IT Risk Management: Assessing And Managing Risks In An Organization

Importance of IT Risk Management in Enterprise Risk Management

Question:

Discuss the Sociological Versus Metascientific Risk Assessment.

IT risk management is a risk management method in which information technology is assessed to identify the risks it poses or exposes a company to while it is in use. In a business or firm, IT risk can be considered part of a full-scale enterprise risk management system (Crockford, 1986). An information security management system that is continually updated and maintained is a sign that the company has set up the resources needed to identify, assess and manage information security risks. IT risk management involves assessing not only the negative effects of using technology in a company but also the benefits that may accompany it (Verin & Trumper, 2007). Decision theory should be used when assessing risk because risk involves a great deal of uncertainty. IT risk management, like all forms of risk management, should be done continuously to ensure that the information obtained stays current. Changes that can affect a company are ongoing all the time, so for IT risk management to be effective the analysis of risk must be continuous; only then can the company avert much of the risk when it faces a problem (Katsicas, 2009).

Organizations should have in place a comprehensive enterprise risk management (ERM) system. Four main categories should be addressed when implementing an enterprise risk management system: operations, which focuses on the effective use of resources in an organization; compliance, which ensures the company complies with the laws and regulations applicable to it; strategy, which ensures the systems support, and are in line with, the mission of the organization; and financial reporting, which ensures financial records are reliable (Flyvbjerg & Budzier, 2011). IT risk management encompasses all of these categories and therefore plays a critical role in keeping risk at a manageable level in a company. Risk sensitivity and risk appetite should be guiding factors within the IT risk management process (Taylor & VanMarcke, 2002).

Companies are now not being faced with lawsuits in such cases because the law states that no individual, including their employees, is to handle a handheld device while driving. If a company has blocked social media sites, its employees can still access these sites using their personal devices. They can engage on social media as usual, but if there is a case such as racial discrimination on social media that was instigated by an employee while at the workplace, the company is liable for any damages caused by the employee (Roehrig, 2006). An unknown device that is lost, found and then used within a company can be a major risk factor. The device might contain unwanted information that puts the company at risk of legal problems. Such devices are also used by individuals who have malicious intent against the company or who intend to carry out corporate espionage. It is therefore very important for the company to have a strict policy that restricts employees from using their personal devices while they work (Antunes & Vincente, 2015). Personal devices pose a major risk factor and are best avoided at the workplace so that the level of risk they introduce is minimal or none at all.

Risks Associated with Personal Devices in the Workplace

Financial institutions such as Aztec usually have to adhere to the set industry or government compliance regulations. This is mainly to ensure that such institutions operate within the law, for example by safeguarding the data and finances of their clients (Kasperson, Renn, Slovic, Brown, Emel et al., 1988). The presence of government or industry regulations ensures that any financial institution such as Aztec follows the set standards as it carries out its mandate. The regulations are designed to reduce the risks that clients may face by setting key standards to which the institution must adhere while in operation. The regulations also ensure that outsourced operations are evaluated before work is given out, to find out how much risk a financial institution takes on when it hands its work to a third party. Financial institutions such as Aztec handle a lot of sensitive information belonging to their clients and shareholders. With the advent of various digital breaches and ransomware attacks, governments and other regulatory bodies have had to enact stringent policies that ensure these financial institutions invest heavily in keeping their data secure (British Standard Institute, 2006). This is a good approach both for the financial institutions and for their clients.

Reviewing the risks posed when individuals are allowed to bring and use their personal devices at Aztec will demonstrate the importance of the IT risk management process and the benefits it brings to a company. It will also shed light on the security posture of Aztec. IT risk management includes a number of processes that a company undertakes to establish the potential risks it faces and how they can be mitigated (ISACA, 2006). The first step involves establishing the context that will be used for the risk assessment. In this stage all the relevant information pertaining to the company, in our case Aztec, is acquired, after which the scope, purpose, boundaries and basic criteria of the risk assessment are established (Technical Standard Risk Taxonomy, 2009). In this stage the organization that will carry out the risk assessment is also determined. Gathering the required information based on the scope and purpose of the risk assessment helps the person performing the task determine in which areas they are going to assess risk so that they can deliver on their mandate. Aztec has commissioned an IT risk analysis expert to assess the risk and impact the company faces when employees are allowed to use their personal devices, such as tablets, mobile phones and laptops, as they work and carry out their mandate in the organization.

Quantitative and Qualitative Risk Assessment

The purpose of establishing context is to ensure that all the legal procedures and requirements are followed, and evidence of this should be provided so that the whole IT risk assessment can be certified as a legitimate and trustworthy process (IEEE, 2006). Context establishment is also done to bring strategic value to the business from the information that will be acquired. This means that the risk assessment should benefit the strategic plan of the business by indicating which kinds of risk it can take and which it cannot afford to take. Stakeholders and shareholders in an organization are the people who own the company. The company may have employees and a chief executive officer, but these employees all work for the shareholders. The shareholders have invested their money in the organization because they believe in its mission and vision (Lacey, 2011). They also want to turn a profit from their investment. The shareholders invest in the company expecting to make a profit, but with investments come risks. The risk assessment will give the shareholders more insight into the risks the company might face. It will also give the shareholders confidence that the company can bring them a profit or dividends while growing their share value (Korstanje, 2014). A risk assessment also enables an organization to establish a baseline that helps it determine the negative consequences that can befall it and to what extent its reputation can be damaged (Verin & Trumper, 2007).

Information technology, known as a critical resource within any organization, helps run most of the systems in a company. IT risk assessment is therefore a key factor in any risk assessment because IT is an underlying factor in most of the operations of an organization. The constraints an organization faces are also documented and collected for use in guiding the risk assessment process (Spring, Kern & Summers, 2015). These may include cultural, technical, political or budgetary constraints. Risk management deals with continuously analyzing, controlling, implementing, monitoring and planning the measures a company has put in place to ensure that its security policy is maintained and enforced. Risk assessment is usually carried out on demand or once a year until a clear view of the assessed risk can be established. The risk assessment, as established, was to determine the risk factors that come with employees bringing their personal devices to the workplace and using them for work-related tasks. After the risk to be assessed has been identified, the next step is to perform a risk estimation. Risk assessment in the information security field can be done through two methods: the qualitative and the quantitative method.

Quantitative risk assessment is the act of performing mathematical calculations that are solely about the security metrics of an application or a system (Lieberman, 2009). In quantitative risk assessment each risk scenario being assessed is based on a collection of risk factors that lead to the establishment of a single loss expectancy (SLE). Once the single loss expectancy is established, the annual loss expectancy can be found as the product of the single loss expectancy and the annual rate of occurrence (ARO), which is the probability of a certain event occurring in a set period such as a year. When performing a quantitative risk assessment it is key to note that the total value of all the assets of a company is considered rather than only the specific resource affected by a problem. From the risk assessment being done at Aztec we can demonstrate quantitative risk assessment by understanding that when employees bring their own devices to the workplace they not only expose their devices to risk but also expose any company or related data that has passed through their device. The company can be legally liable for any damages, such as loss of confidential data, or any other issues that pertain to the use of employees' personal devices as they work (Hubbard, 2009).

Qualitative risk assessment is a risk assessment process used when an organization needs a risk assessment to be performed under certain constraints. These constraints may include the company having a small budget for the risk assessment, the company needing the risk assessment to be performed in a short period of time, the individuals performing the risk assessment lacking the necessary skills (such as financial, mathematical or risk assessment experience) to perform a conclusive risk assessment, or the absence of a significant amount of data that would be crucial to a comprehensive risk assessment. The main difference between a qualitative and a quantitative risk assessment is that a qualitative risk assessment can be accomplished with less data and in a shorter time than a quantitative risk assessment requires (Hallenbeck, 1986). Qualitative risk assessments are implemented by holding interviews with the involved stakeholders. In our case, interviews can be conducted with the individuals or employees who use their personal devices at the workplace as they carry out their mandated tasks (O'Brien, 2002). Qualitative risk assessments are usually compared on the basis of description rather than measurable extent. In a risk assessment process a qualitative classification is performed first, followed by a quantitative evaluation of the costs incurred in implementing security measures compared with the highest risks present.

Risk estimation comprises assessing the consequences of how a risk or problem has impacted an organization. This is done by valuing the assets the company holds. It is also done by assessing the chances that a risk might occur, through vulnerability and threat valuation (Flyvbjerg, 2003). Lastly, the chances of a risk occurring and the consequences that accompany its occurrence are recorded as measured estimates. A risk register is a document containing information on all the risks discovered and the value levels of these risks. Risk evaluation is the process of comparing the risk levels obtained from the risk assessment process against the risk acceptance criteria the company has specified, and prioritizing the identified risks with risk treatment indications (Mayo, 2011).

Risk mitigation is the process of evaluating, implementing and prioritizing the steps or actions recommended to reduce the risks identified in the risk assessment process (Lerche & Glaesser, 2006). The complete removal or elimination of risk is not practical and is hard to achieve. Senior management and other top management within an organization should use the least-cost approach to put in place the controls appropriate for controlling or reducing the identified risks to a level that is minimal or acceptable, such that they do not have an adverse impact on the mission or resources of the organization. In an organization such as Aztec there are measures in place to control which employees have access to which kinds of information. The problem is that for any employee to play their needed role in carrying out their mandate within the company, they need to be given access to the resources and assets of the company. If an employee uses their personal device to log in to the company database or system they might put the company at risk, because their personal device has not undergone any form of screening or testing to establish whether it is safe for use within the company (Simon & Hillson, 2012).
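The quantitative estimation described earlier (SLE and ALE = SLE x ARO), the risk register with its evaluation against a risk acceptance criterion, and the least-cost selection of controls from this paragraph, carried through in Python for the personal-device scenario. This is an added example and not part of the original essay. Every asset value, exposure factor, annual rate of occurrence, control cost and the acceptance threshold is a constructed sample figure for a hypothetical institution, and the decomposition of SLE into asset value times an assumed exposure factor is a convention adopted here, not something the essay states.

```python
"""Worked quantitative risk estimation, register and least-cost treatment.

Added example, not part of the original essay. All figures (asset values,
exposure factors, annual rates, control costs, acceptance threshold) are
constructed sample numbers for a hypothetical bank, not data about any
real company.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # value of the asset at stake, in currency units
    exposure_factor: float   # assumed fraction of asset value lost per incident (0..1)
    aro: float               # annual rate of occurrence (expected incidents per year)

    @property
    def sle(self) -> float:
        # Single loss expectancy: loss from one occurrence. The asset value x
        # exposure factor split is a common convention assumed here.
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        # Annual loss expectancy = SLE x ARO.
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    applies_to: str        # name of the risk scenario this control treats
    annual_cost: float     # yearly cost of operating the control
    aro_reduction: float   # assumed fraction by which the control cuts the ARO (0..1)


# Constructed sample scenarios for a hypothetical bank that allows personal devices.
RISKS = [
    Risk("Client data leaked via unmanaged personal device", 2_000_000, 0.10, 0.5),
    Risk("Malware introduced from an unscreened USB drive", 500_000, 0.20, 2.0),
    Risk("Employee phone lost with cached work email", 50_000, 0.50, 1.0),
]

# Constructed candidate controls; each targets one scenario.
CONTROLS = [
    Control("Mobile device management with remote wipe",
            "Client data leaked via unmanaged personal device", 40_000, 0.80),
    Control("Policy: no personal devices for work",
            "Client data leaked via unmanaged personal device", 15_000, 0.90),
    Control("USB port lockdown on company workstations",
            "Malware introduced from an unscreened USB drive", 10_000, 0.95),
    Control("Endpoint anti-malware on company workstations",
            "Malware introduced from an unscreened USB drive", 25_000, 0.60),
]

# Risk acceptance criterion (risk appetite): constructed figure for the example.
ACCEPTANCE_THRESHOLD = 30_000   # maximum tolerated ALE per scenario, per year


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control has reduced the rate of occurrence."""
    return risk.ale * (1.0 - control.aro_reduction)


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual ALE reduction bought by the control minus its annual cost."""
    return (risk.ale - residual_ale(risk, control)) - control.annual_cost


def build_register(risks, threshold):
    """Risk register: scenarios ordered by ALE, each with a treatment indication
    from comparing its ALE against the acceptance criterion."""
    rows = []
    for r in sorted(risks, key=lambda r: r.ale, reverse=True):
        rows.append({"risk": r.name, "sle": r.sle, "ale": r.ale,
                     "treatment": "accept" if r.ale <= threshold else "treat"})
    return rows


def select_controls(risks, controls, threshold):
    """Least-cost treatment: for each risk above the threshold, pick the cheapest
    control whose residual ALE meets the acceptance criterion; if none reaches
    it, fall back to the control with the best net benefit."""
    decisions = {}
    for r in risks:
        if r.ale <= threshold:
            decisions[r.name] = ("accept", None)   # within appetite: no control needed
            continue
        candidates = [c for c in controls if c.applies_to == r.name]
        adequate = [c for c in candidates if residual_ale(r, c) <= threshold]
        if adequate:
            chosen = min(adequate, key=lambda c: c.annual_cost)
        elif candidates:
            chosen = max(candidates, key=lambda c: net_benefit(r, c))
        else:
            chosen = None   # no candidate control: residual risk stays with the business
        decisions[r.name] = ("treat", chosen.name if chosen else None)
    return decisions


if __name__ == "__main__":
    for row in build_register(RISKS, ACCEPTANCE_THRESHOLD):
        print(f"{row['risk']}: SLE={row['sle']:,.0f} ALE={row['ale']:,.0f} -> {row['treatment']}")
    for risk_name, (action, control) in select_controls(RISKS, CONTROLS, ACCEPTANCE_THRESHOLD).items():
        print(f"{risk_name}: {action}" + (f" with '{control}'" if control else ""))
```

With these sample figures the USB scenario has the largest ALE (200,000) and the data-leak scenario the largest single loss (200,000); both exceed the 30,000 acceptance threshold, so the register marks them for treatment, while the lost-phone scenario (ALE 25,000) is accepted. For the data-leak scenario two controls both bring the residual ALE within appetite, and the least-cost rule picks the cheaper policy control over the more expensive device-management control, which is the essay's point that the cheapest adequate control, not the strongest one, is what management should fund. A scenario for which no control reaches the threshold is the case where the later options of risk assumption or transfer to an insurer come into play.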

Data security is a key aspect of any organization because its data is a valuable resource. Data in a financial institution such as Aztec is very important, and if this data is tampered with or accessed by unauthorized personnel it becomes a great risk to the company, which might incur a lot of costs and legal problems (Rob, 2016). The equipment used by an organization is usually prescreened and continually patched and updated so that it does not pose a risk that malicious individuals can capitalize on to gain access to the company's data. Personal devices used by employees have not been prescreened to ensure that they are secure for use in an organization. An employee poses a data risk when they bring their personal devices to use in the company. As soon as they gain access to the company data, malicious individuals can use this loophole to gain access to company data and demand a ransom for it, or tamper with the data, which will cost the attacked company immensely. Devices whose origin employees do not know should also not be used in the company. A device such as a flash disk may contain a virus that affects the computer or system it is plugged into. The company can reduce data security risks by keeping a backup of its data so that when its primary database is attacked it can use the backup and continue its operations. The company can also institute a policy that bans employees from using their own devices while they do their work (Shrader & Westra, 1997). This will go a long way toward ensuring that the level of risk posed by these devices is reduced immensely.

The company should also have a firewall in place so that even when employees use their personal devices as they work, any malicious software can be blocked from reaching the company system and its resources. The firewall will keep the company system protected and help ensure that the data stored in the company database remains valid and usable by employees as they carry out their duties. The company should also deploy vulnerability scanners within its system so that it can detect risks before they become too severe (Caballero, 2009). Vulnerability scanners are built to check a system regularly for any vulnerabilities present. Unlike a firewall, a vulnerability scanner is tasked with checking the system periodically for suspicious software or vulnerabilities. Vulnerability scanners are important because they enable a company to find any malicious software or system that may have embedded itself within the company system. When employees bring their own devices and use them as they work, a vulnerability scanner comes in handy in reducing the risk of the company being affected by a vulnerability or malicious software. The scanners can scan the employees' devices and block them from accessing the system so that the risk of harm to the company is reduced.

Risk assumption is when a company accepts the potential risks it may face and continues its business operations while working on ways to lower its level of risk. Most companies follow this path when they encounter a risk because they can work on the problem at hand and still serve their clients (Commoner, 2010). It may, however, be a risky venture: if the risk gets out of hand they might get into more trouble than if they had stopped operations initially to focus all their resources on fixing the issue. Risk avoidance is practiced by a company when it deals with the cause of the risk and eliminates it. Risk limitation is the reduction or limitation of risk by having controls in place that reduce the impact a risk may have on the company. Risk planning is when a company manages risk by coming up with a plan to take care of it. Research and acknowledgement is when a company or organization accepts that it faces a risk and researches methods that can help it correct or rectify the risk.

Conclusion

A company such as Aztec can transfer risks to its insurers. Transferring risk to an insurer ensures that the insurer can cover any risk the company is exposed to (Dorfman, 2007). This is, however, a costly venture because the insurer has to be paid hefty premiums depending on the kind of cover the company has taken. Although it may be expensive, it can help the company save its reputation if there is a problem. The insurer will simply step in on behalf of the company and cover any damages imposed on it (Costas, Gritzalisa, Petros, Athsnasois & Sokratis, 2005). For a company such as Aztec, risk assessment and management should be carried out regularly to ensure that the company is always alert to any potential risk that may affect its business. When such a company implements a policy ensuring that its employees do not use their personal devices for work-related activities or at the workplace, it can mitigate many risks and vulnerabilities before they become adverse and have a large negative impact on the company. It is therefore very important for such a company to carry out risk assessment regularly so that it is confident in the integrity of its database. It will also give it confidence to operate in the financial industry, since it adheres to the legal requirements concerning risk assessment and mitigation.

References

Anderson K. (2005). Intelligence Based Threat Assessments for Information Networks and Infrastructures: A White Paper.

Antunes R. & Vincente G. (2015). A Production Model for Construction: A Theoretical Framework. Buildings, 5(1): 209-228.

British Standard Institute. (2006). ISMSs - Part 3: Guidelines for information security risk management.

Caballero A. (2009). Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc. p. 232.

Commoner B. (2010). Comparing apples to oranges: Risk of cost/benefit analysis. In Contemporary moral controversies in technology. pp. 64-65.

Costas L., Gritzalisa S., Petros H., Athsnasois N. Y. & Sokratis K. (2005). A formal model for pricing information systems insurance contracts. Computer Standards & Interfaces. pp. 531-532.

Crockford N. (1986). An Introduction to Risk Management. Woodhead-Faulkner. p. 18.

Dorfman M. S. (2007). Introduction to Risk Management and Insurance. Englewood Cliffs, N.J.: Prentice Hall.

Flyvbjerg B. & Budzier A. (2011). Why Your IT Project May Be Riskier Than You Think. Harvard Business Review, 89(9): 601-603.

Flyvbjerg B. (2003). Megaprojects and Risk: An Anatomy of Ambition. Cambridge University Press.

Hallenbeck W. H. (1986). Quantitative risk assessment for environmental and occupational health. Lewis Publishers.

Hubbard D. (2009). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley & Sons. p. 46.

IEEE (2006). Systems and software engineering - Life cycle processes - Risk management.

ISACA (2006). CISA Review Manual 2006. Information Systems Audit and Control Association. p. 85.

Kasperson R. E., Renn O., Slovic P., Brown H. S., Emel J. et al. (1988). The social amplification of risk: A conceptual framework. Risk Analysis, 8(2): 177-187.

Katsicas S. K. (2009). Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc. p. 605.

Korstanje M. E. (2014). Why risk research is more prominent in English speaking countries in the digital society. International Journal of Cyber Warfare and Terrorism, 4(1): 8-18.

Lacey P. (2011). An Application of Fault Tree Analysis to the Identification and Management of Risks in Government Funded Human Service Delivery. Proceedings of the 2nd International Conference on Public Policy and Social Sciences.

Lerche I. & Glaesser W. (2006). Environmental risk assessment: quantitative measures, anthropogenic influences, human impact. Springer.

Lieberman D. (2009). Using a Practical Threat Modelling Quantitative Approach for data security.

Lock G. (2017). Public Safety Driving Dynamic Risk Assessment. PS Driver Magazine.

Mayo D. G. (2011). Sociological versus metascientific views of technological risk assessment.

O'Brien M. (2002). Making better environmental decisions: an alternative to risk assessment. MIT Press.

Rob A. (2016). 3 Types of Security Assessments. Threat Sketch.

Roehrig P. (2006). Bet On Governance To Manage Outsourcing Risk. Business Trends Quarterly.

Shrader F. K. & Westra L. (1997). Technology and values. Rowman & Littlefield.

Simon P. & Hillson D. (2012). Practical Risk Management: The ATOM Methodology. Management Concepts.

Spring J., Kern S. & Summers A. (2015). Global adversarial capability modelling. 2015 APWG Symposium on Electronic Crime Research (eCrime), pp. 1-21.

Technical Standard Risk Taxonomy. (2009). Published by The Open Group.

Taylor C. & VanMarcke E. (2002). Acceptable Risk Processes: Lifelines and Natural Hazards.

Verin L. & Trumper M. (2007). Project Decisions: The Art and Science. Management Concepts.

Verin L. & Trumper M. (2007). Project Think: Why Good Managers Make Poor Project Choices. Gower Pub Co.
