Вы находитесь на странице: 1из 15

Information Management & Computer Security

A business approach to effective information technology risk analysis and management

Sharon Halliday Karin Badenhorst Rossouw von Solms
Article information:
To cite this document:
Sharon Halliday Karin Badenhorst Rossouw von Solms, (1996),"A business approach to effective information technology risk
analysis and management", Information Management & Computer Security, Vol. 4 Iss 1 pp. 19 - 31
Permanent link to this document:
Downloaded on: 30 January 2016, At: 14:38 (PT)
References: this document contains references to 14 other documents.
To copy this document: permissions@emeraldinsight.com
The fulltext of this document has been downloaded 3658 times since 2006*
Users who downloaded this article also downloaded:
Kakoli Bandyopadhyay, Peter P. Mykytyn, Kathleen Mykytyn, (1999),"A framework for integrated risk management in
information technology", Management Decision, Vol. 37 Iss 5 pp. 437-445 http://dx.doi.org/10.1108/00251749910274216
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

David Baccarini, Geoff Salm, Peter E.D. Love, (2004),"Management of risks in information technology projects", Industrial
Management & Data Systems, Vol. 104 Iss 4 pp. 286-295 http://dx.doi.org/10.1108/02635570410530702
Stefan Fenz, Johannes Heurix, Thomas Neubauer, Fabian Pechstein, (2014),"Current challenges in information security
risk management", Information Management & Computer Security, Vol. 22 Iss 5 pp. 410-430 http://dx.doi.org/10.1108/

Access to this document was granted through an Emerald subscription provided by emerald-srm:404409 []
For Authors
If you would like to write for this, or any other Emerald publication, then please use our Emerald for Authors service
information about how to choose which publication to write for and submission guidelines are available for all. Please
visit www.emeraldinsight.com/authors for more information.
About Emerald www.emeraldinsight.com
Emerald is a global publisher linking research and practice to the benefit of society. The company manages a portfolio of
more than 290 journals and over 2,350 books and book series volumes, as well as providing an extensive range of online
products and additional customer resources and services.
Emerald is both COUNTER 4 and TRANSFER compliant. The organization is a partner of the Committee on Publication
Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archive preservation.

*Related content and download information correct at time of download.

A business approach to effective information
technology risk analysis and management

Sharon Halliday UNISYS, Port Elizabeth, South Africa

Karin Badenhorst Integrated Risk Consultants (IRC), Johannesburg, South
Africa, and
Rossouw von Solms Department of Information Technology, Port Elizabeth
Technikon, Port Elizabeth, South Africa

Suggests that a number of management of information security within

difficulties are experienced by Introduction an organization is vital to its survival and
organizations using conven- We live in an unsafe world in which we success. An organization needs to be able to
tional risk analysis and man- encounter threats against our safety and determine the current security status of its
agement. “Conventional” security every day. This is especially true in information and computer resources and
refers to those methodologies the information processing environment. raise it to a level that is acceptable to manage-
which are based on the tradi- More and more companies are becoming ment. To do this, the risks that threaten the
tional asset/threat/vulnerabil- security of its information and computer
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

totally dependent on computer systems for

ity model. Identifies a need for their day-to-day operations. Computer tech- resources need to be assessed and the neces-
an approach that is more nology is developing at a dramatic rate and, sary security controls need to be
suitable for smaller organiza- unfortunately, so are the techniques and implemented and managed effectively.
tions, as well as organizations mechanisms utilized by computer criminals.
requiring a quicker, more Fast developing issues, which provide
simplified and less resource- increased opportunities for computer crime Risk analysis and management
intensive approach. In light of and which result in a greater demand for Risk analysis and management provides an
this requirement, proposes an security, include: increased computer access, organization with a means of identifying,
alternative approach to networks (Internet), open systems, assessing and controlling the organization’s
effective information technol- client/server, etc. risks. Risk analysis deals with the following:
ogy (IT) risk analysis and Crime usually does its ingenious best to • Which assets need protection?
management. This approach keep pace with technology[1]. • What is the value of these assets?
has a business-oriented focus Network security has become the most • What threats prevail?
from an IT perspective. important concern of organizations today. • What is the probability of each threat?
Gary Jensen, Operations Manager, Scientific • What is the vulnerability of the assets to
Computing Division, National Centre for the threats?
Atmospheric Research, states: “If you have • How much is the company at risk?
telephone lines attached to your network, you
can’t be 100 per cent secure”[2, p. 6]. Based on Once the risks have been identified, they need
a US survey (1995) of respondents running to be reduced to an acceptable, low level by
vital business systems on local area networks introducing countermeasures. Risk
(LANs), 50 per cent believe LAN security is management involves the identification and
unsatisfactory. At larger organizations (over implementation of effective security controls
2,500 employees), 55 per cent report unsatis- to mitigate, control and resolve the
factory security for mission critical systems organization’s risks. Cost-benefit analyses
running on LANs (see Figure 1). need to be performed to determine which
As organizations become more and more controls are the most effective and justifiable
dependent on their computer-based informa- in terms of cost and protection provided.
tion systems, which play a vital role and Figure 2 provides an overview of risk analy-
important part in their business operations, sis and management.
there needs to be a greater awareness and The risk analysis and management
concern about the security of these systems. approach which has just been described can
be classified as “conventional”. It is based on
Information has become the key resource and
the conventional asset/threat/vulnerability
even the lifeblood of many organizations.
model which refers to the analysis of assets,
“Information is the glue that holds an organi-
threats, vulnerabilities and outcomes to
zation together and that allows all other
determine risks, followed by the implementa-
resources to be managed”[3, p. 71].
tion of effective counter-measures.
Information security appears on the list of
critical success factors of most major organi-
zations today[4]. There are three fundamental
Information Management &
qualities of information which are vulnerable
Implementation of risk analysis
Computer Security
4/1 [1996] 19–31 to risk and which, therefore, need to be pro-
and management
© MCB University Press tected at all times, namely availability, The task of performing a risk analysis and
[ISSN 0968-5227] integrity and confidentiality. The successful management review is a complex one which
[ 19 ]
Sharon Halliday, Figure 1 A list of some of the criteria that have been
Karin Badenhorst Mission critical systems in an insecure used previously in a review of risk analysis
and Rossouw von Solms environment methods follows[5, p. 42]:
A business approach to • Background. This refers to the type of
effective information
technology risk analysis and Per cent community in which the system was ini-
management 63 tially developed, e.g. military, government,
Information Management & etc.
Computer Security 62 • Type of system. This refers to the type of
4/1 [1996] 19–31 approach that the system uses, e.g. qualita-
tive, quantitative or both.
60 • Supported by a method. This refers to how
well the system is supported by a method.
59 A system which has little support will
place more demands on the reviewer.
Systems run on Systems run on • Size of the system. Size of the system means
department/business LANs how extensive the system is in terms of
unit minicomputer
number of questions, etc.
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

Respondents who report environment as insecure but • Automated cost/benefit. This refers to the
continue to process critical systems in the environment
amount of automated cost/benefit support
provided by the system.
• Degree of automation. This refers to the
Figure 2 amount of work the system does. A low
Risk analysis and management degree of automation means that a lot of
work needs to be done by the analyst.
Risk analysis scope
• Gathering of input information. It is impor-
tant that the system models threats and
assets in such a way that it is possible for
Threats Risks Counter-measures the user to find accurate information.
• Degree of completeness. This refers to the
number of aspects of computer security
which are covered by the system. Some
Risk analysis Risk management systems concentrate more on a specific
aspect of computer security.
Table I provides a comparison of the named
has been made easier by formal methodolo-
gies that implement the theory of risk analy-
sis and management. These methodologies Difficulties with the application of
consist of a set of specific phases and guide- conventional risk analysis and
lines to be followed by an organization. management methodologies
Many of these methodologies are available
The term “conventional” is used to refer to
in the form of a software package. The
many of the risk analysis and management
methodology chosen by an organization will
methodologies that exist today. One com-
depend on the size of the organization as
monality between these methodologies is
well as on the decision about how much
that they are all based on the traditional
effort and time is going to be spent in the
asset/threat/vulnerability model. The focus
area of computer security.
of this model is mainly within the IT
department and does not take into account
business issues. Because of the nature of
Review of current methodologies conventional risk analysis methods, which
This section will provide a brief are mostly bottom-up (i.e. driven from a
comparison of several of the most well- technology assets perspective), such
known and respected risk analysis and man- reviews tend to become time-consuming,
agement methodologies, namely LRAM, especially in medium to large organizations.
LAVA, CRAMM and MARION. These The simplest framework for a risk analysis
methodologies have been widely accepted is based on extensive threat and asset check-
and implemented in countries all over the lists[6, p. 91]. Unless reviews can be more
world. Although many basic concepts are focused on the critical parts of the business
similar, they vary widely in terms of scope, and completed within a limited period of
analytical depth, costs and resource require- time, much value will be lost and a danger
ments. will exist that the risk analysis will become
[ 20 ]
Sharon Halliday, Table I
Karin Badenhorst A comparison of reviewed methodologies
and Rossouw von Solms
A business approach to LRAM LAVA CRAMM MARION
effective information
technology risk analysis and Background Military Government Government Consulting insurance
management Type of system Quantitative Both Both Both
Information Management & Supported by method Medium High High High
Computer Security Size of system Medium Large Large Medium
4/1 [1996] 19–31 Automated cost/benefit Yes No No Yes
Degree of automation Low Medium Medium Medium
Gathering of input information Medium Low Medium Medium
Degree of completeness n/a High High High

more expensive than the acceptance of the

risks. A proposed business approach to
Many of the well-known methodologies risk analysis and management
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

were initially developed to address the secu- The terms “corporate approach” and “busi-
rity needs of large organizations such as ness-oriented approach” are used to define
military and government institutions. the proposed risk analysis and management
Although they can be tailored to suit the approach. This approach differs from conven-
needs of smaller organizations, to be able to tional methodologies in that it focuses on
do this and apply the modified methods identifying the risks that threaten the organi-
effectively, a certain amount of knowledge zation’s critical business processes instead of
and expertise is required. The skill level(s) the risks that threaten each individual IT
of the person(s) required to conduct an IT asset.
risk analysis review is often If the security of an organization’s com-
underestimated. Considerable demands are puter resources or the availability, integrity
placed on the reviewer’s expertise in the way and confidentiality of its information is
of subjective estimations and judgements violated or compromised in any way, it will
that are required to be made[7, p. 423]. The affect business continuity and, consequently,
risk analysis has to be supervised by experi- the whole company will be affected. Any part
enced IT security staff, trained in the of the business that relies on the company’s
methodology, or with at least a reasonable information systems for its daily functioning
knowledge of general computer security will be at risk.
principles[6, p. 103]. Rather than approaching the analysis and
It is also very important to keep the focus management of IT risks in the traditional
on a more comprehensive risk management manner, through rigidly considering domains
process, rather than limiting an exercise to such as hardware, software, the environment
the risk analysis/assessment part of the and personnel as done by conventional meth-
process, as is often the case. There is little ods, a corporate approach which focuses on
value in identifying and quantifying risk the critical business processes of the organi-
without implementation of cost-effective zation is proposed. Figure 3 illustrates the
security measures to counter the risk. An difference in focus of the proposed business-
important aspect of a risk analysis and man- oriented approach.
agement methodology is the provision of
some means by which risks can be prioritized
and countermeasures can be selected and Figure 3
implemented on a cost-effective basis. Focus of the business-oriented approach
The results from a conventional risk review
are normally not carried through to a busi-
ness impact analysis (BIA) which is required The business
in the development of a business continuity
plan. Added value can be achieved by an
organization if the risk review can be inte- Business Finance Sales Marketing
grated with a BIA.
An alternative approach to effective IT risk
analysis and management will be proposed. Business Order Customer
processes processing relations Focus
The objective of the rest of this paper is to
discuss the formulation of the proposed
approach and to put into perspective, the Individual
concepts applied within it. tasks

[ 21 ]
Sharon Halliday, The business-oriented approach is con- computer technologies that support these
Karin Badenhorst cerned with identifying risks at the business information systems, are taken into account.
and Rossouw von Solms process level. Its objective is to ensure the They are considered in terms of the impact
A business approach to continuity of essential business functions that a loss of their availability, integrity and
effective information
technology risk analysis and and the organization as a whole through confidentiality will have on the business
management assessing the criticality of business processes that they support, and ultimately
Information Management & processes and determining the effect of their the organization. Figure 4 illustrates the
Computer Security unavailability or obstruction on the definition of IT as applied within this paper.
4/1 [1996] 19–31 organization’s day-to-day operations. The The proposed approach focuses on business
recording of the individual tasks within each dependence (the dependency of business
business process provides areas which are processes on IT and its impact on the organi-
significantly reduced to enable risks to be zation) instead of on computing vulnerability
easily identified. (the vulnerability of IT assets to threats).
The business-oriented approach focuses on Organizations need to look at the business
the critical business processes of the organi- functions being supported by computers and
zation from an IT perspective. ask questions about the information manipu-
lated in these processes. For example, “how
An information technology (IT) perspective valuable, sensitive or critical is the informa-
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

Two very important aspects of IT that are tion”[3, p. 202].

essential to the successful operation of the In the next section, the business oriented
organization are: approach will be further defined in terms of
1 availability so that the organization can its framework, the model on which the frame-
perform its operations; work is based and the differences in its
2 functionality so that the organization can method of identifying and managing risks.
perform its operations correctly.
A problem in the past has been that senior
A framework for the proposed
executives have separated the organization’s
technological and information-processing
activities from the business functions they To be able to perform an analysis at the busi-
support. These activities are often seen as ness process level, all of the above and under-
trivial adjuncts to the business functions and lying levels need to be looked at. This is
processes. Management needs to realize how because of the interdependence and commu-
dependent the functions and processes are on nication between the various levels. The
IT. Few end-to-end business processes can framework of the business-oriented approach
exist efficiently without a computer[8, p. 6]. A is based on a model called the value chain
single failure in IT could have a dramatic defined by Michael E. Porter[9].
impact on many parts of the organization.
Therefore, management needs to pay extra Porter’s value chain
attention to its security. IT should be inte- The value chain introduced by Porter
grated throughout the entire business opera- [9, p. 36], is defined as a tool for systematically
tion and act as a full participant in perform- examining all the activities of a firm and the
ing the business mission. Terry Lamb of way in which these activities interact. Every
Ernst & Young in Europe stated in January
1993: “Alignment of IT with organizational Figure 4
needs is a top-down process that requires a The definition of IT as applied within this paper
business driven approach”.
Within the scope of this paper, IT has been Business function
defined as consisting of the following two
1 the information systems (including related Business processes
information) on which the critical busi-
ness functions and processes depend;
2 the computer technologies (hardware and Stock control system Information
software) which support the processing, systems
storage and distribution of the company’s
data and information.
= IT
The business-oriented approach has a
corporate or business focus, but from an IT
perspective. During the identification of
risks, the information systems (and associ- MCB
ated information) on which the critical
business processes depend, as well as the Hardware Software

[ 22 ]
Sharon Halliday, firm consists of a collection of activities that • Systematic (functional) level. The main
Karin Badenhorst are performed in order to produce, market, activities (business functions and
and Rossouw von Solms deliver and support its products and services. processes) of the organization are per-
A business approach to formed at this level. It consists of a number
The value chain disaggregates a firm into its
effective information
technology risk analysis and strategically relevant activities in order to of business departments controlled by
management understand the behaviour of costs and the middle management.
Information Management & existing and potential sources of differentia- • Situational (support) level. This level con-
Computer Security tion. A firm gains competitive advantage by sists of the daily operations required to
4/1 [1996] 19–31 support the business functions and
performing these strategically important
activities more cheaply or better than its processes of the organization.
competitors. Every firm has a set of distinct business func-
Within this paper, Porter’s value chain is tions and processes which must be performed
used to define a model on which the frame- if it is to achieve its mission and objectives.
work of the business approach will be based. Every function employs purchased inputs,
human resources and some form of technol-
Definition of the organizational chain ogy to achieve its objectives. Figure 5 illus-
Definition of this model is necessary in order trates the organizational chain which is
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

to facilitate formation of a framework for the defined from Porter’s value chain.
business-oriented approach. Porter’s value With regard to the organizational chain,
chain is customized to fit the focus of the primary activities are referred to as business
business oriented approach, i.e. it is functions while support activities are
customized to define an organization as a referred to as support tasks.
hierarchy of levels consisting of different Business functions (primary activities)
business functions, processes and tasks. There are five generic categories of primary
Because of its sole purpose to represent the functions involved in competing in any indus-
structure and operation of an organization, try. Each category is divisible into a number
the term value chain is replaced with the of distinct functions that are determined by
term organizational chain for the purpose of the particular industry and firm strategy.
this paper. These categories can be applied to the busi-
The organizational chain of a company ness functions of any type of firm, e.g.
comprises the following levels: manufacturing, service providing, banking,
• Strategic level. This is the top level in the etc. The example organization used in the
organization, consisting of senior following explanation of the five categories is
management. It also represents what the characterized as having a production
business is all about (business type, function.
mission, focus, goals, customers and 1 Inbound logistics. Functions belonging
suppliers). to this category are associated with

Figure 5
The organizational chain

The organizational chain

Strategic Business environment – type, mission,
level: strategy, goals, objectives, customers and suppliers, etc.
Strategic activities

Business Inbound Operations Outbound Marketing Customer
functions logistics logistics and sales service
and processes

Technology management
Human resource management
Firm infrastructure
Situational level: Day-to-day support operations (tasks) activities

[ 23 ]
Sharon Halliday, receiving, storing and disseminating as raw materials, are purchased by the
Karin Badenhorst inputs to the product such as order receiv- conventional purchasing department, while
and Rossouw von Solms ing, material handling, returns, etc. other items, such as machines, are pur-
A business approach to 2 Operations. These functions are associated chased by plant managers.
effective information
technology risk analysis and with transforming the inputs into the final
The three levels in the organization, together
management product form, e.g. machining, packaging,
with the business functions, processes and
Information Management & assembly, etc.
support tasks discussed above, serve to define
Computer Security 3 Outbound logistics. This category consists
4/1 [1996] 19–31
the organizational chain from Porter’s value
of functions associated with collecting,
chain. The application of the organizational
storing and physically distributing the
chain in defining the framework of the pro-
product to buyers, e.g. finished goods ware-
posed business-oriented approach will be
housing, deliveries, scheduling, etc.
discussed in the following section.
4 Marketing and sales. Functions within this
category are associated with providing a
Definition of a framework based on the
means by which buyers can purchase the
organizational chain
product, and inducing them to do so, such
The business-oriented approach focuses on
as advertising, promotions, sales force, etc.
the organization as a whole (corporate focus)
5 Customer service. These functions are
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

with regard to IT security, as shown in

associated with providing service to
Figure 6. The business processes are the most
enhance or maintain the value of the prod-
important part of an organization and are
uct, e.g. installation, repairs, training, etc.
essential to its survival as they allow it to
Each of the above categories may be vital to continue functioning, carry out its mission,
the survival of the organization depending on achieve its goals and objectives and make
the industry type. Each of the business profit. Therefore, it is important that these
processes that compose a business function processes are protected from all possible
can be decomposed into a number of individ- disruptions. The risk analysis and manage-
ual tasks that support it. ment review is performed at the systematic
level in the organization. Figure 6 graphically
Support tasks (support activities)
illustrates the mapping of the organizational
The individual tasks performed at the situa-
chain to the framework of the business-
tional level support the business functions
oriented approach.
and processes and each other by providing
Figure 6 shows how the IT perspective of
purchased inputs, technology, human
the business-oriented approach is taken from
resources and various firm-wide activities.
the technology management entity in the
As with business functions, support tasks can
organizational chain. Other entities at the
also be divided into a number of generic cate-
situational level (firm infrastructure, pro-
gories applicable to any given industry type.
curement, etc.) are not considered. During
• Firm infrastructure. Firm infrastructure
the identification of risks, the information
consists of a number of tasks including
systems and computers on which the busi-
general management, planning, finance,
ness processes depend are taken into account.
legal and government affairs, quality man-
Figure 6 also shows how risk analysis can
agement, etc. Unlike other support tasks, it
be integrated with a business impact analysis
usually supports the entire organizational
(BIA). The author’s approach simplifies the
chain and not individual business
development of a business continuity plan
because the critical operations and business
• Human resource management. Human
processes of the organization, as well as the
resource management consists of tasks
computer technologies that support these
involved in the recruiting, hiring, training,
processes, will already have been identified in
compensation, etc. of all types of personnel.
the risk analysis. This information can then
• Technology management. The array of tech-
be carried through to the BIA and the organi-
nologies employed in most firms is very
zation does not have to spend additional time
broad, ranging from those technologies
and resources on a second analysis.
used in preparing documents and trans-
The next two sections discuss the differ-
porting goods to those technologies embod-
ences in the way the proposed business
ied in the product itself. Technology man-
approach deals with the identification, analy-
agement may support any of the numerous
sis and management of risks.
technologies embodied in support tasks,
including such areas as telecommunica-
tions technology or office automation.
Risk analysis
• Procurement. Procurement refers to the
purchasing of inputs used in the firm’s The business-oriented approach is concerned
organizational chain and not to the pur- with identifying risks for the critical busi-
chased inputs themselves. Some items, such ness processes in the organization. It follows
[ 24 ]
Sharon Halliday, Figure 6
Karin Badenhorst Framework definition from the organizational chain
and Rossouw von Solms
A business-oriented approach The organizational
to effective information chain
Strategic Business environment – type, mission,
technology risk analysis and level: strategy, goals, objectives, customers and suppliers, etc.
Information Management & Strategic
Computer Security
4/1 [1996] 19–31

Business Inbound Operations Outbound Marketing Customer
functions logistics logistics and sales service
and processes
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

Technology management
Human resource management
Firm infrastructure

Situational level: Day-to-day support operations (tasks)

From an


Systematic Risk analysis and

(functional) management

Business impact analysis approach

a top-down process in which each of the three model is used to model the business func-
levels in the organization are analysed but in tions into their component processes and
varying degrees of detail. tasks. Business functions are identified
within the primary categories discussed
Analysis at each organizational level earlier. Only those business processes that
Each of the three levels in the organization is are dependent on or related to IT are
analysed with specific aims in view. analysed.
1 The strategic level in the organization is 3 Each business process is supported by a
analysed to determine the business envi- number of individual tasks which are
ronment (business type, focus, depart- performed at the situational (support)
ments, customers and suppliers, etc.). level. It has already been mentioned that
Analysing the business environment will the recording of individual tasks provides
help to identify those areas which are areas which are significantly reduced to
predominantly at risk and which, there- enable risks to be easily identified. The
fore, need to be concentrated on. This is concept of the delimitation of areas is also
necessary to determine the boundary and applied in MARION, in which the organi-
scope of the review. zation is divided into risk areas and the
2 The actual risk analysis and management
people responsible for each area are inter-
review is performed at the systematic level,
during which the critical business func-
tions and processes in the organization are In the business-oriented approach, only the
analysed. A functional decomposition IT components of the situational level are
[ 25 ]
Sharon Halliday, focused on. The information systems and The concept of a “risk scenario” can also be
Karin Badenhorst computer resources are analysed in terms seen in LRAM and MARION which proves
and Rossouw von Solms of the impact on a business process caused that this concept is not totally foreign. In
A business approach to LRAM, the basic unit is a risk element which
effective information
by a loss of their availability, integrity and
technology risk analysis and confidentiality. A systems model can be refers to a risk scenario[10, p. 498]. A risk
management used to model the information systems and element consists of a threat initiator, poten-
Information Management & hardware and software used by each task in tial target asset and the consequences if the
Computer Security the business process. Through focusing on threat reaches the asset[5, p. 24]. These three
4/1 [1996] 19–31 entities, in effect, compose a risk. MARION
each task it is easy to determine at which
point the process becomes dependent on IT has an eight-step risk scenario instruction
and also on which systems it becomes process that follows a similar line of reason-
dependent. ing.
Figure 7 shows how a systems model can be Risk scenarios are constructed by deter-
used to model the individual tasks within a mining what could befall the information
systems and computer resources that support
business process together with the IT (infor-
each business process. Risks are classified
mation systems and computer technology)
according to their primary effect on one of
used by each task.
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

the following:
• availability of information systems and
Identification of risks
computer resources;
In the business-oriented approach, risks are
• integrity of information;
not the end result but instead are identified at
• confidentiality of information.
the start of the analysis. Risks are identified
by constructing “risk scenarios” which are In the case where a risk will affect more than
defined as undesirable situations that could one of the above, e.g. integrity and confiden-
disrupt a business process, e.g. unauthorized tiality, then the risk must be categorized
modification of debtors’ information. A risk according to its primary effect (the most
scenario comprises a risk description, likely critical effect) and any other effects are con-
causes (initiators of the risk), e.g. conspiracy sidered as secondary.
between employee and debtor, an expected For each risk, the following is recorded:
frequency and impact and a risk growth fac- • likely causes;
tor. The identification of risks is made easier • expected frequency;
by analysing one business process at a time • impact on a business process;
(including its component tasks and support- • growth factor.
ing IT). The reason for recording the likely If a risk has not occurred before, it is difficult
causes of a risk is that it simplifies the to estimate its expected future occurrence.
recommendation of counter-measures as the Therefore, to assist in the determination of
sources of the risk are known. frequencies, a certain amount of flexibility is

Figure 7
A systems model with supporting IT

Function: Purchase parts

Processes: Place order and monitor order receipt

Identify late/
Purchasing problem orders Materials
system Inquire or reconcile control clerk
File order copy
by vendor Mapper
Verify price Informix
and availability Verify receipts
against orders Unix
Identify items
and vendors
Invoice approval
clerk Create invoices and
Buyer send to accountant

Create and mail order

Vendor Accountant

[ 26 ]
Sharon Halliday, provided where reviewers can rely on their Prioritization of risks
Karin Badenhorst knowledge and understanding of the business Management needs to have some means of
and Rossouw von Solms as well as past experiences with risk events. determining the level of risk that is accept-
A business approach to There are two frequency measures available: able and the level of risk that needs to be
effective information
technology risk analysis and
1 frequency of past occurrences; addressed in the organization. High level
management 2 probability of future occurrences. risks, which pose the biggest threat to the
Information Management & critical business processes, should be
The risk growth factor can be seen as a third
Computer Security addressed first.
4/1 [1996] 19–31
dimension when recording risks. It is used to
A tool called a bubble chart is proposed,
describe the possible future developments of
which can be used to plot the risks for each
a particular risk. For example, a major risk
business process once they have been identi-
with a low growth factor is typically a risk
fied and quantified. Risks can be grouped into
that will disappear or diminish soon. This
different levels according to their criticality,
may be due to various influencing factors
as shown in Figure 9. These levels represent
(e.g. introduction of legislation). On the other
the order in which the risks need to be
hand, a small risk with a large growth factor
addressed and can be used to plan the
is a risk that could grow into a much larger
implementation of the necessary security
one in a very short time period. The growth
countermeasures. The lines dividing the
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

factor will have a large influence on the criti-

risks into addressable levels (shown as dotted
cality of a risk and thus also on the amount of
lines in the graph), can be positioned by man-
effort, time and resources spent on address-
agement depending on the level of risk that
ing the risk. Although a risk may currently
they are willing to accept (e.g. frequency < = 5
have a high value (determined by frequency
and impact < = 5) and the criticality of each
and impact), if it has a low growth factor, then
a large amount of effort should not be spent
A bubble chart is very similar to a scatter
on addressing it immediately, because of the
or XY graph. The difference is in the number
likelihood that it will diminish in the near
of variables required to plot an intersection
future. The differences with regard to risk
point. An XY graph requires two co-
identification between conventional
ordinates, namely an X-axis value and a
approaches and the business-oriented
Y-axis value. A bubble chart is a three-
approach are shown in Figure 8.
In the next section, a graphical tool is pro-
posed which will provide support in the risk
management process. Figure 9
The prioritization of risks using a bubble chart
Bubble chart
Risk management
Process : place order of function : purchase parts
The objective of the proposed tool is to
address the following two aspects of risk Frequency
management: 8

1 the prioritization of risks;

7 5
2 the recommendation and selection of Risk for
appropriate security controls. immediate attention

5 4
Figure 8 Risk to be
Conventional risk analysis versus business- 4 next
oriented approach
3 4 2

Traditional Business-oriented
methodologies approach 2 2 3

Risk • Availability 1
Threat • Integrity Acceptable
scenario • Confidentiality risk level
0 1 2 3 4 5 6 7 8
Frequency Likely causes
Vulnerability impact Vulnerability Frequency Impact
Growth factor Key
Asset Business Input error Calculation error
= process Incorrect Backup failure
Risk  Tasks  verification-price Printer failure
 Information
Computer technology (hardware 
Failure of Unix
 and software)  machine

[ 27 ]
Sharon Halliday, dimensional graph and, therefore, requires Figure 10
Karin Badenhorst three variables – an X-axis value, a Y-axis Recommendation and selection of counter-
and Rossouw von Solms value and a third value which is used to deter- measures using a bubble chart
A business approach to mine the radius (size) of a bubble.
effective information
technology risk analysis and There are three measures used to plot risks. Bubble chart
management The first two are impact and frequency (risk
value). The position of a risk in the graph is Process : place order of function : purchase parts
Information Management &
Computer Security determined by the intersection of its impact Frequency
4/1 [1996] 19–31 and frequency. The X- and Y-axes are used to Control risk Risk (reduce frequency
plot the impact and frequency values of a risk (reduce frequency) and impact)
respectively. The third mesaure is risk 8
growth factor. The growth factor of a risk
(shown as a number in the chart) determines 7 5
the radius (size) of its bubble.
A bubble chart is a very useful manage- 6

ment tool as it graphically illustrates all the

5 4
risks to a business process as well as the criti-
cality of each risk in relation to the others. Q4 Q3
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

Based on the size and position of the bubbles,
management can determine the level of risk 3 4 2
that is acceptable and the level of risk that
needs to be addressed in the organization. 2 2 3
Once the risks have been prioritized, man- Q1 Q2
agement needs to determine the type and 1
Accept/retain risk Transfer risk
amount of security that is needed for each (do nothing) (insure)
risk. 0
0 1 2 3 4 5 6 7 8
Recommendation and selection of security
controls Key
Decisions on the type and amount of security Input error Calculation error
required to address the identified risks will Incorrect Backup failure
be influenced by the criticality of each risk. verification-price Printer failure
The higher the level of exposure, the more Failure of Unix
important it is to counter the risk. The bubble machine
chart shown in Figure 10 can be used by man-
agement in the recommendation and selec- that the risk should be carefully monitored as
tion of a set of appropriate security counter- it could quickly move into another quadrant
measures. in the near future. Management should
The bubble chart in Figure 10 is divided refrain from spending a lot of time and effort
into four quadrants, Q1 to Q4. Each quadrant in addressing immediately this type of risk
has certain countermeasures which will best because of the likelihood that it will change
address the risks that fall within it. The very soon.
position of a bubble within a quadrant can be The following are recommended counter-
used as a guideline for selecting counter- measures for each quadrant:
measures for the risk which it represents. 1 First quadrant: accept/retain risks. The
The lines dividing the chart into quadrants risks within this quadrant normally have
may not be adjusted by an organization a very low frequency and impact. It may
because of the danger that some managers not be worthwhile to implement any secu-
may try to minimize the amount of effort, rity controls as the cost of doing so could
time and money that has to be spent on exceed the financial implications caused
addressing some of the risks. Depending on by the materialization of such risks. These
the level of risk that an organization is will- risks are generally just accepted.
ing to accept, each quadrant can be redefined 2 Second quadrant: transfer risks. These
into smaller quadrants to highlight those risks have a very high impact and a low
risks that are severe and that require extra frequency, e.g. fire, floods, terrorism. They
attention. are totally unpredictable and the losses
It is important to remember that it is possi- they cause are generally uncontrollable.
ble for a risk to move into a different quad- These risks are normally addressed
rant because of its growth factor. For exam- through some form of insurance or out-
ple, although the risk “calculation error” (in sourcing.
Figure 10) has a low frequency (3) and impact 3 Third quadrant: avoid/prevent risks. These
(3), its growth factor of 4 is fairly large in are the most critical risks as they have
comparison to the other risks. This implies both a high impact and high frequency,

[ 28 ]
Sharon Halliday, and may be too expensive to insure finance and administration). The branches
Karin Badenhorst against. Examples are fraud, theft of hard- are usually connected via a network to each
and Rossouw von Solms ware or information, etc. The organization other and the head office. It is not uncommon
A business approach to needs to implement the necessary security for the branches to share information and
effective information
technology risk analysis and
controls to reduce to an absolute minimum computer resources which can either be
management the chances of such a risk materializing situated locally or centrally. The business-
Information Management & (e.g. physical locks, access control, etc.). oriented approach can be used to perform a
Computer Security These controls should also be able to detect risk analysis review for each branch or the
4/1 [1996] 19–31 the materialization of such a risk and entire company. It makes no difference where
ensure the effective and timely recovery of the information systems and computer
business operations. resources used by each business process are
4 Fourth quadrant: control risks. These risks located. Risks are still identified in terms of
normally have a high frequency and a low the impact on a business process caused by a
impact, e.g. errors and omissions, and loss of the availability, integrity and confiden-
virus attacks, and are management prob- tiality of the supporting information systems
lems. The organization needs to imple- and computer resources.
ment counter-measures to reduce the fre-
quency of these risks (e.g. modification
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

rights to users, etc.) and to detect their The correct approach

occurrence (e.g. error detection and cor-
rection procedures). An existing danger with any risk analysis
and management exercise is one where peo-
During the selection of counter-measures, ple become involved in too much detail. More
management must take into account the costs is spent on gathering information and per-
(development, implementation, operation
forming evaluations and computations than
and maintenance) of the counter-measures.
on what is actually at risk. This results in
people finding themselves at a dead end
where they have become mired in too much
Other issues of consideration detail, lost their focus and forgotten what is
There are two important issues that always that they are trying to achieve. The key is to
seem to be raised with regard to risk analysis use a technique which is sufficiently inexact,
and management methodologies, namely permitting the study to be focused and ade-
their applicability to future or planned IT quately performed in a reasonable time. The
systems, and their suitability for distributed author’s approach does not focus on excessive
organizations. detail, but rather focuses on the organization
from a higher level (i.e. top-down). Even
Future IT systems though the business oriented approach repre-
The business-oriented approach can be used sents a different way of performing a risk
to identify risks to an organization with analysis and management exercise, it does
future or planned IT systems. In this case, ensure that the primary objective of such an
risks will be identified with regard to the exercise is achieved – which is to identify the
development and implementation processes organization’s risks and to reduce them to an
of information systems. This is possible as acceptable, low level. The approach is defi-
the business-oriented approach does not nitely a management-driven one; this does
focus on identifying risks to IT systems per se, not mean that management is responsible for
but instead focuses on identifying risks to the performing all the tasks in the analysis, it
business processes that will rely on these merely suggests that management should be
systems. The impact caused by errors in, or involved and give their full support in the
disruptions to, the development and imple- review.
mentation of an information system on which
various business processes will depend must
be taken into account during the identifica- Benefits of the business approach
tion of risks. The continued operation of a
business function without these IT systems There are a number of benefits offered by the
in place is often, in itself, a major risk. business-oriented approach.
• It encourages management’s involvement.
Distributed organizations A methodology that adopts a corporate
Distributed organizations normally consist of approach based on generality, and which
a head office in one location and a number of focuses on the business processes of the
branches separated geographically. Some organization rather than on the computer
functions are performed locally at each technologies that support these processes,
branch while other main functions are will be much more understandable to all
performed centrally by the head office (e.g. management in the organization. This will
[ 29 ]
Sharon Halliday, help to encourage their support and making, authority and discretion in identi-
Karin Badenhorst involvement in the review. fying and addressing risks. This involve-
and Rossouw von Solms • It is effective in terms of cost, time and ment provides managers with a sense of
A business-oriented approach resources. The business-oriented approach “ownership” and responsibility, and hence
to effective information
technology risk analysis and
saves time and resources, as it does not they will take extra pride and care in
management require a detailed analysis of all assets, all ensuring the protection and continuous
Information Management & possible threats, the vulnerability between operation of their business functions. By
Computer Security each threat and asset and all possible out- encouraging communication between
4/1 [1996] 19–31 comes. It is also less complex as its focus is enterprise functions, people are empow-
at a much higher level, namely on the ered to work as part of multifunctional
company’s business processes. teams.
• It has a mission focus. The business • It supports business process re-engineering
processes are the most essential part of the (BPR). The business-oriented approach fits
organization and are vital to its survival. together well with BPR. Companies need
Any organization, whether a manufactur- to re-evaluate what they do and how they
ing firm, a service organization or a con- do it[13, p. 113]. According to a survey by
sulting firm, accomplishes its mission via Computer Sciences Corporation, business
processes[11]. Therefore, it makes sense to process re-engineering through IT is the
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

focus first on these processes which form biggest challenge facing IS managers[14].
the basic core of the company, and then on The importance of IT within BPR is
the technologies that support these emphasized by the following statement “IS
processes. managers identify the two enablers to the
• It supports an integrated IS environment. reengineering process, IT and human
Nowadays, the information systems resources”[14]. Because the development
within many organizations are becoming of information systems logically follows
more integrated. It is becoming increas- the re-engineering of business processes,
ingly difficult to define a particular com- the approach proposed in this paper is
puter system separately from the physical very applicable to BPR where the focus is
bounds within which it is contained, also on the business process first and then
because of the dissipation of the comput- IT.
ing function throughout the organization,
Figure 12 shows the three ways in which a
and networks abound[12].
risk analysis can be performed together with
Figure 11 shows the total interdependency BPR. A risk analysis review can be
and integration of business departments and performed prior to BPR to identify the risks
information systems within an organization. that threaten the business processes. The
Business processes are no longer situated number of risks identified for a process can
within one department but may cut across serve as an indication as to whether the said
several organizational units. Because of the process should be re-engineered or scrapped.
total integration of business processes across Also, operational activities will be
different departments, and their dependence highlighted which may underline any opera-
on IT, a business approach will be more suit- tional inefficiencies and overlapping func-
able. tions, both of which could represent security
• It empowers process owners. The managers problems. Alternatively, the risk analysis can
of each business function need to be be performed during BPR to simultaneously
involved in the review. They are identify the risks to obsolete processes as well
provided with increased control, decision as the risks to those processes that require

Figure 11 Figure 12
Total integration of departments within the IS Risk analysis and BPR
environment Option 1 Risk analysis
Interdependent Business processes
and risks
business departments
IT requirement Business Option 2 identify risks and
processes and Risk analysis re-engineer
IT functions of
business processes

Communication Re-engineered business
between Option 3
departments Risk analysis

[ 30 ]
Sharon Halliday, re-engineering. Lastly, a risk analysis can be and success. Rather than approaching the
Karin Badenhorst performed after BPR to identify the risks that analysis and management of risks in the
and Rossouw von Solms threaten the re-engineered business traditional manner through a detailed analy-
A business-oriented approach processes. sis of IT assets such as hardware, software,
to effective information
technology risk analysis and • It provides a logical link to business conti- communications, etc., a corporate approach,
management nuity planning (BCP). Traditionally, a risk which focuses on the critical business
Information Management & analysis and business impact analysis processes of the organization, is proposed.
Computer Security (BIA) were performed as two totally sepa- The approach is concerned with ensuring the
4/1 [1996] 19–31 rate analyses because of their different continuity of essential business processes
focus. In the business oriented approach, and, ultimately, the whole organization. It
the critical business areas are identified focuses on business dependence instead of
up front. Current developments in BCP computing vulnerability. If this approach
follow a similar top-down approach where becomes part of the business operations of an
the business processes are identified first, organization, it can serve as a value-added
and then IT. The method proposed will tool in ensuring the company’s survival and
therefore concurrently benefit the busi- success.
ness continuity planning process.
• It is adaptable to other focus areas. The References
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

