R. KELLY RAINER, JR., is Assistant Professor in the Department of Management at
Auburn University. His research interests include executive information systems,
end-user computing, and current technology underlying information systems. He has
published in the Journal of Management Information Systems and MIS Quarterly,
among other journals.
KEY WORDS AND PHRASES: computer security, MIS risk analysis, risk management.
demonstrate:
AT&T's nationwide network suffered the most widespread malfunction in its history
due to a software failure. [10]
Robert Morris, Jr. was convicted of breaking federal law when he introduced a
computer virus into Internet, affecting more than 6,000 computers. [23]
Transition to a new company-wide computer system introduced system errors that
caused reduced net income for the fourth quarter at Sun Microsystems Inc. [21]
American Airlines' Sabre reservation system crashed for 13 hours when data from an
application program wiped out vital information. [45]
Parker stated the importance of IT to an organization when he noted that the amount
of time that an organization can go without computer services, or the "mean time to
belly-up," was steadily decreasing [36].
While IT risk management is a relatively new field, it is a natural extension of
management's concern for the organization's overall risk posture. The objective of IT
risk management is to minimize the total expected cost of loss by selecting and
implementing an optimal combination of security measures [14, 20, 22, 34, 35]. In
spite of the growing importance of IT risk management, a majority of companies do
not have a tested, up-to-date risk management program [19, 27, 28, 30, 36, 50].
The purpose of this paper is to examine risk analysis methodologies. First, the risk
analysis process is placed in the context of the overall risk management process. The
various risk analysis methodologies are discussed. The article then proposes a risk
analysis process employing a combination of methodologies that practicing managers
can use in their organizations.
thereof) that address a particular risk are presented to management for an implementation
decision. The cost of the security measures will be weighed against their
effectiveness in reducing risk. Because 100 percent IT security is impossible, managers
must evaluate the choice of security measures. In general, any security measure or
combination of such measures must not cost more than it would cost to tolerate the
problem addressed by the measure(s) [33]. Figure 2 indicates the trade-offs between
increased costs and increased security measures. This figure also shows that there is
some optimal point between security and cost.
132 RAINER, SNYDER, AND CARR
After management has decided on appropriate security measures, the implementation
process is initiated and the security measures are installed. Next, a surveillance
and audit process is necessary; this should incorporate testing and evaluation of the
IT security system. Data are gathered so that the effectiveness of the security measures
in reducing risk may be determined. There are two basic strategies for surveillance
and audit of security systems [53]: (1) actively monitoring control systems as they are
challenged (e.g., control programs that monitor user logon procedures and keep a
record of logon failures); (2) challenging the security system under controlled,
simulated conditions (e.g., hiring outside personnel to attempt to infiltrate an
organization's security mechanisms).
RISK ANALYSIS FOR INFORMATION TECHNOLOGY 133
The risk management process is cyclical for two reasons. First, the changing
environment will generate new external threats for IT assets. Second, the security
surveillance and audit process will uncover new internal threats to IT assets. Therefore,
management must periodically reevaluate the organization's exposure to loss.
Figure 3. The Risk Analysis Process [figure: identification and analysis; vulnerability identification and analysis; risk analysis]
results are averaged. Each participant receives a list showing his or her individual
value in relation to the average values. Participants may now change their values or
provide a rationale(s) for not doing so. In subsequent rounds, participants receive the
new average value, the previous average ranking(s), and their previous individual
ranking(s). The process continues until consensus is reached or until consensus cannot
be reached because individuals refuse to change their rankings.
The Delphi technique is not the only approach that may be used to reach consensus.
Managers may meet to brainstorm and negotiate. Group decision support systems
would be valuable in these meetings for anonymous input and rapid attainment of
consensus. Although only Delphi techniques are noted in the remainder of the paper,
meetings (with or without GDSS) may be employed.
that would result from the realization of those threats. The vulnerability of each asset
to a threat is expressed as some probability of occurrence per year. Multiplying the
probability of occurrence per year by the expected loss yields the expected loss per
year from a particular threat/vulnerability pair. The summation of the expected losses
represents the total IT risk exposure. This figure represents what management may
reasonably spend for security and preventive measures.
Courtney
Courtney [37, 38] modified the standard ALE approach by adopting scales of magnitude.
In Courtney's method, dollar loss is expressed as a power of ten, and the
estimated frequency of occurrence is selected from a range of magnitudes. The
resulting estimates are used in a formula that yields a dollar estimate of the annualized
expected loss or exposure that an organization might reasonably expect.
Courtney Formula

Total IT exposure =

 v   dollar impact      p   frequency of occurrence
 0   0                  0
 1   10                 1   once in 300 years
 2   100                2   once in 30 years
 3   1,000              3   once in 3 years
 4   10,000             4   once in 100 days
 5   100,000            5   once in 10 days
 6   1,000,000          6   once per day
 7   10,000,000         7   10 times per day

                          Values of p
                 1     2     3     4     5     6     7
Values   1                             300    3K   30K
of v     2                       300    3K   30K  300K
         3                 300    3K   30K  300K    3M
         4           300    3K   30K  300K    3M   30M
         5     300    3K   30K  300K    3M   30M  300M
         6      3K   30K  300K    3M   30M  300M
         7     30K  300K    3M   30M  300M
risk elements. Risk elements are combinations of risk initiators, their propagation
paths (i.e., the means by which they can affect IT assets), possible resulting
consequences, and applicable controls (see Figure 4). LRAM differs from ALE,
however, in that it does not attempt to derive a total risk measure, but focuses
instead on the risk produced by individual risk elements involving the occurrence
of single event losses.
LRAM Formula
where R(RE_i) is the annualized measure of risk associated with the ith risk element;
MPL(C_i) is the maximum potential loss (MPL) that can be estimated to result from
unmitigated consequences (C_i) of a threat to an asset; PCF(PMC_i) is the probability
of a control failure (PCF) of a combined set of preventive and mitigative controls
(PMC_i); and EF(T_i) is the expected frequency of a threat expressed as an annual
probability.
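A worked example added here (not code from the paper, from Courtney, or from Guarro's LRAM) that applies both approaches to constructed inputs: ALE on Courtney's index scales, using the closed form ALE = 10^(p+v-3)/3 as published in FIPS PUB 65 (the page does not print the formula), and an LRAM risk element evaluated as the product MPL x PCF x EF, which is assumed from the term definitions above. The sample threat/vulnerability pairs and the risk element are constructed.

```python
"""ALE by Courtney's index scales, and an LRAM risk element (added example).

Assumed, because the page does not print either formula:
  * Courtney (FIPS PUB 65):  ALE = 10**(p + v - 3) / 3, with 10**v the dollar
    impact and p the frequency index (1 = once in 300 years ... 7 = 10 times/day).
  * LRAM per-element risk:   R(RE_i) = MPL(C_i) * PCF(PMC_i) * EF(T_i).
"""
import math
from dataclasses import dataclass


def courtney_ale(p: int, v: int) -> float:
    """Annualized loss expectancy in dollars for frequency index p, impact index v."""
    if not (1 <= p <= 7 and 1 <= v <= 7):
        raise ValueError("Courtney indices p and v run from 1 to 7")
    return 10 ** (p + v - 3) / 3


def courtney_label(ale: float) -> str:
    """Round to one significant figure and abbreviate as in the table (300, 3K, 30K, 3M)."""
    magnitude = 10 ** math.floor(math.log10(ale))
    rounded = round(ale / magnitude) * magnitude      # 33,333.3 -> 30,000
    if rounded >= 1_000_000:
        return f"{rounded / 1_000_000:g}M"
    if rounded >= 1_000:
        return f"{rounded / 1_000:g}K"
    return f"{rounded:g}"


def total_exposure(pairs) -> float:
    """Total IT exposure: the sum of ALE over every threat/vulnerability pair (p, v)."""
    return sum(courtney_ale(p, v) for p, v in pairs)


@dataclass
class RiskElement:
    """One LRAM risk element, reduced to the three quantities the formula needs."""
    name: str
    mpl: float   # MPL(C_i): maximum potential loss from unmitigated consequences, dollars
    pcf: float   # PCF(PMC_i): probability the combined preventive/mitigative controls fail
    ef: float    # EF(T_i): expected frequency of the threat, as an annual probability

    def annualized_risk(self) -> float:
        """R(RE_i) under the assumed product form; reported per element, never totalled."""
        if not (0.0 <= self.pcf <= 1.0 and 0.0 <= self.ef <= 1.0):
            raise ValueError("PCF and EF are probabilities")
        return self.mpl * self.pcf * self.ef


# Constructed sample input: three threat/vulnerability pairs on the Courtney scales.
SAMPLE_PAIRS = [
    (3, 5),  # once in 3 years, $100,000 impact -> 10**5 / 3, about $33,333 ("30K")
    (5, 3),  # once in 10 days, $1,000 impact   -> also about $33,333 ("30K")
    (6, 1),  # once per day, $10 impact         -> about $3,333 ("3K")
]

# Constructed LRAM element (hypothetical values).
SAMPLE_ELEMENT = RiskElement("power loss to computer room", mpl=500_000, pcf=0.2, ef=0.1)
```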
Stochastic Dominance
Stochastic Dominance [40] initially assumes that some disaster or risk has already
occurred. The effects of the disaster are then analyzed over time by examining all areas
of the organization that are susceptible to losses if IT assets are damaged or destroyed.
Stochastic dominance describes these loss functions mathematically and uses computer
simulation to analyze them.
The stochastic dominance methodology answers the specific question of what type
of contingency plan should be used if disaster strikes. Management does not have to
estimate the probability that disaster might strike and damage IT assets. Rather,
management estimates how long it will take to recover from a disaster, and how much
the business will suffer during that time period.
The stochastic dominance methodology defines three sequential stages in recovery
from a disaster. Stage I is the time period between the initial loss of processing
capability and the actual operation of the contingency system. Stage II begins when
the contingency system starts operating, and ends when processing capability is first
restored. Stage III is the time period necessary for full recovery of the information
system to normal operations.
This methodology uses natural language values to describe assets, threats, and security
mechanisms. Fuzzy metrics is statistically valid, but requires absolutely consistent
definitions and understanding of the linguistic variables. There is also much debate
about the best way to model the natural language expressions mathematically.
Fuzzy metrics utilizes fuzzy descriptors. For example, assets may have values of
large, medium, and small. Also, threats may have probabilities of occurrence of high,
medium, and low. The simplest way for all participants in the risk analysis process to
understand the descriptors is by labeling them. Participants may define "large" valued
assets to be those from $1 million to $2 million, "medium" from $100,000 to $1
million, and "small" less than $100,000. Further, participants may define "high"
probabilities of threats to be from 0.7 to 1.0, "medium" from 0.35 to 0.7, and "low"
less than 0.35.
The most elementary method for mathematically modeling these descriptors is
to use the mean of the range of each descriptor. In our example, the mean of
"large" valued assets is $1.5 million, that of "medium" assets is $550,000, and
that of "small" assets is $50,000. The mean of "high" probabilities is 0.85,
"medium" is 0.525, and "low" is 0.175. Therefore, the expected loss of a large
asset under high probability of a threat equals $1.5 million multiplied by 0.85, or
$1.275 million.
Another method that can be used to yield expected losses is to calculate the ranges
of such losses. For example, a large asset under high probability of a threat will yield
expected losses from $700,000 to $2 million:
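An added worked example (not from the paper) that encodes the descriptor ranges given above, computes both the mean-of-range expected loss and the range of expected losses, and checks that each descriptor scale is contiguous and non-overlapping, which is the consistency of definitions the text says fuzzy metrics requires. The asset names and the aggregation over several assets are constructed for illustration.

```python
"""Fuzzy-metric expected loss from labeled descriptor ranges (added example).

The ranges are the ones the text uses as its illustration; the asset list and
the aggregation across assets are constructed here.
"""

# Linguistic descriptors mapped to the numeric ranges the participants agreed on.
ASSET_VALUE = {"large": (1_000_000, 2_000_000), "medium": (100_000, 1_000_000), "small": (0, 100_000)}
THREAT_PROB = {"high": (0.7, 1.0), "medium": (0.35, 0.7), "low": (0.0, 0.35)}


def validate_scale(scale: dict) -> bool:
    """Descriptor ranges must tile their scale with no gaps and no overlaps; the
    method is only meaningful when every participant uses the same definitions."""
    ranges = sorted(scale.values())
    if any(lo > hi for lo, hi in ranges):
        return False
    return all(ranges[i][1] == ranges[i + 1][0] for i in range(len(ranges) - 1))


def midpoint(rng) -> float:
    return (rng[0] + rng[1]) / 2


def expected_loss_mean(asset: str, threat: str) -> float:
    """Mean-of-range method: midpoint of value range times midpoint of probability range."""
    return midpoint(ASSET_VALUE[asset]) * midpoint(THREAT_PROB[threat])


def expected_loss_range(asset: str, threat: str) -> tuple:
    """Range method: interval product. Both ranges are non-negative, so the product
    of the low ends is the minimum and the product of the high ends is the maximum."""
    lo_v, hi_v = ASSET_VALUE[asset]
    lo_p, hi_p = THREAT_PROB[threat]
    return (lo_v * lo_p, hi_v * hi_p)


def aggregate(assets) -> dict:
    """Total expected loss over (name, value descriptor, threat descriptor) triples,
    as a point estimate and as a range."""
    mean = sum(expected_loss_mean(v, t) for _, v, t in assets)
    lows = sum(expected_loss_range(v, t)[0] for _, v, t in assets)
    highs = sum(expected_loss_range(v, t)[1] for _, v, t in assets)
    return {"mean": mean, "range": (lows, highs)}


# Constructed sample asset list (hypothetical names and descriptors).
SAMPLE_ASSETS = [
    ("customer database", "large", "high"),
    ("mail server", "medium", "medium"),
    ("print spooler", "small", "low"),
]
```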
Qualitative methodologies are inexact. The variables used (i.e., low, medium, and
high) must be labeled and understood by all parties involved in the risk analysis,
including management. Management may consider qualitative methodologies suspect
because they do not provide "exact" dollar values and probabilities.
they should employ Delphi techniques to refine the completeness of the IT asset list
and the characterization of IT assets.
Conclusion
Figure 4. LRAM Risk Elements [figure: Threat 1 / Asset 1, Threat 2 / Asset 2, Threat 3 / Asset 3, etc.]
ONE HUNDRED PERCENT SECURITY IS IMPOSSIBLE. It simply costs too much and is too
inconvenient. Zalubski [52] states that at the root of the problem for the risk management
process is the overall lack of awareness, attention, concern, and commitment from
management. Further, Zimmerman [53] notes that, as a result of buying security, the
firm will not be any better, it will merely be less likely to be any worse. Security
personnel want management to invest corporate resources in system security measures
that will be unpopular with staff (because they bring new rules and restrictions), and
that will show no apparent return on investment. The most common situations that
management faces are those in which threats are believed possible, but no empirical
evidence is available. The best possible scenario for security personnel is a disaster
that happens to the organization next door, because such an occurrence will graphically
provide empirical evidence to management.
The proposed risk analysis process using a combination of methodologies seems to
be more effective than the use of any single methodology. A single risk analysis
methodology is not flexible enough to properly consider the wide variety of IT assets,
threats, and vulnerabilities, and still give management a reasonable estimate of the
organization's overall IT risk exposure. In addition, the proposed risk analysis process
includes management in every step, thereby ensuring management participation. By
using a combination of risk analysis methodologies, the firm can overcome these
problems.
In particular, it is important to note that the proposed risk analysis process does not
use quantitative methodologies until the last step (Step 8). The reason for this late
appearance is that a large amount of information must be determined before quantitative
methodologies can be used with even rudimentary accuracy. Qualitative
"brainstorming" methodologies are used to obtain this often imprecise information.
Too many organizations, if they have a formal risk analysis process at all, simply use
a single qualitative or quantitative methodology for the entire process. Such an
approach is too simplistic for a process that is based solely on informed estimates.
The risk analysis process proposed here can help with the difficulty of convincing
management to invest in security measures. Properly used, this process will provide
management with an idea of the importance and value of their IT assets, the threats to
those assets, and the probability that those threats will succeed in harming the assets.
This risk analysis process will provide management with a basis for logical and
prudent investment in a risk management program.
Table 4. The Risk Analysis Process and Applicablc Methodologies
1. Alavi, M., and Weiss, I.R. Managing the risks associated with end-user computing.
Journal of Management Information Systems 2, 3 (Winter 1985/86), 5-20.
2. Bacon, M. Assessing public network security. Telecommunications 23, 12 (December
1989), 19-20.
3. Banking World. The management of risk. October 1988, 34-36.
4. Beheshti, H.M., and Maison, M.R. Computer based management information
1954), 66-67.
6. Briere, D., and Walton, L.T. The best way to prevent a disaster: plan for one. Network
World 6, 47 (November 27, 1989), 1, 31, 34.
7. Business Week. How personal computers can trip up executives. September 24, 1984,
94-102.
8. Cash, J.I.; McFarlan, F.W.; and McKenney, J.L. Corporate Information Systems Management,
2d ed. Homewood, IL: Richard D. Irwin, 1988.
9. Cohen, F. Design and protection of an information network under a partial ordering: a
case study. Computers and Security 6 (1987), 332-338.
10. Communications Week. Hacker's doings are costly. January 29, 1990, 14.
11. Crockford, N. An Introduction to Risk Management. Cambridge, MA: Woodhead-
Faulkner, 1980.
12. Crouch, E.A.C., and Wilson, R. Risk/Benefit Analysis. Cambridge, MA: Ballinger,
1982.
13. Doherty, N.A. Corporate Risk Management. New York: McGraw-Hill, 1985.
14. Emmett, A. Managing risk. Network World, November 21, 1988, 37-38, 47.
15. Even-Tsur, D., and Shulman, D. Designing built-in system controls. Journal of Information
Systems Management (Winter 1989), 28-36.
16. Farthing, D. How risk management is driven by insurance. National Underwriter, November
2, 1987, 9, 14-15.
17. Farthing, D. Is risk management essential to corporate survival? Risk Management,
1988, 34-37.
18. Gerard, T. Evaluating a disaster recovery plan. Datacenter Manager 2, 1 (January/February
1990), 36-41.
19. Gonnella, G. Making expensive decisions. Information Center 4, 10 (October 1985),
32-35.
20. Gottfried, I.S. When disaster strikes. Journal of Information Systems Management
(Spring 1989), 86-89.
21. Greenstein, I. MIS snafu lost orders, could mean Sun loss. Management Information
Systems Week 10, 23 (June 5, 1989), 4.
22. Guarro, S.B. Principles and procedures of the LRAM approach to information systems
risk analysis and management. Computers and Security 6 (1987), 493-504.
23. Hammond, R. Improving productivity through risk management. In Umbaugh, R.F.,
ed., Handbook of MIS Management, 2d ed. Boston: Auerbach, 1988, 655-665.
24. Housel, T.J.; El Sawy, O.A.; and Donovan, P.F. Information systems for crisis management.
MIS Quarterly 10, 4 (December 1986), 389-402.
25. Keller, J.J. Software bug closes AT&T's network, cutting phone service for millions
in U.S. Wall Street Journal, January 16, 1990, A2.
26. King, J.L. Coping with the perils of expanding PC use. Journal of Information Systems
Management (Fall 1986), 66-70.
27. Abel, J. Risk analysis in the 1980's. American Federation of Information Processing
Societies Proceedings (National Computer Conference) 49 (May 19-22, 1980), 831-836.
28. Mansur, B.J. The night the lights went out in Georgia. Telecommunications 23, 12
(December 1989), 67-68.
29. McFarlan, F.W., and McKenney, J. IS technology organization issues. In McFarlan,
F.W., and McKenney, J., Corporate Information Systems Management. Homewood, IL:
Irwin, 1983, 27-48.
30. Meall, L. Survival of the finest. Accountancy (March 1989), 140-141.
31. Morrisey, J. New security risks seen for '90s. PC Week, December 11, 1989, 55.
32. Murray, W. How much is enough? Expert says security efforts should pay, not cost.
Computerworld, April 6, 1988, 30.
33. National Bureau of Standards. Guidelines for ADP risk analysis. Washington, DC:
U.S. Department of Commerce, FIPS Publication 87, March 1981.
34. Newton, J.D. Developing and implementing an EDP disaster contingency plan for a
small national bank. Unpublished master's thesis, Auburn University, 1987.
35. Newton, J.D., and Snyder, C.A. Risk analysis for computerized information systems.
Proceedings, Southern Management Association (1987), 306-308.
36. Parker, D.B. Computer Security Management. Reston, VA: Reston Publishing, 1981.
37. Perschke, G.A.; Karabin, S.J.; and Brock, T.L. Four steps to information security.
Journal of Accountancy (April 1986), 104-111.
38. Pickard, R. Computer crime. Information Center 5, 9 (September 1989), 18-27.
39. Porter, M.E., and Millar, V.E. How information gives you competitive advantage. Harvard
Business Review (July-August 1985), 149-160.
40. Post, G.V., and Diltz, J.D. A stochastic dominance approach to risk analysis of computer
systems. MIS Quarterly 10, 4 (December 1986), 363-375.
41. Pyburn, P.J. Managing personal computer use: the role of corporate management information
systems. Journal of Management Information Systems 3, 2 (Winter 1986-87), 49-70.
42. Radding, A. Plans for a safer system. Computer Decisions (April 6, 1987), 36-38.
43. Riemer, M.S. Fighting computer viruses through systems management. Information
Center 3, 9 (September 1989), 11-17.
44. Rivard, S., and Huff, S.L. An empirical study of users as application developers. Information
and Management 8, 2 (January 1985), 89-102.
45. Scheier, R.L. American Airlines still shoring up SABRE. PC Week, June 26, 1989.
46. Semilof, M. Network disaster planning. CommunicationsWeek, February 12, 1990,
33-35.
47. Sobol, M. DP alliance bolsters security. Computerworld, December 16, 1985, 59-60.
48. Stern, E. The lessons of San Francisco. Datacenter Manager 2, 1 (January/February
1990), 30-35.
49. Tate, P. Risk: the third factor. Datamation, April 15, 1988, 58-64.
50. Vitale, M.R. The growing risks of information systems success. MIS Quarterly 10, 4
(December 1986), 327-334.
51. Wood, C.C. The human immune system as an information systems security model.
Computers and Security 6 (1987), 511-516.
52. Zalubski, J. Threat of viruses must be taken seriously. Network World, July 31, 1989,
53. Zimmerman, J.S. Is your computer insecure? Datamation, May 15, 1985, 119-128.