Saturday, October 9, 2010

Academic Research on Information Security Risk Management and Business Impact Analysis

Information Assets are very critical for success of modern IT enabled businesses. In the modern world, information assets are exposed to threats that are emerging almost daily. The threats to information assets result in "Risks" with potential impact to businesses. The potential damage against an impact classifies the "Criticality" of the Risk. The key to information Security of an organization is to know the assets, to know the threats to the assets, assess the probability and impacts to business, accurately measure the associated risks, and finally establish appropriate mitigation strategies to reduce, avoid or transfer the risks. I recommend that Information Risk Management should be an integral part of an organization's corporate governance such that adequate executive attention to the risks can be invited and mitigation strategies can be formulated. In many countries, it is a legal requirement if the organization is managing critical public systems or data.
To manage Information Risks it is mandatory to know ALL the critical information assets of the organization. Every system that creates, processes, transfers or stores information is an information asset - like, file/folders, databases, hard copy storage areas, desktops, laptops, shared network resources, employees' drawers/lockers, or the employees' own memory (tacit knowledge). The primary requirement of Risk Management is to have an "Information Asset Register" which is a secured database that needs to be updated regularly as and when new assets are added, modified or deleted.
Every organization can have their own definitions of "Confidentiality", "Integrity" and "Availability" parameters related to an Information Asset. These parameters should translate into metrics that should be assigned to EVERY critical information asset identified in the Information Asset Register. The outcome is known as an "Asset Value" tagged against every asset entered in the Asset Register.
The next important step is to assess the "Threat Value" by virtue of an in-depth analysis of the possible causes, the impact value (a function of multiple impacts like Financial or Reputational impact), and the probability of an impact. Every organization can have their own parameters for calculation of Threat Value because it largely depends upon the exposure factors (like Legal, Competition, Environmental, etc) that the organization is facing or can potentially face in future.
The subsequent step is to assess the "Loss Event Value" which is a function of the possible events of asset compromization that the organization can face. Again every organization can have their own loss event descriptions and the assessment methodology that are normally categorised under the known vulnerabilities in the organization.
The final step is to arrive at the "Risk Value" which is a function of the Asset Value, the Threat Value and the Loss Event Value. The calculation of Risk Value can be carried out differently for different organizations depending upon how many levels of escalation is feasible within the organization. Information Assets with high Risk Values have high "Vulnerabilities" and hence appropriate controls need to be applied urgently.
Business Impact Analysis is the next step after completion of the Risk Assessment. Risk Assessment process will ensure that all the Information Assets of the organization are identified and the corresponding "Risk Values" are assessed.
The scale of the Risk values can be defined depending upon the number of escalations feasible within an organization. A large organization may like to keep a larger scale of Risk Values leading to more levels of escalation such that minor risks are not un-necessarily escalated to senior levels. However, a small organization may like to implement smaller scale of Risk Values such that the visibility of risks to the senior/top management is better.
At every level of Risk, a mitigation strategy is mandatory. The mitigation strategy may include extra investments or extra precautions depending upon the potential Business Impact of the risk. Some organizations may like to accept the Risks up to a certain levels because the cost to mitigate the risk is higher than the business impact. Example, an organization may like to accept risks causing a financial impact of up to $500,000 because the cost of risk mitigation may be higher than this value. Such decisions are possible after thorough "Business Impact Analysis" in various round table discussions at the top management/board level. Please be aware that business impacts are different from the asset impacts that have been analysed during the risk assessment. Business impact analytics are applied to the entire business and not only to the information assets. These decisions are critical to ensure that an accurate investment plan can be approved such that the organization does not over-invest in low critical areas or under-invest in high critical areas.
The Business Impact Analysis should result in a list of Mitigation Actions that needs to be taken. Whenever an action is completed, the Risk Value can be "Normalized" to a lower value such that the impact is within acceptable limits. Examples of Mitigation actions are: addition of CCTV surveillance, better verification of visitors, visitors allowed up to visitor rooms only where CCTV cameras and microphones are installed, thorough analysis of surveillance data by security experts, offsite data storage, transition of backup tapes allowed in secured metallic boxes via Bonded Couriers, Backup system ensuring data encryption before writing on tapes, addition of clustering, fail-over, etc. to single Server installations, and so on.
Although such mitigation actions can always be accomplished to reduce the Risk Values, a sound approach of keeping Risk Values in control is to have a sound Information Security Management System (ISMS) within the organization supported by Disaster Recovery Strategy, Business Continuity Planning, Service Support & Service Delivery Processes.
Although a number of academic researches have been conducted on these areas, they are largely inadequate because these areas have evolved and grown many times faster than the pace of researches by academicians and students. I suggest that students should undertake new topics for dissertations and theses in these areas given that a lot remains unaddressed by the academic community in the fields of Information Security Risk Management and Business Impact Analysis and Management.
Please view the research areas of ETCO India at: and the research topics delivered at