In today’s economic context, organizations are looking for ways to improve their business, to keep ahead of the competition and to grow revenue. To stay competitive and consolidate their position on the market, companies must use all the information they have and process it for better support of their missions. For this reason, managers have to take into consideration the risks that can affect the organization and minimize their impact on it. Risk management helps managers to better control business practices and improve business processes.
Keywords: Risk Management, Security, Methodology
1 Introduction

Today’s economic context is characterized by a competitive environment which is permanently changing. To face this fierce competition, managers must take correct strategic decisions based on real information. In order to maintain the authenticity and accuracy of the information used in the decision process, any organization must use information systems to process its information and to better support its missions. For this reason, information security risk management plays a very important role in organizational risk management, because it ensures the protection of the organization from threatening attacks on its information that could affect the business activity and therefore its mission.

An effective risk management process is based on a successful IT security program. This does not mean that the main goal of an organization’s risk management process is to protect its IT assets, but to protect the organization and its ability to perform its missions. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization and its leaders. [1]

2 Risk management: definition and objectives

The concept of risk management is applied in all aspects of business, including planning and project risk management, health and safety, and finance. It is also a very common term amongst those concerned with IT security. A generic definition of risk management is the assessment and mitigation of potential issues that are a threat to a business, whatever their source or origin. [2]

The concept of risk management is now fairly universally understood, having been in widespread use for a number of years. It is applied in all aspects of business.

To discuss the definition of risk management, it is necessary to explain in advance the meaning of three main concepts:

Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome).

Threat is the potential cause of an unwanted impact on a system or organization (ISO 13335-1). A threat can also be defined as an undesired event (intentional or unintentional) that may cause damage to the assets of the organization.

Vulnerability is a weakness in system procedures, system architecture, its implementation, internal controls or other causes that can be exploited to bypass security systems and gain unauthorized access to information. A vulnerability represents any weakness, administrative process, act or
Informatica Economică vol. 15, no. 1/2011 229
statement that makes information about an asset capable of being exploited by a threat.

Risk management is a process consisting of:
- identifying vulnerabilities and threats to the information resources used by an organization in achieving its business objectives;
- risk assessment, by setting the probability and impact of its occurrence through threats exploiting vulnerabilities;
- identifying possible countermeasures and deciding which ones could be applied in order to reduce the risk to an acceptable level, based on the value of the information resource to the organization. [3]

The goal of performing risk management is to enable the organization to maintain its activity results at the highest values. This process should combine, as efficiently as possible, all factors which can increase the probability of success and decrease the uncertainty of achieving objectives. Risk management should be an evolving process. Particular attention should be given to the implementation of the strategies for eliminating or reducing the risk and to their application, to the analysis of the past evolution of risks and to the prediction of present and future events. The management process should be implemented at the highest management level.

In IT&C, one of the most important goals of risk management is accomplished by better securing the information systems that store, process, or transmit organizational information; by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and by assisting management in authorizing (or accrediting) the IT systems, on the basis of the supporting documentation resulting from the performance of risk management. [1]

3 Risk Management approaches: Proactive and reactive approach

Risk management can be approached in two ways: reactive and proactive. The reactive approach may be an effective response to security risks that have already occurred by producing security incidents. The analysis of the causes of security incidents could help the organization to prevent their repetition and be prepared for any possible problems. Companies that respond to security incidents in a calm and rational way, while determining the causes that allowed the incidents to occur, will be able to respond in a shorter time to similar problems that arise.

There are six steps that an organization should take into consideration when the reactive approach is applied:

1. Protecting human life and safety
It is the most important and most active of the six. Organizations have to respect laws that protect employees and that require protection measures to prevent work accidents. The computerization of the production process has led to many activities in an organization where production risks and the security of their information systems are likely to endanger human life and health.

2. Controlling damage
This activity consists of stopping or controlling the spread of the damage produced by the risks that materialized. In case of a cyber-attack, organizations should take actions to protect information, important applications and the hardware components as soon as possible, and minimize the time during which the system is not working properly. Sometimes keeping the system available during such an attack may increase the damage.

3. Damage assessment
Damage assessment is done by restoring activity and after the reinstatement of all systems affected by the risk. If cyber damage assessment involves conducting detailed investigations of the incident, proceed immediately to restore or replace hardware, reinstall the software used and recover the affected data. If the damage assessment takes too long, contingency plans should be considered so that the organization resumes normal activity without bigger damage.
The result of the risk evaluation, using the proper chosen method, must be interpreted in order to determine the type of the risk (negligible, tolerable or intolerable):
- The negligible risk does not need any measure to be applied. It is monitored periodically.
- The tolerable risk also does not need any countermeasure to be implemented, but it is permanently monitored, and whenever any growth of its value is identified it becomes the object of supplementary actions in order to reduce its level. This means that the risk level is not high enough to affect the objectives of the company’s activities, so that the leading management could assume its realization without implementing all the countermeasures.
- If the risk has an intolerable level, then it needs an immediate response. This means that the management team must identify and implement the right measure to reduce or eliminate the risk (risk mitigation). In some cases, in which the risk management team does not have the needed means for implementing certain
measures, the decision process would be transferred to a higher forum of management.

For our hypothetical example, we could define the level very low for the negligible risk, the level low for the tolerable risk and the values medium, high and very high for the intolerable risk.
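A worked example of the classification above, added here and not part of the original paper: it derives a risk level from a likelihood and an impact score (the 1..5 scales and the product matrix are assumptions; the paper does not fix them), maps the level to the three risk types and returns the response each type requires, including escalation when the team lacks the means to mitigate.

```python
# Added example, not code from the paper: evaluates a small risk register using
# the three risk types (negligible / tolerable / intolerable) and the response
# each one requires. ASSUMPTION: the paper's five levels are derived here from
# a 1..5 likelihood and a 1..5 impact score via a product matrix the paper does not fix.

LEVELS = ["very low", "low", "medium", "high", "very high"]
RISK_TYPE = {"very low": "negligible", "low": "tolerable",
             "medium": "intolerable", "high": "intolerable", "very high": "intolerable"}

def risk_level(likelihood, impact):
    """Map likelihood x impact (each 1..5) to one of the five levels (assumed matrix)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers in 1..5")
    score = likelihood * impact  # 1..25
    for limit, level in ((2, "very low"), (5, "low"), (10, "medium"), (16, "high")):
        if score <= limit:
            return level
    return "very high"

def response(level, previous_level=None, team_has_means=True):
    """Required action for a risk at the given level, following the rules in the text."""
    kind = RISK_TYPE[level]
    if kind == "negligible":
        return "monitor periodically"
    if kind == "tolerable":
        # Permanently monitored; any growth of its value triggers supplementary actions.
        if previous_level and LEVELS.index(level) > LEVELS.index(previous_level):
            return "supplementary actions to reduce level"
        return "monitor permanently"
    # Intolerable: mitigate at once, or escalate to a higher management forum
    # when the risk management team lacks the means to implement the measure.
    return "mitigate immediately" if team_has_means else "escalate to higher management"

def evaluate(register):
    """Return (name, level, type, response) rows with the greatest risks first."""
    rows = []
    for r in register:
        lvl = risk_level(r["likelihood"], r["impact"])
        rows.append((r["name"], lvl, RISK_TYPE[lvl],
                     response(lvl, r.get("previous_level"), r.get("team_has_means", True))))
    return sorted(rows, key=lambda row: LEVELS.index(row[1]), reverse=True)

# Constructed sample register, not real assessment data.
SAMPLE_REGISTER = [
    {"name": "unpatched internet-facing server", "likelihood": 4, "impact": 5},
    {"name": "loss of an encrypted laptop", "likelihood": 3, "impact": 1,
     "previous_level": "very low"},
    {"name": "short power outage", "likelihood": 2, "impact": 1},
    {"name": "insider data leak", "likelihood": 2, "impact": 4, "team_has_means": False},
]
```

Calling evaluate(SAMPLE_REGISTER) lists the server first as intolerable (mitigate immediately) and the power outage last as negligible (monitor periodically).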
8. Results documentation
After the threat sources and vulnerabilities are identified and the risk is assessed, the results should be written in an official report. The Risk Assessment Report is a report addressed to managers and owners that helps them take decisions concerning security policies and procedures. A risk assessment report presents in a systematic and analytical way the existing risks and how they can be exploited, in order to help managers understand and allocate resources to reduce or correct any losses.

6 Risk mitigation

After the risk assessment, any organization has to implement methods to reduce the level of risk. Since it is almost impossible to eliminate all risks, top managers must implement the most effective measures to reduce risk to an acceptable level and to minimize the negative impact of risk on the organization’s mission and goals.

There are several methods to reduce risks, which are applied depending on the type of risk:
- Risk Avoidance. Where possible, managers should choose not to implement processes and procedures that can generate a higher level of risk or complicate the organization’s activity.
- Risk Limitation. Risk can be reduced by implementing security measures and procedures. When implementing these measures, the costs and benefits of the implementation should be taken into account. If the costs of the risk reduction outweigh the benefits, accepting the risk should be preferred to implementing the expensive security measures.
- Risk Transference. Risk can be shared with different partners or transferred to insurance companies. This action must be made taking into consideration the risk behavior of the organization and of the partner that supports and better controls the risk.
- Risk Assumption. Organizations can choose to acknowledge the existence of a risk and monitor it. They can also ignore it, but this action can be very dangerous. The decision to assume a risk must be well documented and analyzed by the management team of the organization.
- Risk Elimination. The goal of this action is to eliminate the risk, but most of the options tend to eliminate the organization from the market. An organization that does not accept risk will not survive on the market.

To reduce the risk, organizations should use tools such as:
- Identifying all the methods available for reducing the risk and choosing the optimal ones.
- Planning the appropriate activities for applying the method previously chosen. If risks are related to activity deadlines, using activity planning software can reduce risks within reasonable limits.
- Implementing the activities planned in order to mitigate the risks. Some of the measures generally applied are:
  Training the staff dealing with activities at risk - many IT risks are connected to untrained personnel, and this affects productivity and work quality. Through training in the security field, the likelihood of incidents and their effect can be reduced.
  Redesigning security measures - organizations should identify those threats and vulnerabilities that generate risks with a strong impact on the company’s activity and improve the security systems permanently.

When control actions must be taken, the following rule applies: address the greatest risks and strive for sufficient risk mitigation at the lowest cost, with minimal impact on other mission capabilities. [1]

The methodology of implementing security measures contains several steps:
- System protection: ensure the quality of the IT system implementation in terms of design and the manner in which the implementation was accomplished.

Another category includes the prevention measures that prevent the occurrence of events that have a negative impact on the organization’s activity:
- Authentication: these measures verify user identity. The mechanisms used are passwords and PINs (personal identification numbers).
- Authorization: verify whether employees are authorized to make changes to the system.
- Protected communications: ensure the integrity, confidentiality and availability of sensitive data during their transmission.
- Transaction privacy: protect against loss of privacy of important information.

The third category, detection and recovery measures, detects an adverse event and/or recovers lost information in case of an adverse event:
- Intrusion detection: ensure the detection of possible events with negative impact in order to avoid them or reduce their impact.
- Restore secure state: these measures are capable of bringing the system back to the last known secure state after a security breach occurs.
- Virus detection and eradication: detect, identify and remove viruses to ensure system and data integrity.

Management security controls
These controls are implemented to reduce the level of risk and protect the organization’s mission. They are focused on policies, guidelines and standards for information protection. Management security controls include three categories: preventive, detection and recovery controls.

The first category, preventive management security controls, includes the following controls:
- Development and maintenance of system security plans in order to support the organization’s mission.
- Implementation of personnel security controls, including separation of duties, least privilege, and user computer access registration and termination.
- Technical training to ensure that end users and system users are aware of the rules of behavior and their responsibilities in protecting the organization’s mission.

The second category, detection management security controls, includes:
- Implementation of personnel security controls, including personnel investigation and rotation of duties
- Periodic review of security controls to ensure that they are effective
- Periodic system audits
- The existence of a continuous management process

The third category, recovery management security controls, includes:
- Providing continuity of support and developing, testing, and maintaining the operations plans
- Establishing the system capacity to respond to the incident and return the IT system to operational status

Operational security controls
Operational security controls are used to correct operational deficiencies that could arise when a threat is exercised. These include preventive and detection operational controls.

Preventive operational controls are as follows:
- Controlling data access
- Limiting external data distribution
- Controlling software viruses
- Ability to create backup copies
- Protecting laptops, personal computers and workstations
- Providing an emergency power source
- Controlling the humidity and temperature of the computing

Detection operational controls include the following:
- Providing physical security (motion detectors, sensors and alarms)
- Ensuring environmental security (smoke and fire detectors, fire sensors and alarms)
not only will it not disappear from the market, but it will develop and more easily obtain the targeted results.

References
[1] G. Stoneburner, A. Goguen, A. Feringa, Risk Management Guide for Information Technology Systems, 2002.
[2] S. Southern, “Creating risk management strategies for IT security”, Network Security, 2009, pp. 13-14.
[3] Information Systems Audit and Control Association, Certified Information Systems Auditors, 2006, pp. 85-89.
[4] The Department of Trade and Industry, “Achieving Best Practice in Your Business Information Security: Protecting Your Business Assets”, pp. 8-22. Available at: http://webarchive.nationalarchives.gov.uk/tna/+/http://www.dti.gov.uk/files/file9985.pdf/
[5] R. Bojanc, B. Jerman-Blazic, “An economic modeling approach to information security risk management”, International Journal of Information Management, pp. 413-414, 2008. Available at: http://www.sciencedirect.com
[6] M. Howard, S. Lipner, “The security development lifecycle”, United States of America: Microsoft Press, 2006, pp. 114-116.
[7] E. Humphreys, “Information security management standards: Compliance, governance and risk management”, Information Security Technical Report, vol. 13, 2008, pp. 247-249. Available at: http://www.sciencedirect.com
[8] M. Siponen, R. Willison, “Information security management standards: Problems and solutions”, Information and Management, vol. 46, pp. 269-270, 2009. Available at: http://www.sciencedirect.com
[9] E. Burtescu, Securitatea datelor firmei, Editura Independenta Economica, 2005.