Information security is a core concern for most organizations because advances in distributed processing have made information easier to access, and organizations consequently want to assure that their information is protected. (Rossouw von Solms, et al., 1998, pp.174) Information security is needed because the technology applied to information creates risks. (Bob Blakley, et al., 2001, pp.97) Organizations try to protect their information by protecting their information technology environment. (Rossouw von Solms, 1999, pp.51)
In the beginning, mainframe computers with single processors were used; there was no shared database and only one program ran at a time. Such an environment was easy to secure: a few technical and physical mechanisms protected the entire information processing environment. The computing revolution and multi-processing then brought a number of additional technical security mechanisms, and more technical and procedural mechanisms were required to secure such an environment. (Rossouw von Solms, 1999, pp.50)
In the modern era IT and IS are involved in almost every business and management activity, process and operation, giving the organization efficiency, flexibility, quality, information sharing and better decision making. Financial organizations demand IT services and applications to meet today's business requirements, create business value and gain competitive advantage. As IT services and applications have become important, IT and IS risk management has become equally important, to make sure that the organization's business is secure from internal and external threats and able to recover from unforeseen ones.
Developments in technology have given financial organizations the opportunity to provide products and services online. Fast technological development brings benefits, but at the same time it carries risks.
The purpose of this study is to address the information security operational risks and their impact on business with respect to financial organizations. Information in financial organizations is very sensitive, as most financial services now allow customers to perform financial transactions over the internet and even via mobile phones; this has raised new questions in terms of information security and risk. This research will therefore propose a solution for improving information security by drawing on the theories presented by different researchers and comparing them with primary data in order to reach concrete conclusions.
1.1 Problem statement
The importance of information security depends on how dependent an organization is on its information technology. (Bob Blakley, et al., 2001, pp.97) Organizations are now more dependent on technology, and security risks have therefore increased. Many organizations provide online services, which involve new risks, and outsourcing adds further information security risks. (Giovanni Lacello, pp.1) The main challenge for organizations is now to secure their information, and it becomes harder day by day because new security challenges appear almost daily.
Many financial organizations now link their computer networks to the internet to provide services to their clients and to connect with the networks of their business partners, so information can be lost to a great extent. An information security policy dictates the behaviour of users within an organization and cannot regulate users outside it. Under these circumstances a secure IT community is required to ensure a secure IT environment. (Rossouw von Solms, et al., 1998, pp.174)
In the era of electronic commerce, proper information security is required among business partners. Technical security controls and proper operational controls are required together to implement a secure IT environment; the operational controls govern the actions and behaviour of users when they handle information. (Rossouw von Solms, 1999, pp. 51)
Information security plays a vital role in a financial organization, which needs to pay special attention to managing its information security in order to keep its daily operations consistent and reliable. A financial organization faces several types of operational risk, for instance internal virus attacks, unauthorized access to resources, unauthorized use (beyond defined responsibilities) and user error (intentional or unintentional), which can affect its business to a great extent.
There are several types of risk in a financial organization, but operational risks are the most important: if they are not handled properly they can damage the organization's business. These risks demand a high level of consideration, so organizations must know how they are to be managed in order to enhance information security.
1.2 Research Question(s)
What are the operational risks related to information security in financial organizations, and how can these risks affect the business in the investigated area?
How can these problems be solved in order to enhance information security?
1.3 Objective and Purpose of the research
Many people appear to know about the risks involved in information security, but only a few have a real understanding of them, because information security is multifaceted and involves different aspects of technology, business processes, organizations and individual behaviour. (Jorma Kajava, et al., 2006, pp.2091)
In this study we intend to investigate the operational risks related to information security in financial organizations. After thorough investigation, the identified operational risks will be analyzed in the financial organizations studied in order to provide a solution to enhance information security.
1. Information security is a wide field and requires a lot of time to analyze properly. Because of the limited time frame, the authors were forced to narrow their focus and effort.
2. We will analyze primary data from two companies only.
3. Qualitative interviews will be conducted to get primary data.
1.5 Target Audience
The target audience we have in mind for this paper consists of both academic readers and professionals who have an interest in and some knowledge of information security. The reader will gain in-depth details of the operational risks and threats to securing information within a financial organization.
Choice of Topic
Collin Fisher (2007, p.31-33) states that the topic chosen for research should be interesting, relevant to your course and even exciting; otherwise motivation drops after a certain time and that creates problems in completing the project. Moreover the chosen topic should be durable and accessible, and enough literature should be available to write a literature review and make a detailed analysis. In this regard our topic is interesting, relevant to our programme and in demand in the market among researchers, business executives and IT management students.
"As companies are increasingly faced with a variety of information security threats, they are permanently forced to pay attention to security issues. Risk management provides an effective approach for measuring the security through risk assessment, risk mitigation and evaluation. Existing risk management approaches are highly accepted but demand very detailed knowledge about the IT security domain and the actual company environment". (Andreas, Stefan & Thomas, 2009, pp.1)
According to Collin Fisher (2007, p.15) there are different methodological approaches to carrying out management research, i.e. realist research, managerial autobiography, exploratory research, postmodernism, critical realism, standpoint research, hermeneutics, action research, interpretivism and phenomenology.
Moreover, Fisher (2007, p.153-155) discusses two approaches to discovering new things in his book "Researching and writing a dissertation": explorers (qualitative) and surveyors (quantitative). Explorers have an open approach with a conceptual framework and no preconception of what they will find. Surveyors, on the other hand, come at a later stage of discovery, have a closed approach, organize everything in advance and know what they are going to find out.
A qualitative research method will be used in this study because our research is qualitative in nature. The research will be carried out by reviewing the available literature on operational risk related to information security and on the factors that improve information security in financial organizations. The authors will try to gain deep knowledge and understanding of the selected topic.
Data collection and source
The sources of information used in this report comprise both primary and secondary data.
There are different ways to conduct an interview. We will use informant and respondent interview techniques. Respondent interviews are conducted with individuals who are engaged and present in the investigated area, whereas informant interviews are used to get information from individuals who are not involved in the investigated area but have adequate information to provide about the topic (Donald T. Campbell, 1995, pp. 1955).
Primary data is the most valuable data for our work. Interviews are an efficient way to collect primary information, and for this thesis primary data will be collected by conducting interviews using a qualitative approach. The interviews will not be highly structured, because our main goal is to work through the questions with the interviewee, which can lead to more discussion of the subject. We will therefore not conduct a fully structured interview, but we will make sure that all required questions are answered. The aim of the interviews is to obtain valuable information related to the topic of the thesis.
Primary data will be collected from NCCPL (a financial company established in Pakistan) and CDC (a financial company and custodian of stock shares).
Based on the problem definition and the findings of the literature review, we devised a set of interview questions. The intention is to gain a better understanding and deeper knowledge of the problem. The structured list of interview questions can be found in Appendix 1.
The primary data from NCCPL and CDC will be compared with the secondary data in the analysis part, and based on this comparison we will arrive at conclusions and recommendations and answer our research questions.
Our second source of information is secondary data, with which we will start our work. This data will be gathered from articles, books, journals and online databases available through the MDH library, such as Elin@Malardalen, Emerald, IEEE Xplore and Compendex. The keywords used are information security, information security risks, operational risks, operational risk management, operational risks in financial organizations, etc.
Data analysis is an ongoing and iterative process in which new components are introduced successively; comparison and analysis will be performed using a qualitative approach. Analysis of the primary and secondary data will provide answers to the defined research questions (Miles and Huberman, 1994).
Miles and Huberman (1994) describe analysis as three streams of activity:
Data reduction: this process selects, simplifies, abstracts and transforms the data. It continues throughout qualitative research. Its primary goal is to shape the data so that conclusions can be drawn and verified.
Data display: after data reduction, the data is displayed in an organized manner so that conclusions can be drawn more easily.
Conclusion: in this part decisions are made about which explanations and suggestions to put forward.
Components of data analysis: interactive model. Source: Miles and Huberman (1994, p. 12)
Data analysis in this research will follow the above model and concentrate on comparing primary data gathered through interviews with secondary data (literature gathered from authoritative databases).
Fig: Framework of methodology. Source: Authors' own
The intended conceptual framework elaborates the impact of information security operational risks on financial organizations. These are the forces that drive the organization towards success or failure, and the core purpose of this report is to analyze and evaluate operational risks, their assessment and management, from different perspectives, together with their effect on the organization's business, which determines whether the organization achieves its short- and long-term goals. The factors mentioned are mutually dependent, with some intervening factors. Concepts from Applegate et al. and Hedman and Kalling will be used in the research, along with concepts from articles, journals, online material and the primary data we intend to gather.
3.0 Review of appropriate literature
Collin Fisher's book "Researching and writing a dissertation for Business Students" will be used as a guideline for carrying out the research. The thesis will follow the six steps defined by Fisher: topic selection, critical literature review, developing concepts, conceptual frameworks and theories, collection and analysis of the research material, interpreting the research material, and finally writing up the dissertation.
Correct information is an integral part of an organization, because management takes its decisions on the basis of this information; wrong or ambiguous information leads management to wrong decisions.
Information technology resources can be applications, data, hardware and operating systems. IT resources need to be protected from unauthorized access, alteration and damage.
Figure 1: Security Model. Source: Authors' own
Information Security Overview
Information technology has become a crucial component of organizations because it touches nearly every aspect of an organization, managing and storing the information on which the organization depends for its survival. The most significant role of information technology governance is to secure that information, its availability, confidentiality and integrity, on which everything else depends. The objective of information security is to secure information systems and the data in them in order to ensure availability, integrity and confidentiality. (Jorma Kajava, et al., pp.2092) Many people consider information security an issue related to technology: they think that technology people secure information and computer systems from various threats, which is not true. In reality it is the computer operator who has to decide which risks must be protected against and which risks he is willing to accept.
Information security is the term describing the need to protect information, based on the fact that information is classed as a valuable asset (Predrag Mitrovic, 2005). The question then is what type or form of information should be protected, and the answer is simple: any medium that can hold information, such as an audio tape, a compact disc, a letter or a web page, is included, but it is the value of the information that sets the level of information security work needed.
Garry Geddes explains another aspect of information security: "every information security framework is centered on understanding the risks to the organization and managing them to an acceptable level." This statement describes the value of risk assessment, which is a vital part of information security.
Information security is no longer an internal matter of an organization. In the modern era, an organization's information security affects its partners, and business partners therefore demand a satisfactory level of information security from each other. Information security management standards play an important role in this respect. (Rossouw Von Solms, pp.50)
Information security is of significant importance in financial organizations. Customer information is considered very sensitive, so financial organizations need to implement proper information security mechanisms to secure it. Financial organizations rely on information; therefore it is crucial for them to keep this information secure.
Information security Model
Security breaches take the form of unauthorized disclosure of data, incorrect data and data unavailability. Unauthorized disclosure reveals data to unauthorized users. Incorrect modification leads to an incorrect state of the database, and incorrect data can cause organizations such as healthcare or financial organizations heavy losses, financial as well as human. Unavailability means that information which is significant for the smooth running of the organization cannot be obtained. The information security model is therefore a complete solution for securing data against all the above problems. (Elisa Bertino, et al., pp.2) The information security model is composed of availability, integrity, confidentiality and authentication. (Louis J. Bottino, et al., pp.3)
Availability is a wide concept covering many ideas. It is defined as the property of a computer resource that makes information objects available (Ole-Erik Hedenstad, pp.1), or, according to Louis J. Bottino, et al. (pp. 6B3-3), "It is the state of being ready to be used. The attribute of availability is specified as being approachable and prevents the denial of service issues". The main point is that availability is tied to requirements on throughput, redundancy, backups and so on (Ole-Erik Hedenstad, pp.1). In information security, availability means that information is available to valid users; if the information is not there, confidentiality and integrity are of no use. (Robby S. Fussell, et al., pp.1)
The property of integrity means that data is present in its original form and has not been changed. Integrity means that data has not been destroyed in any way and has not been modified by unauthorized users. (Louis J. Bottino, et al., pp. 6B3-3)
Integrity of data is assured collectively by constraints and mechanisms. When a user attempts to change data, the access control mechanism checks whether that user has sufficient rights to access and change it, and the semantic integrity subsystem checks the correctness of the data. (Elisa Bertino, et al., pp.3)
Confidentiality ensures that data is only available to authorized users (Louis J. Bottino, et al., pp. 6B3-3). It is assured by an access control mechanism: when a user attempts to access data, the mechanism verifies that individual's rights. Confidentiality is accomplished by hiding data from unauthorized users or preventing unauthorized access. (Elisa Bertino, et al., pp.3)
Authentication is another parameter of information security; it verifies the identity of the user (Louis J. Bottino, et al., pp.3) and allows only valid users into the system.
Figure 2: IT-Resource Diagram. Source: Authors' own
Information Security Management System
Information security is of significant importance in today's business. It cannot be managed by managing hardware and software alone; it demands a complete end-to-end system, called an Information Security Management System (ISMS). (Manik Dey, pp.1) An ISMS plays a significant part in an organization's security implementation. (Azah Anir Norman, et al., pp.2) It covers all aspects of an organization that deal with creating and keeping a secure information environment, and it can be used by management to manage information security cost-efficiently. An organization can also use the ISMS to check the trustworthiness of another organization's information security arrangements. (Jan H.P. Eloff, et al., pp.130) Establishing and implementing an ISMS requires the involvement and contribution of all employees, from senior management to end users, and the ISO security standards guide organizations on the requirements. (Manik Dey, pp.1)
An ISMS is a combination of policies, standards, guidelines, technology, and human, legal and ethical issues. It has strategic, human, technology and process perspectives. The strategic perspective addresses management, policy and governance issues; the human perspective addresses culture, awareness and ethics; the technology ISMS concentrates on software and hardware products; and the process ISMS encourages the implementation of the controls contained in a standard, for instance ISO 17799. Such a standard includes technical specifications concerning aspects like the IT network and access control. (Jan Eloff, pp. 130)
The purpose of an ISMS is to provide the right information to the right person at the right time and place.
Fig: Figurative description of an Information Security Management System (ISMS). Source: Authors' own
To achieve this purpose an ISMS is divided into two levels, system-level ISMS and process-level ISMS. According to BSI (Bundesamt für Sicherheit in der Informationstechnik, 2004), "the process-level contains several sub processes such as development, planning, implementation, evaluation, and maintenance of IT security. The System-level in contrast is concerned with the orchestration of the Process-level's tasks. It contains matters like organizational structure, responsibilities, processes and resources." (Michael Huber, et al., pp.146)
Figure: Levels of ISMS (Michael Huber, et al., pp.146)
ISO standards for information security management systems
The process ISMS encourages the implementation of the controls contained in a standard such as ISO 17799, which includes technical specifications on aspects like the IT network and access control. (Jan Eloff, pp. 130)
Many different standards can be used in an ISMS, for instance ISO 9001, ISO 17799, BS 16000, ISO Guide 62, TR 13335 and the Common Criteria. (Jan Eloff, pp. 131)
International standards provide effective practices for information security, for instance for managing information security effectively and for dealing with portable devices, wireless technology and the internet. ISO/IEC 17799 is the standard for information security management; it offers a common language for information security that lets organizations communicate with each other on the same level. After ISO/IEC 17799, the international standardization committee developed another standard for information security management, ISO/IEC 27001. (Jorma Kajava, et al., pp.2093) Note that ISO/IEC 17799 is a code of practice (it was later renumbered ISO/IEC 27002), whereas ISO/IEC 27001 specifies the requirements an ISMS must meet and is the standard against which an organization can be certified.
Within standardization, the ISO 27000 series is dedicated to information security management systems. (Beatrix Barafort, et al., pp.7)
ISO 27001 is one of the most important standards in the ISO 2700x series (Michael Huber, et al., pp.146). It was transposed from BS 7799-2:2002, which represented the de facto state of the art in the organization of information systems security (Beatrix Barafort, et al., pp.3). ISO 27001 defines the key requirements for planning, establishing and implementing information security management systems. (Michael Huber, et al., pp.146)
The recently developed ISO 27001 standard encourages a process approach. Nevertheless, it does not define what a process is or how a process is to be evaluated. (Beatrix Barafort, et al., pp.4)
ISO/IEC 27001 was developed to protect the information assets of all types of business cost-effectively. Risk management is the main focus of the standard and is achieved through risk methods built into the Plan-Do-Check-Act process model. The main functions of this risk-based standard are to manage the information security aspects of an organization, secure its information assets and protect the organization from a broad range of threats to information systems and processes. (Ted Humphreys, pp.1-2)
Various techniques can be used to enhance information security. Access control is one of the most widely used, keeping information and information systems secure and consistent (Zeng Zhongping, et al., pp.210); it has been regarded for years as the most significant means of securing information (Zhichao Wen, et al., pp.1) and is essential for protecting data from unauthorized modification (Janne Merete Hagen, et al., pp.5).
An organization frequently deals with changes of personnel, which change access rights and information and make the administration of access authorizations difficult. (Zeng Zhongping, et al., pp.211)
An organization needs systems that specify who can access particular information, and proper access control measures are required to control these problems. Access control measures are also significant against malicious insiders, who are described as a substantial threat. (Janne Merete Hagen, et al., pp.3-5)
Access control is a policy that ensures that requests from authorized users are recognized and accepted, and requests from unauthorized users are recognized and rejected. (Zhichao Wen, et al., pp.1)
Weaknesses in access control expose organizations to various types of threats; many reported incidents could have been countered by implementing proper access control measures. (Janne Merete Hagen, et al., pp. 4-6)
A financial organization holds a huge amount of sensitive and confidential information, for instance credit card numbers, stock numbers and fund numbers, and therefore requires a high level of information security, for which a suitable access control framework is needed. A traditional access control framework offers an effective model that can bound the operations of different users, but it has drawbacks and does not fully meet the requirements of a financial organization. A Three-Layer Role-Based Access Control framework (TL-RBAC) is therefore suitable: it meets those requirements by applying access control at three levels, web pages, operations and data. In the first layer, coarse-grained access control filters out unknown attacks on web pages, for instance denial-of-service attacks. In the second and third layers, fine-grained access control on operations and data restricts each user to his rights. (Zhichao Wen, et al., pp.1-4)
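The three layers described above, together with the access-control and semantic-integrity checks described earlier under integrity and confidentiality, can be sketched in a few dozen lines. The following Python is an added illustration written for this page, not code from Zhichao Wen et al. or from the thesis; the roles, pages, account records, request limit and branch assignments are all constructed for the example, and authentication of the calling principal is assumed to have happened before `authorize` is reached. Each request is evaluated layer by layer and denied at the first layer that rejects it, so the decision records which layer fired.

```python
"""Three-layer role-based access control (TL-RBAC) illustration.

Layer 1 (coarse, web page): per-client sliding-window request limit plus a
                            role-to-page map, so floods and unknown roles are
                            dropped before any business logic runs.
Layer 2 (fine, operation):  role-to-operation map per page.
Layer 3 (fine, data):       record-level rule (ownership / branch), then a
                            semantic integrity check before a write is accepted.
All roles, pages, records and limits below are constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional

# --- Layer 1: pages a role may reach, and the request limit per client ---
PAGE_ROLES = {
    "/accounts": {"customer", "teller", "auditor"},
    "/transfer": {"customer", "teller"},
    "/admin":    {"admin"},
}
MAX_REQUESTS = 5        # requests per client per window (constructed value)
WINDOW_SECONDS = 60

# --- Layer 2: operations a role may perform on a page ---
OPERATION_ROLES = {
    ("/accounts", "view"):   {"customer", "teller", "auditor"},
    ("/accounts", "close"):  {"teller"},
    ("/transfer", "submit"): {"customer", "teller"},
    ("/admin", "add_user"):  {"admin"},
}

# --- Layer 3: constructed account records ---
ACCOUNTS = {
    "ACC-1": {"owner": "alice", "branch": "north", "balance": 500},
    "ACC-2": {"owner": "bob",   "branch": "south", "balance": 100},
}


@dataclass
class Request:
    client: str                 # authenticated principal (assumed already verified)
    role: str
    page: str
    operation: str
    account: Optional[str] = None
    params: dict = field(default_factory=dict)
    now: float = 0.0            # injected clock so the limiter is testable offline


@dataclass
class Decision:
    allowed: bool
    layer: int                  # 0 means every layer passed
    reason: str


class TLRBAC:
    def __init__(self, branch_of_teller):
        self._hits = defaultdict(deque)          # client -> timestamps of recent requests
        self._branch_of_teller = branch_of_teller

    def _rate_limited(self, client, now):
        # Sliding window: evict timestamps older than the window, then count.
        q = self._hits[client]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        q.append(now)
        return len(q) > MAX_REQUESTS

    def _record_rule(self, r, acct):
        # Customers reach only their own accounts, tellers only their branch,
        # auditors may read any record; every other role is denied here.
        if r.role == "customer":
            return acct["owner"] == r.client
        if r.role == "teller":
            return acct["branch"] == self._branch_of_teller.get(r.client)
        return r.role == "auditor"

    @staticmethod
    def _integrity_ok(r, acct):
        # Semantic integrity: a transfer must be a positive amount within balance.
        if r.operation != "submit":
            return True
        amount = r.params.get("amount")
        return isinstance(amount, (int, float)) and 0 < amount <= acct["balance"]

    def authorize(self, r: Request) -> Decision:
        if self._rate_limited(r.client, r.now):
            return Decision(False, 1, "rate limit exceeded")
        if r.role not in PAGE_ROLES.get(r.page, set()):
            return Decision(False, 1, "page not permitted for role")
        if r.role not in OPERATION_ROLES.get((r.page, r.operation), set()):
            return Decision(False, 2, "operation not permitted for role")
        if r.account is not None:
            acct = ACCOUNTS.get(r.account)
            # Unknown and foreign records get the same answer: no existence leak.
            if acct is None or not self._record_rule(r, acct):
                return Decision(False, 3, "record not permitted for principal")
            if not self._integrity_ok(r, acct):
                return Decision(False, 3, "semantic integrity check failed")
        return Decision(True, 0, "allowed")


if __name__ == "__main__":
    ac = TLRBAC(branch_of_teller={"tina": "north"})
    print(ac.authorize(Request("alice", "customer", "/transfer", "submit",
                               "ACC-1", {"amount": 50})))
    print(ac.authorize(Request("alice", "customer", "/accounts", "view", "ACC-2")))
```

Two design points matter in practice. The record-level rule and the integrity check live at layer 3 and run only after the role has passed the coarser layers, so a denied request never touches account data. The per-client counter stands in for the paper's coarse-grained filter against denial of service; in a real deployment that filtering is done at the network edge or reverse proxy, not inside the application, because an application-level counter is itself a resource an attacker can exhaust.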
Plan Do Check Act Model
The purpose of the Plan-Do-Check-Act (PDCA) model in an organization is to establish, plan, operate and maintain information security. A complete PDCA cycle comprises four steps:
Plan: specify the information security management system and the organization's security policies, identify and evaluate risks, select control objectives to help manage the identified risks, and prepare the Statement of Applicability.
Do: develop and apply the risk mitigation plan, and apply the selected controls to meet the control objectives.
Check: carry out regular reviews of the strength of the information security management system, re-evaluate the levels of acceptable and residual risk, and carry out regular internal information security management audits.
Act: formalize improvements, maintain communication with stakeholders, take suitable actions, and implement previously identified improvements. (Rene Saint-Germain, pp 64)
Fig - PDCA Model (Manik Dey, pp.3)
What is risk?
According to Neill & Leaney (2001), a risk is an event that has unwanted consequences and losses.
Characteristics of risks
Taylor describes the characteristics of a risk in three parts:
1- The event (any negative or positive event that occurs in the system)
2- The probability of the event occurring (how likely that event is to happen)
3- The impact on the project (the consequences, negative or positive, when the event finally occurs)
A risk analysis shall identify everything that could go wrong in an organization, the probability of it occurring and the consequences it might have. Douglas J. Landoll states: "Within the core of best practices is the security risk assessment." This is a valid statement, given that without knowledge of the risks no one can take action against them.
Operational Risks and its Types
"Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk". Philip H. Martin (2009, pp.2)
According to Hussain (2000) there are various types of operational risk, such as:
1. Business continuity risk
2. Change management risk
3. Personnel risk
4. Regulatory risk
5. Organizational risk
6. Portfolio risk
7. Strategic risk
8. Legal risk
9. Reputation risk
10. Operations risk
There are various risks in financial organizations, but operational risk is considered the most important, because it can destroy a company, either through loss of reputation or through loss of the company's operational capability. Philip H. Martin (2009, pp.2)
Saunders (2000) also states that the internal sources of operational risk are customer relationships, employees, technology and the destruction of capital assets, while external sources are natural disasters, fraud, etc.
Operational risk is further divided into two areas, operational failure risk and operational leverage risk. Operational failure risk is the risk of lost earnings resulting from failures in information systems, processes and people; its risk factors are primarily internal. Operational leverage risk, on the other hand, is the risk that the firm's operations will not generate the expected profit because of external factors such as changes in the political or legal environment or in the nature of the competition. (Finance Wise, 1999)
Bessis (1998) considers operational risk in another way, dividing it into two levels: a technical level, covering issues such as deficiencies in information systems or risk measures, and an organizational level, covering the monitoring and reporting of risk and all related rules, regulations and procedures. Bessis's definition also implies that many operational risks arise from information technology.
Figure: Operational Risk (FinanceWise, 1999)
Operational Risks in financial organizations
Within financial organizations operational risk can be defined as "the entire process of policies, procedures, expertise and systems that an institution needs in order to manage all the risks resulting from its financial transactions." (Hussain, 2000)
According to Elke Wolf (2003, pp.927), operational risks related to information security in financial organizations fall into two main categories.
Internal risks are risks that can occur within an organization; they are further sub-divided into three categories.
External risks are risks that affect the organization from outside.
Risks of main relevance:
- Damage through programming bugs, viruses, infections
- Inappropriate operational procedures
- Dependency on external personnel for maintenance
- Network damages, power breakdown
- Backup failure, loss of data
- Unauthorized use (beyond defined responsibilities)
- Insufficient organizational embedding of personnel
- Unauthorized access, destructive hacks
- Shortcomings/defects of human-machine interfaces
- Workflow interdependencies during transaction processing
- User error (intentional or unintentional)
Table: Operational Risk Model, Source: Author's, Inspiration: (Elke Wolf, 2003, pp.927)
Operational Risks Management
Risk management is about identifying the risk, assessing its impact on the business and taking the right financial decision on how to handle the situation with minimum loss. Risk management is not a one-time process; it is an ongoing activity. (Tom Olzak, 2007)
It should be noted that, no matter how complex the risky situation is to deal with, human judgment plays an important role somewhere in the decision-making process. Decisions regarding risk and uncertainty cannot always be made in a completely objective manner; political and psychological issues are also present. (Edward & David, 2007, pp.15)
Rebecca Herold states: "Prevention is much less expensive than response and recovery" in the book "Information Security Management Handbook". This statement summarizes the thoughts behind risk analysis and information security.
The approaches mentioned above, such as control of information systems, risk management for IS, software process improvement and process models, and project management, are considered to minimize risks to some degree, but they do not cover the whole field of operational information security; in reality these approaches discuss risk only from some specific perspective. Recent ideas for the management of operational risks, such as causal modeling or stochastic processes, are not common in the market. The conclusion is that industry requirements need to be assessed first, and a new risk management model developed on that basis. (Elke Wolf, 2003, pp.931)
Figure: Operational IS Risk Management, Source: Author's, Inspiration: (Elke Wolf, 2003, pp.929)
General Risk Management Approach
As discussed earlier, almost all organizations face risks, whether operational risks, financial risks or information risks. A general procedure for managing risks consists of five stages, as shown in the figure below: risk identification, risk estimation, risk evaluation, risk response and risk monitoring.
Figure: Risk Management risk cycle (Controlled Risk Environment), source: (Baker et al, 1998)
The first two steps, identifying the threats that pose risks to the organization and then estimating those risks, constitute the risk analysis proper, into which every organization needs to put time and effort. The next phase is risk evaluation, which assesses to what extent the risk might affect the organization's business. The last two phases concern risk control and include risk response and risk monitoring: the organization decides how to manage these risks and then monitors the preventive actions. (Baker, et al, 1998)
Companies cannot afford to address every threat to the availability and security of the IT infrastructure with the same intensity, and even if they wanted to, it would make no business sense. Risks must therefore be categorized and addressed according to their probability of occurring and their priority. Management actions to alleviate risks must be prioritized with an eye to their cost and expected benefits. (Applegate, D. Austin and McFarlan, 2007, P. 326)
Regardless of how complex the risks within an organization are, there are four possible approaches to managing them: risk avoidance, risk reduction, risk transfer and risk retention. The first two approaches are referred to as risk control because they minimize the organization's overall exposure to risk. The other two approaches are considered risk financing, whose goal is to ensure that funds are available to recover the losses. (Shimpi, 1999)
Each approach is described briefly below.
"A firm can elect to abstain from investments with payoffs that are too uncertain" (Shimpi, 1999). Activities that create risk can be avoided altogether or replaced by less risky processes (Doherty, 2000). (reference in bottom missing). Each organization has different requirements and needs, on the basis of which it draws the line between acceptable and unacceptable risks; where that line is drawn depends on internal and external factors. Risk avoidance thus reflects each organization's need to maintain its focus and choose its battles (Shimpi, 1999).
An organization can limit the downside risk of its processes by monitoring their progress through continuous inspections and regular evaluation of their efficiency, which is also a loss control technique (Shimpi, 1999).
"Risk reduction occurs through loss control, diversification and loss prevention. Loss prevention seeks to reduce the likelihood of a given type of loss occurring, and examples of loss prevention measures include safety devices like burglar alarms and smoke detectors" (Doherty, 2000).
Risk can also be transferred from one party to another that is better equipped or more willing to bear it (Shimpi, 1999). For example, risk can be transferred to another party by purchasing an insurance policy or by outsourcing a critical part of the business (Doherty, 2000).
In some cases organizations also retain a variety of risks, voluntarily or involuntarily. Voluntary risk retention means a conscious decision to absorb the risk because that is the most effective way of addressing it. Involuntary risk retention occurs when the business fails to recognize its exposure to an upcoming risk (Doherty, 2000; Shimpi, 1999).
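To make the five-stage cycle and the four response approaches concrete, the following added example (not from the thesis or any of the cited authors) scores a small operational risk register built from the risks in the table above. The 1-5 probability and impact scales, the acceptance threshold and the control effectiveness figures are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed qualitative scales (not from the thesis): probability and impact 1..5.
ACCEPTABLE = 6   # assumed acceptance threshold on exposure (probability x impact)

@dataclass
class Risk:
    name: str
    source: str              # "internal" or "external" (Wolf's two categories)
    probability: int         # 1 = rare .. 5 = almost certain
    impact: int              # 1 = negligible .. 5 = severe
    control_effect: float = 0.0   # share of exposure the chosen control removes (assumed)

    def exposure(self) -> int:
        """Risk estimation: Taylor's probability and impact combined into one score."""
        return self.probability * self.impact

    def residual(self) -> float:
        """Residual risk left after the control; what the Check phase re-evaluates."""
        return self.exposure() * (1 - self.control_effect)

def respond(r: Risk) -> str:
    """Risk response: one of Shimpi's four approaches, chosen from the estimate."""
    if r.exposure() <= ACCEPTABLE:
        return "retain"     # conscious (voluntary) retention of a small exposure
    if r.impact >= 4 and r.probability <= 2:
        return "transfer"   # rare but severe: insure or outsource the exposure
    if r.impact >= 4 and r.probability >= 4:
        return "avoid"      # too uncertain: substitute a less risky process
    return "reduce"         # loss prevention and loss control

def treatment_plan(register):
    """Risk evaluation and response: rank by exposure, then decide a response per risk."""
    ranked = sorted(register, key=lambda r: r.exposure(), reverse=True)
    return [(r.name, r.exposure(), respond(r), r.residual()) for r in ranked]

def still_unacceptable(register):
    """Risk monitoring: risks whose residual exposure still exceeds ACCEPTABLE."""
    return [r.name for r in register if r.residual() > ACCEPTABLE]

def sample_register():
    """Constructed register using risks from the operational risk table above."""
    return [
        Risk("Inappropriate operational procedures", "internal", 4, 4, 0.5),
        Risk("Backup failure, loss of data", "internal", 3, 5, 0.5),
        Risk("Unauthorized access, destructive hacks", "external", 3, 5, 0.7),
        Risk("Network damages, power breakdown", "external", 2, 4, 0.0),
        Risk("User error", "internal", 4, 2, 0.5),
        Risk("Dependency on external personnel for maintenance", "internal", 2, 2),
    ]

if __name__ == "__main__":
    for row in treatment_plan(sample_register()):
        print("%-50s exposure=%2d response=%-8s residual=%.1f" % row)
    print("still above threshold:", still_unacceptable(sample_register()))
```

The risks that remain in the last list after treatment are the ones a Check-phase review would flag for a further response or for conscious retention by management.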