten the re-engineered business
processes.
• It provides a logical link to business conti-
nuity planning (BCP). Traditionally, a risk
analysis and business impact analysis
(BIA) were performed as two totally sepa-
rate analyses because of their different
focus. In the business oriented approach,
the critical business areas are identified
up front. Current developments in BCP
follow a similar top-down approach where
the business processes are identified first,
and then IT. The method proposed will
therefore concurrently benefit the busi-
ness continuity planning process.
• It is adaptable to other focus areas. The
business oriented approach also opens the
door for risk analysis and management
reviews from other focus areas. This paper
looked at risk analysis and management
from an IT perspective. The same princi-
ples will apply if this approach had to be
used from any other perspective, e.g. finan-
cial or business risk analysis, etc.
Concluding remarks
Information has become one of the most
important resources in many organizations
today, and the importance of, and need for, its
security must be realized by management.
Information security needs to become totally
integrated into the operations of the busi-
ness. Risk analysis and management pro-
vides a company with a means of assessing
and managing the risks that threaten the
security of its information and computer
resources.
Formalized methodologies were developed
to provide a structured approach to IT risk
analysis and management. Each one differs
in terms of its approach, degree of complete-
ness, size, complexity, classification and valu-
ation techniques used, etc. There are a num-
ber of difficulties experienced by organiza-
tions applying conventional risk analysis and
management theory. Many of these problems
have become characteristic of the methodolo-
gies that implement this theory. Also, many of
the existing methodologies are considered
unsuitable by smaller organizations or orga-
nizations requiring a quicker and more sim-
plified approach. This prompted a search for
an alternative approach to effective risk
analysis and management.
IT security should be addressed as a corpo-
rate issue, as a failure in IT will have a dra-
matic impact on the organization’s survival
and success. Rather than approaching the
analysis and management of risks in the
traditional manner through a detailed analy-
sis of IT assets such as hardware, software,
communications, etc., a corporate approach,
which focuses on the critical business
processes of the organization, is proposed.
The approach is concerned with ensuring the
continuity of essential business processes
and, ultimately, the whole organization. It
focuses on business dependence instead of
computing vulnerability. If this approach
becomes part of the business operations of an
organization, it can serve as a value-added
tool in ensuring the company’s survival and
success.
References
1 Forcht, K.A., Computer Security Management,
Boyd & Fraser, Danvers, MA, 1994, p. 296.
2 Butler, J., “Hackers beware!”, The EDP Audit,
Control and Security Newsletter, Vol. XV No. 9,
March 1988, pp. 6-8.
3 Wood, C.C., Effective Information Security
Management, Elsevier Advanced Technology,
Oxford, 1991.
4 Eloff, J.H.P., Labuschagne, L. and Badenhorst,
K.P., “A comparative framework for risk
analysis methods”, Computers & Security,
Vol. 12 No. 6, 1993, pp. 597-603.
5 Wahlgren, G., “Survey of computer aided risk
analysis packages for computer security”,
DSV, Department of Computer and Systems
Science, Stockholm University, 1990.
6 Caelli, W., Longley, D. and Shain, M., Informa-
tion Security Handbook, Macmillan,
Basingstoke, 1991.
7 Clark, R., “Risk management – a new
approach”, IFIP Conference, Elsevier Science
Publishers, North-Holland, 1989, p. 423.
8 Currid, C., “Rapid development tools – one of
18 top technologies for reengineering”, Profiles
Magazine, Winter 1995, pp. 6, 7 cont. 58.
9 Porter, M.E., Competitive Advantage – Creating
and sustaining Superior Performance, The
Free Press, New York, NY, 1985.
10 Guarro, S.B., “Principles and procedures of the
LRAM approach to information systems risk
analysis and management”, Computers &
Security, Vol. 6, 1987, pp. 493-504.
11 Hunt, D.V., Reengineering – Leveraging the
Power of Integrated Product Development,
Omneo, Essex Junction, VT, 1993, p. 14.
12 Smith, M.R., Commonsense Computer Security
– Your Practical Guide to Preventing Accidental
and Deliberate Electronic Data Loss, McGraw-
Hill, London, 1989, p. 5.
13 Conger, S., The New Software Engineering,
Wadsworth, Belmont, CA, 1994, p. 113.
14 Daniel, D., “A whole new way of thinking –
business process re-engineering”, Computing
Canada, Vol. 20 No. 7, March 1994, p. 17.
[ 31 ]
 This article has been cited by:

1. Ali Mohammad Padyab, Tero Päivärinta, Dan Harnesk 1237. [CrossRef]

2. Nik Zulkarnaen Khidzir, Azlinah Mohamed, Noor Habibah ArshadEvaluation of Vulnerability Risk Factor: Critical ICT
Outsourcing project characteristics 1-5. [CrossRef]
3. Palaniappan Shamala, Rabiah AhmadA proposed taxonomy of assets for information security risk assessment (ISRA) 29-33.
[CrossRef]
4. Priya Seetharaman, Ambreen Alam Sajjad. 2014. Ashok Leyland. Journal of Cases on Information Technology 14:10.4018/
JCIT.20120701, 57-74. [CrossRef]
5. Xiaoling Hao, Songqiao Han. 2014. Measurement and Control of Operational Risk of Banking Industry based on Complex
Network. Journal of Software 9. . [CrossRef]
6. Lotto Kim Hung Lai, Kwai Sang Chin. 2014. Development of a Failure Mode and Effects Analysis Based Risk Assessment
Tool for Information Security. Industrial Engineering and Management Systems 13, 87-100. [CrossRef]
7. Ali Mohammad Padyab, Tero Paivarinta, Dan HarneskGenre-Based Assessment of Information and Knowledge Security
Risks 3442-3451. [CrossRef]
8. Mario Silic, Andrea Back. 2013. Factors impacting information governance in the mobile device dual‐use context. Records
Management Journal 23:2, 73-89. [Abstract] [Full Text] [PDF]
9. Stefan Taubenberger, Jan Jürjens, Yijun Yu, Bashar Nuseibeh. 2013. Resolving vulnerability identification errors using security
requirements on business process models. Information Management & Computer Security 21:3, 202-223. [Abstract] [Full
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

Text] [PDF]
10. Nik Zulkarnaen Khidzir, Azlinah Mohamed, Noor Habibah Arshad. 2013. ICT Outsourcing Information Security Risk
Factors: An Exploratory Analysis of Threat Risks Factor for Critical Project Characteristics. Journal of Industrial and Intelligent
Information 1:10.12720/jiii.1.4, 218-222. [CrossRef]
11. Kuo-Hsiung Liao, Hao-En Chueh. 2012. Medical Organization Information Security Management Based on ISO27001
Information Security Standard. Journal of Software 7. . [CrossRef]
12. Yu Zhiwei, Ji Zhongyuan. 2012. A Survey on the Evolution of Risk Evaluation for Information Systems Security. Energy
Procedia 17, 1288-1294. [CrossRef]
13. Piya Shedden, Rens Scheepers, Wally Smith, Atif Ahmad. 2011. Incorporating a knowledge perspective into security risk
assessments. VINE 41:2, 152-166. [Abstract] [Full Text] [PDF]
14. Tao Zhang, Weimin Lin, Yufei Wang, Song Deng, Congcong Shi, Lu ChenThe design of information security protection
framework to support Smart Grid 1-5. [CrossRef]
15. Xiaoling Hao, Nan YangIT operational risk assessment and control model based on Bayesian Network 1105-1109. [CrossRef]
16. Rua‐Huan Tsaih, Wan‐Ying Lin, Ada Chen. 2008. Safeguard gaps and their managerial issues. Industrial Management &
Data Systems 108:5, 669-676. [Abstract] [Full Text] [PDF]
17. Neil Lategan, Rossouw von Solms. 2006. Towards enterprise information risk management – a body analogy. Computer
Fraud & Security 2006, 15-19. [CrossRef]
18. Shaun Posthumus, Rossouw von Solms. 2004. A framework for the governance of information security. Computers & Security
23, 638-646. [CrossRef]
19. Jacques Botha, Rossouw Von Solms. 2004. A cyclic approach to business continuity planning. Information Management &
Computer Security 12:4, 328-337. [Abstract] [Full Text] [PDF]
20. Syed Irfan Nabi, Ghmlas Saleh Al-Ghmlas, Khaled AlghathbarEnterprise Information Security Policies, Standards, and
Procedures 67-89. [CrossRef]
21. Syed Irfan Nabi, Ghmlas Saleh Al-Ghmlas, Khaled AlghathbarEnterprise Information Security Policies, Standards, and
Procedures: 750-773. [CrossRef]
22. Bao-Chyuan Guan, Chi-Chun Lo, Ping Wang, Jaw-Shi HwangEvaluation of information security related risks of an
organization - the application of the multi-criteria decision-making method 168-175. [CrossRef]