[Figure residue carried over from the preceding page: "Respondents who report environment as insecure but continue to process critical systems in the environment"]

[Figure 2: Risk analysis and management. Risk analysis scope: assets, threats and vulnerabilities give rise to risks, which are met by counter-measures; the figure labels the first part "Risk analysis" and the second part "Risk management".]

has been made easier by formal methodologies that implement the theory of risk analysis and management. These methodologies consist of a set of specific phases and guidelines to be followed by an organization. Many of these methodologies are available in the form of a software package. The methodology chosen by an organization will depend on the size of the organization as well as on the decision about how much effort and time is going to be spent in the area of computer security.

Review of current methodologies

This section will provide a brief comparison of several of the most well-known and respected risk analysis and management methodologies, namely LRAM, LAVA, CRAMM and MARION. These methodologies have been widely accepted and implemented in countries all over the world. Although many basic concepts are similar, they vary widely in terms of scope, analytical depth, costs and resource requirements.

• Automated cost/benefit. This refers to the amount of automated cost/benefit support provided by the system.
• Degree of automation. This refers to the amount of work the system does. A low degree of automation means that a lot of work needs to be done by the analyst.
• Gathering of input information. It is important that the system models threats and assets in such a way that it is possible for the user to find accurate information.
• Degree of completeness. This refers to the number of aspects of computer security which are covered by the system. Some systems concentrate more on a specific aspect of computer security.

Table I provides a comparison of the named methodologies.

Difficulties with the application of conventional risk analysis and management methodologies

The term "conventional" is used to refer to many of the risk analysis and management methodologies that exist today. One commonality between these methodologies is that they are all based on the traditional asset/threat/vulnerability model. The focus of this model is mainly within the IT department and does not take into account business issues. Because of the nature of conventional risk analysis methods, which are mostly bottom-up (i.e. driven from a technology assets perspective), such reviews tend to become time-consuming, especially in medium to large organizations. The simplest framework for a risk analysis is based on extensive threat and asset checklists[6, p. 91]. Unless reviews can be more focused on the critical parts of the business and completed within a limited period of time, much value will be lost and a danger will exist that the risk analysis will become
Sharon Halliday, Karin Badenhorst and Rossouw von Solms, "A business approach to effective information technology risk analysis and management", Information Management & Computer Security, 4/1 [1996] 19–31

Table I: A comparison of reviewed methodologies

                                LRAM          LAVA        CRAMM       MARION
Background                      Military      Government  Government  Consulting/insurance
Type of system                  Quantitative  Both        Both        Both
Supported by method             Medium        High        High        High
Size of system                  Medium        Large       Large       Medium
Automated cost/benefit          Yes           No          No          Yes
Degree of automation            Low           Medium      Medium      Medium
Gathering of input information  Medium        Low         Medium      Medium
Degree of completeness          n/a           High        High        High

were initially developed to address the security needs of large organizations such as military and government institutions. Although they can be tailored to suit the needs of smaller organizations, to be able to do this and apply the modified methods effectively, a certain amount of knowledge and expertise is required. The skill level(s) of the person(s) required to conduct an IT risk analysis review is often underestimated. Considerable demands are placed on the reviewer's expertise in the way of subjective estimations and judgements that are required to be made[7, p. 423]. The risk analysis has to be supervised by experienced IT security staff, trained in the methodology, or with at least a reasonable knowledge of general computer security principles[6, p. 103].

It is also very important to keep the focus on a more comprehensive risk management process, rather than limiting an exercise to the risk analysis/assessment part of the process, as is often the case. There is little value in identifying and quantifying risk without implementation of cost-effective security measures to counter the risk. An important aspect of a risk analysis and management methodology is the provision of some means by which risks can be prioritized and countermeasures can be selected and implemented on a cost-effective basis.

The results from a conventional risk review are normally not carried through to a business impact analysis (BIA) which is required in the development of a business continuity plan. Added value can be achieved by an organization if the risk review can be integrated with a BIA.

An alternative approach to effective IT risk analysis and management will be proposed. The objective of the rest of this paper is to discuss the formulation of the proposed approach and to put into perspective the concepts applied within it.

The terms "corporate approach" and "business-oriented approach" are used to define the proposed risk analysis and management approach. This approach differs from conventional methodologies in that it focuses on identifying the risks that threaten the organization's critical business processes instead of the risks that threaten each individual IT asset.

If the security of an organization's computer resources or the availability, integrity and confidentiality of its information is violated or compromised in any way, it will affect business continuity and, consequently, the whole company will be affected. Any part of the business that relies on the company's information systems for its daily functioning will be at risk.

Rather than approaching the analysis and management of IT risks in the traditional manner, through rigidly considering domains such as hardware, software, the environment and personnel as done by conventional methods, a corporate approach which focuses on the critical business processes of the organization is proposed. Figure 3 illustrates the difference in focus of the proposed business-oriented approach.

[Figure 3: Focus of the business-oriented approach. The business is decomposed into business functions (Finance, Sales, Marketing), business processes (Order processing, Customer relations) and individual tasks; the focus of the approach is the business process level.]
The business-oriented approach is concerned with identifying risks at the business process level. Its objective is to ensure the continuity of essential business functions and the organization as a whole through assessing the criticality of business processes and determining the effect of their unavailability or obstruction on the organization's day-to-day operations. The recording of the individual tasks within each business process provides areas which are significantly reduced to enable risks to be easily identified.

The business-oriented approach focuses on the critical business processes of the organization from an IT perspective.

An information technology (IT) perspective

computer technologies that support these information systems, are taken into account. They are considered in terms of the impact that a loss of their availability, integrity and confidentiality will have on the business processes that they support, and ultimately the organization. Figure 4 illustrates the definition of IT as applied within this paper.

The proposed approach focuses on business dependence (the dependency of business processes on IT and its impact on the organization) instead of on computing vulnerability (the vulnerability of IT assets to threats). Organizations need to look at the business functions being supported by computers and ask questions about the information manipulated in these processes. For example, "how valuable, sensitive or critical is the informa-
firm consists of a collection of activities that are performed in order to produce, market, deliver and support its products and services. The value chain disaggregates a firm into its strategically relevant activities in order to understand the behaviour of costs and the existing and potential sources of differentiation. A firm gains competitive advantage by performing these strategically important activities more cheaply or better than its competitors.

Within this paper, Porter's value chain is used to define a model on which the framework of the business approach will be based.

Definition of the organizational chain

Definition of this model is necessary in order to facilitate formation of a framework for the business-oriented approach. Porter's value chain is customized to fit the focus of the business-oriented approach, i.e. it is customized to define an organization as a hierarchy of levels consisting of different business functions, processes and tasks. Because of its sole purpose to represent the structure and operation of an organization, the term value chain is replaced with the term organizational chain for the purpose of this paper.

The organizational chain of a company comprises the following levels:
• Strategic level. This is the top level in the organization, consisting of senior management. It also represents what the business is all about (business type, mission, focus, goals, customers and suppliers).
• Systematic (functional) level. The main activities (business functions and processes) of the organization are performed at this level. It consists of a number of business departments controlled by middle management.
• Situational (support) level. This level consists of the daily operations required to support the business functions and processes of the organization.

Every firm has a set of distinct business functions and processes which must be performed if it is to achieve its mission and objectives. Every function employs purchased inputs, human resources and some form of technology to achieve its objectives. Figure 5 illustrates the organizational chain which is defined from Porter's value chain. With regard to the organizational chain, primary activities are referred to as business functions while support activities are referred to as support tasks.

[Figure 5: The organizational chain. Systematic level: business functions and processes (Inbound logistics, Operations, Outbound logistics, Marketing and sales, Customer service), with the support activities Procurement, Technology management, Human resource management and Firm infrastructure. Situational level: day-to-day support operations (tasks).]

Business functions (primary activities)

There are five generic categories of primary functions involved in competing in any industry. Each category is divisible into a number of distinct functions that are determined by the particular industry and firm strategy. These categories can be applied to the business functions of any type of firm, e.g. manufacturing, service providing, banking, etc. The example organization used in the following explanation of the five categories is characterized as having a production function.
1 Inbound logistics. Functions belonging to this category are associated with
receiving, storing and disseminating inputs to the product such as order receiving, material handling, returns, etc.
2 Operations. These functions are associated with transforming the inputs into the final product form, e.g. machining, packaging, assembly, etc.
3 Outbound logistics. This category consists of functions associated with collecting, storing and physically distributing the product to buyers, e.g. finished goods warehousing, deliveries, scheduling, etc.
4 Marketing and sales. Functions within this category are associated with providing a means by which buyers can purchase the product, and inducing them to do so, such as advertising, promotions, sales force, etc.
5 Customer service. These functions are

as raw materials, are purchased by the conventional purchasing department, while other items, such as machines, are purchased by plant managers.

The three levels in the organization, together with the business functions, processes and support tasks discussed above, serve to define the organizational chain from Porter's value chain. The application of the organizational chain in defining the framework of the proposed business-oriented approach will be discussed in the following section.

Definition of a framework based on the organizational chain

The business-oriented approach focuses on the organization as a whole (corporate focus)

[Figure residue (framework based on the organizational chain): the organizational chain of Figure 5 (business functions and processes with the support activities Procurement, Technology management, Human resource management and Firm infrastructure), viewed "from an IT perspective only"; corporate focus across the strategic, systematic and situational (support) levels; business-oriented approach; business impact analysis.]
a top-down process in which each of the three levels in the organization are analysed but in varying degrees of detail.

Analysis at each organizational level

Each of the three levels in the organization is analysed with specific aims in view.
1 The strategic level in the organization is analysed to determine the business environment (business type, focus, departments, customers and suppliers, etc.). Analysing the business environment will help to identify those areas which are predominantly at risk and which, therefore, need to be concentrated on. This is necessary to determine the boundary and scope of the review.
2 The actual risk analysis and management review is performed at the systematic level, during which the critical business functions and processes in the organization are analysed. A functional decomposition model is used to model the business functions into their component processes and tasks. Business functions are identified within the primary categories discussed earlier. Only those business processes that are dependent on or related to IT are analysed.
3 Each business process is supported by a number of individual tasks which are performed at the situational (support) level. It has already been mentioned that the recording of individual tasks provides areas which are significantly reduced to enable risks to be easily identified. The concept of the delimitation of areas is also applied in MARION, in which the organization is divided into risk areas and the people responsible for each area are interviewed.

In the business-oriented approach, only the IT components of the situational level are
focused on. The information systems and computer resources are analysed in terms of the impact on a business process caused by a loss of their availability, integrity and confidentiality. A systems model can be used to model the information systems and hardware and software used by each task in the business process. Through focusing on each task it is easy to determine at which point the process becomes dependent on IT and also on which systems it becomes dependent.

The concept of a "risk scenario" can also be seen in LRAM and MARION, which proves that this concept is not totally foreign. In LRAM, the basic unit is a risk element which refers to a risk scenario[10, p. 498]. A risk element consists of a threat initiator, potential target asset and the consequences if the threat reaches the asset[5, p. 24]. These three entities, in effect, compose a risk. MARION has an eight-step risk scenario instruction process that follows a similar line of reasoning.
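The systems model described above can be recorded in a few lines of code, so that the two questions the text poses ("at which task does the process become dependent on IT?" and "on which systems does it depend?") and the availability question behind them ("which tasks are hit if a system, platform or product is lost?") are answered mechanically rather than by reading the diagram. The following is an added example and not code from the paper. The task names and the two systems (Mapper and Informix on Unix) are taken from the paper's Figure 7; the order of the tasks, the roles and the assignment of systems to each task are assumptions made for illustration.

```python
"""Systems model of one business process with its supporting IT.

Added example (not the paper's code). Task names and systems follow the
paper's Figure 7; task order and the role/system assignment are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str       # information system, e.g. "Purchasing system"
    software: str   # software product it runs on, e.g. "Mapper"
    platform: str   # computer technology it runs on, e.g. "Unix"


@dataclass(frozen=True)
class Task:
    name: str
    role: str                 # who performs the task
    systems: tuple = ()       # IT used by the task; empty means a manual task


@dataclass(frozen=True)
class Process:
    name: str
    function: str             # business function the process belongs to
    tasks: tuple              # tasks in execution order


PURCHASING = System("Purchasing system", "Mapper", "Unix")
FINANCIAL = System("Financial system", "Informix", "Unix")

# Constructed instance of the 'place order' process of the 'purchase parts'
# function; the task sequence and the assignments are assumptions.
PLACE_ORDER = Process("Place order", "Purchase parts", (
    Task("Identify items and vendors", "Buyer"),
    Task("Verify price and availability", "Buyer", (PURCHASING,)),
    Task("File order copy by vendor", "Buyer"),
    Task("Identify late/problem orders", "Materials control clerk", (PURCHASING,)),
    Task("Inquire or reconcile", "Materials control clerk"),
    Task("Verify receipts against orders", "Invoice approval clerk",
         (PURCHASING, FINANCIAL)),
    Task("Create invoices and send to accountant", "Invoice approval clerk",
         (FINANCIAL,)),
))


def first_it_dependent_task(process):
    """The task at which the process first becomes dependent on IT, or None
    when the whole process is manual."""
    return next((t for t in process.tasks if t.systems), None)


def systems_depended_on(process):
    """Distinct systems the process depends on, in order of first use."""
    seen = []
    for task in process.tasks:
        for system in task.systems:
            if system not in seen:
                seen.append(system)
    return seen


def tasks_affected_by_loss(process, *, system=None, platform=None, software=None):
    """Names of the tasks that lose IT support when the named system, platform
    or software product becomes unavailable. Any combination of the three
    filters may be given; a task is affected if any of its systems matches."""
    def matches(s):
        return ((system is None or s.name == system)
                and (platform is None or s.platform == platform)
                and (software is None or s.software == software))
    return [t.name for t in process.tasks if any(matches(s) for s in t.systems)]


def dependency_report(process):
    """One line per task: role, task and the IT it uses ('manual' if none)."""
    lines = [f"Process '{process.name}' (function '{process.function}')"]
    for t in process.tasks:
        used = ", ".join(f"{s.name} [{s.software}/{s.platform}]"
                         for s in t.systems) or "manual"
        lines.append(f"  {t.role}: {t.name} -> {used}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(dependency_report(PLACE_ORDER))
    print("First IT-dependent task:", first_it_dependent_task(PLACE_ORDER).name)
    print("Tasks hit by loss of the Unix machine:",
          tasks_affected_by_loss(PLACE_ORDER, platform="Unix"))
```

With this model, the "Failure of Unix machine" scenario of the paper's later bubble charts is an availability query against the platform field, and its impact on the process is the list of tasks returned, not a property of the machine on its own.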
Figure 7 shows how a systems model can be used to model the individual tasks within a business process together with the IT (information systems and computer technology) used by each task.

[Figure 7: A systems model with supporting IT. Tasks of a purchasing process (identify late/problem orders; inquire or reconcile; file order copy by vendor; verify price and availability; verify receipts against orders; identify items and vendors; create invoices and send to accountant) performed by a materials control clerk, a buyer and an invoice approval clerk, with the supporting IT: a purchasing system (Mapper on Unix) and a financial system (Informix on Unix).]

Identification of risks

In the business-oriented approach, risks are not the end result but instead are identified at the start of the analysis. Risks are identified by constructing "risk scenarios" which are defined as undesirable situations that could disrupt a business process, e.g. unauthorized modification of debtors' information. A risk scenario comprises a risk description, likely causes (initiators of the risk), e.g. conspiracy between employee and debtor, an expected frequency and impact and a risk growth factor. The identification of risks is made easier by analysing one business process at a time (including its component tasks and supporting IT). The reason for recording the likely causes of a risk is that it simplifies the recommendation of counter-measures as the sources of the risk are known.

Risk scenarios are constructed by determining what could befall the information systems and computer resources that support each business process. Risks are classified according to their primary effect on one of the following:
• availability of information systems and computer resources;
• integrity of information;
• confidentiality of information.

In the case where a risk will affect more than one of the above, e.g. integrity and confidentiality, then the risk must be categorized according to its primary effect (the most critical effect) and any other effects are considered as secondary.

For each risk, the following is recorded:
• likely causes;
• expected frequency;
• impact on a business process;
• growth factor.

If a risk has not occurred before, it is difficult to estimate its expected future occurrence. Therefore, to assist in the determination of frequencies, a certain amount of flexibility is
provided where reviewers can rely on their knowledge and understanding of the business as well as past experiences with risk events. There are two frequency measures available:
1 frequency of past occurrences;
2 probability of future occurrences.

The risk growth factor can be seen as a third dimension when recording risks. It is used to describe the possible future developments of a particular risk. For example, a major risk with a low growth factor is typically a risk that will disappear or diminish soon. This may be due to various influencing factors (e.g. introduction of legislation). On the other hand, a small risk with a large growth factor is a risk that could grow into a much larger one in a very short time period. The growth

[Figure 8: Conventional risk analysis versus business-oriented approach. Traditional methodologies: threat, vulnerability and asset together make up a risk. Business-oriented approach: a risk scenario (availability, integrity, confidentiality) with its likely causes, frequency, impact and growth factor, related to the business process, its tasks, the information systems and the computer technology (hardware and software).]

Prioritization of risks

Management needs to have some means of determining the level of risk that is acceptable and the level of risk that needs to be addressed in the organization. High level risks, which pose the biggest threat to the critical business processes, should be addressed first.

A tool called a bubble chart is proposed, which can be used to plot the risks for each business process once they have been identified and quantified. Risks can be grouped into different levels according to their criticality, as shown in Figure 9. These levels represent the order in which the risks need to be addressed and can be used to plan the implementation of the necessary security countermeasures. The lines dividing the

[Figure 9: Bubble chart of the risks of a business process: frequency (0–8) plotted against impact (0–8), the growth factor shown as the number in each bubble; the chart marks the acceptable risk level and the risk to be addressed next. Key: Input error, Calculation error, Incorrect verification-price, Backup failure, Printer failure, Failure of Unix machine.]
dimensional graph and, therefore, requires three variables – an X-axis value, a Y-axis value and a third value which is used to determine the radius (size) of a bubble.

There are three measures used to plot risks. The first two are impact and frequency (risk value). The position of a risk in the graph is determined by the intersection of its impact and frequency. The X- and Y-axes are used to plot the impact and frequency values of a risk respectively. The third measure is risk growth factor. The growth factor of a risk (shown as a number in the chart) determines the radius (size) of its bubble.

A bubble chart is a very useful manage-

Based on the size and position of the bubbles, management can determine the level of risk that is acceptable and the level of risk that needs to be addressed in the organization. Once the risks have been prioritized, management needs to determine the type and amount of security that is needed for each risk.

Recommendation and selection of security controls

Decisions on the type and amount of security required to address the identified risks will be influenced by the criticality of each risk. The higher the level of exposure, the more important it is to counter the risk. The bubble chart shown in Figure 10 can be used by management in the recommendation and selection of a set of appropriate security countermeasures.

[Figure 10: Recommendation and selection of counter-measures using a bubble chart. Bubble chart for the process "place order" of the function "purchase parts"; Y-axis frequency (0–8), X-axis impact (0–8), growth factor shown as the number in each bubble. Quadrants: low frequency and low impact, "Q1 Accept/retain risk (do nothing)"; low frequency and high impact, "Q2 Transfer risk (insure)"; high frequency and high impact, "Risk (reduce frequency and impact)"; high frequency and low impact, "Control risk (reduce frequency)". Key: Input error, Calculation error, Incorrect verification-price, Backup failure, Printer failure, Failure of Unix machine.]

The bubble chart in Figure 10 is divided into four quadrants, Q1 to Q4. Each quadrant has certain countermeasures which will best address the risks that fall within it. The position of a bubble within a quadrant can be used as a guideline for selecting countermeasures for the risk which it represents. The lines dividing the chart into quadrants may not be adjusted by an organization because of the danger that some managers may try to minimize the amount of effort, time and money that has to be spent on addressing some of the risks. Depending on the level of risk that an organization is willing to accept, each quadrant can be redefined into smaller quadrants to highlight those risks that are severe and that require extra attention.

It is important to remember that it is possible for a risk to move into a different quadrant because of its growth factor. For example, although the risk "calculation error" (in Figure 10) has a low frequency (3) and impact (3), its growth factor of 4 is fairly large in comparison to the other risks. This implies that the risk should be carefully monitored as it could quickly move into another quadrant in the near future. Management should refrain from spending a lot of time and effort on immediately addressing this type of risk because of the likelihood that it will change very soon.

The following are recommended counter-measures for each quadrant:
1 First quadrant: accept/retain risks. The risks within this quadrant normally have a very low frequency and impact. It may not be worthwhile to implement any security controls as the cost of doing so could exceed the financial implications caused by the materialization of such risks. These risks are generally just accepted.
2 Second quadrant: transfer risks. These risks have a very high impact and a low frequency, e.g. fire, floods, terrorism. They are totally unpredictable and the losses they cause are generally uncontrollable. These risks are normally addressed through some form of insurance or outsourcing.
3 Third quadrant: avoid/prevent risks. These are the most critical risks as they have both a high impact and high frequency,
and may be too expensive to insure against. Examples are fraud, theft of hardware or information, etc. The organization needs to implement the necessary security controls to reduce to an absolute minimum the chances of such a risk materializing (e.g. physical locks, access control, etc.). These controls should also be able to detect the materialization of such a risk and ensure the effective and timely recovery of business operations.
4 Fourth quadrant: control risks. These risks normally have a high frequency and a low impact, e.g. errors and omissions, and virus attacks, and are management problems. The organization needs to implement counter-measures to reduce the frequency of these risks (e.g. modification

finance and administration). The branches are usually connected via a network to each other and the head office. It is not uncommon for the branches to share information and computer resources which can either be situated locally or centrally. The business-oriented approach can be used to perform a risk analysis review for each branch or the entire company. It makes no difference where the information systems and computer resources used by each business process are located. Risks are still identified in terms of the impact on a business process caused by a loss of the availability, integrity and confidentiality of the supporting information systems and computer resources.
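The risk record described under "Identification of risks" (description, likely causes, expected frequency, impact on the business process, growth factor, primary and secondary effect) and the four quadrant treatments listed above can be combined into a small prioritization routine, which is what a reviewer would run over the scenarios of one process before drawing the bubble chart. The following is an added example and not code from the paper. The quadrants and their treatments are the paper's; everything else is an assumption made for illustration: the quadrant lines at 4 on each of the 0–8 axes (the midpoint of the chart in Figure 10), the reading of the growth factor as the distance a bubble may move along both axes (so that the paper's "calculation error", frequency 3, impact 3, growth factor 4, is flagged as likely to change quadrant), frequency times impact as the ordering value, and every scenario value other than the three the text gives for "calculation error".

```python
"""Risk scenarios and bubble-chart quadrants for one business process.

Added example (not the paper's code). Quadrants and treatments follow the
paper; THRESHOLD, the growth-factor projection, the ordering value and all
sample values except those of 'Calculation error' are assumptions.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Effect(Enum):
    """Primary effect a risk has on the supporting IT (the paper's three classes)."""
    AVAILABILITY = "availability of information systems and computer resources"
    INTEGRITY = "integrity of information"
    CONFIDENTIALITY = "confidentiality of information"


@dataclass(frozen=True)
class RiskScenario:
    """What the paper records per risk, plus the process it threatens."""
    description: str
    process: str
    primary_effect: Effect
    likely_causes: tuple
    frequency: int       # 0..8, the chart's Y axis
    impact: int          # 0..8, the chart's X axis
    growth_factor: int   # bubble radius: how fast the risk could grow
    secondary_effects: tuple = ()


AXIS_MAX = 8
THRESHOLD = 4  # assumed: the quadrant lines sit at the midpoint of each axis

TREATMENT = {
    "Q1": "accept/retain the risk (do nothing)",
    "Q2": "transfer the risk (insurance or outsourcing)",
    "Q3": "avoid/prevent the risk (preventive, detective and recovery controls)",
    "Q4": "control the risk (counter-measures that reduce its frequency)",
}


def quadrant(risk):
    """Quadrant of Figure 10 by frequency and impact: Q1 low/low, Q2 low
    frequency and high impact, Q3 high/high, Q4 high frequency and low impact."""
    high_freq = risk.frequency >= THRESHOLD
    high_impact = risk.impact >= THRESHOLD
    if high_freq and high_impact:
        return "Q3"
    if high_impact:
        return "Q2"
    if high_freq:
        return "Q4"
    return "Q1"


def projected(risk):
    """Assumed reading of the growth factor: the bubble may move by its radius
    along both axes, capped at the end of the axis."""
    return replace(risk,
                   frequency=min(AXIS_MAX, risk.frequency + risk.growth_factor),
                   impact=min(AXIS_MAX, risk.impact + risk.growth_factor))


def may_change_quadrant(risk):
    """True when growth could carry the bubble across a quadrant line; the
    paper's advice for such a risk is to monitor it rather than act now."""
    return quadrant(projected(risk)) != quadrant(risk)


def risk_value(risk):
    """Assumed scalar for ordering: frequency times impact on the chart scale."""
    return risk.frequency * risk.impact


def prioritize(risks):
    """Biggest threats to the process first; ties broken by growth factor."""
    return sorted(risks, key=lambda r: (risk_value(r), r.growth_factor), reverse=True)


def recommend(risk):
    """Quadrant, treatment and a monitoring note for one risk."""
    q = quadrant(risk)
    note = "; monitor, growth may move it" if may_change_quadrant(risk) else ""
    return f"{risk.description}: {q}, {TREATMENT[q]}{note}"


# Constructed sample for the 'place order' process of Figure 10. Only the
# figures for 'Calculation error' are stated in the text; the rest are assumed.
PLACE_ORDER_RISKS = [
    RiskScenario("Input error", "Place order", Effect.INTEGRITY,
                 ("keying error by buyer",), frequency=6, impact=2, growth_factor=1),
    RiskScenario("Calculation error", "Place order", Effect.INTEGRITY,
                 ("defect in purchasing system",), frequency=3, impact=3, growth_factor=4),
    RiskScenario("Incorrect verification-price", "Place order", Effect.INTEGRITY,
                 ("conspiracy between buyer and vendor",), frequency=5, impact=5,
                 growth_factor=2, secondary_effects=(Effect.CONFIDENTIALITY,)),
    RiskScenario("Backup failure", "Place order", Effect.AVAILABILITY,
                 ("untested backup procedure",), frequency=2, impact=6, growth_factor=2),
    RiskScenario("Printer failure", "Place order", Effect.AVAILABILITY,
                 ("hardware fault",), frequency=7, impact=1, growth_factor=1),
    RiskScenario("Failure of Unix machine", "Place order", Effect.AVAILABILITY,
                 ("hardware fault", "power failure"), frequency=2, impact=7,
                 growth_factor=3),
]

if __name__ == "__main__":
    for r in prioritize(PLACE_ORDER_RISKS):
        print(recommend(r))
```

Note that the paper numbers the quadrants by treatment rather than by position (Q2, transfer, is low frequency and high impact; Q4, control, is high frequency and low impact), so the mapping in quadrant() has to be read from the text, not from the axes. Keeping THRESHOLD as a single constant reflects the paper's warning that the dividing lines are not to be moved per risk; what an organization may do is subdivide a quadrant, which would be a second, higher threshold applied within Q3.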
focus first on these processes which form the basic core of the company, and then on the technologies that support these processes.
• It supports an integrated IS environment. Nowadays, the information systems within many organizations are becoming more integrated. It is becoming increasingly difficult to define a particular computer system separately from the physical bounds within which it is contained, because of the dissipation of the computing function throughout the organization, and networks abound[12]. Figure 11 shows the total interdependency and integration of business departments and information systems within an organization. Business processes are no longer situated within one department but may cut across several organizational units. Because of the total integration of business processes across different departments, and their dependence on IT, a business approach will be more suitable.
• It empowers process owners. The managers of each business function need to be involved in the review. They are provided with increased control, decision

[Figure 11: Total integration of departments within the IS environment. Interdependent business departments, each with its own IT requirement and its own business processes and IT functions, communicating with one another.]

[Figure 12: Risk analysis and BPR. Option 1: risk analysis first, producing the business processes and their risks, then BPR. Option 2: risk analysis and BPR performed together, simultaneously identifying risks and re-engineering business processes. Option 3: BPR first, then risk analysis of the re-engineered business processes.]

biggest challenge facing IS managers[14]. The importance of IT within BPR is emphasized by the following statement: "IS managers identify the two enablers to the reengineering process, IT and human resources"[14]. Because the development of information systems logically follows the re-engineering of business processes, the approach proposed in this paper is very applicable to BPR where the focus is also on the business process first and then IT.

Figure 12 shows the three ways in which a risk analysis can be performed together with BPR. A risk analysis review can be performed prior to BPR to identify the risks that threaten the business processes. The number of risks identified for a process can serve as an indication as to whether the said process should be re-engineered or scrapped. Also, operational activities will be highlighted which may underline any operational inefficiencies and overlapping functions, both of which could represent security problems. Alternatively, the risk analysis can be performed during BPR to simultaneously identify the risks to obsolete processes as well as the risks to those processes that require
Sharon Halliday, Karin Badenhorst and Rossouw von Solms, "A business-oriented approach to effective information technology risk analysis and management", Information Management & Computer Security, Vol. 4 No. 1, 1996, pp. 19-31

re-engineering. Lastly, a risk analysis can be performed after BPR to identify the risks that threaten the re-engineered business processes.
• It provides a logical link to business continuity planning (BCP). Traditionally, a risk analysis and a business impact analysis (BIA) were performed as two totally separate analyses because of their different focus. In the business-oriented approach, the critical business areas are identified up front. Current developments in BCP follow a similar top-down approach, where the business processes are identified first and then the IT that supports them. The proposed method will therefore benefit the business continuity planning process at the same time.
• It is adaptable to other focus areas. The business-oriented approach also opens the door for risk analysis and management reviews from other focus areas. This paper looked at risk analysis and management from an IT perspective; the same principles apply if the approach is used from any other perspective, e.g. financial or business risk analysis.

Concluding remarks

Information has become one of the most important resources in many organizations today, and the importance of, and need for, its security must be realized by management. Information security needs to become totally integrated into the operations of the business. Risk analysis and management provides a company with a means of assessing and managing the risks that threaten the security of its information and computer resources.

Formalized methodologies were developed to provide a structured approach to IT risk analysis and management. Each one differs in terms of its approach, degree of completeness, size, complexity, and the classification and valuation techniques used. There are a number of difficulties experienced by organizations applying conventional risk analysis and management theory, and many of these problems have become characteristic of the methodologies that implement this theory. Also, many of the existing methodologies are considered unsuitable by smaller organizations, or by organizations requiring a quicker and more simplified approach. This prompted a search for an alternative approach to effective risk analysis and management.

IT security should be addressed as a corporate issue, as a failure in IT will have a dramatic impact on the organization's survival and success. Rather than approaching the analysis and management of risks in the traditional manner, through a detailed analysis of IT assets such as hardware, software and communications, a corporate approach which focuses on the critical business processes of the organization is proposed. The approach is concerned with ensuring the continuity of essential business processes and, ultimately, of the whole organization. It focuses on business dependence instead of computing vulnerability. If this approach becomes part of the business operations of an organization, it can serve as a value-added tool in ensuring the company's survival and success.
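The three options of Figure 12 (risk analysis before, during or after BPR) and the concluding point that the approach measures business dependence rather than computing vulnerability can be made concrete with a small dependency model. The Python below is an added example, not code from the paper or its authors: the department, process and IT-function names, the 1..5 likelihood, impact and criticality scales, the risk-count threshold used to flag a process for re-engineering, and the sample data are all assumptions constructed for illustration.

```python
"""Business-oriented IT risk analysis over a process/IT-function dependency model.

Added illustration (not the paper's own method or code). All names, scales and
sample data below are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A threat to an IT function, rated on two assumed ordinal 1..5 scales."""
    threat: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class ITFunction:
    name: str
    risks: tuple[Risk, ...]


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    departments: frozenset[str]   # a process may cut across several departments
    depends_on: tuple[str, ...]   # names of the IT functions it relies on
    criticality: int              # 1..5, as rated by the business impact analysis


def risks_for_process(proc: BusinessProcess, it: dict[str, ITFunction]) -> list[tuple[str, Risk]]:
    """Every risk the process inherits through the IT functions it depends on."""
    return [(f, r) for f in proc.depends_on for r in it[f].risks]


def exposure(proc: BusinessProcess, it: dict[str, ITFunction]) -> int:
    """Business exposure: inherited risk weighted by how critical the process is.
    The unit of analysis is the process, not the hardware or software asset."""
    return proc.criticality * sum(r.score for _, r in risks_for_process(proc, it))


def rank_processes(procs: list[BusinessProcess], it: dict[str, ITFunction]) -> list[tuple[str, int]]:
    return sorted(((p.name, exposure(p, it)) for p in procs), key=lambda t: -t[1])


def bpr_candidates(procs: list[BusinessProcess], it: dict[str, ITFunction], max_risks: int) -> list[str]:
    """Figure 12, option 1: risk analysis before BPR. A process carrying more than
    max_risks inherited risks is flagged for re-engineering (or scrapping)."""
    return [p.name for p in procs if len(risks_for_process(p, it)) > max_risks]


def shared_functions(procs: list[BusinessProcess]) -> dict[str, list[str]]:
    """IT functions used by more than one process: the overlapping functions that
    the review surfaces and that may hide inefficiencies and security problems."""
    users: dict[str, list[str]] = {}
    for p in procs:
        for f in p.depends_on:
            users.setdefault(f, []).append(p.name)
    return {f: ps for f, ps in users.items() if len(ps) > 1}


def continuity_priority(procs: list[BusinessProcess], it: dict[str, ITFunction]) -> list[tuple[str, int]]:
    """BCP link: business processes are identified first, then the IT they need.
    Each IT function is weighted by the criticality of every process depending on it."""
    weight = {name: 0 for name in it}
    for p in procs:
        for f in p.depends_on:
            weight[f] += p.criticality
    return sorted(weight.items(), key=lambda t: -t[1])


def sample_model() -> tuple[list[BusinessProcess], dict[str, ITFunction]]:
    """Constructed sample data: three departments, three IT functions, three processes."""
    it = {
        "order-db": ITFunction("order-db", (Risk("unauthorised access", 3, 5),
                                            Risk("data loss", 2, 5))),
        "email": ITFunction("email", (Risk("phishing", 4, 3),)),
        "legacy-batch": ITFunction("legacy-batch", (Risk("no tested backups", 3, 4),
                                                    Risk("undocumented logic", 4, 2),
                                                    Risk("single maintainer", 3, 3))),
    }
    procs = [
        BusinessProcess("order-to-cash", frozenset({"Sales", "Finance"}), ("order-db", "email"), 5),
        BusinessProcess("month-end-reporting", frozenset({"Finance"}), ("legacy-batch", "order-db"), 3),
        BusinessProcess("stock-count", frozenset({"Warehouse"}), ("legacy-batch",), 2),
    ]
    return procs, it


if __name__ == "__main__":
    procs, it = sample_model()
    for name, e in rank_processes(procs, it):
        print(f"{name:22} exposure={e}")
    print("BPR candidates:", bpr_candidates(procs, it, max_risks=3))
    print("shared IT functions:", shared_functions(procs))
    print("continuity priority:", continuity_priority(procs, it))
```

In the sample data the most exposed process is order-to-cash, which spans two departments, yet only month-end-reporting exceeds the risk-count threshold and is flagged for re-engineering; the two views disagree because one counts risks and the other weights them by criticality, which is why a practitioner would use the count as a trigger for review rather than as the sole decision criterion. The continuity ordering puts order-db first because two processes with a combined criticality of 8 depend on it, which is the top-down BCP result the text describes: processes first, then the IT that keeps them running.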
This article has been cited by:

10. Nik Zulkarnaen Khidzir, Azlinah Mohamed, Noor Habibah Arshad. 2013. ICT Outsourcing Information Security Risk Factors: An Exploratory Analysis of Threat Risks Factor for Critical Project Characteristics. Journal of Industrial and Intelligent Information 1:10.12720/jiii.1.4, 218-222.
11. Kuo-Hsiung Liao, Hao-En Chueh. 2012. Medical Organization Information Security Management Based on ISO27001 Information Security Standard. Journal of Software 7.
12. Yu Zhiwei, Ji Zhongyuan. 2012. A Survey on the Evolution of Risk Evaluation for Information Systems Security. Energy Procedia 17, 1288-1294.
13. Piya Shedden, Rens Scheepers, Wally Smith, Atif Ahmad. 2011. Incorporating a knowledge perspective into security risk assessments. VINE 41:2, 152-166.
14. Tao Zhang, Weimin Lin, Yufei Wang, Song Deng, Congcong Shi, Lu Chen. The design of information security protection framework to support Smart Grid, 1-5.
15. Xiaoling Hao, Nan Yang. IT operational risk assessment and control model based on Bayesian Network, 1105-1109.
16. Rua-Huan Tsaih, Wan-Ying Lin, Ada Chen. 2008. Safeguard gaps and their managerial issues. Industrial Management & Data Systems 108:5, 669-676.
17. Neil Lategan, Rossouw von Solms. 2006. Towards enterprise information risk management – a body analogy. Computer Fraud & Security 2006, 15-19.
18. Shaun Posthumus, Rossouw von Solms. 2004. A framework for the governance of information security. Computers & Security 23, 638-646.
19. Jacques Botha, Rossouw von Solms. 2004. A cyclic approach to business continuity planning. Information Management & Computer Security 12:4, 328-337.
20. Syed Irfan Nabi, Ghmlas Saleh Al-Ghmlas, Khaled Alghathbar. Enterprise Information Security Policies, Standards, and Procedures, 67-89.
21. Syed Irfan Nabi, Ghmlas Saleh Al-Ghmlas, Khaled Alghathbar. Enterprise Information Security Policies, Standards, and Procedures, 750-773.
22. Bao-Chyuan Guan, Chi-Chun Lo, Ping Wang, Jaw-Shi Hwang. Evaluation of information security related risks of an organization - the application of the multi-criteria decision-making method, 168-175.