Risk analysis is required in all companies to help the business owners or top managers make decisions about risk management strategy, which itself provides an organization with a roadmap for information and information infrastructure protection aligned to business goals and the organization's risk profile. This chapter identifies information assets including network, electricity, hardware, service, software, and human resources in the ICT department of a health insurance company and their relevant risks. To determine the risks, the level of confidentiality, level of integrity, level of availability, the likelihood of threat occurrence, and intensity of vulnerability have been assessed and rated. Assessment is done based on the opinions of 30 experts in the field of information security. According to the results, the highest information security risk is on the network.
TopResearch Literature
Risk management is recognized as a complex activity which has many different aspects or features and involves in the entire organization. All levels of the organization from senior managers who define a strategic vision and main objectives to mid-level managers who plan, execute, and manage projects, and finally to workforces in operational level who operate with information technologies should participate in risk management (NIST, 2011). In risk identification, the degree of an organization’s involvement in a critical situation is to be considered. This requires a deep understanding of the organization, the organization target market, the legal, socio-political and cultural context of that organization as well as the strategic and operational goals of the organization, such as the factors affecting success or failure in meeting these goals. Risk identification should be implemented in a systematic manner so that it would be possible to ensure that all important activities within the organization are recognized and all the possible risks are defined. It is also necessary to identify and categorize all possible irregularities and instabilities of this activity.
According to Ikenwe et al. (2016), since information is a common thread in all areas of human effort and expertise, there is no need to emphasize its importance. They also believe that there are differences between developed and developing countries in terms of the level of awareness, access, and use of information and hence, information can be considered as a source of “power”.
Coertz and Solms (2012) refer several instructions, presented to help implement information security governance, in the form of best practices, guidelines, and standards. Nevertheless, they stated that there is often a lack of knowledge to interpret and use these instructions in the business and government agencies of developing countries due to the lack of resources. With the growing dependence of businesses and government agencies on information technology to integrate electronic services into their day-to-day operations, this concern is becoming more important. According to them, failure to take security risks related to such electronic services into account may lead to a catastrophe for both these sectors and the economy of the country where they operate. Hence, developing countries face an unexpected tsunami of information insecurity that in case of negligence, can lead to the collapse of business and, ultimately, of the economy as a whole.