Security and Risk Management: A Fundamental Business Issue

By McAdams, Arthur C. | Information Management, July/August 2004 | Go to article overview
Save to active project

Security and Risk Management: A Fundamental Business Issue

McAdams, Arthur C., Information Management

All organizations must focus on the management issues of security, including organizational structures, skill sets, processes, and methodologies for managing security and risk management

According to a report by The Computer Security Institute, 251 of the organizations polled lost $202 million in 2003 due to computer crime. While this loss rate is down from 2002, it is still significant, and many of the companies said they were not able to quantify their losses. International finance and operations executive Oscar Kolodzinski states, "most incidents of cybercrime go unreported because the individuals and businesses affected want to avoid the negative publicity." Therefore, experts believe the real loss is probably greater than stated, and it includes only the losses that are recognized (whether reported or not).

According to Lawrence Gordon and Martin Loeb's article "The Economics of Information Security Investment," there is a void in the research on creating a framework for an economic model that establishes the appropriate investment in security programs. Gordon and Loeb say that most proposed methodologies favor too much spending on certain countermeasures. In "The Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officer," Andre Liebenberg and Robert Hoyt note that there is also a dearth of research on enterprise risk management and cite several reasons for an integrated risk management program. If they were aware of it, this information would probably alarm chief executive officers (CEOs) and other leaders enough for them to order further studies.

Security and Risk Management

The American Dictionary of the English Language formally defines "risk" as "the possibility of suffering harm or loss; danger." "Management" is defined as "the practice of managing, handling, or controlling something." The definition of "security" is "freedom from risk or danger." With these terms formally defined, the blended definition roughly describes risk management and security as the practice of controlling and mitigating the amount of loss an organization will have to endure because of any adverse action or situation, whether intentionally or unintentionally initiated. This interrelationship between security and risk management should prompt a convergence that would then lead to a combined effort to address these issues in an integrated manner within an organization.

Organizations have to deal with managing risks as a regular part of conducting business. In the article "Security in Enterprise Systems," published in The ISSA Journal, P. Tippet says risk can be defined as "annualized loss expectancy." Liebenberg and Hoyt note that certain industries have created well-established risk management specialties to address specific types of risk. For instance, a bank may address credit risk with one group of experts, interest rate risk with another, and information risks with yet another group. Ultimately, the organization may have several disparate sub-groups (e.g., facilities, information technology, compliance, human resources), each managing risk by leveraging its own subject-matter experts (e.g., in this scenario - and in any similar situation - the organization will only be as strong as its weakest link).

A painful reality for most organizations is that staff are often more responsible than intruders for data and information loss. According to Ivan Arce and Elais Levy, the workstation offers the most opportunity for exposure in the information technology (IT) area. If an organization has placed updated antivirus and encryption software on the workstation, then it has implemented a single-dimensional level of effort, note S. Liu, J. Ormaner, and J. Sullivan in "A Practical Approach to Enterprise IT Security." If the single-dimension solution were to significantly improve the security of a single component (in this case, the desktop), then something else may become the new weakest link.

The rest of this article is only available to active members of Questia

Sign up now for a free, 1-day trial and receive full access to:

  • Questia's entire collection
  • Automatic bibliography creation
  • More helpful research tools like notes, citations, and highlights
  • Ad-free environment

Already a member? Log in now.

Notes for this article

Add a new note
If you are trying to select text to create highlights or citations, remember that you must now click or tap on the first word, and then click or tap on the last word.
Loading One moment ...
Project items
Cite this article

Cited article

Citations are available only to our active members.
Sign up now to cite pages or passages in MLA, APA and Chicago citation styles.

Cited article

Security and Risk Management: A Fundamental Business Issue


Text size Smaller Larger
Search within

Search within this article

Look up

Look up a word

  • Dictionary
  • Thesaurus
Please submit a word or phrase above.
Print this page

Print this page

Why can't I print more than one page at a time?

While we understand printed pages are helpful to our users, this limitation is necessary to help protect our publishers' copyrighted material and prevent its unlawful distribution. We are sorry for any inconvenience.
Full screen

matching results for page

Cited passage

Citations are available only to our active members.
Sign up now to cite pages or passages in MLA, APA and Chicago citation styles.

Cited passage

Welcome to the new Questia Reader

The Questia Reader has been updated to provide you with an even better online reading experience.  It is now 100% Responsive, which means you can read our books and articles on any sized device you wish.  All of your favorite tools like notes, highlights, and citations are still here, but the way you select text has been updated to be easier to use, especially on touchscreen devices.  Here's how:

1. Click or tap the first word you want to select.
2. Click or tap the last word you want to select.

OK, got it!

Thanks for trying Questia!

Please continue trying out our research tools, but please note, full functionality is available only to our active members.

Your work will be lost once you leave this Web page.

For full access in an ad-free environment, sign up now for a FREE, 1-day trial.

Already a member? Log in now.

Are you sure you want to delete this highlight?