Blog Startup & Dev

IT Risk Management: Obsolescence of current methods

Bertrand DAVID

The growth in connectivity and data volumes has made Information Technology an essential need in today's world. Our society depends more and more on these technologies, and industries have in turn transformed whole sectors of their core business to adapt. E-Commerce is one such new sector: it has dematerialized traditional sales channels and created new ways of consuming.

This exponentially growing industry is not without structural problems of business management. In the current Digital Revolution, our industries have had to adapt to this flood of information in just a few years, much as the industrial revolution of the 19th century forced deep transformations on those who wanted to survive. This astronomical amount of information creates management problems and many associated ones, because the practices for dealing with it are still at an embryonic stage. Security is one of them.

In fact, the management of Information Security is still an area that is not well controlled. Many organizations rely on obsolete and inefficient analytical models. Investments in Information Security are often neglected because companies cannot see what they gain from such measures. These companies leave the governance of Information Security to isolated experts, who work apart from the rest of the organization's governance and lead the company into failure.

The quantification of information assets is an almost unsolvable problem

IT Security is viewed as a cost of our times because it is hard to quantify the value added by investing in security. Raising the level of security of an information asset reduces the probability of incidents. But incidents are contextual, so it is extremely difficult to quantify precisely the cost of an incident on a given information asset. The total cost of an incident also varies over time, and the following associated costs should be taken into account:

  • Loss of revenue,
  • Recovery cost,
  • Insurance cost,
  • Loss of reputation,
  • Legal actions,
  • Etc…

To illustrate the point, take the example of Amazon, where the financial impact of an outage varies with the period of the year: if the website is down at Christmas, the financial loss is far greater than for a similar problem in August. We developed a solution to best protect your e-commerce platform.

IT risk management is far from mature

Risk classification methods such as MEHARI and OCTAVE, and standards such as ISO27005, are risk-based: no financial aspect enters the prioritization of risk treatment. Even ISO27005 admits this weakness regarding financially prioritized risk treatment, and it assumes that the decision lies in the hands of the IT expert rather than of top management (ISO27005, 9.1):

When large reduction in risks may be obtained with relatively low expenditure, such options should be implemented. Further options for improvements may be uneconomic and judgement needs to be exercised as to whether they are justifiable.

Selecting security measures on the basis of their criticality alone is not optimal, because the number of risks is large and the budget is finite and limited. It is therefore highly unlikely that the budget allocated to security was sized correctly to cover all the risks that need treating.

Take this simple situation as an example:

  • Risk R1: criticality is 6/10 for a treatment cost of 100,
  • Risk R2: criticality is 5/10 for a treatment cost of 50,
  • Risk R3: criticality is 5/10 for a treatment cost of 30,
  • Risk R4: criticality is 5/10 for a treatment cost of 20,
  • The allocated budget to IT security is 100 and the top management does not want any over budget.

With a traditional IT Risk Management method that ranks by criticality, only R1 is treated. It would have been better to spend the same budget on R2, R3 and R4: three risks treated (total criticality 15 instead of 6) for the same cost, and a higher overall level of security for the organization.
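The example above is an instance of a general problem: picking, under a fixed budget, the set of treatments that covers the most risk. The code below is an added illustration, not the author's method or tooling. It compares the traditional criticality-first rule with an exact 0/1 knapsack selection over the same four risks; the risk names, criticalities, costs and budget are the ones given in the post, the function names and the data structure are my own, and the objective (sum of criticality scores) is only a stand-in for whatever quantity the organisation actually wants to maximise.

```python
"""Budget-constrained selection of risk treatments.

Added example for the R1..R4 scenario in the post. Two selection rules
are compared on the same data:
  - greedy_by_criticality: the traditional rule (highest criticality first)
  - optimal_selection:     exact 0/1 knapsack maximising treated criticality
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    criticality: int   # 0..10 as in the post
    cost: int          # treatment cost, in whole budget units (must be >= 0)


# Constructed from the figures given in the post.
RISKS = [
    Risk("R1", 6, 100),
    Risk("R2", 5, 50),
    Risk("R3", 5, 30),
    Risk("R4", 5, 20),
]
BUDGET = 100


def greedy_by_criticality(risks, budget):
    """Traditional rule: walk the risks in decreasing criticality (cheapest
    first on ties) and treat each one that still fits in the budget."""
    chosen, remaining = [], budget
    for r in sorted(risks, key=lambda r: (-r.criticality, r.cost)):
        if r.cost <= remaining:
            chosen.append(r.name)
            remaining -= r.cost
    return chosen


def optimal_selection(risks, budget):
    """0/1 knapsack: the subset of risks whose treatment costs stay within
    the budget and whose summed criticality is maximal.

    best[b] holds (criticality, names) for the best subset costing at most b.
    Iterating b downwards means each risk is used at most once.
    Returns (names in input order, total criticality).
    """
    best = [(0, ())] * (budget + 1)
    for r in risks:
        for b in range(budget, r.cost - 1, -1):
            value = best[b - r.cost][0] + r.criticality
            if value > best[b][0]:
                best[b] = (value, best[b - r.cost][1] + (r.name,))
    value, names = best[budget]
    return list(names), value


def total_criticality(risks, names):
    """Summed criticality of the named risks (helper for comparing plans)."""
    by_name = {r.name: r for r in risks}
    return sum(by_name[n].criticality for n in names)


if __name__ == "__main__":
    greedy = greedy_by_criticality(RISKS, BUDGET)
    optimal, value = optimal_selection(RISKS, BUDGET)
    print("criticality-first:", greedy, "-> criticality", total_criticality(RISKS, greedy))
    print("knapsack:         ", optimal, "-> criticality", value)
```

The greedy rule spends the whole budget on R1 and treats criticality 6; the knapsack treats R2, R3 and R4 for the same 100 and covers criticality 15. The same dynamic programme works unchanged if the `criticality` field is replaced by an estimate of the expected loss each treatment avoids, which is the financial quantification the post argues for; the point of the comparison is only that ranking by a single ordinal score ignores the budget constraint entirely.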

The polarization of traditional IT risk management is inadequate

The purpose of criticality in the traditional approach to IT Risk Management is to define an acceptance threshold that divides risks into two groups: those that have to be addressed and those that do not. Anyone who has performed a risk analysis knows how arbitrary the choice of that threshold is. The traditional IT Risk Management process is therefore completely polarized, and its evaluation step is largely arbitrary and approximate.
Conventional methods like MEHARI, OCTAVE or EBIOS achieve some effectiveness, but they lack maturity. This becomes an obstacle as soon as one tries to prioritize efficiently, according to the financial value that each treatment adds.

Good IT risk management involves an integrated governance

The growing popularity of ISO27001, the standard for managing IT Security, tends to place the governance of IT Security with Top Management. Since ISO27001 is the standard that organizations choose most often, presenting IT Security solely as a cost center becomes a major issue: Top Management is not composed of IT specialists.
Consequently, all IT Security management issues must be related to financial issues, and Top Management must be involved. For this purpose, it is essential to integrate concepts of financial quantification into the IT risk analysis process. My next posts will give more details on how to reach an efficient IT Security management process.
