An Approach to Understanding IT's Business Risk
IT Risk Management
In order to make relevant decisions, business managers need information that is relevant to their own operations, not to their IT departments' operations. Managers need answers to questions such as "what losses am I risking?", not "what is the uptime of my servers?" Existing security dashboards and metrics do not do a good job of transforming technical data into information on which business decisions can be made. For instance, if a vulnerability is discovered or suspected in a web application, consider how to answer the following questions:
o Under what conditions should risk be borne in order to sustain operations?
o What would the cost be to the organization if the vulnerability was exploited?
o How much should a firm be willing to pay to insure against or avoid this risk?
o What is the optimal bundle of risks for the firm to take, given the impact of capabilities and constraints on business operations?
There are real challenges to managing IT security risks and providing answers to these questions. Attempts to manage such risks are hampered by the lack of statistically representative information and by the difficulty of determining the effectiveness of the security that is in place. The metrics involve costs that can be difficult to determine, such as the cost of private information becoming public, or the loss of customer confidence in the privacy of their dealings with the firm. The result is uncertainty both in the appropriate type and size of security investments and in the level of exposure of the firm.
The development of new types of metrics can provide this kind of business decision support. The answers to all of these questions result from combining technical data provided by IT with operational data provided by the line of business, and applying relevant risk models to both. Combining security and operational risk data enables a holistic view of risk management across the firm. Finally, the key questions of how much money should be spent to mitigate risks, and where it should be applied, can be answered by applying scenario analysis to such a dashboard system.
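As an added illustration (not part of the seminar paper), the following Python sketch shows one way a dashboard could join the two data sources with a simple risk model and run the kind of scenario analysis described above: IT supplies the annual probability that the web application vulnerability is exploited, the line of business supplies a three-point loss estimate, and the model derives the expected annual loss, the most the firm should be willing to pay for a given control, and a loss-exceedance figure from a Monte Carlo run. The scenario figures, the control, its cost and effect, and the use of a triangular loss distribution are all constructed assumptions for the example.

```python
"""Scenario analysis for an IT risk dashboard (added illustration; all figures are constructed)."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Scenario:
    """A loss scenario: technical data (annual exploit probability, from IT)
    joined with operational data (a three-point loss estimate, from the business)."""
    name: str
    annual_probability: float   # assumed: chance the vulnerability is exploited in a year
    loss_low: float             # assumed: optimistic loss per incident
    loss_mode: float            # assumed: most likely loss per incident
    loss_high: float            # assumed: pessimistic loss per incident


@dataclass(frozen=True)
class Control:
    """A candidate mitigation with its yearly cost and its effect on the scenario."""
    name: str
    annual_cost: float
    residual_probability_factor: float  # 0.25 means exploit probability drops by 75 %
    residual_loss_factor: float         # 1.0 means loss per incident is unchanged


def mean_loss_per_incident(s: Scenario) -> float:
    # Mean of a triangular(low, mode, high) distribution.
    return (s.loss_low + s.loss_mode + s.loss_high) / 3.0


def expected_annual_loss(s: Scenario) -> float:
    """Annualised loss expectancy: probability of the event times its mean loss."""
    return s.annual_probability * mean_loss_per_incident(s)


def apply_control(s: Scenario, c: Control) -> Scenario:
    """The residual scenario after the control is in place."""
    return Scenario(
        name=f"{s.name} + {c.name}",
        annual_probability=s.annual_probability * c.residual_probability_factor,
        loss_low=s.loss_low * c.residual_loss_factor,
        loss_mode=s.loss_mode * c.residual_loss_factor,
        loss_high=s.loss_high * c.residual_loss_factor,
    )


def max_worthwhile_spend(s: Scenario, c: Control) -> float:
    """Upper bound on what the firm should pay per year for this control:
    the expected loss it removes. Paying more than this is a net loss."""
    return expected_annual_loss(s) - expected_annual_loss(apply_control(s, c))


def return_on_security_investment(s: Scenario, c: Control) -> float:
    """(loss avoided - cost) / cost; negative means the control costs more than it saves."""
    return (max_worthwhile_spend(s, c) - c.annual_cost) / c.annual_cost


def simulate_annual_loss(scenarios, years=20000, seed=1):
    """Monte Carlo: in each simulated year every scenario either occurs (Bernoulli) or not,
    and an occurring loss is drawn from its triangular estimate. Returns sorted yearly totals."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.annual_probability:
                total += rng.triangular(s.loss_low, s.loss_high, s.loss_mode)
        totals.append(total)
    totals.sort()
    return totals


def loss_at_percentile(sorted_totals, pct):
    """Loss-exceedance figure: the yearly loss not exceeded in pct % of simulated years."""
    idx = min(len(sorted_totals) - 1, int(pct / 100.0 * len(sorted_totals)))
    return sorted_totals[idx]


# Constructed sample inputs: a suspected web application vulnerability and one candidate control.
WEBAPP = Scenario("web app vulnerability exploited", 0.20, 50_000, 200_000, 800_000)
PATCH_AND_WAF = Control("patch + WAF rule", annual_cost=20_000,
                        residual_probability_factor=0.25, residual_loss_factor=1.0)

if __name__ == "__main__":
    print(f"expected annual loss:      {expected_annual_loss(WEBAPP):>12,.0f}")
    print(f"max worthwhile spend:      {max_worthwhile_spend(WEBAPP, PATCH_AND_WAF):>12,.0f}")
    print(f"ROSI:                      {return_on_security_investment(WEBAPP, PATCH_AND_WAF):>12.2f}")
    for label, scen in (("untreated", WEBAPP), ("with control", apply_control(WEBAPP, PATCH_AND_WAF))):
        totals = simulate_annual_loss([scen])
        print(f"{label:<12} 95th percentile yearly loss: {loss_at_percentile(totals, 95):>12,.0f}")
```

The closed-form figures answer "how much should the firm be willing to pay" for one control; the Monte Carlo percentile answers "what losses am I risking in a bad year", which the expected value alone hides. Both depend entirely on the probability and loss estimates fed in, which is exactly the data the text says is hard to obtain; treating the inputs as ranges and re-running the scenarios is the honest way to show that uncertainty on a dashboard.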
Download full seminar papers at http://www.enjineer.com/forum