Running head: MANAGING INFORMATION SECURITY RISKS 1

Managing Information Security Risks: Understanding and Implementing Effective Security Metrics

(Name)
(Institutional Affiliation)

Abstract

This paper examines selected articles on the security metrics used in information risk management. It begins with a hypothetical case illustrating the damaging consequences of the complete absence of an information security system for business operations and for a company's standing in its industry. An overview of information security risk management in general is presented first, followed by a discussion of the varying approaches companies take when implementing their own security systems. The articles examine the use of security metrics in analysing existing and potential vulnerabilities in the information management system of a business organisation, define security metrics further, and identify the characteristics and features of metrics that best serve the business interests of a corporate entity. Also evaluated are some of the leading reasons for the initial reluctance of most companies to implement security metrics fully and to treat them as components of business operations of equal importance. Toward the end of the paper, an analytical discussion is made of the investment aspect of security metrics, and of information security in general, with a view to making recommendations for value managers.

Managing Information Security Risks: Understanding and Implementing Effective Security Metrics

The increasing complexity of business operations demands an enhanced approach to information management. Concomitant with the need to manage information efficiently is the need to address potential risks to the security of the information database.
The growing reliance of many business operations on information technology calls for definitive and efficient information security risk management to arrest threats and prevent losses. Take the following sample case highlighting the need for an effective security risk tool:

A former network administrator at a manufacturing plant thought he had destroyed not only his former employer's manufacturing capabilities but also the evidence that would link him to the crime. The trusted, 11-year employee built and maintained the network at the company. When he fell from corporate grace and knew he was to be fired for performance and behavioral problems, he built a software time bomb to destroy the system. Three weeks after the network administrator was fired, a plant worker started the day by logging on to the central file server. Instead of booting up, a message came on the screen saying an area of the operating system was being fixed. Then the server crashed, and in an instant, all of the plant's 1,000 tooling and manufacturing programs were gone….

…In the days that followed the crash, the company called in three different people to attempt data recovery. Five days after the crash, the plant manager started shifting workers around the department and shutting down machines that were running out of raw materials or creating excess inventory. He took steps to hire a fleet of programmers to start rebuilding some of the 1,000 lost programs. The company's chief financial officer testified that the software bomb destroyed all the programs and code generators that allowed the company to manufacture 25,000 different products and customize those basic products into as many as 500,000 different designs. The company lost its twin advantages of being able to modify products easily and produce them inexpensively. It lost more than $10 million, forfeited its position in the industry, and eventually had to lay off 80 employees.
(Alberts & Dorofee, 2002, pp. 4-5)

Overview of Information Security Risk Management

Managing information security risks involves far more than installing firewalls or backing up the essential programs used in the various components of a business operation. As Tipton and Krause put it, information security pertains to the "confidentiality, integrity, and availability of information" (2008, p. 16). Information security risk management enables a company to identify the specific areas of the business operation that depend on information technology and need protection, the sources of threats, the reasons for the security management system, and the extent and duration for which such a system is needed. Activities dependent on information technology continue to expand. Continuing technological innovation allows faster exchange of information, which correspondingly increases risks and security threats (Killmeyer & Tudor, 2006).

Security Risk Management Tool: Security Metrics

Review of Various Approaches

Different business organisations have variant approaches toward in