Risk Management: Is It Needed?

DOI: 10.4018/978-1-6684-7766-3.ch002
Abstract

This chapter is intended as an informal reference guide for information security personnel involved in making risk management decisions for computing systems and for those personnel who support those risk management decisions through design, analysis, policy development, or implementation. The scope of the chapter is introductory information on basic risk and risk management concepts as they apply to information systems (i.e., the combination of hardware, software, operating systems, personnel, policy, physical location and the supporting operations, maintenance, and logistics that provide the information services necessary to support operational missions). It is not a comprehensive treatment of the subject; however, information and cyber security professionals will hopefully find it a useful common reference in supporting the remaining chapters in this book and when asked to participate in critical risk management decisions.

Chapter Preview

Introduction

Within computing environments, risk management has become a widely used phrase to describe how we determine a suitable level of investment in security (Hopkin, 2018). Often risk management has been characterized as the antithesis of risk avoidance, the investment of whatever resources are necessary to eliminate any risk. Risk avoidance is really just one style of risk management. Total risk acceptance can be viewed as the opposite style of risk management to risk avoidance. Both deal with strategies for managing the various elements of risk to fit within an acceptable range along a continuous spectrum of risk. Likewise, both provide an approach for dealing with the fundamental risk management decision: “How best do I invest my constrained, available resources among a variety of alternative options to best accomplish my assigned mission in a potentially hostile environment?”

Sometimes this investment decision is portrayed as a contest between investment in functionality and investment in security (Boranbayev et al., 2022). Functionality and security are treated as if they were independent of one another and measured against different requirements (Boranbayev et al., 2022). This is a poor portrayal of the risk management decision, since most computing systems are required to be operational in varying degrees of a hostile environment. Within a hostile environment, it is often the investment in security measures that allows there to be any functionality at all. A better portrayal of the risk management question would be the determination of the proper balance of the costs and benefits derived from any system feature (functional or security) to the success of the mission in the operational environment. How much functionality or how much security is in a system is NOT the ultimate measure. Operational mission success is the fundamental yardstick of any risk management decision.

Because of its widespread application within various industries, this chapter provides a basic reference guide to fundamental concepts of risk management. This chapter will introduce the concepts of:

  • What is Risk and Risk Management?

  • The Cyclical Risk Management Process

  • Risk Analysis

  • Types of Risk Analysis

  • Risk Acceptance Strategies

  • The Risk Management Infrastructure

  • Roles and Responsibilities – The Risk Team

Is Risk Management Needed?

To understand the purpose and role of Risk Management, we must first understand the notion of risk. Sometimes risk is referred to as the harm that can occur as the result of different actions. At other times we use that term to mean the likelihood of a harmful event happening. Risk is sometimes used to mean the characteristics of a system that are being exploited or even used to mean the source of a hostile action. At times we even try to define risk in terms of a specific mathematical function. Risk and risk management are many things to many people. In practice, we do not have a common understanding of risk nor a common approach to risk management.

So, what is Risk? At its most fundamental level:

Risk is the combined notion of the Harm caused by specific events and the Likelihood that the Harm will happen.

And what is Risk Management?

Risk management is the analysis of alternative courses of action and the selection and implementation of that course of action, which in a potentially hostile environment best supports an organization’s operational objectives.

And what are Risk Management Decisions?

Risk management decisions determine the proper balance between the costs and benefits of functionality and security from among the available alternatives, selecting the alternative that best satisfies the operational objectives in the face of a potentially hostile environment.
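The three definitions above can be made concrete as a small decision procedure. The following is an added illustration, not code from the chapter: it combines Harm and Likelihood as expected annual loss, then compares alternative courses of action (sets of controls) under a resource constraint and picks the one that minimizes spend plus residual risk. Threat values, control costs and likelihood reductions are constructed sample figures.

```python
from dataclasses import dataclass, field
from itertools import combinations

@dataclass(frozen=True)
class Threat:
    name: str
    harm: float        # cost of the harmful event if it occurs (currency units)
    likelihood: float  # probability of the event per year, 0..1

@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    # threat name -> fraction of that threat's likelihood the control removes
    reduction: dict = field(default_factory=dict)

def baseline_risk(threats):
    """Risk with no controls: the chapter's Harm x Likelihood, summed over threats."""
    return sum(t.harm * t.likelihood for t in threats)

def residual_risk(threats, controls):
    """Expected loss after the chosen controls have reduced likelihoods."""
    total = 0.0
    for t in threats:
        factor = 1.0
        for c in controls:  # independent reductions compound multiplicatively
            factor *= 1.0 - c.reduction.get(t.name, 0.0)
        total += t.harm * t.likelihood * factor
    return total

def select_course_of_action(threats, controls, budget):
    """Enumerate every affordable set of controls (including doing nothing,
    i.e. total risk acceptance) and return the one with the lowest
    spend + residual risk. Small control lists only: 2^n subsets."""
    best = None
    for k in range(len(controls) + 1):
        for subset in combinations(controls, k):
            spend = sum(c.cost for c in subset)
            if spend > budget:
                continue  # outside the constrained resources
            resid = residual_risk(threats, subset)
            if best is None or spend + resid < best["total_cost"]:
                best = {"controls": tuple(c.name for c in subset), "spend": spend,
                        "residual_risk": resid, "total_cost": spend + resid}
    return best

# Constructed sample data (not from the chapter)
THREATS = [Threat("ransomware", 400_000, 0.20), Threat("insider data leak", 250_000, 0.10),
           Threat("DDoS outage", 50_000, 0.50)]
CONTROLS = [Control("offline backups", 20_000, {"ransomware": 0.75}),
            Control("EDR", 40_000, {"ransomware": 0.50, "insider data leak": 0.30}),
            Control("DLP", 30_000, {"insider data leak": 0.60}),
            Control("DDoS scrubbing", 15_000, {"DDoS outage": 0.80})]
BUDGET = 60_000

if __name__ == "__main__":
    print("baseline risk:", baseline_risk(THREATS))
    print("chosen course of action:", select_course_of_action(THREATS, CONTROLS, BUDGET))
```

With these figures the chosen course of action spends 35,000 of the 60,000 budget: spending the remainder on EDR or DLP would lower residual risk by less than it costs, which is the cost/benefit balance the definition above describes.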

These basic concepts become more and more complex as we try to provide more rigorous definitions of what is meant by HARM and LIKELIHOOD and of how those notions are COMBINED to form the notion of RISK. However, to establish a common approach to addressing risk, we need to develop a common: