Managing Enterprise IT Risks through Automated Security Metrics

Introduction

Information Technology (IT) risk is ambiguous and modern enterprise environments are no exception. Historically, the field of IT risk management has been dominated by theoretical discussions, practical misfits and indecipherable algorithms all of them adding to complexity and little in essence. Recent corporate failures, such as the collapse of Lehman Brothers which caused severe consequences including economic turndown and an extended systemic risk in every sector or industry, reveal the failure to identify and manage risk at an enterprise level.

Fact is that enterprise ΙΤ risk management has evolved but to what extent? Evolution reveals that first attempts on managing risks on enterprises started as isolated and stand-alone process before becoming fully integrated with the business processes. Figure 1 demonstrates the evolution of risk management.

Figure 1.

Evolution of IT risk management

First, there was the philosophy that risk should be avoided at all costs. This notion was supported by the fact that the majority of enterprises transferred business and IT risk to third party insurance companies. This notion became quickly outdated since business community started to realize that managing ΙΤ enterprise risk is not an individual responsibility and transferring risk is not a viable option. Therefore, enterprises started to align IT risk management as part of business activities with sight of managing risk rather than avoiding it. This brought up the need for IT security awareness programs and training as well as involvement of all business units. However, there were missing parts, such as governance and compliance issues. Towards this perspective, the term Enterprise Risk Management (ERM) emerged to address the limitations of previous notions, such as static risk management procedures and the need to include governance and compliance issues into a unified approach (Hampton, 2015).

Developing effective risk management strategies requires the collection of data from various stakeholders from the enterprise’s environment. In turn, stakeholders started to communicate an enterprise IT risk management philosophy as means to nurture a risk-oriented culture capable to add value to the enterprise and become a proactive solution to IT risks. Towards this perspective, stakeholders should develop a high level of competence reflecting the skills and know-how to perform assigned tasks (Hoyt & Liebenberg, 2011).

Delegation is vital for a more organized and decentralized decision-making however, at the same time, this may increase the number of undesired events and affect the internal environment if individuals are not accountable for their actions. In this regard, segregation of duties (SoD) is considered a key component to maintain a strong internal control environment because it delegates responsibility to those individuals capable to accomplish a task and avoid a fraudulent activity (Taylor, 2014).

As a result, Enterprise IT risk management principal aim is to focus on enterprise objectives, resources optimization and manage IT-related risks. Following the evolution of IT risk management in an enterprise environment, the main objectives of this chapter are as follows:

• 1.

  Decompose enterprise IT risk into areas of attention.

• 2.

  Describe enterprise IT risk management essentials.

• 3.

  Review and compare IT risk management approaches tailored to suit modern enterprise environments.

• 4.

  Present and classify automated security specifications, in terms of Security Content Automation Protocol (SCAP) and similar, as means to manage the security content of enterprise information systems.

• 5.

  Develop a state of the art research review on reputed vulnerability scoring methods as means to aid in vulnerability management for enterprise information systems.