May 2006

Working paper: A proposal for implementing an information risk management system with ISO 17799


Introduction

For as long as there has been life there has been risk. Humankind has a natural risk management ability: fear. Fear can be viewed as an innate human risk assessment ability. This may work well to warn us of an approaching tiger in the African wilderness, but in today's world of complex systems and globalization, following in the wake of many corporate scandals, natural abilities must give way to scientific, methodological risk management.

Organizations today want to manage risk. There are many factors that justify this. In some cases laws and regulations require them to implement a risk management program. In other cases it may be contractual requirements. Whatever the reason, risk has become, in recent years, a subject of much interest to organizations of all sizes in all regions of the world. We have looked at existing risk management frameworks and find that there is a need for a new one. This is what we propose in this article.

We propose an approach based on best practices, international and well accepted standards and our experience as practitioners of information technology risk management. This approach seeks to integrate risk into an organization's culture to support organizational objectives while maintaining risk at acceptable levels. Risk management becomes a tool to assist organizations in making decisions that reflect their requirements, respect their constraints and provide the most value to the organization in achieving its objectives.

It should be noted that this article is proposed as a demonstration of the application of standards in an organizational setting. Organizations who wish to implement this approach in a real-life setting should get external advice before proceeding, as this article was not conceived for that purpose.

Standards used in this article

Since international standards and best practices are, in our opinion, the best way to manage risk in organizations, what we propose here is based on international standards. However, it should be noted that following the recommendations, the methodologies, the tools and the processes documented in this article does not ensure in any way conformity to the aforementioned standards. What we propose here is an approach that could, in theory, be implemented or adapted by organizations of any size who wish to implement best practices and due diligence in risk management. Organizations who wish for eventual certification on any of the standards will need to gather additional reference material, get specific training and hire consultants who have developed an expertise in compliance and conformity to those standards. A quick search on the Internet will produce a large list of consultants with this kind of expertise. They are available in most regions of the world.

What is risk

Before we can discuss the implementation of risk mitigation measures and controls we need to get an understanding of the principal concepts; this is covered in this section. Understanding the basic concept of risk is a necessary first step for anyone who seeks to understand risk management and for any organization wishing to implement risk management.

Definition

Our definition of risk is best represented by the Chinese symbol for risk. It combines the symbols for the words danger and opportunity to illustrate risk as the danger, or the uncertainty, that accompanies opportunities. This symbolizes the relationship between opportunities and risk, where a risk should be viewed as the danger that the opportunity may not lead to the desired or expected outcome.

Risk should be viewed as a natural occurrence, a force that results from the pressures of the environment on an existing or developing opportunity. We should view risk as uncertainty, a discontinuity, a possible outcome that is different from what is expected or desired. In many cases it can be assessed, evaluated, qualified or quantified in relation to a given situation or opportunity. Of course there is a risk that things will occur as expected, but we are concerned with risks that have negative consequences. There are many different types, or categories, of risk. Most will be familiar with financial risks, environmental risks, operational risks and insurance risks, to name only a few. As risk is present in all endeavours there is a near infinite list of different types of risks. An organization must identify the activities where risks are the most significant for the organization. This may be motivated by several factors such as its legal obligations, the expectations of its stakeholders or other reasons considered significant by managers in the organization. We give no clear direction as to whether an organization needs to implement formal processes to address all different categories of risks, but we suggest that at the very least all that can be identified should be looked at in some form of risk management process.

When an outcome is certain we do not have risk, we have a certainty.

Risk = (threat x likelihood x impact) / mitigation

Risk can be defined in a mathematical fashion by a simple equation. While risk is directly proportional to the likelihood of the realization of a threat and directly proportional to the impact, risk is inversely proportional to the risk mitigation measures that are implemented by an organization. There is a limit at which the impact no longer affects risk in a significant fashion; for example, when a building is damaged in such a fashion that it can no longer be used and must be destroyed, it is not likely that additional damages would have much impact. As well, this relationship between risk and impact should not be understood to be a linear one. In the same fashion, risk mitigation measures will reduce risk only to a certain limit. There is a point where risk mitigation measures may actually begin to increase risk, for example because of the increase in complexity they may bring to information systems.

While several theories have been developed in the past, particularly in relation to gains and financial investments, there is no single mathematical representation of risk that can apply to all situations. This is why we view risk more as a subjective state of mind than as a quantifiable object.

In any business activity, operation or opportunity, internal or external forces will generate pressures that we see as having an influence on the amount of risk perceived from within. These internal or external forces are seen as threats to the achievement of the expected outcome. If, by looking at the processes, we are able to identify these forces, then it may be possible to get an understanding of risk at a moment in time in an organization. The probability of the realization of a threatening situation, while considering the risk mitigation processes in place in an organization, forms the basis of risk management. There are various types of risk such as financial risks, insurance risks, health risks, environmental risks and many other categories. Our principal interest is in risks that affect information technology, systems and data as well as risks that are generated by the integration of information technology in organizations.

In order to enable us to take a scientific approach to risk management we must be able to measure it in some way. To do this we need to define the opportunity, business process,

We will begin by defining the components of risk and their interaction. This will allow us to get a better understanding of the complex interactions within organizations and how they may affect risk, risk assessment and risk treatment.

Risk Management or Information Security

Risk management or information security, what are we talking about here?

We prefer using the expression information risk management rather than information security as we feel that it more accurately describes what we are talking about. Managing risk related to the use of information, the management of information and information systems allows us to go beyond typical information security, which is mostly concerned with information technology, to consider all information, in all its forms and on all the physical supports that it may use, as an important asset of the organization. Looking at information as an asset rather than a tool forces organizations to look at the information and the use of the information as different things to which different organizational risk treatments may apply.

Components of risk

Organizational risk can be decomposed as the sum of all the individual risks that exist within the organization. We can look at risk from an organizational point of view but also in relation to an activity, a system or a business process. We can also look at risk in relation to data managed within an organization. Whatever way we choose to look at it, the existing risk is the sum of the various risks that are present.

For risk to exist requires the presence of a threat, or of several threats, that may materialize and have a negative effect on the expected outcome. The likelihood that the threat may materialize has a significant impact on the amount of energy the organization should put into mitigating the effects of the threat. The possible negative outcome, what we view as the impact, should have an effect on how many resources an organization should reasonably put forward to mitigate the impact of the realization of the threat or to put in place tools or processes to reduce the likelihood that the threat materializes. We are concerned about threats that may have a negative impact; it should be noted that this may not always be the case, but in risk assessment we tend to give more significance to events that may negatively impact the desired outcome. This follows certain economic models, such as prospect theory, in which individuals tend to accord more significance to certain types of events (loss aversion) while being willing to take more risk than we would expect in other situations.

Threat

We define a threat as a situation, event or chain of events that is susceptible of having a negative impact on an organization. Threats can be many things; fire can be considered a threat, as an uncontrolled fire could destroy the building that houses an organization. We usually view threats as situations that may result in the inability of an organization to meet certain of its objectives. In the case of information risk management we are mostly concerned about things like the loss of confidentiality, the accidental or voluntary modification of data, which would affect its integrity, the disabling, or apparent unavailability, of systems, as well as other aspects such as access control.

The number of threats present, in any given situation, does not necessarily have an impact on the level of risk. In many cases, threats are independent events with no relationship between each other. Thus independent threats may lead to independent incidents, at different times, with different impacts.

Threats, in a general way, can be inventoried and categorized in relation to the category or type of impact that they may have on the organization. There is no single right way to do that; we have chosen to categorize threats in relation to certain types of impacts that are significant in relation to information technology. An organization may choose different categories based on its requirements, business and objectives.

Risk is often categorized in reference to threats or categories of threats existing in an organizational setting. Although this may certainly be a valid approach, we prefer an approach based on the impacts of the realisation of threats. We find, in our practice, that this approach is closer to the expectations of the individuals involved within the organisations.

We provide here a list of threats that we have found useful in our practice and that could be used as a starting point for organizations.

Categories of threats

We are principally interested here in risk involving the use of information technology. Because of this we are limiting this list of threats to those that seem most likely to impact information systems. While we feel there is no single right way to categorize threats, we have chosen to have two categories:

  • Threats that may result in material damages;

  • Threats that may result in immaterial damages.

Threats that may result in material damages

This category includes threats that are most likely to cause material, or physical, damages to the infrastructures, information systems and telecommunication equipment of an organization. Overall statistics show that these generally account for only a small percentage of computer related incidents. Losses, or the actual impact, can usually be evaluated in relation to the cost of repair or replacement. In a more general risk management process, this category of threats would include those that may impact critical infrastructures, buildings, the environment, vehicles and human beings. We provide here a list of the most common types that we use in our practice.

  • Accidents, including:

    • accidental failure

    • power failure

    • power spikes

    • industrial accident

    • peripheral accident

    • fire

    • flood

    • earthquake

    • tornado

    • hurricane

    • environmental disaster

    • collateral damage.

  • Vandalism, including:

    • theft

    • arson

    • sabotage

    • war

    • activism and cyber activism

    • terrorism.

Here again we don't claim this list to be complete or adequate for all organizations; however, it should provide a useful starting point.

Threats that may result in immaterial damages

Threats that may result in immaterial damages include those which, should they happen, could cause damages to information, data, software, applications and files contained within an organization and its information systems. This category of threats includes those that are the most common in many organizations. We suggest starting with the following categories:

  • Error

  • Fraud

  • Cybercrimes

  • Hackers

Likelihood

The likelihood component should be understood as the likelihood of the realization of the threat. We are here in the domain of statistics. Likelihood of realization has to do with the probability that a threat may actualize to become an incident. It can often be expressed in terms of a percentage, as in "there is a 10% chance that this may happen in a given timeframe". It can also be viewed as the odds that something may happen, as in "there is a one in 10 chance that this may happen". It seems that using a quantitative approach, such as we just mentioned, may make it simpler for individuals seeking to forecast the likelihood of the realization of a threat, a probable future event, to make a decision. Qualitative approaches, while being more expedient, may produce results with low levels of confidence and an increased possibility of judgment errors.

When evaluating the likelihood of realization of a threat an organization may look to its past to help it. If a particular threat or type of threat has occurred in the past, this can be used as a reference to identify the likelihood that it may happen in the future. If it happened, it may happen again, although this is not a fool-proof approach. In an organizational setting, an evaluation of the likelihood of the realization of a threat can use the knowledge of the organization possessed by members of the organization; this will help provide some indications. However, this work could benefit significantly from external expertise that can be provided by risk management consultants, by a financial expert or by an accountant.

Impact

Assessing the impact of possible future events is both a simple and a complex task. While we know that certain individuals tend to overweigh certain types of impacts, such as financial impacts, we find that other types of impacts tend to be greatly underestimated. This being said, evaluation of impacts may significantly benefit from the input of an external, unbiased expert. This doesn't mean that we are saying that you absolutely must have external expertise, but only that it may be useful, when evaluating impacts, to have a less biased view of the organizational impacts of a specific threat.

Determination of impact is usually done in relation to what we call the seven variables of risk:

  • confidentiality;

  • availability;

  • integrity;

  • non repudiation;

  • user authentication;

  • identification of the origins of data; and

  • access control.

Determining the impact requires the organization to have an understanding of its requirements in relation to the seven variables. Usually, when implementing some form of risk management, the identification of the requirements in relation to these variables will be done at an early stage. In the approach that we propose in this article, this identification is a key element throughout the process.

In a situation where it has been determined that, for example, there is a requirement to protect the confidentiality of certain information under the custody of the organization, release of the information to unauthorized parties would be considered, in a certain way, a risk. This risk could be associated with several threats which, should they realize themselves, would result in the loss, or partial loss, of the confidentiality of the information. The likelihood of the realization of these threats would vary depending on the threat itself. The impact of this could be determined by the organization by looking at how this would affect its activities, objectives and legal obligations. In the case of confidentiality the organization could be contravening local or national laws, such as privacy protection laws or access to information laws. These laws would have sanctions associated with them. These sanctions are a part of the impact.

How do we assess the impact?

By looking to the past, by identifying similar situations both internal to the organization and in the outside world, for example in similar organizations. To get a good understanding of the potential impacts of a specific threat to the organization requires an understanding of the objectives and the purpose of the organization. Individuals inside the organization are in the best position to do this. Looking at incidents that have taken place affecting the organization and looking at incidents in similar organizations, whether in the same market, business or activity, is probably a good starting point.

To assess the impact of a threat such as the one an accidental fire may pose, an organization would try to determine, based on incidents that may have happened in the past or based on its knowledge of its environment, what losses would be incurred. These could be many; for example, a fire could result in the destruction of buildings, of files both in paper form and stored in information systems, as well as many other grave consequences. An organization, once it has identified the principal threats in its environment, should be able, by looking at the possible impacts in the way we have just described, to adequately assess impact.
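To make the risk equation given above and the likelihood and impact discussion concrete, here is an added example (not the paper's own method or tooling) that scores a small constructed threat register. The formula is the paper's; the cap on impact, the shape of the mitigation divisor, the 0 to 5 rating scale and the sample threats and ratings are assumptions made for the illustration.

```python
# Illustrative risk register scoring in the spirit of the paper's formula
# Risk = (threat x likelihood x impact) / mitigation. Added example, not the
# paper's own method; the functional forms used for the paper's two caveats
# (impact saturates; too many mitigation measures add complexity and raise
# risk again) are assumptions.
from dataclasses import dataclass
from fractions import Fraction

# The paper's seven variables of risk, used here as impact dimensions.
SEVEN_VARIABLES = ("confidentiality", "availability", "integrity",
                   "non_repudiation", "user_authentication",
                   "data_origin", "access_control")
THREAT_CATEGORIES = ("material", "immaterial")  # the paper's two categories


def parse_likelihood(text: str) -> float:
    """Accept the paper's two notations, '10%' or '1 in 10', as a probability."""
    s = text.strip().lower()
    if s.endswith("%"):
        p = float(s[:-1]) / 100.0
    elif " in " in s:
        num, den = s.split(" in ")
        p = float(Fraction(int(num), int(den)))
    else:
        p = float(s)
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"likelihood out of range: {text!r}")
    return p


def saturated_impact(ratings: dict, cap: float = 10.0) -> float:
    """Sum per-variable ratings (assumed 0-5 each) but cap the total: past a
    point further damage adds nothing (the 'building already lost' caveat)."""
    unknown = set(ratings) - set(SEVEN_VARIABLES)
    if unknown:
        raise ValueError(f"unknown impact variable(s): {sorted(unknown)}")
    return min(cap, float(sum(ratings.values())))


def mitigation_factor(measures: int, optimum: int = 5) -> float:
    """Divisor for risk: grows with the number of measures up to `optimum`,
    then shrinks again to model complexity starting to increase risk."""
    if measures <= optimum:
        return 1.0 + measures
    return max(1.0, 1.0 + optimum - (measures - optimum))


@dataclass
class Threat:
    name: str
    category: str           # "material" or "immaterial"
    likelihood: str         # e.g. "2%" or "1 in 10"
    impact: dict            # ratings keyed by SEVEN_VARIABLES
    mitigation_measures: int = 0

    def risk(self) -> float:
        """The threat factor is the entry's presence in the register (1)."""
        if self.category not in THREAT_CATEGORIES:
            raise ValueError(f"unknown category: {self.category!r}")
        return round(parse_likelihood(self.likelihood)
                     * saturated_impact(self.impact)
                     / mitigation_factor(self.mitigation_measures), 3)


def rank_register(threats) -> list:
    """Return (name, risk) pairs, highest risk first."""
    return sorted(((t.name, t.risk()) for t in threats),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample register; ratings and counts are made up for illustration.
SAMPLE_REGISTER = [
    Threat("fire", "material", "2%",
           {"availability": 5, "integrity": 4, "confidentiality": 2}, 3),
    Threat("error", "immaterial", "1 in 10", {"integrity": 3, "availability": 1}),
    Threat("hackers", "immaterial", "25%",
           {"confidentiality": 4, "access_control": 3}, 8),
]
```

Calling rank_register(SAMPLE_REGISTER) ranks "hackers" first despite its eight measures, because the divisor has already started shrinking past the assumed optimum of five.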

Organisational maturity

One of the first things an organization needs to do in dealing with risk is to determine its level of organizational maturity in regards to risk. The concept is that organizational change is a complex thing; a natural resistance to change and other organizational factors make it necessary for change to be done at a rate that is consistent with the organization's level of maturity.

We suggest using the model proposed by the SSE-CMM standard (ISO/IEC 21827). This model is based on the Capability Maturity Model that is widely known in the information technology field. In this model the level of risk maturity increases with the integration of risk management in the organization. As well, the level of maturity increases with the level of organizational understanding of the different aspects and elements of risk that affect the organization. While the level of complexity increases with the level of maturity, the organization acquires the ability to deal with it more efficiently. To move from one level of maturity to a superior one requires an investment in resources: time, money and people. It also requires other elements such as those mentioned in this article.

One of the key elements in risk management in organizations has to do with the management of change. Properly assessing where the organization finds itself at any given moment in time in regards to its risk maturity will allow an organization, and particularly its risk managers, to put in place an action plan for the establishment of a risk management framework that will respect the organization's ability to change, its requirements as well as its culture. We have found in our practice that moving too quickly to implement a risk management framework will most likely result in failure.

Developing a risk culture

Organizations who think about risk as an integral part of their business decision processes are most likely to manage risk appropriately in the short, medium or long term. Successful organizations have developed sensibilities to risk at every level. By making risk a shared responsibility of all the members of an organization, they have developed what we call a risk culture. In our view this should be an important goal of any organization who wishes to implement a formal risk management framework.

Developing a risk culture involves ensuring that all members of the organization have an understanding of the existing and potential risks that their organization faces in its day-to-day activities. These individuals then tend to include risk management thoughts as a part of what they do. Risk will then be considered in all aspects of the activities of the organization, in areas where risk management has always been present in some form, such as financial activities, but also in areas such as logistics, application development, sales and all other business units within a small or large organization.

The first step towards this should probably be the nomination, or identification, of a risk champion. The risk champion should be a senior and influential individual within the organization who has a clear mandate from the highest levels of the organization. This individual should have at their disposal sufficient resources, such as time, staff, budgets and technology, at a level that is deemed appropriate considering the particular constraints of a given organization. Their job responsibilities should be made to include those required to appropriately manage known risks to the organization as well as provide enough flexibility so that the risk champion may be able to respond to risk in all areas of the organization. The risk champion can act as a single point of contact within the organization and between the organization and the outside world.

Communicating risk

A key to the implementation of a risk culture in any organization is communication. Communicating information about risk to all members of the organization, at all levels, is a critical success factor for the implementation of a risk management framework. From the inception of the project through its implementation, as well as throughout the continuous improvement process such as we propose here, ensuring that all stakeholders understand how they are affected by risk management activities is the best way to manage the natural resistance to change that is often the cause of failure of these types of projects.

While there is no single best way to communicate this information, we have found that there are certain approaches that seem to be present in successful projects. Certainly visible management involvement and ownership of the project at the highest levels in the organization is critical. This high-level ownership must be publicized throughout the organization. We also find that the creation of a communication plan, which should include direct communications using e-mail or a newsletter, is a good way to go. Throughout the project, and on an ongoing basis after the initial implementation, the organization needs to receive positive reinforcement about the usefulness of the risk management framework and of its risk management activities in order to maintain the perception throughout the organization that it is necessary to allocate time, money and other resources to these activities.

  info@leger.ca
©MarcAndreLéger, 05.20.2008 10:33:13 -0400