Operational risks are often information security risks

What is often called operational risk has to do with flaws and faults pertaining to the internal processes, people, and systems or triggered by external events. For most modern businesses, most operational risks are in fact information security risks – that is, risks associated with the use of Information Technology (IT). This is because even companies whose products and services are physical par excellence rely on IT systems for accounting, marketing, and customer or enterprise management. In the face of major leaks and well-publicized hacking incidents, companies are facing increasing pressure to improve their security.

As social interactions, business and identities move to the digital domain, old ways of understanding and mitigating information security risk need to be re-thought. The increased availability of hacking tools and tutorials makes cyber-attacks and cyber-fraud easier to perform, while the anonymity provided by the Internet means cyber-criminals are much harder to catch. The computational power of modern computers and the interconnected nature of IT systems open up possibilities for attacks on unprecedented scales. These factors led to cyber-crime related losses of roughly $400 billion in 2014. These are expected to rise to around $2 Trillion per Year by 2019.

Photo by Lubo Minar on Unsplash

Risk Management (RM) in general, and Information Security Risk Management (ISRM) in particular, aims at obtaining a balance between realizing opportunities for gains and minimizing vulnerabilities and losses/ A Risk Assessment (RA) is a structured or semi-structured approach of analyzing the security of an system or organization, identifying weak spots, and selecting countermeasures. Risk Assessment techniques, as well as most Risk Management methodologies, do not aim at obtaining full security. Rather, they strive to achieve an acceptable level of security at an acceptable cost (also called “good enough” security). Frameworks differ in their interpretation of this, and in the way of achieving and maintaining it.

However, the sheer number of recommended RM/RA methods and tools pertaining to information systems can be overwhelming. Furthermore, each such method follows aslightly different procedure, uses different data, relies on specific skills, generates various reports, or is based on a different understanding of Risk all-together.

Criteria for selecting an Information Security Risk Management framework

When assessing the operational risks pertaining to the development and/or operation of a piece of software or an information system, some important criteria for choosing an appropriate risk management or risk assessment framework are:

  • Size of the organization
  • Security needs
  • The business context
  • Availability of experts
  • System/software criticality
  • Time-frame for conducting the assessment

Use the form below to narrow down your choices of suitable risk assessment methodology: