Abstract
In the current global environment, the emergence of technology and its availability throughout the world brings significant advantages for the development of the business world and for individuals' living conditions. Technology creates an interdependency between developed and developing or third-world countries in terms of the supply of and demand for labour, which contributes to reducing poverty and even hunger through business ventures such as outsourcing. While the rise of technology and communication brings significant benefits to societies at a global level, it has also changed societies and the way people communicate and work. This change also implies various risks and threats, driven precisely by the rapid development of technology. This paper elaborates on security risks, focusing on how they might prevent organizations from reaching their intended business performance. It presents a structured treatment of risk identification, risk assessment and risk management in the context of the security system, describes the nature of the risks that might threaten the security system within companies, and outlines the measures available for dealing with the identified risks in the security risk management process.
Key words: risk, technology, threats, risk assessment, risk management, security, security risk management.
Body of the paper
Benefits of technology
The rapid development of technology allows for global communication and therefore facilitates a global economy in the current millennium. This brings considerable advantages for the business world and for the world in general, as it supports businesses' goals and objectives and at the same time brings the more isolated regions of the world into the business arena. The phenomenon is most visible in global outsourcing, where corporations contract companies from disadvantaged, developing or even third-world countries to provide support activities such as telemarketing or customer service. This satisfies the economic agent that requires human resources, because labour is cheaper there than in the developed countries, which eases the corporation's budget; but it also benefits the employees and local economies of the disadvantaged countries, as it opens the employment market and offers career prospects to local workers (Bornstein 11).
Similarly, technology allows individuals throughout the world to network among themselves, to get to know different cultures and traditions and to enrich their cultural diversity (Bornstein 8). Technological advancement has also made world realities visible to everybody: people from all over the world can learn about the conflict in Syria, or about other issues not fully covered by the classical media (television, radio, printed press), through channels such as YouTube, Facebook or Twitter. All this shows that the emergence of technology and the development of social media have reshaped social discourse and the way people communicate and do business, to the point that viral communication is no longer a secret technology and virtual teams now define the business context and the organizational model (Stroie & Rusu 228).
Threats and risks of technology affecting security
Looking at all these benefits, one cannot help but wonder what their price is. Indeed, these benefits come with various challenges, which most often take the form of risks and threats to the information security system. In other words, various factors threaten the security of the information system, and in the organizational context strategies for coping with these risks must be developed and applied regularly in the form of security risk management.
Concepts and definitions
This paper first defines the concepts of risk and threat, then applies them to the information system and identifies the types of risks and threats that can affect it. Once the risks are identified, the paper discusses the strategies for coping with risks to the company's security, under the heading of security risk management.
Threat
Al-Zubi (39) defines a threat as the intention to cause physical, material or other damage to public or private interests. The scholar likens a threat to a possible danger, linking it to the legal category of "harm": it is the result of a violation of the rights of an entity (for instance, the disclosure or misuse of confidential information by an attacker). A threat implies possible damage to or loss of property, and the expenses that must be incurred to restore what was lost (Stroie & Rusu 228).
Risk
A risk situation presupposes the existence of a danger factor that leads to harm (Parsloe 9). However, Talabis and Martin (2) consider that there are many definitions of risk and that, to be consistent, risk should be defined in its proper context. For the organizational information security context, Wheeler (23) advances the definition according to which risk is "the expected loss [or the probable frequency and probable magnitude of future loss] of confidentiality, integrity, availability, or accountability".
To cope with the effects of risks, organizations must recognize what kinds of risks might affect their information systems and whether those risks can be avoided or eliminated. Therefore, in order to know the nature of the risks and how they can influence an organization, risk assessment processes must be applied.
Risk assessment and risk management
Risk assessment is defined as the evaluation of the occasions on which the jeopardy factors are expected to occur, to an uncertain degree of probability; risk assessment therefore implies gathering data about possible successes and, at the same time, about potential failures (Carson and Bain 45).
Risk assessment is meant to identify the risk determinants and their probability of turning into harmful situations. Measuring and controlling the estimated risks so that they do not lead in unwanted directions is risk management. In the information technology security context, risk management is directly and permanently tied to risk assessment, because technology advances rapidly and each advance brings new risks that might threaten the IT security system (Longstaff et al. 45).
Studies identify four stages in the risk management process: (1) risk identification; (2) quantification; (3) treatment; (4) evaluation (Ackerman 16). Risk management therefore includes risk assessment, or analysis, as its opening stages.
Managing security risks
Focusing on security objectives
To manage security risks, the nature of the risk must be identified, but clear organizational goals and objectives must also be set, so that performance is achieved without being threatened. In this respect, Brotby (36) observes that organizations regularly consider security management a tool for meeting business goals; in this context, security risk management needs to follow the business requirements, priorities and objectives prudently and to ensure the smooth running of business processes, without allowing security risks to threaten them. Calder and Watkins (45) state that the objective of risk management is to limit all information security risks to acceptable levels, so as to ensure an appropriate balance of safety for coping with the risks that threaten the business objectives.
Calder and Watkins (49) further note that information security management needs to be based both on informed opinion and on a systematic, reproducible and business-oriented risk assessment; this requires a relevant investment in order to reach an optimal return on investment and a consistent balance "between the confidentiality, integrity and availability (particularly to business users) of information".
Strategies for managing the security risks
This approach implies a discussion of risk treatment, the stage of the risk management process in which decisions are made about how to deal with the identified risks, such as risk reduction, risk avoidance or risk transfer (Ackerman 19). The strategies for managing risk are defined below.
Avoidance of risk is a strategy that manages risk by deciding not to move in a new direction if it presents a risky perspective. According to specialists, this strategy is not the most commonly used in risk management procedures, but it is a viable one that must be considered (Business Link, "Managing Risk in e-Commerce").
Mitigation of risk comprises all the efforts undertaken to reduce the probability that a risk materializes and to diminish the severity of its consequences. Mitigation can be achieved by applying different types of measures, from physical ones (protective fences) to financial ones (insurance) (Risky Thinking, "Risk Mitigation").
Transfer of risk can be realized in two ways, according to Business Link: through insurance, by quantifying the possible losses that may be produced, and through contractual terms, where contractual stipulations transfer the risky affairs to another entity (Business Link, "Managing Risk in e-Commerce"). Such an entity can be an insurance company (Ackerman 19).
Embracing or accepting risk is another risk management strategy; indeed, there are companies and situations that are risk-embracing. The condition, however, is that the risks must be identified: their occurrence is accepted and used to the benefit of the situation, or of the business (Wheeler 20).
The purpose of applying these managerial strategies is to divert any potential risk from the path of the organization's effective performance. As such, Wheeler (21) theorizes that once unnecessary risks in people, processes and technology are reduced, companies head towards increased business opportunities.
Defining the nature of the risk
Regarding the nature of risks, scholars observe that knowing the type of security threat or risk determines a viable risk assessment, that is, an accurate examination of the risks' outcomes and impacts on the organization's security, and implicitly allows the firm to develop a strategy for coping with the identified security risks (Ackerman 40).
Regarding the evaluation (or assessment) of risks, Talbot and Jakeman (n.p.) advise organizations to maintain a security risk register, which gathers information about the nature of each risk: what can happen and how it can happen, its consequences, its likelihood of occurring, the risk level and priority, and the resources available to control the risk.
The types of security risk are aligned with the security objectives, which seek to assure confidentiality, integrity, availability, accountability and maintainability; the nature of the risks to the security system therefore falls into these five groups (Ackerman 44).
Briefly, confidentiality risk in security management concerns keeping the information contained in the IT system accessible solely to authorized users, while integrity risk concerns that information being modified only by authorized users and in authorized ways (Ackerman 44; Wheeler 76). Availability risk refers to the time and resources available for processing IT-related functions, which can impact business performance when availability is threatened, for instance by a slow internet connection (Wheeler 76). Accountability risk refers to the threat that the authentication of a user of a specific service or data set can be captured and used by another user (Ackerman 47). Maintainability risk implies the threat of not having the resources required to keep the system updated, so that it does not come into conflict with its availability, security or integrity (IT Governance Institute 43).
Security interventions
To keep organizations safe from these types of security risk, security interventions must be applied, meant to improve the firm's security, prevent security breaches, pass security inspections, comply with international standards and guarantee the protection of information (Wagner & Bode 68).
Security risk prevention strategies should be aligned with the corporate security outcomes, defining clearly which security treatments need to be implemented, what they are meant to achieve, within what time, how it will be achieved and who is responsible for each treatment (Talbot & Jakeman, n.p.).
Treating risks is also a matter of combining the risk treatment strategies (reducing, embracing, avoiding or transferring the risk). When deciding which strategy to follow, the following factors should be considered: (1) the costs involved; (2) the likelihood that the risk will recur and, if so, with what frequency; (3) the organization's attitude toward the identified risk; (4) the ease of implementing a given security measure; (5) the available resources; and (6) the organization's corporate priorities and managerial politics (Vacca 612).
These factors are the decision criteria that organizations need to follow when deciding which risk management measures to adopt for security risks. For an appropriate intervention, Talabis and Martin (193) add that security risk managers should prepare clear and concise recommendations on how to handle the risk situation; again, the recommended intervention or treatment depends on the type of risk threatening the company's security.
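As an added worked example (not from the paper or from any of the works it cites), the following Python script ties together the pieces discussed above: Wheeler's definition of risk as probable frequency times probable magnitude, the security risk register recommended by Talbot and Jakeman, the four treatment strategies, and the cost- and tolerance-based choice among them. Every risk, figure, control effect, insurance premium, the tolerance level and the decision rule are constructed assumptions for illustration, not data from any source.

```python
"""Security risk register: quantify, prioritise and treat (added example).

Every figure, control effect and the decision rule below is a constructed
assumption for illustration, not data from any source."""
from dataclasses import dataclass
from typing import Optional

# The five security objectives used to classify each register entry.
OBJECTIVES = ("confidentiality", "integrity", "availability",
              "accountability", "maintainability")


@dataclass(frozen=True)
class Control:
    """A mitigation option and the fraction of frequency/magnitude it leaves."""
    name: str
    annual_cost: float
    frequency_factor: float = 1.0
    magnitude_factor: float = 1.0


@dataclass(frozen=True)
class Risk:
    """One register entry: what can happen, how, loss estimate, options."""
    what: str
    how: str
    objective: str                  # one of OBJECTIVES
    frequency: float                # probable loss events per year
    magnitude: float                # probable loss per event, currency units
    controls: tuple = ()            # mitigation options considered
    transfer_premium: Optional[float] = None   # insurance quote, if any

    def expected_loss(self) -> float:
        """Expected annual loss = probable frequency x probable magnitude."""
        return self.frequency * self.magnitude

    def residual_loss(self, control: Control) -> float:
        """Expected annual loss remaining once the control is in place."""
        return self.expected_loss() * control.frequency_factor * control.magnitude_factor


def choose_treatment(risk: Risk, tolerance: float) -> tuple[str, str, float]:
    """Return (strategy, detail, annual cost) for one register entry.

    Decision rule (an assumption of this example):
      1. untreated loss within tolerance                      -> accept
      2. cheapest control with residual loss within tolerance,
         if residual + control cost < untreated loss          -> mitigate
      3. insurance premium below the untreated loss           -> transfer
      4. otherwise                                            -> avoid
    """
    loss = risk.expected_loss()
    if loss <= tolerance:
        return ("accept", "within tolerance", 0.0)
    affordable = [(risk.residual_loss(c) + c.annual_cost, c)
                  for c in risk.controls if risk.residual_loss(c) <= tolerance]
    if affordable:
        total, best = min(affordable, key=lambda pair: pair[0])
        if total < loss:
            return ("mitigate", best.name, best.annual_cost)
    if risk.transfer_premium is not None and risk.transfer_premium < loss:
        return ("transfer", "insurance", risk.transfer_premium)
    return ("avoid", "decline the activity", 0.0)


def treat_register(register: list, tolerance: float) -> list:
    """Rank the register by expected loss (highest first) and treat each entry."""
    ranked = sorted(register, key=lambda r: r.expected_loss(), reverse=True)
    return [(r, choose_treatment(r, tolerance)) for r in ranked]


# Constructed sample register; the figures are illustrative only.
REGISTER = [
    Risk("customer database disclosed", "over-privileged service account abused",
         "confidentiality", frequency=0.2, magnitude=500_000,
         controls=(Control("encrypt at rest + least-privilege review", 30_000,
                           magnitude_factor=0.1),)),
    Risk("regulated data stored outside its permitted region",
         "proposed expansion reuses one global database",
         "confidentiality", frequency=0.4, magnitude=200_000),
    Risk("actions cannot be attributed to a person", "shared administrator account",
         "accountability", frequency=1.0, magnitude=50_000,
         controls=(Control("individual accounts with MFA", 5_000, frequency_factor=0.2),)),
    Risk("web storefront unavailable", "volumetric DDoS on the public endpoint",
         "availability", frequency=2.0, magnitude=15_000,
         controls=(Control("DDoS scrubbing service", 40_000, frequency_factor=0.1),),
         transfer_premium=12_000),
    Risk("legacy server falls behind on patches", "vendor support has ended",
         "maintainability", frequency=0.5, magnitude=8_000),
]
TOLERANCE = 10_000  # constructed: largest expected annual loss accepted per risk

if __name__ == "__main__":
    for risk, (strategy, detail, cost) in treat_register(REGISTER, TOLERANCE):
        print(f"{risk.expected_loss():>9,.0f} {risk.objective:<15} {risk.what:<50} "
              f"-> {strategy} ({detail}; cost {cost:,.0f})")
```

Run as a script, the register prints in priority order with one strategy per entry: the database disclosure and the shared administrator account are mitigated because a control brings the residual loss within tolerance at a total cost below the untreated loss; the storefront outage is transferred because the scrubbing service costs more than the loss it prevents while the premium does not; the expansion that would breach data residency is avoided because no treatment is available; and the patching lag is accepted because its expected loss already sits within tolerance. The rule is deliberately simple: a real register would also weigh the organization's risk attitude and the factors listed by Vacca (612), which this example reduces to a single tolerance figure.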
Conclusion
In defining strategies and procedures for dealing with risk and keeping it within a tolerable level, organizations are in fact pursuing risky activities, since these may make the difference between a traditional organizational culture and a transformational one, or in other words between a standard company and a visionary company that achieves significant business performance because of the risks it took. Nevertheless, as Wheeler (21) recommends, companies should make risky decisions consciously, assessing the nature and the consequences of the risks they might be dealing with. While businesses may pursue corporate risks of kinds other than the security risks identified in this paper, security risks follow the corporate objectives: if the corporate objectives imply venturing into risky activities, the security system should be aligned with those objectives, and implicitly with those activities, by defining what security risks might arise from the risky ventures undertaken, how they might impede the achievement of the business objectives, and how they can be stopped, reduced or limited.
Works Cited
Ackerman, Tobias. IT Security Risk Management: Perceived IT Security Risks in the Context of Cloud Computing. Darmstadt, Springer Gabler. 2013. Print.
Bornstein, David. "Outsourcing Is Not (Always) Evil." 2011. Web. Accessed 7 November 2013, retrieved from http://opinionator.blogs.nytimes.com/2011/11/08/outsourcing-is-not-always-evil/?_r=0.
Brotby, Krag. Information Security Governance: A Practical Development and Implementation Approach. New Jersey, John Wiley & Sons. Print.
Business Link. "Managing Risk in e-Commerce." N.d. Web. Accessed 6 November 2013, retrieved from <http://www.businesslink.gov.uk/bdotg/action/detail?itemId=1075386209&r.i=1075386212&r.l1=1073861197&r.l2=1073866263&r.l3=1075386080&r.s=sc&r.t=RESOURCES&type=RESOURCES>.
Calder, Alan & Watkins, Steve G. Information Security Risk Management for ISO27001/ISO27002. Cambridgeshire, IT Governance Publishing. 2010. Print.
Carson, D. & Bain, A. Professional Risk and Working with People: Decision-Making in Health, Social Care and Criminal Justice. London, Jessica Kingsley Publishers. 2008. Print.
IT Governance Institute. Information Security Governance: Guidance for Boards of Directors and Executive Management. 2nd edition. Illinois, IT Governance Institute. 2006. Print.
Longstaff, Thomas A., Chittister, Clyde, Pethia, Rich & Haimes, Yacov Y. "Are We Forgetting the Risks of Information Technology?" Computer, pp. 43-51. 2000. Print.
Parsloe, Phyllida. Risk Assessment in Social Care and Social Work (Research Highlights). 5th edition. London, Jessica Kingsley Publishers. 2005. Print.
Risky Thinking. "Risk Mitigation." N.d. Web. Accessed 7 November 2013, retrieved from http://www.riskythinking.com/glossary/risk_mitigation.php.
Stroie, Elena Ramona & Rusu, Alina Cristina. "Security Risk Management – Approaches and Methodology." Informatica Economica, vol. 15, no. 1, pp. 228-240. Print.
Talabis, Mark & Martin, Jason. Information Security Risk Assessment Toolkit. Mason, Elsevier, Inc. 2013. Print.
Talbot, Julian & Jakeman, Miles. Security Risk Management Body of Knowledge. Wiley. 2011. Print.
Vacca, John. Computer and Information Security Handbook. Burlington, Morgan Kaufmann Publishers. 2009. Print.
Wagner, Stephan M. & Bode, Christoph. Managing Risk and Security: The Safeguard of Long-Term Success for Logistics Service Providers. Zurich, Haupt Berne. 2009. Print.
Wheeler, Evan. Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. Mason, Elsevier. 2011. Print.