According to a report by The Computer Security Institute, 251 of the organizations polled lost $202 million in 2003 due to computer crime. While this loss rate is down from 2002, it is still significant, and many of the companies said they were not able to quantify their losses. International finance and operations executive Oscar Kolodzinski states, "most incidents of cybercrime go unreported because the individuals and businesses affected want to avoid the negative publicity." Therefore, experts believe the real loss is probably greater than stated, and it includes only the losses that are recognized (whether reported or not).
According to Lawrence Gordon and Martin Loeb's article "The Economics of Information Security Investment" there is a void in the research on creating a framework for an economic model that establishes the appropriate investment in security programs. Gordon and Loeb say that most proposed methodologies favor too much spending on certain countermeasures. In "The Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officer," Andre Liebenberg and Robert Hoyt note that there is also a dearth of research on enterprise risk management and cite several reasons for an integrated risk management program. If they were aware of it, this information would probably alarm chief executive officers (CEOs) and other leaders enough for them to order further studies.
Security and Risk Management
The American Dictionary of the English Language formally defines "risk" as "the possibility of suffering harm or loss; danger." "Management" is defined as "the practice of managing, handling, or controlling something." The definition of "security" is "freedom from risk or danger." With these terms formally defined, the blended definition roughly describes risk management and security as the practice of controlling and mitigating the amount of loss an organization will have to endure because of any adverse action or situation, whether intentionally or unintentionally initiated. This interrelationship between security and risk management should prompt a convergence that would then lead to a combined effort to address these issues in an integrated manner within an organization.
Organizations have to deal with managing risks as a regular part of conducting business. In the article "Security in Enterprise Systems," published in The ISSA Journal, P. Tippet says risk can be defined as "annualized loss expectancy." Liebenberg and Hoyt note that certain industries have created well-established risk management specialties to address specific types of risk. For instance, a bank may address credit risk with one group of experts, interest rate risk with another, and information risks with yet another group. Ultimately, the organization may have several disparate sub-groups (e.g., facilities, information technology, compliance, human resources), each managing risk by leveraging its own subject-matter experts (e.g., in this scenario - and in any similar situation--the organization will only be as strong as its weakest link).
A painful reality for most organizations is that staff are often more responsible than intruders for data and information loss. According to Ivan Arce and Elais Levy, the workstation offers the most opportunity for exposure in the information technology (IT) area. If an organization has placed updated antivirus and encryption software on the workstation, then it has implemented a single dimensional level of effort, note S. Liu, J. Ormaner, and J. Sullivan in "A Practical Approach to Enterprise IT Security." If the single-dimension solution were to significantly improve the security of a single component (in this case, the desktop), then something else may become the new weakest link. Therefore, the weakest link may continually shift from the technology area to the physical area, to the human resources area, to the policy area, and so on. …