Risk Analysis for IT_2


  • 8/12/2019 Risk Analysis for IT_2


Risk Analysis for Information Technology

REX KELLY RAINER, JR., CHARLES A. SNYDER, and HOUSTON H. CARR

REX KELLY RAINER, JR., is Assistant Professor in the Department of Management at Auburn University. His research interests include executive information systems, end-user computing, and current technology underlying information systems. He has published in the Journal of Management Information Systems and MIS Quarterly, among other journals.

CHARLES A. SNYDER is Professor and head of the Department of Management at Auburn University. His research interests include information resource management, end-user computing, and telecommunications management. He has published in the Journal of Management Information Systems, Information and Management, and the Academy of Management Review, as well as other journals.

HOUSTON H. CARR is Associate Professor of Management and Coordinator of MIS Programs at Auburn University. His research interests include end-user computing and telecommunications management. He has published in the Journal of Management Information Systems, MIS Quarterly, and Information and Management, among other journals. He is the author of Managing End User Computing.

ABSTRACT: As Information Technology (IT) has become increasingly important to the competitive position of firms, managers have grown more sensitive to their organization's overall IT risk management. Recent publicity concerning losses incurred by companies because of problems with their sophisticated information systems has focused attention on the importance of these systems to the organization. In an attempt to minimize or avoid such losses, managers are employing various qualitative and quantitative risk analysis methodologies. The risk analysis literature, however, suggests that these managers typically utilize a single methodology, not a combination of methodologies.
This paper proposes a risk analysis process that employs a combination of qualitative and quantitative methodologies. This process should provide managers with a better approximation of their organization's overall information technology risk posture. Practicing managers can use this proposed process as a guideline in formulating new risk analysis procedures and/or evaluating their current risk analysis procedures.

KEY WORDS AND PHRASES: computer security, MIS risk analysis, risk management.

INFORMATION TECHNOLOGY (IT) RESOURCES are becoming increasingly essential for the firm's daily operations and strategic objectives. Risk management for IT resources has therefore assumed greater importance. As companies become more dependent upon IT, the consequences of loss of IT assets can be critical, as the following examples

An earlier version of this paper was presented at the 14th Symposium on Operations Research, Ulm, Germany, September 1989.


130 RAINER, SNYDER, AND CARR

demonstrate:

AT&T's nationwide network suffered the most widespread malfunction in its history due to a software failure. [10]

Robert Morris, Jr. was convicted of breaking federal law when he introduced a computer virus into the Internet, affecting more than 6,000 computers. [25]

Transition to a new companywide computer system introduced system errors that caused reduced net income for the fourth quarter at Sun Microsystems Inc. [21]

American Airlines' Sabre reservation system crashed for 13 hours when data from an application program wiped out vital information. [45]

Parker stated the importance of IT to an organization when he noted that the amount of time that an organization can go without computer services, or the "mean time to belly-up," was steadily decreasing [36].

While IT risk management is a relatively new field, it is a natural extension of management's concern for the organization's overall risk posture. The objective of IT risk management is to minimize the total expected cost of loss by selecting and implementing an optimal combination of security measures [14, 20, 22, 34, 35]. In spite of the growing importance of IT risk management, a majority of companies do not have a tested, up-to-date risk management program [19, 27, 28, 30, 36, 50].

The purpose of this paper is to examine risk analysis methodologies. First, the risk analysis process is placed in the context of the overall risk management process. The various risk analysis methodologies are then discussed. The article then proposes a risk analysis process employing a combination of methodologies that practicing managers can use in their organizations.

The Risk Management Process

FOR EVERY ORGANIZATION THERE IS SOME COMBINATION of optimum loss prevention and reasonable cost. The purpose of risk management is to find that combination [16, 17]. Simply stated, risk management seeks to avoid or lessen loss. Loss implies injury to, denial of access to, or destruction of, assets. The opportunity for a threat to impact an asset adversely is called a vulnerability. Risk is present when an asset is vulnerable to a threat. Assets associated with IT include data, hardware, software, personnel, and facilities. Facilities consist of computer sites, the communications network plant, and associated subsystem installations [5, 36].

Many authors have discussed the varied threats to IT resources [4, 19, 31, 34, 35, 49]. Table 1 lists these threats and shows that they may originate from physical sources, unauthorized access, and authorized access. Further, threats may originate from internal and external sources. The threats arising from authorized access are the most difficult to find and assess.

The risk management life cycle (see Figure 1) begins with the risk analysis process, which analyzes IT assets, threats to those assets, and vulnerabilities of those assets. Risk analysis is discussed in the next section of this paper.


Table 1 Potential Threats to IT

1) Physical Threats
   Equipment failure [19, 20]
   Power interruption [19, 20]
   Contaminants in the air [19, 20]
   Weather [19, 20]
   Fire [19, 20]
   Humidity [19, 20]
   Destruction or damage to facility or equipment by humans [19, 20]
   Death or injury to key personnel [11, 13]
   Personnel turnover [11, 12]

2) Unauthorized physical or electronic access
   Microcomputer theft [10]
   Theft of data [20, 42]
   Disclosure, modification, and/or destruction of data [10, 52, 53]
   Hackers [10]
   Viruses, bombs, worms [52]
   EDI fraud [2, 6, 31]
   Phantom nodes on network [2, 6, 9, 31, 46]
   Voice mail fraud [2, 6, 31]
   Software piracy [1]

3) Authorized physical or electronic access
   I/S applications portfolio may be outdated or obsolete [8, 29]
   Increase in end-user computing [1, 19, 26, 41, 44]
      increased end-user access to corporate data
      proliferation of end-user-developed applications

thereof) that address a particular risk are presented to management for an implementation decision. The cost of the security measures will be weighed against their effectiveness in reducing risk. Because 100 percent IT security is impossible, managers must evaluate the choice of security measures. In general, any security measure or combination of such measures must not cost more than it would cost to tolerate the problem addressed by the measure(s) [33]. Figure 2 indicates the trade-offs between increased costs and increased security measures. This figure also shows that there is some optimal point between security and cost.

After management has decided on appropriate security measures, the implementation process is initiated and the security measures are installed. Next, a surveillance and audit process is necessary; this should incorporate testing and evaluation of the IT security system. Data are gathered so that the effectiveness of the security measures


Figure 1 The Risk Management Life Cycle (flowchart; box labels: Changes in Environment (New Threats); External Threats; Internal Threats; Risk Analysis Results; Vulnerabilities; Generate Security Measure Alternatives; Selected Alternatives; Security Measures Management Decision; Security Measure Implementation; Security Measures; Security Surveillance and Audit)

Figure 2 Trade-offs between Cost of Protection and Cost of Loss (graph; vertical axis "Cost increases", horizontal axis "Level of protection increases"; curves labeled "Cost of Protection" and "Expected", the expected cost of loss named in the caption)

challenged (e.g., control programs that monitor user logon procedures and keep a record of logon failures); (2) challenging the security system under controlled, simulated conditions (e.g., hiring outside personnel to attempt to infiltrate an organization's security mechanisms).

    The risk management process is cyclical for two reasons. First, the changing


surveillance and audit process will uncover new internal threats to IT assets. Therefore, management must periodically reevaluate the organization's exposure to loss.

The Risk Analysis Process

RISK ANALYSIS IS THE PROCESS MANAGERS USE to examine the threats facing their IT assets and the vulnerabilities of those assets to the risks (see Figure 3). Risk analysis consists of identifying IT assets, identifying threats to those assets, and determining the vulnerability of asset(s) to threat(s).

Risk analysis is the basis on which risk management decisions are made. However, risk analysis is also the point in the risk management process where the most difficulty arises. The fact that risk must often be expressed in perceptions makes any measure of risk highly subjective. The high degree of subjectivity associated with perception of risk means that management is often skeptical of risk analysis results, and is unwilling to make important decisions based on them.

There are many methodologies currently in use that attempt to measure the loss exposure of IT assets. These methodologies may be categorized as quantitative or qualitative.

Regardless of the methodology used, it should have certain desirable properties. First, it should be acceptable to management, the user community, and the information systems department. Second, even though no single risk analysis methodology can consider all risks, it should be as comprehensive as possible, and be able to handle new technologies. Third, it should be logically sound. Fourth, it should be practical, meaning that it should deliver optimum protection for the cost. Fifth, it should be open to continuing evaluation from all parties. Sixth, it should be conducive to learning, accompanied by clear documentation and records of deliberations.

Quantitative Risk Analysis Methodologies

Most quantitative methods are based on regarding loss exposure as a function of the vulnerability of an asset to a threat multiplied by the probability of the threat becoming a reality. These methods are called expected value analyses, and include annualized loss expectancy (ALE) [34, 37, 38, 40], Courtney [37, 38], the Livermore Risk Analysis Methodology (LRAM) [22], and Stochastic Dominance [40].

It is important that managers involved in the risk analysis process reach consensus regarding the value of IT assets and probability estimates. Delphi techniques may be used in conjunction with any of the four quantitative methodologies to elicit values of IT assets as well as probability estimates of threat occurrence.

The Delphi approach begins with an initial open solicitation step followed by multiple rounds of feedback, and may be used to identify issues and obtain consensus among participants. This technique is effective when participants are not in physical proximity, a situation typical with busy managers.


Figure 3 The Risk Analysis Process (flowchart; box labels: Asset Identification and Analysis; Threat Identification and Analysis; a third box whose label survives only as "... and Analysis"; Risk Analysis)

results are averaged. Each participant receives a list showing his or her individual value in relation to the average values. Participants may now change their values or provide a rationale(s) for not doing so. In subsequent rounds, participants receive the new average value, the previous average ranking(s), and their previous individual ranking(s). The process continues until consensus is reached or until consensus cannot be reached because individuals refuse to change their rankings.

The Delphi technique is not the only approach that may be used to reach consensus. Managers may meet to brainstorm and negotiate. Group decision support systems (GDSS) would be valuable in these meetings for anonymous input and rapid attainment of consensus. Although only Delphi techniques are noted in the remainder of the paper, meetings (with or without GDSS) may be employed.
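The Delphi rounds described above (average the estimates, feed the average back, let participants revise or hold with a rationale, stop on consensus or when nobody will move) can be written down as a small loop. The following Python is an added illustration, not a procedure from the paper: the participant behaviour (revise halfway toward the round average unless a rationale for holding was given), the 10 percent relative-spread rule for "consensus", and the sample estimates are all constructed for this example.

```python
"""Delphi rounds for reaching consensus on an IT asset value or threat probability.

Added illustration, not the paper's own procedure. Assumptions of this example:
participants who gave no rationale revise halfway toward the round average, those
who gave one hold their value, and consensus means (max - min) / average <= 10%.
"""
from statistics import mean
from typing import Dict, List, Set, Tuple

Estimates = Dict[str, float]


def spread(values: Estimates) -> float:
    """Relative disagreement in one round: (max - min) / average."""
    return (max(values.values()) - min(values.values())) / mean(values.values())


def delphi(initial: Estimates, holding: Set[str], tolerance: float = 0.10,
           max_rounds: int = 20) -> Tuple[str, float, List[Estimates]]:
    """Run feedback rounds until consensus, a stall, or the round limit.

    Each round every participant sees the average beside his or her own value.
    Participants in `holding` have supplied a rationale and keep their value;
    the others revise halfway toward the average (constructed behaviour).
    Returns (status, final average, per-round history of the estimates)."""
    values = dict(initial)
    history: List[Estimates] = [dict(values)]
    for _ in range(max_rounds):
        if spread(values) <= tolerance:
            return "consensus", mean(values.values()), history
        avg = mean(values.values())
        revised = {name: (val if name in holding else (val + avg) / 2)
                   for name, val in values.items()}
        if all(abs(revised[n] - values[n]) < 1e-9 for n in values):
            # Nobody moved: consensus cannot be reached because participants refuse to change.
            return "stalled", avg, history
        values = revised
        history.append(dict(values))
    status = "consensus" if spread(values) <= tolerance else "exhausted"
    return status, mean(values.values()), history


if __name__ == "__main__":
    # Constructed first-round dollar estimates for one IT asset from three managers;
    # the CFO has written a rationale and will not revise.
    first_round = {"ops_manager": 100_000.0, "mis_director": 200_000.0, "cfo": 400_000.0}
    status, final_avg, rounds = delphi(first_round, holding={"cfo"})
    print(status, f"${final_avg:,.0f}", "after", len(rounds) - 1, "revisions")
```

With one participant holding, the other two drift toward that value and consensus arrives after eleven revisions; if every participant holds, the loop reports a stall after the first round, which is the "individuals refuse to change their rankings" outcome the text names.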

Annualized Loss Expectancy

Annualized Loss Expectancy (ALE) [34, 37, 38, 40] first lists all IT assets. Then, with


that would result from the realization of those threats. The vulnerability of each asset to a threat is expressed as some probability of occurrence per year. Multiplying the probability of occurrence per year by the expected loss yields the expected loss per year from a particular threat/vulnerability pair. The summation of the expected losses represents the total IT risk exposure. This figure represents what management may reasonably spend for security and preventive measures.

Annualized Loss Expectancy Formula

Total IT risk exposure = Σ_i (V_i × EL_i),

where vulnerability = V_i = probability of occurrence per year, and expected loss = EL_i = expected loss of the ith threat/vulnerability pair.

Courtney

Courtney [37, 38] modified the standard ALE approach by adopting scales of magnitude. In Courtney's method, dollar loss is expressed as a power of ten, and the estimated frequency of occurrence is selected from a range of magnitudes. The resulting estimates are used in a formula that yields a dollar estimate of the annualized expected loss or exposure that an organization might reasonably expect.

Courtney Formula

Total IT exposure = 10^(p + v - 3) / 3,

where p = an integer representing orders of magnitude of estimated frequencies of a loss, and v = an integer representing orders of magnitude of the dollar impact of an asset's loss.

Table 2, associated with the Courtney methodology, shows the integer values for v and p, and the corresponding values associated with each integer.

Table 3, also associated with the Courtney methodology, shows the values of p and v, and the expected dollar loss associated with each pair of p and v values. In Table 3, K represents $1,000 and M represents 1,000,000. For example, if the dollar impact of a threat to an asset is $10,000 (v = 4), and the estimated frequency of occurrence is once in three years (p = 3), the expected loss is $3,333.33.

The Courtney method results in a generalized measure of annualized expected loss and is therefore best suited for initial risk analysis. This method saves time, effort, and money, but it is inexact. Therefore, if greater accuracy is required, other quantitative risk analysis methodologies must be used.
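The ALE sum and the Courtney order-of-magnitude formula are easiest to compare side by side in code. The Python below is an added example, not code from the paper: the v and p scales are taken from the paper's Table 2, the formula 10^(p + v - 3) / 3 is the one stated above, and the two helpers that pick the nearest v and p for a raw dollar and frequency estimate are an assumption of this example (the paper says only that the magnitudes are "selected"). Run stand-alone it reproduces the paper's worked case ($10,000 impact once in three years gives $3,333.33) and regenerates Table 3.

```python
"""Expected-value risk analysis: ALE and the Courtney order-of-magnitude variant.

Added illustration. The scales follow the paper's Table 2; the selection rules
(nearest order of magnitude on a log scale) are an assumption of this example.
"""
import math
from typing import Dict, Iterable, Tuple

# Table 2, v column: dollar impact of an asset's loss is 10^v dollars (v = 0: no impact).
V_DOLLARS: Dict[int, float] = {0: 0, 1: 10, 2: 100, 3: 1_000, 4: 10_000,
                               5: 100_000, 6: 1_000_000, 7: 10_000_000}

# Table 2, p column, expressed as occurrences per year (p = 0 is "practically never").
P_PER_YEAR: Dict[int, float] = {
    1: 1 / 300,    # once in 300 years
    2: 1 / 30,     # once in 30 years
    3: 1 / 3,      # once in 3 years
    4: 365 / 100,  # once in 100 days
    5: 365 / 10,   # once in 10 days
    6: 365,        # once per day
    7: 3650,       # ten times per day
}


def ale(pairs: Iterable[Tuple[float, float]]) -> float:
    """ALE: total IT risk exposure = sum over threat/vulnerability pairs of V_i * EL_i,
    where V_i is the probability of occurrence per year and EL_i the expected loss."""
    return sum(v_i * el_i for v_i, el_i in pairs)


def courtney_loss(p: int, v: int) -> float:
    """Courtney formula: annualized expected loss = 10^(p + v - 3) / 3 dollars.
    p = 0 or v = 0 is treated as no loss (assumption consistent with Table 2)."""
    if p == 0 or v == 0:
        return 0.0
    return 10 ** (p + v - 3) / 3


def v_for_dollars(dollars: float) -> int:
    """Pick the v whose order of magnitude is nearest the estimated dollar impact."""
    if dollars <= 0:
        return 0
    return max(1, min(7, round(math.log10(dollars))))


def p_for_frequency(per_year: float) -> int:
    """Pick the p whose frequency is nearest (on a log scale) to the estimate."""
    if per_year <= 0:
        return 0
    target = math.log10(per_year)
    return min(P_PER_YEAR, key=lambda p: abs(target - math.log10(P_PER_YEAR[p])))


def courtney_from_estimates(dollars: float, per_year: float) -> float:
    """Map raw estimates onto the Courtney scales, then apply the formula."""
    return courtney_loss(p_for_frequency(per_year), v_for_dollars(dollars))


def courtney_table() -> Dict[int, Dict[int, float]]:
    """Regenerate the paper's Table 3: rows p = 1..7, columns v = 1..7, in dollars."""
    return {p: {v: courtney_loss(p, v) for v in range(1, 8)} for p in range(1, 8)}


if __name__ == "__main__":
    # The paper's worked case: $10,000 impact (v = 4), once in three years (p = 3).
    print(f"Courtney loss for v=4, p=3: ${courtney_loss(3, 4):,.2f}")
    # The same pair under plain ALE, using the frequency and loss directly.
    print(f"ALE for the same pair:      ${ale([(1 / 3, 10_000)]):,.2f}")
    print("Table 3 (rows p, columns v = 1..7):")
    for p, row in courtney_table().items():
        print(p, "  ".join(f"{row[v]:>14,.0f}" for v in range(1, 8)))
```

On the scale points the two methods agree exactly, which is the sense in which Courtney is ALE with the inputs quantized to powers of ten; the inexactness the text mentions comes from the quantization step, where a $5,000 impact is rounded to v = 4 and a $3,000 impact to v = 3.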

Livermore Risk Analysis Methodology

The Livermore Risk Analysis Methodology (LRAM) [22] operates similarly to ALE.


Table 2 Ranges of Magnitude for Courtney Methodology

  v   dollar impact        p   estimated frequency
  0   $0                   0   practically never
  1   $10                  1   once in 300 years
  2   $100                 2   once in 30 years
  3   $1,000               3   once in 3 years
  4   $10,000              4   once in 100 days
  5   $100,000             5   once in 10 days
  6   $1,000,000           6   once per day
  7   $10,000,000          7   ten times per day

Table 3 Estimated Dollar Losses from Courtney Methodology (rows: values of p; columns: values of v; cells below $3K left blank)

          v=1      v=2      v=3      v=4      v=5      v=6       v=7
  p=1                                                  $3K       $33K
  p=2                                         $3K      $33K      $333K
  p=3                                $3K      $33K     $333K     $3M
  p=4                       $3K      $33K     $333K    $3M       $33M
  p=5              $3K      $33K     $333K    $3M      $33M      $333M
  p=6     $3K      $33K     $333K    $3M      $33M     $333M     $3,333M
  p=7     $33K     $333K    $3M      $33M     $333M    $3,333M   $33,333M

risk elements. Risk elements are combinations of risk initiators, their propagation paths (i.e., the means by which they can affect IT assets), possible resulting consequences, and applicable controls (see Figure 4). LRAM differs from ALE, however, in that it does not attempt to derive a total risk measure, but focuses instead on the risk produced by individual risk elements involving the occurrence of single event losses.

LRAM Formula

R(RE_i) = MPL(C_i) × PCF(PMC_i) × EF(T_i),

where R(RE_i) is the annualized measure of risk associated with the ith risk element; MPL(C_i) is the maximum potential loss (MPL) that can be estimated to result from unmitigated consequences C_i of a threat to an asset; PCF(PMC_i) is the probability of a control failure (PCF) of a combined set of preventive and mitigative controls


Stochastic Dominance

Stochastic Dominance [40] initially assumes that some disaster or risk has already occurred. The effects of the disaster are then analyzed over time by examining all areas of the organization that are susceptible to losses if IT assets are damaged or destroyed. Stochastic dominance describes these loss functions mathematically and uses computer simulation to analyze them.

The stochastic dominance methodology answers the specific question of what type of contingency plan should be used if disaster strikes. Management does not have to estimate the probability that disaster might strike and damage IT assets. Rather, management estimates how long it will take to recover from a disaster, and how much the business will suffer during that time period.

The stochastic dominance methodology defines three sequential stages in recovery from a disaster. Stage I is the time period between the initial loss of processing capability and the actual operation of the contingency system. Stage II begins when the contingency system starts operating, and ends when processing capability is first restored. Stage III is the time period necessary for full recovery of the information system to normal operations.

Daily Loss Formulae for the Three Stages of Stochastic Dominance

Stage I: daily loss = R[1 - e~^^],

where R = predisaster daily revenue, and t = number of days spent in Stage I. Total Stage I loss = summation of daily losses.

Stage II: daily loss is equal to the loss incurred during the last day of Stage I. Total Stage II loss = summation of daily losses.

Stage III: daily loss = daily loss in Stage II if 0 < t < 0.25T;

daily loss = DL2 × e^'''''''^<''^^J if t > 0.25T,

where DL2 = daily loss in Stage II; T = total time spent in Stage III.

The stochastic dominance approach considers only major disasters, that is, catastrophes

that cause the loss of mainframe computing for the organization. This approach does not consider other, smaller threats, such as theft or modification of data (see Table 1).

Advantages of Quantitative Risk Analysis Methodologies

Quantitative risk analysis methodologies have several advantages. Participants must identify specific IT assets that are most susceptible to damage or disaster. Further, participants must identify IT assets that are most critical to the operation of the organization. Generating and testing contingency plans shows management where


Disadvantages of Quantitative Risk Analysis Methodologies

Quantitative risk analysis methodologies also have disadvantages. Estimating the probability of damage or loss of each IT asset is imprecise. In addition, the probability distribution of losses is highly skewed. Many circumstances can cause minor problems, but few circumstances can cause major problems. Quantitative risk analysis tends to average these events, thus blurring the differences between the extremes and implying similar solutions. Quantitative risk analysis techniques cannot literally define the contingency plan an organization should use. Finally, quantitative methodologies result in point estimates, which are statistically too high 50 percent of the time, and too low 50 percent of the time.

Qualitative Risk Analysis Methodologies

It may be neither necessary nor desirable to spend the time and effort required to perform a quantitative risk analysis. Management may decide that only a quick evaluation of the firm's IT risk posture is needed. In such cases, qualitative risk analysis approaches may be used.

Qualitative methodologies attempt to express risk in terms of descriptive variables, rather than in precise dollar terms. These approaches are based on the assumption that certain threat or loss data cannot be appropriately expressed in dollars or discrete events, and that precise information may be unobtainable. These methodologies include Scenario Analysis [23, 27, 34, 35], Fuzzy Metrics [23, 34, 35], and questionnaires [27, 34, 35]. Delphi techniques could be used with any of the three methodologies presented here to clarify descriptive or natural language variables.

Scenario Analysis [23, 27, 34, 35]

In this methodology, a group of experts identifies IT assets and potential threats. The group then develops various scenarios describing how those assets might be subject to loss from the threats. These scenarios can be ranked in order of importance and will quickly identify the weakest parts of a security program.

Scenarios are an excellent communication tool, in that they can graphically explain how a loss could result. Management can therefore visualize the risk. Scenarios can be especially useful in identifying vulnerability to intentional threats.

Fuzzy Metrics [23, 34, 35]

This methodology uses natural language values to describe assets, threats, and security mechanisms. Fuzzy metrics is statistically valid, but requires absolutely consistent definitions and understanding of the linguistic variables. There is also much debate about the best way to model the natural language expressions mathematically.


medium, and low. The simplest way for all participants in the risk analysis process to understand the descriptors is by labeling them. Participants may define "large" valued assets to be those from $1 million to $2 million, "medium" from $100,000 to $1 million, and "small" less than $100,000. Further, participants may define "high" probabilities of threats to be from 0.7 to 1.0, "medium" from 0.35 to 0.7, and "low" less than 0.35.

The most elementary method for mathematically modeling these descriptors is to use the mean of the range of each descriptor. In our example, the mean of "large" valued assets is $1.5 million, that of "medium" assets is $550,000, and that of "small" assets is $50,000. The mean of "high" probabilities is 0.85, "medium" is 0.525, and "low" is 0.175. Therefore, the expected loss of a large asset under high probability of a threat equals $1.5 million multiplied by 0.85, or $1.275 million.

Another method that can be used to yield expected losses is to calculate the ranges of such losses. For example, a large asset under high probability of a threat will yield expected losses from $700,000 to $2 million:

low estimate = $1 million × 0.7 = $700,000;
high estimate = $2 million × 1.0 = $2 million.

The difficulty of mathematically modeling fuzzy descriptors is illustrated by noting that the midpoint of the range of expected losses is $1.35 million. This figure is higher than that obtained above by multiplying the mean of the large asset range and the mean of the high probability range ($1.275 million). Both figures are correct.
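The two ways of turning fuzzy descriptors into a dollar figure (multiply the means of the two ranges, or multiply the range bounds and take the midpoint) are worth seeing for every asset/probability pair, not just the large/high case, because the disagreement between them is not constant. The Python below is an added example, not the paper's own code: the descriptor ranges are exactly the ones the text defines (with "small" taken as $0 to $100,000 and "low" as 0.0 to 0.35, the lower bounds implied by the means the text gives), and the extension to all nine pairs and the relative-disagreement measure are this example's.

```python
"""Fuzzy-metric expected loss: mean-of-range versus range-of-products.

Added illustration using the descriptor ranges defined in the text; the table over
all nine asset/probability pairs and the disagreement measure are this example's.
"""
from statistics import mean
from typing import Dict, Tuple

Range = Tuple[float, float]

# Descriptor ranges as the text defines them (lower bounds 0 for "small" and "low").
ASSET_VALUE: Dict[str, Range] = {"large": (1_000_000, 2_000_000),
                                 "medium": (100_000, 1_000_000),
                                 "small": (0, 100_000)}
THREAT_PROB: Dict[str, Range] = {"high": (0.7, 1.0),
                                 "medium": (0.35, 0.7),
                                 "low": (0.0, 0.35)}


def loss_by_means(asset: str, prob: str) -> float:
    """Method 1: multiply the mean of the asset range by the mean of the probability range."""
    return mean(ASSET_VALUE[asset]) * mean(THREAT_PROB[prob])


def loss_range(asset: str, prob: str) -> Range:
    """Method 2: multiply lower bounds together and upper bounds together."""
    (a_lo, a_hi), (p_lo, p_hi) = ASSET_VALUE[asset], THREAT_PROB[prob]
    return a_lo * p_lo, a_hi * p_hi


def range_midpoint(asset: str, prob: str) -> float:
    """Point estimate taken from the middle of the method-2 range."""
    lo, hi = loss_range(asset, prob)
    return (lo + hi) / 2


def disagreement(asset: str, prob: str) -> float:
    """Gap between the two point estimates, relative to the mean-based figure."""
    by_means = loss_by_means(asset, prob)
    return abs(range_midpoint(asset, prob) - by_means) / by_means


def comparison_table() -> Dict[Tuple[str, str], Tuple[float, float, float]]:
    """(mean-based loss, range midpoint, relative disagreement) for every pair."""
    return {(a, p): (loss_by_means(a, p), range_midpoint(a, p), disagreement(a, p))
            for a in ASSET_VALUE for p in THREAT_PROB}


if __name__ == "__main__":
    lo, hi = loss_range("large", "high")
    print(f"large/high by means:  ${loss_by_means('large', 'high'):,.0f}")
    print(f"large/high as range:  ${lo:,.0f} to ${hi:,.0f} (midpoint ${range_midpoint('large', 'high'):,.0f})")
    for (a, p), (m, mid, d) in comparison_table().items():
        print(f"{a:>6}/{p:<6}  means ${m:>12,.0f}  midpoint ${mid:>12,.0f}  gap {d:6.1%}")
```

For the large/high pair the gap is about 6 percent ($1.275 million against $1.35 million, as in the text). For pairs whose ranges start at zero, such as small/low, the range midpoint is double the mean-based figure, which is the practical reason the text insists that all parties agree on the descriptor definitions before any arithmetic is done.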

Questionnaires [27, 34, 35]

Questionnaires regarding risk analysis are available from computer vendors, security companies, and publications on computer security. Questions are usually segregated into functional areas such as input, communications, processing, and output. They may also be listed by asset, such as hardware, software, personnel, etc.

Questionnaires do provide an advantage. They typically can identify glaring weaknesses often present in a firm where security has recently become a concern or where it has been neglected for a period of time. However, questionnaires do have disadvantages. They are generic, while companies have unique IT assets. They do not consider the probabilities associated with potential losses, nor do they consider the magnitude of those potential losses.

Advantages of Qualitative Risk Analysis Methodologies

These methodologies save time, effort, and expense over quantitative methodologies because IT assets need not have exact dollar values, nor do threats need to have exact probabilities. Further, qualitative methodologies are valuable in identifying gross


Disadvantages of Qualitative Risk Analysis Methodologies

Qualitative methodologies are inexact. The variables used (i.e., low, medium, and high) must be labeled and understood by all parties involved in the risk analysis, including management. Management may consider qualitative methodologies suspect because they do not provide "exact" dollar values and probabilities.

A Proposed Risk Analysis Process

THERE ARE MANY RISK ANALYSIS METHODOLOGIES available to an organization. These methodologies may be applied singly or in combination to help determine the risk posture of the firm. However, the advantages and disadvantages of each methodology suggest that each one may best be applied to certain types of threats or certain areas of the organization. Therefore, a combination of methodologies provides the optimum process for risk analysis in the firm.

Step 1: Use the Value Chain to Enumerate the Organization's Activities

Before beginning the risk analysis process, the firm must clearly understand all its various activities and the IT component of each. The value chain is a systematic way of examining all the activities a firm performs, and their interaction [39]. This concept divides the firm's activities into value activities, those essential, distinct, and interdependent actions that bring a product or service to a customer. These primary activities consist of inbound logistics, operations, outbound logistics, marketing and sales, and service.

Inbound logistics consists of those activities associated with receiving, storing, and disseminating inputs to the product, such as material handling, inventory control, and returns to suppliers. Operations consists of those activities associated with transforming inputs into final product form, for example, machining, packaging, and assembly. Outbound logistics consists of those activities associated with collecting, storing, and physically distributing the product to buyers, such as warehousing, material handling, and order processing. Marketing and sales consists of those activities associated with providing a means by which buyers can purchase the product and inducing them to do so, including advertising, promotion, sales force, pricing, etc. Service consists of those activities associated with providing service to enhance or maintain the value of the product, such as installation, repair, training, and parts supply.

Step 2: Use the Value Chain to Enumerate the IT Component of Each Value Activity

The concept of the value chain has been employed to help managers understand how information technology can be used to support their business activities [36]. Each


The information-processing component includes the steps required to capture, manipulate, and channel the data to support the activity. Information systems technology is particularly extensive in the value chain, because every value activity creates and uses information [39].

Examples of IT components of inbound logistics value activities include inventory, purchasing, and order processing systems. Examples of IT components of operations value activities include computer-assisted design, computer-aided manufacturing, and robotics. Examples of IT components of outbound logistics value activities include inventory, materials handling, and order-processing systems. Examples of IT components of marketing and sales value activities include multimedia and telecommunications. Examples of IT components of service value activities include telecommunications, desktop publishing, and scheduling the service force.

To list and describe the IT assets that support each value activity, participants (users, MIS/DP personnel, general management) can use a qualitative methodology or combination of qualitative methodologies such as scenarios or questionnaires. Further, they can employ Delphi techniques to refine the completeness of the IT asset list and the characterization of IT assets.

Step 3: Use the Value Chain to Enumerate the Linkages between Value Activities and to Determine the IT Assets that Support Each Linkage

Linkages are relationships between the way one value activity is performed and the cost or performance of another. For example, in a fast-food store, the timing of promotional campaigns influences capacity utilization [39].

IT resources have an important role in linkages among value activities of all types, because the coordination and optimization of linkages requires information flow among activities. A good example of IT support of linkages is American Airlines' Sabre reservations system. American leases terminals to travel agents, which allows automated reservations and ticketing. The system is also used inside American for ticketing and issuing boarding passes, as well as in route scheduling. American also sells listings on the system to other airlines.

The important point of linkages is that the organization may notice the importance of IT assets in areas that might, in isolation, be considered noncritical. The importance of IT in some of the activities, such as operations, may be relatively obvious. At the same time, essential IT components in other activities may not readily be associated with the overall performance of the business. The performance of any activity may affect the performance of any other. Thus, the value chain can clearly indicate to managers the IT component of each activity and, through linkage examination, reveal the importance to the total business system.

    To list and describe the IT assets that support each linkage, participants (users,


    they should employ Delphi techniques to refine the completeness of the IT asset listand the characterization of IT assets.

Step 4: Use the Value Chain to Examine the Organizational Value System and to Determine IT Assets that Support Interorganizational Linkages

Linkages exist between a firm's value chain and the value chains of suppliers and customers. For example, a firm's inbound logistics activities interact with a supplier's order entry system, a supplier's engineering staff works with a firm's technology development and manufacturing activities, or frequent supplier shipments can reduce a firm's inventory needs. Similar examples exist for linkages between the firm's value chain and customer value chains. The best example of IT resources that support interorganizational linkages is electronic data interchange (EDI).

To list and describe the IT assets that support the value system's interorganizational linkages, participants (users, MIS/DP personnel, general management) should use a qualitative methodology or combination of qualitative methodologies such as scenarios and/or questionnaires. Further, they can employ Delphi techniques to refine the completeness of the IT asset list and the characterization of IT assets.

Step 5: Determine the Value of the IT Assets Listed and Described in Steps 1 through 4

The organization has employed the value chain in an effort to catalog and describe all IT assets. The participants in the risk analysis process must now assign a value to each IT asset. There are two methods for assigning such values. The first is for the participants to assign an exact dollar value to each IT asset. Delphi techniques may be employed to refine assigned dollar values by helping the participants reach consensus. The second method is to employ fuzzy metrics and assign fuzzy descriptors such as high, medium, and low as values of IT assets. Again, Delphi techniques may be used with fuzzy metrics.

Step 6: Enumerate the Possible Threats to IT Assets

To list and describe the threats to IT assets, participants (users, MIS/DP personnel, general management) should use a qualitative methodology or combination of qualitative methodologies such as scenarios and/or questionnaires. Further, they may employ Delphi techniques to refine the completeness of the threat list and the characterization of the threats.

Step 7: Determine the Vulnerability of IT Assets to Potential Threats


the vulnerability of IT assets to threats, participants must first note that any asset may be vulnerable to more than one threat, and that one threat may impact more than one asset. Therefore, the participants should consider asset/threat pairs in the following manner. The assets and threats should be listed in side-by-side columns, and arrows drawn to represent threats that may impact an asset, as shown in Figure 5.

The vulnerability of the asset to the threat must be assigned for each asset/threat pair. The participants may define these vulnerabilities precisely by designating a number (e.g., the probability of a threat impacting an asset is 0.33), or by using fuzzy descriptors (e.g., the probability of threat 1 impacting asset 1 is medium). The participants may use Delphi techniques to refine probability numbers or fuzzy descriptors.

Step 8: Determine the IT Risk Exposure for the Organization

Participants now have the information they need to determine the overall IT risk exposure for their organization. Participants have two possible paths, depending on the risk analysis process to this point. If the participants have assigned exact numerical values to IT assets, and the vulnerabilities of those assets to threats, they may use the quantitative methodologies of ALE, Courtney, or LRAM. The ALE, Courtney, and LRAM methods will result in precise dollar estimates for the firm's risk exposure. The Courtney method, however, is not as exact as the other two because it uses ranges of values in its calculations. An important point is that if the participants are performing risk analysis for a complete disaster, they should employ stochastic dominance and not one of the other quantitative methods.

If the participants have assigned fuzzy descriptors to IT assets and the vulnerabilities of those assets to threats, they must use fuzzy metrics to describe the firm's risk exposure. Fuzzy metrics will result in descriptions (e.g., high, medium, and low) that will categorize the firm's risk exposure.
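The two Step 8 paths applied to the asset/threat pairs of Step 7, as an added Python example that is not part of the paper: the pair data follow the Figure 5 listing but the values and probabilities are constructed, and the min/max rule for combining fuzzy descriptors is an assumption, not a method the authors specify.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Ordinal scale for the fuzzy descriptors of Steps 5 and 7 (assumption: low < medium < high).
FUZZY = {"low": 1, "medium": 2, "high": 3}
LEVEL = {rank: name for name, rank in FUZZY.items()}

@dataclass(frozen=True)
class Pair:
    """One asset/threat pair, as in the Figure 5 listing (Step 7)."""
    threat: str
    asset: str
    value: Union[float, str]          # Step 5: exact dollars, or "low"/"medium"/"high"
    vulnerability: Union[float, str]  # Step 7: probability in [0, 1], or a fuzzy descriptor

def numeric_exposure(pairs: List[Pair]) -> Tuple[Dict[Tuple[str, str], float], float]:
    """Quantitative path of Step 8: expected loss per pair (value x probability), in the
    spirit of ALE, plus the total. A fuzzy descriptor is rejected: it cannot enter a sum."""
    per_pair = {}
    for p in pairs:
        if isinstance(p.value, str) or isinstance(p.vulnerability, str):
            raise ValueError(f"{p.threat}/{p.asset}: fuzzy descriptor on the numeric path")
        if not 0.0 <= p.vulnerability <= 1.0:
            raise ValueError(f"{p.threat}/{p.asset}: probability outside [0, 1]")
        per_pair[(p.threat, p.asset)] = round(p.value * p.vulnerability, 2)
    return per_pair, round(sum(per_pair.values()), 2)

def fuzzy_exposure(pairs: List[Pair]) -> Tuple[Dict[Tuple[str, str], str], str]:
    """Fuzzy path of Step 8. Assumed rule: a pair's exposure is the weaker of asset value
    and vulnerability (min), and the firm's overall exposure is its worst pair (max)."""
    per_pair = {}
    for p in pairs:
        if p.value not in FUZZY or p.vulnerability not in FUZZY:
            raise ValueError(f"{p.threat}/{p.asset}: expected low/medium/high on the fuzzy path")
        per_pair[(p.threat, p.asset)] = LEVEL[min(FUZZY[p.value], FUZZY[p.vulnerability])]
    overall = LEVEL[max(FUZZY[v] for v in per_pair.values())] if per_pair else "low"
    return per_pair, overall

# Constructed sample data following the pair list of Figure 5.
NUMERIC_PAIRS = [
    Pair("Threat 1", "Asset 1", 100_000.0, 0.33), Pair("Threat 1", "Asset 3", 250_000.0, 0.05),
    Pair("Threat 2", "Asset 1", 100_000.0, 0.10), Pair("Threat 2", "Asset 2", 40_000.0, 0.50),
    Pair("Threat 3", "Asset 3", 250_000.0, 0.02),
]
FUZZY_PAIRS = [
    Pair("Threat 1", "Asset 1", "high", "medium"), Pair("Threat 1", "Asset 3", "high", "low"),
    Pair("Threat 2", "Asset 1", "high", "low"), Pair("Threat 2", "Asset 2", "low", "high"),
    Pair("Threat 3", "Asset 3", "high", "high"),
]
```

On the sample data the numeric path totals 80500.0 dollars of expected loss, while the fuzzy path rates the firm "high" because of the Threat 3/Asset 3 pair; mixing the two kinds of input raises ValueError rather than silently producing a number.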

Table 4 summarizes the risk analysis process and the methodologies applicable in each step.

As yet, there is no empirical evidence to support the proposed risk analysis process. Substantiating the effectiveness of this process will require a field study of one or more organizations. The field study would examine the risk analysis process each firm uses. In addition, the study would ask each company how clearly it feels that its risk analysis process portrays the firm's overall IT risk posture.

Conclusion

ONE HUNDRED PERCENT SECURITY IS IMPOSSIBLE. It simply costs too much and is too inconvenient. Zalubsky [52] states that the root of the problem for the risk management process is the overall lack of awareness, attention, concern, and commitment from management. Further, Zimmerman [53] notes that, as a result of buying security, the


Figure 4. LRAM Risk Elements (threats, preventive controls, assets, mitigative controls, consequences)

Figure 5. Asset-Threat Pairs: threats and assets listed in side-by-side columns, with arrows from each threat to the assets it may impact (Threat 1, Threat 2, Threat 3, etc.), giving the pair list Threat 1/Asset 1, Threat 1/Asset 3, Threat 2/Asset 1, Threat 2/Asset 2, Threat 3/Asset 3.

that will be unpopular with staff (because they bring new rules and restrictions), and that will show no apparent return on investment. The most common situations that management faces are those in which threats are believed possible, but no empirical evidence is available. The best possible scenario for security personnel is a disaster that happens to the organization next door, because such an occurrence will graphically provide empirical evidence to management.

The proposed risk analysis process using a combination of methodologies seems to be more effective than the use of any single methodology. A single risk analysis methodology is not flexible enough to properly consider the wide variety of IT assets, threats, and vulnerabilities, and still give management a reasonable estimate of the organization's overall IT risk exposure. In addition, the proposed risk analysis process includes management in every step, thereby ensuring management participation. By using a combination of risk analysis methodologies, the firm can overcome these problems.

In particular, it is important to note that the proposed risk analysis process does not use quantitative methodologies until the last step (Step 8). The reason for this late appearance is that a large amount of information must be determined before quantitative methodologies can be used with even rudimentary accuracy. Qualitative brainstorming methodologies are used to obtain this often imprecise information. Too many organizations, if they have a formal risk analysis process at all, simply use a single qualitative or quantitative methodology for the entire process. Such an approach is too simplistic for a process that is based solely on informed estimates.

The risk analysis process proposed here can help with the difficulty of convincing management to invest in security measures. Properly used, this process will provide management with an idea of the importance and value of their IT assets, the threats to those assets, and the probability that those threats will succeed in harming the assets. This risk analysis process will provide management with a basis for logical and prudent investment in a risk management program.


Table 4. The Risk Analysis Process and Applicable Methodologies

Step 1) Enumerate organizational value activities
    Methodologies: Scenario and/or questionnaire + Delphi

Step 2) Enumerate IT component of each value activity
    Methodologies: Scenario and/or questionnaire + Delphi

Step 3) Enumerate linkages among value activities and IT component that supports each
    Methodologies: Scenario and/or questionnaire + Delphi

Step 4) Determine IT assets that support interorganizational linkages
    Methodologies: Scenario and/or questionnaire + Delphi

Step 5) Determine value of IT assets
    Methodologies: a) assign exact dollar values + Delphi; b) use fuzzy metrics + Delphi

Step 6) Enumerate possible threats
    Methodologies: Scenario and/or questionnaire + Delphi

Step 7) Determine vulnerability of assets to threats
    Methodologies: a) assign precise number + Delphi; b) use fuzzy metrics + Delphi

Step 8) Determine overall IT risk exposure
    Methodologies: if precise numbers have been assigned, use a) Stochastic Dominance for a total disaster, or b) ALE, Courtney, LRAM for other threats; if fuzzy metrics have been used, employ fuzzy metrics for final calculations

REFERENCES

1. Alavi, M., and Weiss, I.R. Managing the risks associated with end-user computing. Journal of Management Information Systems 2, 3 (Winter 1985/86), 5-20.
2. Bacon, M. Assessing public network security. Telecommunications 23, 12 (December 1983), 19-20.
3. Banking World. The management of risk. October 1988, 34-36.
4. Behesti, H.M., and Mattson, M.R. Computer based management information systems and risk management. Focus on Management (Society for Advancement of Management) 1, 3.
1984), 66-67.
6. Briere, D., and Walton, L.T. The best way to prevent a disaster: plan for one. NetworkWorld 6, 47 (November 27, 1989), 1, 31, 34.
7. BusinessWeek. How personal computers can trip up executives. September 24, 1984, 94-102.
8. Cash, J.L.; McFarlan, F.W.; and McKenney, J.L. Corporate Information Systems Management, 2d ed. Homewood, IL: Richard D. Irwin, 1988.
9. Cohen, F. Design and protection of an information network under a partial ordering: a case study. Computers and Security 6 (1987), 332-338.
10. CommunicationsWeek. Hacker's doings are costly. January 29, 1990, 14.
11. Crockford, N. An Introduction to Risk Management. Cambridge, MA: Woodhead-Faulkner, 1980.
12. Crouch, E.A.C., and Wilson, R. Risk/Benefit Analysis. Cambridge, MA: Ballinger, 1982.
13. Doherty, N.A. Corporate Risk Management. New York: McGraw-Hill, 1985.
14. Emmett, A. Managing risk. NetworkWorld, November 21, 1988, 37-38, 47.
15. Even-Tsur, D., and Shulman, D. Designing built-in system controls. Journal of Information Systems Management (Winter 1989), 28-36.
16. Farthing, D. How risk management is driven by insurance. National Underwriter, November 2, 1987, 9, 14-15.
17. Farthing, D. Is risk management essential to corporate survival? Risk Management, February 1988, 34-37.
18. Gerard, T. Evaluating a disaster recovery plan. Datacenter Manager 2, 1 (January/February 1990), 36-41.
19. Gonnella, G. Making expensive decisions. Information Center 4, 10 (October 1988), 32-35.
20. Gottfried, I.S. When disaster strikes. Journal of Information Systems Management (Spring 1989), 86-89.
21. Greenstein, I. MIS snafu lost orders, could mean sun loss. Management Information Systems Week 10, 23 (June 5, 1989), 4.
22. Guarro, S.B. Principles and procedures of the LRAM approach to information systems risk analysis and management. Computers and Security 6 (1987), 493-504.
23. Hammond, R. Improving productivity through risk management. In Umbaugh, R.F., ed., Handbook of MIS Management, 2d ed. Boston: Auerbach, 1988, 655-665.
24. Housel, T.J.; El Sawy, O.A.; and Donovan, P.F. Information systems for crisis management. MIS Quarterly 10, 4 (December 1986), 389-402.
25. Keller, J.J. Software bug closes AT&T's network, cutting phone service for millions in U.S. Wall Street Journal, January 16, 1990, A2.
26. King, J.L. Coping with the perils of expanding PC use. Journal of Information Systems Management 3, 4 (Fall 1986), 66-70.
27. Lobel, J. Risk analysis in the 1980's. American Federation of Information Processing Societies Proceedings (National Computer Conference) 49 (May 19-22, 1980), 831-836.
28. Mansur, B.J. The night the lights went out in Georgia. Telecommunications 23, 12 (December 1989), 67-68.
29. McFarlan, F.W., and McKenney, J. IS technology organization issues. In McFarlan, F.W., and McKenney, J., Corporate Information Systems Management. Homewood, IL: Irwin, 1983, 27-48.
30. Meall, L. Survival of the fittest. Accountancy (March 1989), 140-141.
31. Morrisey, J. New security risks seen for '90s. PC Week, December 11, 1989, 55.
32. Murray, W. How much is enough? Expert says security efforts should pay, not cost. Computerworld, April 6, 1988, 30.
33. National Bureau of Standards. Guidelines for ADP risk analysis. Washington, DC: U.S. Department of Commerce, FIPS Publication 87, March 1981.
34. Newton, J.D. Developing and implementing an EDP disaster contingency plan for a small national bank. Unpublished master's thesis, Auburn University, 1987.
36. Parker, D.B. Computer Security Management. Reston, VA: Reston Publishing, 1981.
37. Perschke, G.A.; Karabin, S.J.; and Brock, T.L. Four steps to information security. Journal of Accountancy (April 1986), 104-111.
38. Pickard, R. Computer crime. Information Center 5, 9 (September 1989), 18-27.
39. Porter, M.E., and Millar, V.E. How information gives you competitive advantage. Harvard Business Review (July-August 1985), 149-160.
40. Post, G.V., and Diltz, J.D. A stochastic dominance approach to risk analysis of computer systems. MIS Quarterly 10, 4 (December 1986), 363-375.
41. Pyburn, P.J. Managing personal computer use: the role of corporate management information systems. Journal of Management Information Systems 3, 2 (Winter 1986-87), 49-70.
42. Radding, A. Plans for a safer system. Computer Decisions (April 6, 1987), 36-38.
43. Riemer, M.S. Fighting computer viruses through systems management. Information Center 5, 9 (September 1989), 11-17.
44. Rivard, S., and Huff, S.L. An empirical study of users as application developers. Information and Management 8, 2 (January 1985), 89-102.
45. Scheier, R.L. American Airline's still shoring up SABRE. PC Week, June 26, 1989, 65.
46. Semilof, M. Network disaster planning. Communications Week, February 12, 1990, 33-35.
47. Sobol, M. DP alliance bolsters security. Computerworld, December 16, 1985, 59-60.
48. Stern, E. The lessons of San Francisco. Datacenter Manager 2 (January/February 1990), 30-35.
49. Tate, P. Risk: the third factor. Datamation, April 15, 1988, 58-64.
50. Vitale, M.R. The growing risks of information systems success. MIS Quarterly 10, 4 (December 1986), 327-334.
51. Wood, C.C. The human immune system as an information systems security model. Computers and Security 6 (1987), 511-516.
52. Zalubski, J. Threat of viruses must be taken seriously. NetworkWorld, July 31, 1989, 29.
53. Zimmerman, J.S. Is your computer insecure? Datamation, May 15, 1985, 119-128.
