
Management Toolkit

Assessing the risk factor

Deb Shinder

Published: 30 Nov 2005 16:25 GMT


Risk management is a popular buzzword in today's business world, but many IT administrators have only a vague idea of what it means and how it fits into their job descriptions. Risk management is a fairly simple concept; it refers to the process of making decisions based on an evaluation of the factors that present a threat to the business. In IT, that means assessing your network's vulnerabilities and threat exposure, and taking the steps necessary to mitigate them.

There are several different components to risk management. These include a risk management framework, which describes areas of responsibility and the stream of accountability within the organisation or department; risk analysis, a process of identifying vulnerabilities and calculating financial and loss expectancy metrics; and a risk management plan, which lays out the way specific tools will be used to reduce the risks to an acceptable level.

If all this sounds like a bunch of MBA mumbo-jumbo to you, you're not alone.

Risk management in plain English
The steps involved in performing a risk analysis can be broken down into a few categories:

  • Identifying the risks (in this case, the risks to your organisation that are presented by your network)
  • Determining the potential impact of the threats
  • Weighing the cost of safeguards against the impact of the threats
  • Deciding how to address risks effectively and cost-efficiently
  • Implementing risk controls
  • Assessing effectiveness

A risk can be to the company's assets — a risk that can result in financial loss, such as the exposure of the company's trade secrets to a competitor or violation of regulatory statutes such as HIPAA or the GLB Act, which would result in fines and possibly other penalties. Some risks are to the company's mission — risks that interfere with employees' performance of their jobs, such as a denial of service attack that brings down the network. Of course, these categories can overlap; a single vulnerability may threaten both assets and mission.

The impact refers to the severity of the threat and the probability of a loss resulting from it. Probability × severity = risk exposure.

The next step is to determine the cost/benefit ratio of the various measures you can take to reduce or eliminate the risk, and to make decisions based on that information. Risk management formulae can...
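As an added worked example (not part of the article), the steps above in code: each risk's exposure from the article's probability × severity formula, then each candidate safeguard weighed by its cost against the exposure it removes, keeping only those that cost less than the loss they prevent. The risks, probabilities, loss amounts and safeguard costs are constructed figures for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # chance the threat is realised over the period (0..1)
    severity: float     # loss if it is realised, in currency units

    def exposure(self) -> float:
        """The article's formula: probability x severity = risk exposure."""
        return self.probability * self.severity


@dataclass(frozen=True)
class Safeguard:
    name: str
    risk_name: str      # the Risk this control addresses
    cost: float         # cost of the safeguard over the same period
    reduction: float    # fraction of that risk's exposure it removes (0..1)


def benefit(safeguard: Safeguard, risks: dict[str, Risk]) -> float:
    """Expected loss avoided: the share of the exposure the safeguard removes."""
    return risks[safeguard.risk_name].exposure() * safeguard.reduction


def cost_benefit_ratio(safeguard: Safeguard, risks: dict[str, Risk]) -> float:
    """Cost per unit of loss avoided; below 1.0 the safeguard pays for itself."""
    avoided = benefit(safeguard, risks)
    return float("inf") if avoided == 0 else safeguard.cost / avoided


def choose_safeguards(risks: dict[str, Risk], candidates: list[Safeguard]) -> list[str]:
    """Keep safeguards that cost less than the loss they prevent, best net benefit first."""
    worthwhile = [s for s in candidates if cost_benefit_ratio(s, risks) < 1.0]
    worthwhile.sort(key=lambda s: benefit(s, risks) - s.cost, reverse=True)
    return [s.name for s in worthwhile]


# Constructed sample figures for the risk types the article names (assets and mission);
# the probabilities, losses and costs are illustrative, not taken from the article.
RISKS = {r.name: r for r in [
    Risk("trade secret exposure", probability=0.05, severity=2_000_000),
    Risk("denial of service outage", probability=0.60, severity=50_000),
    Risk("regulatory violation fine", probability=0.10, severity=250_000),
]}
CANDIDATES = [
    Safeguard("access controls on trade secrets", "trade secret exposure", cost=40_000, reduction=0.7),
    Safeguard("DDoS mitigation service", "denial of service outage", cost=35_000, reduction=0.9),
    Safeguard("compliance audit", "regulatory violation fine", cost=10_000, reduction=0.5),
]

if __name__ == "__main__":
    print("adopt:", choose_safeguards(RISKS, CANDIDATES))
```

With these figures the DDoS service is rejected: it removes 90% of a 30,000 exposure (27,000) but costs 35,000, so its cost/benefit ratio is above 1.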
