
Risk analysis rationalises security spending

By Admire Moyo, ITWeb's news editor.
Johannesburg, 21 Oct 2014
The biggest challenge concerning risk analysis is staying current with the state of threats, The Open Group says.

In today's Internet-connected world, organisations that process and store sensitive information are a target. It doesn't matter whether an organisation deals with customer data, credit card data, intellectual property or other sensitive data, the information needs protection.

So says Jim Hietala, VP for security at IT standards industry body The Open Group, who notes organisations need to start information security efforts with effective analysis of the risks they face, and ideally take a quantitative approach to measuring risk rather than the less useful qualitative methods of risk analysis.

According to Hietala, the biggest challenge concerning risk analysis is staying current with the state of threats. "By this, I mean the threats and potential risks facing organisations are evolving pretty rapidly, while most organisations conduct risk analyses on a periodic basis."

He also notes risk analysis presents opportunities. "The biggest opportunity is to use risk analysis to truly rationalise security spending. We see many organisations spending on IT security projects in ways disconnected from where there is real risk in their organisation, so aligning risk analysis and security spending is a big area of opportunity."

Hietala believes without effective analysis and measurement of risk, it is easy for security organisations to overspend on security controls for assets that don't matter, and to underspend on protecting ones that do.

He argues qualitative risk analysis often produces pretty subjective findings, with loose measures of risk (what is high, medium, or low risk?).

On the other hand, he says, quantitative risk analysis moves risk findings to more business-like statements of likelihood and impact. Organisations that embrace quantitative risk analysis methods end up with risk findings or statements that are easier for business leaders to embrace and act upon. "For example: 'There's a 70% likelihood of a successful attack in the next 12 months, and the impact of such an attack is $500 000 in direct and indirect costs'," he explains.
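The two points above, that quantitative findings read as "likelihood × impact" statements and that such findings can be used to rationalise security spending, can be shown in working code. The following is an added example, not code from the article or from The Open Group, and it does not implement the Open FAIR standard itself. It takes the article's own 70% / $500 000 figure as one scenario, adds a second, constructed, low-value scenario, and ranks hypothetical controls (names, costs and likelihood reductions are all assumptions) by the expected loss they remove relative to what they cost, which is exactly the comparison that exposes overspending on assets that don't matter.

```python
# Added example (not from the article or The Open Group): a small quantitative
# risk model in the article's "likelihood x impact" style, used to rank
# candidate security controls by expected-loss reduction versus annual cost.
# All control names, costs and reduction factors are constructed assumptions;
# the 70% / $500 000 scenario is the article's own example figure.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss scenario: probability of a successful attack in the next
    12 months and the direct plus indirect cost if it happens."""
    name: str
    likelihood: float  # 0.0 .. 1.0
    impact: float      # monetary loss per successful attack


@dataclass(frozen=True)
class Control:
    """A candidate control: what it costs per year and what fraction of the
    scenario's likelihood it removes (hypothetical values)."""
    name: str
    scenario: str
    annual_cost: float
    likelihood_reduction: float  # 0.0 .. 1.0


def expected_loss(s: Scenario) -> float:
    """Annualised expected loss = likelihood * impact."""
    return s.likelihood * s.impact


def residual_expected_loss(s: Scenario, c: Control) -> float:
    """Expected loss for scenario s after applying control c."""
    if c.scenario != s.name:
        return expected_loss(s)  # control does not touch this scenario
    residual_likelihood = s.likelihood * (1.0 - c.likelihood_reduction)
    return residual_likelihood * s.impact


def rank_controls(scenarios, controls):
    """Return (control name, loss reduction, net benefit) rows sorted by
    net benefit (reduction minus annual cost), highest first."""
    by_name = {s.name: s for s in scenarios}
    rows = []
    for c in controls:
        s = by_name[c.scenario]
        reduction = expected_loss(s) - residual_expected_loss(s, c)
        rows.append((c.name, reduction, reduction - c.annual_cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample input. The first scenario uses the article's figures;
# the second is a deliberately low-value asset.
SCENARIOS = [
    Scenario("customer-db breach", likelihood=0.7, impact=500_000.0),
    Scenario("legacy-kiosk defacement", likelihood=0.9, impact=5_000.0),
]

# Hypothetical controls and costs (assumptions, not from the article).
CONTROLS = [
    Control("mfa-admin", "customer-db breach", 40_000.0, 0.5),
    Control("db-encryption", "customer-db breach", 60_000.0, 0.3),
    Control("kiosk-hardening", "legacy-kiosk defacement", 20_000.0, 0.9),
]


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:28s} expected loss/yr: ${expected_loss(s):,.0f}")
    print()
    for name, reduction, net in rank_controls(SCENARIOS, CONTROLS):
        print(f"{name:18s} removes ${reduction:,.0f}/yr, net ${net:,.0f}/yr")
```

Running it ranks the admin MFA control first and shows the kiosk hardening control with a negative net benefit: it would cost more per year than the entire expected loss it addresses, which is the "overspend on assets that don't matter" pattern the article describes. Replacing the point estimates with distributions and sampling them is the natural next step, but the ranking logic stays the same.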

Hietala points out that there are high-level risk management frameworks that are useful to follow as processes for managing risk, including ISO 31000, which deals with enterprise risk management, and ISO 27005, which is specific to IT security risk management.

"To ensure risk is effectively measured and analysed, the Open FAIR risk analysis standards are of great help, and can be used in concert with the ISO standards," he concludes.
