Risk Management
James D. Stewart
CIS 527, Information Technology Risk Management
Dr. Glen Hines
October 21, 2018
Many people would argue that taking risks is very risky, and they would not be wrong. Risks can be scary and harmful, but they can also be positive and rewarding. The biggest difference lies in how risks are managed. Risk management is the practice of identifying, assessing, controlling and mitigating risks (Gibson, 2015, p. 13). It is widely accepted that without risk there is no gain. In order to be successful, risks must be taken. However, it is important to understand that effective risk management involves calculated risks along with thorough knowledge of risk catalysts, impacts and outcomes. If an organization does not take any risks, it is not going to do very well or improve very much. On the other hand, if risks are ignored, the result can be detrimental to stability and prohibitive to progress. Risk plays a key role in success and failure. Information technology (IT) systems play a part in the success of most companies, and whether IT risks are managed properly or improperly can determine the fate of a company's success.
Risk, Threat & Vulnerability
In risk management, it is vital to understand risks, threats and vulnerabilities. Knowledge of these security components will assist any entity or institution to effectively identify, discover and confront threats and vulnerabilities. In turn, this will also help to mitigate risk. Risk can be defined as the probability that a loss will take place: the likelihood of damage to or complete loss of an asset when a threat takes advantage of a vulnerability. Expressed as an equation, risk can be stated as: Risk = Threat X Vulnerability. Examples of risk include financial losses because of business disruption, loss of privacy, reputational damage, legal implications and even loss of life. A threat is any activity that represents a possible danger. Threats can be anything that exploits a vulnerability to obtain, damage, or destroy an asset. It is important to note that threats can be intentional or accidental. There are three main types of threats: natural threats like tornadoes and floods, unintentional threats (such as an employee mistakenly accessing the wrong information) and intentional threats. Some types of intentional threats include malware, spyware, adware or the actions of a resentful employee. A vulnerability is a weakness; a loss is the resulting compromise of functions or assets. Vulnerabilities can be exploited by threats to gain unauthorized access to an asset, and losses occur when a threat exposes a vulnerability. Vulnerabilities can leave organizations open to both intentional and unintentional threats. For example, an employee resigns and someone forgets to disable their account access or to remove their name from company credit cards.
Risk and Loss
The terms risk and loss are often confused or misused. A risk is a potential for a loss, and the loss is the realization of that negative potential (Ingram, 2014). A loss results in a compromise to business assets or functions. Not all risks result in losses, and not all losses result from risks (Ingram, 2014). A risk refers to the combination of a threat's probability and the loss that threat could cause, which translates to the following: risk = threat probability x potential loss (Muscat, 2017). Organizations and managers must determine how much loss is acceptable, which then leads to determining how much and what type of risk is acceptable. The overall goal is to reduce the losses that can occur from risk (Gibson, 2015, p. 4).
Risk Management and Information Security
Risk management is vital to information security. An information security risk management plan is crucial for cybersecurity preparedness. Loss is commonly associated with financial or physical assets. Although IT components include a variety of physical assets, data is a high-priority asset when it comes to preventing loss. Securing information and IT infrastructure is complicated enough as it is, and constant changes in technology make it that much more challenging. With the rise of cyber threats, organizations and business leaders have become more focused on information security, including the incorporation of IT security as a part of risk management strategy. The National Institute of Science and Technology Cybersecurity Framework (NIST CSF) is one of the most popular security frameworks for helping organizations improve critical infrastructure cybersecurity; it aims to provide direction on how to assess and improve an organization's ability to prevent, detect and respond to cyberattacks (Kolodgy, 2017). There is no universal solution for IT security and risk management strategy. However, by using resources such as the NIST CSF, organizations can move from reactive efforts to proactive approaches to risk management (Kolodgy, 2017).
Risks with Data
Organizations must take risks with data. The demand for data is growing at an exponential rate and has become a part of everyday life for consumers and businesses alike. Therefore, risk management is important to information security and data risk is becoming a top priority. Policies and regulations help with control and enforcement by encouraging organizations to be clear about what type of data they gather, store, use and share.
Managing data is complicated and challenging. Even more challenging is gaining and keeping the trust of individuals. Storing customer information for repeat visits can be considered a risky practice. The benefits might include better, faster service for customers and a more efficient workflow for businesses. Analytics can also be used for personalization, predictions and suggestions. All of this can result in positive customer experiences. However, if data is misused or stolen, the resulting loss of customer trust can be detrimental. Data classified as high-risk is essentially data that includes attributes about individuals and is commonly referred to as PII, or personally identifiable information (Telford & Verhulst, 2016). The risk presents itself when this type of data is retrieved and shared without consent from an individual or organization, or when data is used for purposes other than what was initially stated during collection (Telford & Verhulst, 2016). Many companies have learned that a favorable way to manage data risk is by improving data management. With strong data management combined with a good understanding of the related risks, consumer and public trust in data handling becomes much easier to maintain.
Risk Management Plan
The potential for risk can be reduced by creating and implementing a risk management plan. A risk management plan is a specific type of project plan to identify and mitigate risk (Gibson, 2015). The plan is a document prepared to anticipate risks, estimate impacts and specify responses to vulnerabilities and threats. The document defines the process and techniques used to identify risks and responses. There are several necessary components in any organization's risk management plan. An important first step for a risk management plan is to establish objectives (Gibson, 2015). Other key components include the following: roles and responsibilities, budget, timeframe, thresholds, communication, tracking and auditing ("Seven Components to a Risk Management Plan," 2014).
It is important to recognize that risk does not always generate reward, although proper risk management can increase the probability and the size of rewards. A good quote to remember is from Greyson Chance, who states: "Bigger the risk, bigger the reward. But the higher the climb the harder the fall" ("Greyson Chance Quote," 2018).
References
Gibson, D. (2015). Managing risk in information systems (2nd ed.). Burlington, MA: Jones & Bartlett Learning.
Greyson Chance Quote. (2018, October 13). Retrieved from https://www.azquotes.com/
Ingram, D. (2014, December 29). The Difference Between Risk and Loss. Retrieved from
Kolodgy, C. (2017, December 13). Cybersecurity Strategy, Risk Management and List Making. Retrieved from https://securityintelligence.com/cybersecurity-strategy-risk-management-
Muscat, I. (2017, November 6). Cyber Threats vs Vulnerabilities vs Risks | Acunetix. Retrieved
Seven Components to a Risk Management Plan. (2014, October 6). Retrieved from
Telford, S., & Verhulst, S. (2016). Understanding Risk | A Framework for Understanding Data Risk. Retrieved from https://understandrisk.org/a-framework-for-understanding-data-risk/