In today’s environment, Risk Management is considered a core management issue in modern corporate governance. We have been discussing this concept in several areas of finance. Now we consider the subject as it pertains to Information Security (IS). This is an important consideration because, over the past thirty years, information systems have become a core component of nearly every other operation within the corporate structure, so a failure of information security is a failure of the business, not just of the IT department.

In order to understand Risk Management, three basic terms should be understood first: Vulnerability, Threat, and Exposure.

Vulnerability refers to a weakness of an IS system that could be exploited. Such weaknesses are largely inherent: they arise from the system’s own design, implementation, or operation, and cannot easily be eliminated completely. No system is totally free from defects, and no one-hundred-percent “bullet-proof” system can exist, because a system is only as strong as its weakest point and every system has one. Building a system without weaknesses would require unlimited resources to design, verify, and test it.

Threats are potential events or actors that could exploit a vulnerability of a system. Threats can be natural (such as a thunderstorm or earthquake), environmental (such as temperature or humidity), or intentional (such as hacking or virus spreading). A threat that actually exploits a vulnerability becomes an incident.

Exposure refers to the damage that can be done if and when a threat successfully exploits a vulnerability of a system, that is, the magnitude of the potential loss.

When there is a chance that a threat could exploit a system’s vulnerability, there is risk. In the field of information security management, risk refers to the possibility of a successful attack on an IS system by a threat, made possible by the system’s inherent vulnerabilities, together with the exposure that would result.

Risk has the following properties:

  • Risk cannot be totally eliminated.
    Every system has vulnerabilities, so every system carries some risk.
  • Risk can be reduced, but only by carefully planned countermeasures.
    Reducing risk through countermeasures is called Risk Mitigation.
  • The risk that remains after countermeasures are in place is called residual risk.
    Residual risk can be accepted, or it can be transferred, for example by insuring the system. Insurance transfers the financial consequences of a loss to the insurer, but it does not reduce the likelihood of a successful attack; it is Risk Transfer, not mitigation.

Information Security Management is the art of dealing with risk using systematic and consistent management principles. It is not merely a technical issue; it is at least as much a management issue, because decisions about which countermeasures to fund, which residual risks to accept, and which to transfer belong to management. Therefore, Information Security Management is best achieved through the proper deployment of carefully planned corporate strategies for dealing with Information Security risk.
