An Evaluation of Information Security and Risk Management Theories

1902 Words4 Pages
bulb-icon

Recommended: Principals of risk management

An abundance of information security and risk management theories are prevalent; however, it can be difficult to identify valid and applicable theories. In the reading to follow, several information security and risk management theories are evaluated. These theories are presented and employed via various frameworks, models, and best practice guidelines. An assessment of sufficient research pertaining to these theories is addressed, along with a consideration of the challenges that arise from a lack of research.

Theories

The evolution and understanding of the importance of information security and risk management originates from the awareness for the potential of IT in business functions and as a business enabler. This was then followed by the realization that the risks brought about by this boundless facilitator must be appropriately understood and addressed. The essence of information security and risk management is to identify low vs. high-risk systems and processes, followed by appropriately addressing those risks.

Risk Management Theory. The Risk Management Theory has been around for quite some time. According to Hong, Chi, Chao, and Tang (2003), risks pertaining to IT security can be measured and evaluated by means of assessing potential attack vectors, and susceptibilities to the organization’s systems and processes. The authors suggest that the outcome of this evaluation allows for the identification of essential security programs and the employment of IT security controls to mitigate these risks. The intended outcome of utilizing this theory is to manage risks until they are at a permissible state. The Risk Management Theory, while broad in nature, does not encompass enough of the information security and risk...

... middle of paper ...

...for-Information-Security-Introduction.pdf

ISACA (2012c). ISACA issues COBIT 5 governance framework [Press Release]. Retrieved from http://www.isaca.org/About-ISACA/Press-room/News-Releases/2012/Pages/ISACA-Issues-COBIT-5-Governance-Framework.aspx

Lalonde, C., & Boiral, O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management, 14(4), 272-300. doi:10.1057/rm.2012.9

Leitch, M. (2010). ISO 31000:2009 - The new international standard on risk management. Risk Analysis: An International Journal, 30(6), 887-892. doi:10.1111/j.1539-6924.2010.01397.x

Purdy, G. (2010). ISO 31000:2009 - Setting a new standard for risk management. Risk Analysis: An Official Publication of the Society for Risk Analysis, 30(6), 881-886. doi:10.1111/j.1539-6924.2010.01442.x

Winkler, V. (2011). Securing the cloud. Boston: Syngress. doi:10.1016/B978-1-59749-592-9.00001-4

Show More
Related

  • Pathophysiology Of Guillain-Barre Syndrome

    1220 Words  | 3 Pages

    Bernd C Kieseier, and Hans-Peter Hartung. Also used for this paper was the article “The risk of

    Read More

  • Case Study Of The Sprout Foundation

    2486 Words  | 5 Pages

    National Institute of Standards and Technology (NIST): Risk Management Guide for Information Technology Systems. Special Publication 800-30, 2002.

    Read More

  • The United States and Illegal Immigration

    1096 Words  | 3 Pages

    Rousmaniere, Peter. “Facing a tough situation.” Risk & Insurance 17.7 (June 2006): 24-25. Expanded Academic ASAP. Web. 23 March 2011.

    Read More

  • Homeland Security: The Mission Of Homeland Security

    1035 Words  | 3 Pages

    Security helps the organization meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets through the selection and application of appropriate safeguards. Businesses should establish roles and responsibilities of all personnel and staff members. However, a Chief Information Officer should be appointed to direct an organization’s day to day management of information assets. Supporting roles are performed by the service providers and include systems operations, whose personnel design and operate the computer systems. Each team member must be held accountable in ensuring all of the rules and policies are being followed, as well as, understanding their roles, responsibilities and functions. Organizations information processing systems are vulnerable to many threats that can inflict various types of damage that can result in significant losses (Harris, 2014). Losses can come from actions from trusted employees that defraud the system, outside hackers, or from careless data entry. The major threat to information protection is error and omissions that data entry personnel, users, system operators and programmers make. To better protect business information resources, organizations should conduct a risk analysis to see what

    Read More

  • Considerations for Risk Matrices

    517 Words  | 2 Pages

    Risk matrices are tools that allow the categorization of risk using either a two, three, or four dimensional risk scoring system. Although risk assessments remain to be the most systematic and effective methods of identifying risks and determining the best methods in minimizing or removing them they are still subjective even when risk assessments are presented in an objective manner that are often based on assumptions which are subjective themselves. Nonetheless, they are an essential part of any risk management program which incorporates the processes of risk analysis and risk evaluation by separating risk that is unacceptable from those that are acceptable, but no matter what type of matric is used, risks should always be evaluated in a consistent manner. When conducting risk assessments, they are analyzed by combining estimates of severity (consequence or outcome) with the probability (frequency or likelihood) of occurrence such as in the two dimensional risk scoring system. The simplest of the three different scoring systems, the two dimensional scoring system can be further clar...

    Read More

  • The Importance Of Cyber Risk Management

    2313 Words  | 5 Pages

    The phrase ‘cyber risk’ means jeopardizing an organization’s financial status and revenue due to the advancement in technology (IRM, 2014). The concern with the increase growth in technology, it causes a high risk in security and privacy. Cyber risk may not only occur in big or small organizations, but also data breach in high-profile personnel’s or release of government documents. While businesses and society continue to engage in the use of technology, the potential cyber threat is really underestimated. Cyber risk management will help prevent the release of confidential and personal information to the attackers. Some examples of recent cyber attacks are the massive data breach at Target and the leak of confidential information in Panama.

    Read More

  • Script Kiddies

    1081 Words  | 3 Pages

    In the contemporary world, organizations are increasingly under pressure to secure their systems against cyber-attacks that could cripple their operations. While advancements in information technology have enhanced business efficiency and profitability, they have also exposed businesses to new and emerging threats. Currently, they allocate millions of dollars to purchase and maintain programs aimed at preventing virus and malware attacks against their systems. Inevitably, technology-dependent organizations should embrace security awareness as part of their corporate culture. In the modern context, security lapses could cost organizations lots of money, valuable data, and crippled operations.

    Read More

  • Cyber Crime Case Study

    1142 Words  | 3 Pages

    Almost every business deploys the traditional security based, methods to combat the threats of cybercrime; however, this is not sufficient to fully erase the threats. Any risk based method must look at what is leaving the IT environment, as well as the data inflowing, because, what is going out holds possibly greater significance than the traditional bastion based security methods (Peltier, 2010). Organizations must comprehend how visible they are to online criminal in regard to, targets of interest, attack routes, and possible process vulnerabilities. So to better defend against attack, a simple equation provides the underpinnings of the numerical system for rating risks and is expressed by the following: Risk = consequence × (threat × vulnerability) (Peltier, 2010). This equation is superior to the standard equation that only factors in threat and vulnerability and should be used for calculating

    Read More

  • HIPAA, CIA, and Safeguards

    1633 Words  | 4 Pages

    Whitman, M., & Mattord, H. (2010). Management of information security. (3rd ed., p. 6). Boston, MA: Cengage Learning.

    Read More

  • Primary Responsibilities of a Private Security Manager

    1019 Words  | 3 Pages

    Principle of Security Management by Brian R. Johnson, Published by Prentice-Hall copyright 2005 by Pearson Education, Inc.

    Read More

  • Information Security: The John McCumber Model

    1132 Words  | 3 Pages

    There are number of different models proposed as framework for information security but one of the best model is McCumber model which was designed by John McCumber. In this model the elements to be studied are organized in a cube structure, in which each axis indicates a dissimilar viewpoint of some information security issue and there are three major modules in each axis. This model with 27 little cubes all organized together looks similar like a Rubik's cube. There are three axes in the cube they are: goals desired, Information states, and measures to be taken. At the intersection of three axes you can research on all angles of an information security problem.

    Read More

  • Operations Management Case Study

    891 Words  | 2 Pages

    Data breaches have gone up significantly and hackers are coming up with innovative techniques of breaching the data security network. There are several challenges associated with cybersecurity management as there are a multitude of threats arising from various sources. Cybersecurity threat can have different levels of impact on an organization or a business and varies based on the industry type. According to the Securitas USA survey, manufacturing, healthcare and insurance, finance, information, and utilities saw cybersecurity as the topmost threat for their businesses (Securitas USA,

    Read More

  • The Five Steps Of Risk Management In Coca-Cola

    965 Words  | 2 Pages

    As the first step, identify potential risks plays a crucial role in the risk management process. The core purpose of identifying risk is to figure out causes of risk and analyze result caused by the risks and its probability . Hence, risk identification can begin with the source of problem, or with the problem itself. The chosen method of identifying risk may depend on culture, industry practice and compliance. The identification

    Read More

  • Effective Physical Security

    2468 Words  | 5 Pages

    Johnson, B. R. (2005). Principles of Security Management. Upper Saddle River, NJ: Pearson Prentice Hall.

    Read More

  • Information Security

    2693 Words  | 6 Pages

    The first thing that we must consider about Information Security is that there is not a final destination at which we can arrive. IT Security is an ongoing set of processes and activities that requires attention and expertise on a daily basis. It is important to understand that systems are not secured by themselves and it is our responsibility to maintain and improve them periodically as required. It is of vital importance to establish the appropriate mechanisms and requirements in order to support the company’s CIA triad. The following report will provide you guidance about auditing and hardening techniques applied though the 7 Domains by utilizing IT Security Best Practices.

    Read More

More about An Evaluation of Information Security and Risk Management Theories

Open Document