James D. Stewart
CIS 527, Information Technology Risk Management
Dr. Glen Hines
October 21, 2018
Risk management is the practice of identifying, assessing, controlling and mitigating risks (Gibson, 2015, p. 13). It is widely accepted that without risk there is no gain. Individuals and organizations must take some risks if they want to be successful. Risk management is about taking risks in a controlled environment with an understanding of the risks, their causes and their consequences. Risk management is important to the success of every company, and a company that takes no risks doesn’t thrive. On the other hand, a company that ignores risk can fail when a threat is exploited. Information technology (IT) systems contribute to the success of most companies, and whether IT risks are managed properly or ineffectively can determine whether a company is successful or not.
Risk, Threat & Vulnerability
When discussing risk management, it is important to understand risks, threats and vulnerabilities. Understanding these security components helps any person or organization to effectively identify potential threats, discover and address vulnerabilities and mitigate risk. Risk is the likelihood or possibility that a loss will occur. It is the potential for loss, damage or destruction of an asset because of a threat taking advantage of a vulnerability. Risk can also be defined as Risk = Threat x Vulnerability. Examples of risk include financial losses because of business disruption, loss of privacy, reputational damage and legal implications, and can even include loss of life. A threat is any activity that represents a possible danger. Threats can be anything that exploits a vulnerability to obtain, damage or destroy an asset. It is important to note that threats can be intentional or accidental. There are three main types of threats: natural threats like tornadoes and floods, unintentional threats (such as an employee mistakenly accessing the wrong information) and intentional threats. Some types of intentional threats include malware, spyware, adware or the actions of a resentful employee. A vulnerability is a weakness; a loss is the resulting compromise to functions or assets. Vulnerabilities can be exploited by threats to gain unauthorized access to an asset, and losses occur when a threat exposes a vulnerability. Vulnerabilities can leave organizations open to intentional and unintentional threats, for example when an employee resigns and someone forgets to disable their account access or remove their name from company credit cards.
Risk and Loss
The terms risk and loss are often confused or misused. A risk is a potential for a loss, and the loss is the realization of that negative potential (Ingram, 2014). A loss results in a compromise to business assets or functions. Not all risks result in losses, and not all losses result from risks (Ingram, 2014). A risk refers to the combination of a threat’s probability and a threat’s loss, which translates to the following: risk = threat probability x potential loss (Muscat, 2017). Organizations and managers must determine how much loss is acceptable, which can then lead to determining how much and what type of risk is acceptable. The overall goal is to reduce the losses that can occur from risk (Gibson, 2015, p. 4).
Risk Management and Information Security
Risk management is important in information security. An information security risk management plan is crucial for cybersecurity readiness. Loss is often associated with financial or physical assets. Although information technology components include many physical assets, data is one of the most important assets to be considered in loss prevention. Securing information and computing infrastructure is complicated enough as it is, but with ever-evolving technologies it is that much more complex. With the rise of cyber threats, organizations and business leaders have come to focus more on information security in its entirety and as part of their risk management strategy. The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is one of the most popular security frameworks for helping organizations improve critical infrastructure cybersecurity; it aims to provide direction on how to assess and improve an organization’s ability to prevent, detect and respond to cyberattacks (Kolodgy, 2017). There is no one-size-fits-all solution for cybersecurity strategy. However, by using security frameworks such as the NIST CSF, organizations can shift from reactive efforts to a proactive approach to risk management (Kolodgy, 2017).
Risks with Data
Organizations must take risks with data. The demand for data is growing at an exponential rate and has become a part of everyday life for consumers and businesses alike. Therefore, risk management is important to information security, and data risk is becoming a top priority. Policies and regulations help to ensure that organizations are clear about what type of data they collect, store, use and share.
Managing data is complicated and challenging, and gaining and keeping the trust of individuals is even more so. It can be considered a risky practice to store customer information for repeat visits. The benefits might include better, faster service for customers and a more efficient workflow for businesses. Analytics can also be used for personalization, predictions and suggestions. All of this can result in positive customer experiences. However, if data is misused or stolen, the resulting loss of customer trust can be detrimental. High-risk data is generally understood as data that includes attributes about individuals and is commonly referred to as PII, or personally identifiable information (Telford & Verhulst, 2016). The risk comes when this type of data is collected and shared without proper authorization from the individual or the organization acting as the data steward, or when the data is being used for purposes other than what was initially stated during collection (Telford & Verhulst, 2016). Many companies have learned that a good way to manage data risk is by improving data management. With strong data management and a good understanding of the related risks, trust with data can be easier to manage.
Risk Management Plan
The potential for risk can be reduced by creating and implementing a risk management plan. A risk management plan is a specific type of project plan to identify and mitigate risk (Gibson, 2015). The plan is a document that is prepared to anticipate risks, estimate impacts and specify responses to vulnerabilities and threats. The document defines the process and techniques used to define risks and responses. There are several necessary components in any organization’s risk management plan. An important first step for a risk management plan is to establish objectives (Gibson, 2015). Other key components include the following: roles and responsibilities, budget, timeframe, thresholds, communication, tracking and auditing (“Seven Components to a Risk Management Plan,” 2014).
It is important to recognize that risk does not always generate reward, although proper risk management can increase the probability and the size of rewards. A good quote to remember is from Greyson Chance, who states: “Bigger the risk, bigger the reward. But the higher the climb the harder the fall” (“Greyson Chance Quote,” 2018).
References
Gibson, D. (2015). Managing risk in information systems (2nd ed.). Burlington, MA: Jones & Bartlett Learning.
Greyson Chance Quote. (2018, October 13). Retrieved from https://www.azquotes.com/
Ingram, D. (2014, December 29). The Difference Between Risk and Loss. Retrieved from
Kolodgy, C. (2017, December 13). Cybersecurity Strategy, Risk Management and List Making. Retrieved from https://securityintelligence.com/cybersecurity-strategy-risk-management-
Muscat, I. (2017, November 6). Cyber Threats vs Vulnerabilities vs Risks | Acunetix. Retrieved
Seven Components to a Risk Management Plan. (2014, October 6). Retrieved from
Telford, S., & Verhulst, S. (2016). Understanding Risk | A Framework for Understanding Data Risk. Retrieved from https://understandrisk.org/a-framework-for-understanding-data-risk/