Risk management is an activity that integrates the recognition of risk, risk assessment, the development of strategies to manage it, and the mitigation of risk using managerial resources. Some traditional forms of risk management focus on risks stemming from physical or legal causes (for example, natural disasters, fires, accidents or death). It may refer to numerous types of threats caused by the environment, technology, humans, organizations and politics. The objective of risk management is to identify the risks and find solutions to reduce them. This paper describes the different steps in the risk management process and which methods are used in each step [Reference 2].
Risk management is one part of information security. All managers are expected to play a role in the risk management process, but information security managers are expected to play the largest roles. Before studying risk management in detail we should have some idea of risks and of the difference between a hazard and a risk. A hazard is any source of potential damage, harm or adverse health effects on something or someone under certain conditions at work; basically, a hazard can cause harm or adverse effects. A risk is the chance or probability that a person will be harmed or experience an adverse effect if exposed to a hazard.
Risk management is a process of identifying, analyzing, treating and monitoring the risks involved in any activity or process. This process is an expected responsibility for managers in all organizations. Risk management is carried out by two main components: risk identification and risk control [Reference 1].
Risk identification: the process of identifying and documenting the risks. It is carried out by the following steps.
Asset identification and value assessment
Identifying threats and vulnerabilities
Risk control: the process of applying controls to reduce the risks to an organization’s data and information systems. The steps of this process are described under risk control strategies below.
A risk management strategy calls on information security professionals to identify, classify and prioritize the organization’s information assets. Once that has been done, the threat identification process begins. Each information asset is examined to identify vulnerabilities, and when vulnerabilities are found, controls are identified and assessed regarding their capability to limit possible losses should an attack occur.
Asset identification and value assessment
The iterative process of identifying assets and assessing their value begins with the identification of the elements of an organization’s systems: people, procedures, data/information, software, hardware, and networks.
In addition to identifying assets, it is advisable to classify them with respect to their security needs. For example, data could be classified as confidential data, internal data, and public data. No matter how an organization chooses to classify the components of its system, the components must be specific enough to allow the creation of various priority levels. The components can then be ranked according to criteria established by the categorization. The categories themselves should be comprehensive and mutually exclusive. Comprehensive means that every information asset should fit in the list somewhere; mutually exclusive means that each information asset should fit in only one category.
Identifying threats and vulnerabilities
After identifying and performing a preliminary classification of the organization’s information assets, the analysis phase moves to an examination of the threats facing the organization. An organization faces a wide variety of threats. Each threat can be assessed using a few questions. Which threats present a danger to the organization’s assets in the given environment? Which threats present the most danger to the organization’s information? Which threats would cost the most to recover from if there was an attack? Which threats require the greatest expenditure to prevent?
Once you have identified the organization’s information assets and documented some criteria for assessing the threats they face, you should review each information asset and each threat it faces to create a list of vulnerabilities. Finally, you should list the organization’s assets and its vulnerabilities.
Risk assessment is a process of identifying a hazard, analyzing and evaluating the risk associated with that hazard, and finding appropriate ways to eliminate or control the hazard. The risk assessment process is very important for removing a hazard or reducing the level of its risk by adding precautions or control measures. By doing risk assessment we can create a safer and healthier workplace. A competent team of individuals who have a good working knowledge of the workplace should carry out the risk assessment. In most businesses, such as small and medium-sized enterprises, the following steps are used in risk assessment [Reference 3]:
1. Identifying the hazards and those at risk: looking for those things at work that have the potential to cause harm, and identifying workers who may be exposed to the hazards.
2. Evaluating and prioritizing risks: estimating the existing risks (the severity and probability of possible harm) and prioritizing them in order of importance.
3. Deciding on preventive action: identifying the appropriate measures to eliminate or control the risks.
4. Taking action: putting in place the preventive and protective measures through a prioritization plan.
5. Monitoring and reviewing: the assessment should be reviewed at regular intervals to ensure that it remains up to date.
Risk control strategies
When management has determined that the risks from information security threats are unacceptable, or when laws and regulations mandate such action, they empower the information technology and information security communities of interest to control the risks. Once the project team for information security development has created the ranked vulnerability worksheet, it must choose one of the following five approaches for controlling the risks [Reference 1].
The defense approach attempts to prevent the exploitation of the vulnerability. This is the preferred approach and is accomplished by countering threats, removing vulnerabilities in assets, limiting access to the assets and adding protective safeguards. This approach is sometimes referred to as avoidance.
The transferal approach attempts to shift the risk to other assets, other processes, or other organizations. When an organization does not have the correct balance of information security skills, it should consider hiring or making outsourcing arrangements with individuals or firms that provide such expertise. This allows the organization to transfer the risks to another organization that has experience in dealing with those risks.
The mitigation approach attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
Acceptance is the choice to do nothing to protect an information asset and to accept the outcome of its potential exploitation. This may or may not be a conscious business decision.
Like acceptance, termination is based on the organization’s need or choice to leave an asset unprotected. However, the organization does not wish the information asset to remain at risk and so removes it from the environment that represents the risk. Sometimes it may be too difficult to protect an asset compared to the value or advantage that asset offers the company [Reference 1].
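The following worked example ties the steps above together in code. It is an added illustration, not code from this paper or from Whitman and Mattord: it checks that an assumed classification scheme (confidential, internal, public) is comprehensive and mutually exclusive, builds the asset-by-threat vulnerability list, ranks the entries by severity times probability into a ranked vulnerability worksheet, and picks one of the five approaches for each entry. The scoring formula, the decision order for choosing an approach, the risk appetite threshold, and all asset and threat data are constructed assumptions.

```python
"""Worked risk register: classification check, asset-by-threat vulnerability
list, ranking by severity times probability, and one of the five control
approaches per entry. Added illustration; every scoring rule, threshold and
sample value is an assumption, not content from the paper or its references."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float          # relative worth to the organization (assumed 1-10 scale)
    sensitive: bool       # holds data that must not leave the organization
    public_facing: bool   # meant to be read by outsiders


# Assumed classification rules. A comprehensive and mutually exclusive scheme
# means every asset matches exactly one rule.
CLASSIFICATION_RULES = {
    "confidential": lambda a: a.sensitive,
    "internal": lambda a: not a.sensitive and not a.public_facing,
    "public": lambda a: not a.sensitive and a.public_facing,
}


def classify(asset, rules=CLASSIFICATION_RULES):
    """Return the one class the asset fits; raise if the scheme is not
    comprehensive (no match) or not mutually exclusive (several matches)."""
    matches = [name for name, rule in rules.items() if rule(asset)]
    if len(matches) != 1:
        raise ValueError(f"{asset.name}: matches {matches}, expected exactly one")
    return matches[0]


@dataclass
class Vulnerability:
    asset: Asset
    threat: str
    probability: float                  # chance the threat exploits it within a year (0..1)
    severity: float                     # fraction of the asset's value lost if it does (0..1)
    control_cost: float                 # cost of the best available control, same units as value
    likelihood_reduction: float = 0.0   # how far the control lowers the probability (0..1)
    impact_reduction: float = 0.0       # how far the control lowers the severity (0..1)
    expertise_in_house: bool = True     # can the organization operate the control itself?

    def risk(self):
        """Expected loss: probability times severity times asset value."""
        return self.probability * self.severity * self.asset.value


def ranked_worksheet(vulns):
    """The ranked vulnerability worksheet: largest expected loss first."""
    return sorted(vulns, key=lambda v: v.risk(), reverse=True)


def choose_strategy(v, risk_appetite):
    """Assumed decision order over the paper's five approaches."""
    if v.control_cost > v.asset.value:
        return "termination"     # protecting costs more than the asset is worth
    if v.risk() <= risk_appetite:
        return "acceptance"      # below the loss management is willing to carry
    if not v.expertise_in_house:
        return "transferal"      # outsource to a party that has the expertise
    if v.likelihood_reduction > 0:
        return "defense"         # the control prevents exploitation
    return "mitigation"          # the control only limits the impact


def residual_risk(v, strategy):
    """Expected loss left after the chosen approach (assumed effects)."""
    if strategy == "termination":
        return 0.0               # the asset no longer exists in the environment
    if strategy == "acceptance":
        return v.risk()          # nothing is done
    # defense, mitigation and transferal all apply the control, in-house or not
    return v.risk() * (1 - v.likelihood_reduction) * (1 - v.impact_reduction)


def build_register(vulns, risk_appetite):
    """One row per vulnerability, in ranked order."""
    rows = []
    for v in ranked_worksheet(vulns):
        strategy = choose_strategy(v, risk_appetite)
        rows.append({
            "asset": v.asset.name,
            "classification": classify(v.asset),
            "threat": v.threat,
            "risk": round(v.risk(), 3),
            "strategy": strategy,
            "residual": round(residual_risk(v, strategy), 3),
        })
    return rows


# Constructed sample data for a small organization.
DB = Asset("customer database", 10, sensitive=True, public_facing=False)
WIKI = Asset("intranet wiki", 4, sensitive=False, public_facing=False)
SITE = Asset("marketing website", 3, sensitive=False, public_facing=True)

SAMPLE_VULNS = [
    Vulnerability(DB, "unauthorized access", 0.3, 0.8, control_cost=2, likelihood_reduction=0.9),
    Vulnerability(DB, "ransomware outage", 0.2, 0.9, control_cost=3, impact_reduction=0.7),
    Vulnerability(WIKI, "unpatched legacy component", 0.5, 0.5, control_cost=6, likelihood_reduction=0.8),
    Vulnerability(SITE, "defacement", 0.4, 0.6, control_cost=1, likelihood_reduction=0.8,
                  expertise_in_house=False),
    Vulnerability(WIKI, "accidental deletion", 0.1, 0.5, control_cost=1, impact_reduction=0.9),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_VULNS, risk_appetite=0.5):
        print(row)
```

Running the script prints the worksheet in ranked order: the two customer database entries come first because the asset is worth the most, the legacy wiki component is terminated because the assumed control costs more than the wiki is worth, the defacement risk is transferred because the expertise is not in house, and the accidental deletion risk falls below the appetite and is accepted. The residual column shows what each approach leaves behind, which is the figure management would revisit in the monitoring step.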
References
1. Whitman, M., & Mattord, H. (2014). Principles of incident response and disaster recovery (2nd ed.). Boston, MA: Course Technology, Cengage Learning.
2. Berg, H., & Strahlenschutz, B. (2010). Risk management procedures, methods and experiences.
3. https://osha.europa.eu/en/topics/riskassessment/carry_out