Aligning IT Teams' Risk Management to Business Requirements


Corey Hirsch (LeCroy Corporation, USA) and Jean-Noel Ezingeard (Kingston University, UK)
DOI: 10.4018/978-1-60566-036-3.ch017


Achieving alignment of risk perception, assessment, and tolerance among and between management teams within an organisation is an important foundation upon which an effective enterprise information security management strategy can be built. We argue the importance of such alignment based on the information security and risk assessment literature. Too often a lack of alignment dampens clean execution of strategy, eroding support during the development and implementation of information security programs. We argue that alignment can be achieved by developing an understanding of enterprise risk management plans and actions, risk perceptions and risk culture. This is done by examining content, context and process. We illustrate this through the case of LeCroy Corp., showing how LeCroy managers perceive risk in practice, and how LeCroy fosters alignment in risk perception and execution of risk management strategy as part of an overall information security program. We show that in some circumstances diversity of risk tolerance profiles aids a management team's function. In other circumstances, variances lead to dysfunction. We have uncovered and quantified nonlinearities and special cases in LeCroy executive management's risk tolerance profiles.
Chapter Preview


A good understanding of both intolerance and tolerance to risk is at the core of any successful information security policy, usually developed in three stages. The first stage typically entails risk identification and assessment. This is usually followed by stages looking at how risks can be monitored and controlled, with a third and final stage concerned with risk avoidance and mitigation. For instance, COBIT 4.0 (ITGI, 2005) proposes that the “assess and manage IT risks” high level control objective should be met through a series of 10 activities culminating in the maintenance and monitoring of a risk action plan. Similarly, in ISO 17799:2005 (ISO, 2005a), the first section describing best practice is one on “risk assessment and treatment.”

Sources of information security risk are usually documented in taxonomies of risks. These tend to list broad categories of risk sources (Backhouse & Dhillon, 1996) that can be used to check that all sources of potential risk have been surveyed. For instance, Loch, Carr, and Warkentin (1992) classify sources of information security risk as internal versus external, human versus non-human, and accidental versus intentional. Similar classifications exist in the ISO 27001 control objectives (ISO, 2005b) and in most texts relating to information security (see for instance, Whitman & Mattord, 2003).
