November 6, 2000 |
How Much Risk Is Too Much?
Risk management helps companies balance risk of inaction vs. the cost of action to cut risks
By Brooke Paul, reprinted from Network Computing
All business decisions, in IT or elsewhere, are an exercise in weighing the risk of inaction against the cost of action to reduce that risk. Risk management helps answer questions such as whether failing to upgrade your file-and-print server will affect users' ability to do their jobs; whether implementing the latest intrusion-detection technology will reduce the likelihood of someone breaking into your E-mail server; and whether a firewall is necessary to protect your Web server or whether simple router access-control lists will suffice. Furthermore, a risk-management process will help you prioritize these issues when you lack the resources to address them all immediately.
In today's hypercompetitive world, the use of risk management is vital to the long-term success of all businesses. Not all risks can be eliminated--the cost in resources and time would be prohibitive. In fact, most businesses need to take some risks to gain a competitive edge. Therefore, you must decide when and where educated risks can be taken and how finite resources should be allocated to reduce risk and support business strategies.
Risk management enables sound judgment when taking risks and affords a level of contingency planning should a risk become a reality. Understanding the risks to company assets is the starting point of a risk-management process. Once you understand the risks to your business, you'll be able to make sound decisions on whether to accept, mitigate, or transfer those risks.
In addition, risk management pulls together data from other security areas, such as vulnerability analysis, to provide an overall view of business risk. The focus of this article is the application of techniques for risk management and risk assessment to modern information-security practices.
Risk management can be loosely defined as a systematic process for the identification, analysis, control, and communication of risks. In the business world, these risks can vary from the mundane (for example, the risk of an accounting error) to the esoteric (say, the risk of a cracker taking advantage of a little-known application bug). Risk management should be integrated into the life cycle of any process or project that's important to a business. The use of a risk-management methodology lets a company make informed decisions about the allocation of scarce resources to areas that are most at risk.
Risk management should be an ongoing activity that includes phases for assessing risk, implementing controls, promoting awareness, and monitoring effectiveness. At the heart of risk management is the evaluation of the potential impact of threats on the ability of a company to continue providing products or services to customers. This evaluation phase of the process is risk assessment.
Risk assessment--often confused with vulnerability assessment or analysis, which is a critical phase in any security-risk assessment--is widely used in the public and private sectors to support decision-making processes. Employing risk-assessment methodologies to drive decision-making processes around security and associated technology allows for consistent and effective use of decision-support data, as well as removal of technical bias from what are essentially business decisions.
Risk assessment is a process for tying together information gathered about business assets, their value, and their associated vulnerabilities to produce a measure of the risk to the business from a given project, implementation, or design.
Of the many risk-assessment methodologies used, the most common is ad hoc--someone believes a risk exists and convinces management that the risk should be addressed. Although this type of qualitative risk assessment works sometimes for small companies, it doesn't scale for large businesses; often, the reasoning behind the assessment is a recent incident that has received wide news coverage. Clearly, a more systematic methodology is necessary to properly identify and categorize risks.
An analysis of the numerous risk-assessment methodologies is beyond the scope of this discussion, but it's important to note that each methodology has been developed to meet specific needs, each has strengths and weaknesses, and each may or may not apply to a given situation.
Regardless of the methodology you choose, risk assessments generally follow a five-phase approach. The critical aspect of any risk assessment is that it ties a threat or vulnerability to a business asset or process. The analysis method provides the probability measure, whether it's based on a formal methodology (as in tree analysis) or on past experience (historical analysis).
Risk assessment plays a vital role in any information-security program, ensuring that resources are being allocated in the most effective way to support the business. Because resources are always limited, controls should be applied to areas that represent the biggest risks.
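The article describes the mechanics of a quantitative assessment in prose (asset value, a probability measure, accept/mitigate/transfer, and prioritizing under scarce resources) without working one through. As an added illustration that is not part of the original article, the Python below builds a small risk register for the three scenarios the article uses, ranks them by expected annual loss, and for each compares the cost of inaction (accepting) with the cost of each mitigation or transfer option, first with ample budget and then with a constrained one. The model (loss per event multiplied by expected events per year, with each option removing a fraction of that loss) is the common annualized-expected-loss formulation and is an assumption here, as are every asset, control, and dollar figure, which are constructed sample data.

```python
"""Quantitative risk register: rank risks by expected annual loss, then choose
accept / mitigate / transfer for each by comparing the cost of action with the
cost of inaction under a limited budget.

Added illustration, not code from the article. The annualized-expected-loss
model is an assumption; all assets, options and figures are constructed.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    loss_per_event: float    # business value lost each time the threat is realised
    events_per_year: float   # the probability measure (historical or analytical)

    @property
    def expected_annual_loss(self) -> float:
        return self.loss_per_event * self.events_per_year


@dataclass(frozen=True)
class Option:
    kind: str              # "accept", "mitigate" or "transfer"
    name: str
    annual_cost: float     # control cost or insurance premium per year
    loss_reduction: float  # fraction of expected annual loss the option removes (0..1)


ACCEPT = Option("accept", "do nothing", 0.0, 0.0)


def total_annual_cost(risk: Risk, option: Option) -> float:
    """Cost of the option plus the residual loss it leaves behind."""
    residual = risk.expected_annual_loss * (1.0 - option.loss_reduction)
    return option.annual_cost + residual


def best_option(risk: Risk, options: Sequence[Option]) -> Option:
    """Accepting the risk is always on the table; pick whatever costs least overall."""
    return min([ACCEPT, *options], key=lambda o: total_annual_cost(risk, o))


def rank_risks(register: List[Tuple[Risk, List[Option]]]):
    """Biggest expected annual loss first: where controls should go first."""
    return sorted(register, key=lambda entry: entry[0].expected_annual_loss, reverse=True)


def allocate_budget(register: List[Tuple[Risk, List[Option]]], budget: float):
    """Walk the register biggest risk first and, for each, take the best option
    that still fits the remaining budget. Returns (plan, unspent budget)."""
    plan = []
    remaining = budget
    for risk, options in rank_risks(register):
        affordable = [o for o in options if o.annual_cost <= remaining]
        choice = best_option(risk, affordable)
        remaining -= choice.annual_cost
        plan.append((risk, choice))
    return plan, remaining


# Constructed sample register built around the article's three scenarios.
WEB = Risk("Web server", "defacement via application bug", 20000.0, 0.5)
MAIL = Risk("E-mail server", "intrusion and data theft", 48000.0, 0.25)
FILES = Risk("file-and-print server", "outage of aging hardware", 4000.0, 1.0)

FIREWALL = Option("mitigate", "firewall", 3000.0, 0.75)
ROUTER_ACL = Option("mitigate", "router access-control lists", 500.0, 0.25)
IDS = Option("mitigate", "intrusion-detection system", 12000.0, 0.5)
INSURANCE = Option("transfer", "insurance policy", 3000.0, 0.875)
UPGRADE = Option("mitigate", "server upgrade", 5000.0, 0.75)

REGISTER = [
    (WEB, [FIREWALL, ROUTER_ACL]),
    (MAIL, [IDS, INSURANCE]),
    (FILES, [UPGRADE]),
]

if __name__ == "__main__":
    for budget in (100000.0, 5000.0):
        plan, left = allocate_budget(REGISTER, budget)
        print(f"budget {budget:,.0f}:")
        for risk, opt in plan:
            print(f"  {risk.asset:22s} EAL {risk.expected_annual_loss:8,.0f} -> "
                  f"{opt.kind:8s} {opt.name} (total {total_annual_cost(risk, opt):,.0f})")
        print(f"  unspent {left:,.0f}")
```

Two things the numbers make visible that the prose only asserts: the intrusion-detection system for the E-mail server is never worth buying at these figures because its annual cost exceeds the entire expected loss, so the rational choices are to transfer (insure) or accept, and with only 5,000 to spend the Web server gets router access-control lists rather than the firewall, because the cheaper control still beats doing nothing once the firewall no longer fits the budget. Changing any figure changes the ranking, which is the point of writing the assessment down rather than arguing it ad hoc.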