MANAGING INFORMATION SECURITY RISKS

 Running head: MANAGING INFORMATION SECURITY RISKS 1
Managing Information Security Risks:
Understanding and Implementing Effective Security Metrics
(Name)
(Institutional Affiliation)
Abstract
This paper examines selected articles on the security metrics used in information risk
management. It opens with an illustrative case showing the damaging consequences that the
complete absence of an information security programme has on business operations and on a
company's standing in its industry. It then gives an overview of information security risk
management in general, followed by a discussion of the varying approaches companies take when
implementing their own security programmes. The articles reviewed examine the use of security
metrics in analyzing existing and potential vulnerabilities in a business organisation's information
systems, define security metrics further, and identify the characteristics and features that best
serve the business interests of a corporate entity. Also evaluated are the leading reasons for the
initial reluctance of most companies to implement security metrics fully and to treat them as
components of the business that are as important as any other.
The paper closes with an analytical discussion of the investment aspect of security metrics and
of information security in general, with a view to making recommendations for value managers.
Managing Information Security Risks:
Understanding and Implementing Effective Security Metrics
The increasing complexity of business operations demands an enhanced approach to
information management. Concomitant with the need to manage information efficiently is the
need to address the risks to the security of the information itself. The growing reliance of many
businesses on information technology calls for a definitive and efficient information security risk
management programme that arrests threats before they turn into losses. Consider the following
case, which highlights the need for effective security risk management:
A former network administrator at a manufacturing plant thought he had
destroyed not only his former employer’s manufacturing capabilities but also the
evidence that would link him to the crime. The trusted, 11-year employee built
and maintained the network at the company. When he fell from corporate grace
and knew he was to be fired for performance and behavioral problems, he built a
software time bomb to destroy the system.
Three weeks after the network administrator was fired, a plant worker started the
day by logging on to central file server. Instead of booting up, a message came on
the screen saying an area of the operating system was being fixed. Then the
server crashed, and in an instant, all of the plant’s 1,000 tooling and manufacturing
programs were gone….
...In the days that followed the crash, the company called in three different people
to attempt data recovery. Five days after the crash, the plant manager started
shifting workers around the department and shutting down machines that were
running out of raw materials or creating excess inventory. He took steps to hire a
fleet of programmers to start rebuilding some of the 1,000 lost programs.
The company’s chief financial officer testified that the software bomb destroyed
all the programs and code generators that allowed the company to manufacture
25,000 different products and customize those basic products into as many as
500,000 different designs. The company lost its twin advantages of being able to
modify products easily and produce them inexpensively. It lost more than $10
million, forfeited its position in the industry, and eventually had to lay off 80
employees. (Alberts & Dorofee, 2002, pp. 4-5)
Overview of Information Security Risk Management
Managing information security risks involves far more than installing firewalls or backing up
the programs that the various components of a business operation depend on. As Tipton and
Krause put it, information security pertains to the “confidentiality, integrity, and availability of
information” (2008, p. 16). Information security risk management enables a company to identify
which parts of the business depend on information technology and need protection, where the
threats to them come from, why each security control is in place, and how extensive and how
long-lived those controls need to be. The case above makes the point: the threat was a trusted
insider who alone built and maintained the network, and what was lost were the plant's own
programs, which no perimeter control protects. Activities dependent on information technology
continue to expand, and continuing technological innovation allows faster exchange of
information, which in turn increases the risks and security threats that must be managed
(Killmeyer & Tudor, 2006).
Security Risk Management Tool: Security Metrics
Review of Various Approaches
Different business organisations have variant approaches toward in 