business oriented approach also opens the 1 Forcht, K.A., Computer Security Management,
door for risk analysis and management Boyd & Fraser, Danvers, MA, 1994, p. 296.
reviews from other focus areas. This paper 2 Butler, J., “Hackers beware!”, The EDP Audit,
looked at risk analysis and management Control and Security Newsletter, Vol. XV No. 9,
from an IT perspective. The same princi- March 1988, pp. 6-8.
ples will apply if this approach had to be 3 Wood, C.C., Effective Information Security
used from any other perspective, e.g. finan- Management, Elsevier Advanced Technology,
cial or business risk analysis, etc. Oxford, 1991.
4 Eloff, J.H.P., Labuschagne, L. and Badenhorst,
K.P., “A comparative framework for risk
Concluding remarks analysis methods”, Computers & Security,
Vol. 12 No. 6, 1993, pp. 597-603.
Information has become one of the most 5 Wahlgren, G., “Survey of computer aided risk
important resources in many organizations analysis packages for computer security”,
today, and the importance of, and need for, its DSV, Department of Computer and Systems
security must be realized by management. Science, Stockholm University, 1990.
Information security needs to become totally 6 Caelli, W., Longley, D. and Shain, M., Informa-
integrated into the operations of the busi- tion Security Handbook, Macmillan,
ness. Risk analysis and management pro- Basingstoke, 1991.
vides a company with a means of assessing 7 Clark, R., “Risk management – a new
and managing the risks that threaten the approach”, IFIP Conference, Elsevier Science
security of its information and computer Publishers, North-Holland, 1989, p. 423.
resources. 8 Currid, C., “Rapid development tools – one of
Formalized methodologies were developed 18 top technologies for reengineering”, Profiles
to provide a structured approach to IT risk Magazine, Winter 1995, pp. 6, 7 cont. 58.
analysis and management. Each one differs 9 Porter, M.E., Competitive Advantage – Creating
in terms of its approach, degree of complete- and sustaining Superior Performance, The
Free Press, New York, NY, 1985.
ness, size, complexity, classification and valu-
10 Guarro, S.B., “Principles and procedures of the
ation techniques used, etc. There are a num-
LRAM approach to information systems risk
ber of difficulties experienced by organiza-
analysis and management”, Computers &
tions applying conventional risk analysis and
Security, Vol. 6, 1987, pp. 493-504.
management theory. Many of these problems
11 Hunt, D.V., Reengineering – Leveraging the
have become characteristic of the methodolo- Power of Integrated Product Development,
gies that implement this theory. Also, many of Omneo, Essex Junction, VT, 1993, p. 14.
the existing methodologies are considered 12 Smith, M.R., Commonsense Computer Security
unsuitable by smaller organizations or orga- – Your Practical Guide to Preventing Accidental
nizations requiring a quicker and more sim- and Deliberate Electronic Data Loss, McGraw-
plified approach. This prompted a search for Hill, London, 1989, p. 5.
an alternative approach to effective risk 13 Conger, S., The New Software Engineering,
analysis and management. Wadsworth, Belmont, CA, 1994, p. 113.
IT security should be addressed as a corpo- 14 Daniel, D., “A whole new way of thinking –
rate issue, as a failure in IT will have a dra- business process re-engineering”, Computing
matic impact on the organization’s survival Canada, Vol. 20 No. 7, March 1994, p. 17.

[ 31 ]
This article has been cited by:

1. Ali Mohammad Padyab, Tero Päivärinta, Dan Harnesk 1237. [CrossRef]

2. Nik Zulkarnaen Khidzir, Azlinah Mohamed, Noor Habibah ArshadEvaluation of Vulnerability Risk Factor: Critical ICT
Outsourcing project characteristics 1-5. [CrossRef]
3. Palaniappan Shamala, Rabiah AhmadA proposed taxonomy of assets for information security risk assessment (ISRA) 29-33.
4. Priya Seetharaman, Ambreen Alam Sajjad. 2014. Ashok Leyland. Journal of Cases on Information Technology 14:10.4018/
JCIT.20120701, 57-74. [CrossRef]
5. Xiaoling Hao, Songqiao Han. 2014. Measurement and Control of Operational Risk of Banking Industry based on Complex
Network. Journal of Software 9. . [CrossRef]
6. Lotto Kim Hung Lai, Kwai Sang Chin. 2014. Development of a Failure Mode and Effects Analysis Based Risk Assessment
Tool for Information Security. Industrial Engineering and Management Systems 13, 87-100. [CrossRef]
7. Ali Mohammad Padyab, Tero Paivarinta, Dan HarneskGenre-Based Assessment of Information and Knowledge Security
Risks 3442-3451. [CrossRef]
8. Mario Silic, Andrea Back. 2013. Factors impacting information governance in the mobile device dual‐use context. Records
Management Journal 23:2, 73-89. [Abstract] [Full Text] [PDF]
9. Stefan Taubenberger, Jan Jürjens, Yijun Yu, Bashar Nuseibeh. 2013. Resolving vulnerability identification errors using security
requirements on business process models. Information Management & Computer Security 21:3, 202-223. [Abstract] [Full
Downloaded by San Diego State University At 14:38 30 January 2016 (PT)

Text] [PDF]
10. Nik Zulkarnaen Khidzir, Azlinah Mohamed, Noor Habibah Arshad. 2013. ICT Outsourcing Information Security Risk
Factors: An Exploratory Analysis of Threat Risks Factor for Critical Project Characteristics. Journal of Industrial and Intelligent
Information 1:10.12720/jiii.1.4, 218-222. [CrossRef]
11. Kuo-Hsiung Liao, Hao-En Chueh. 2012. Medical Organization Information Security Management Based on ISO27001
Information Security Standard. Journal of Software 7. . [CrossRef]
12. Yu Zhiwei, Ji Zhongyuan. 2012. A Survey on the Evolution of Risk Evaluation for Information Systems Security. Energy
Procedia 17, 1288-1294. [CrossRef]
13. Piya Shedden, Rens Scheepers, Wally Smith, Atif Ahmad. 2011. Incorporating a knowledge perspective into security risk
assessments. VINE 41:2, 152-166. [Abstract] [Full Text] [PDF]
14. Tao Zhang, Weimin Lin, Yufei Wang, Song Deng, Congcong Shi, Lu ChenThe design of information security protection
framework to support Smart Grid 1-5. [CrossRef]
15. Xiaoling Hao, Nan YangIT operational risk assessment and control model based on Bayesian Network 1105-1109. [CrossRef]
16. Rua‐Huan Tsaih, Wan‐Ying Lin, Ada Chen. 2008. Safeguard gaps and their managerial issues. Industrial Management &
Data Systems 108:5, 669-676. [Abstract] [Full Text] [PDF]
17. Neil Lategan, Rossouw von Solms. 2006. Towards enterprise information risk management – a body analogy. Computer
Fraud & Security 2006, 15-19. [CrossRef]
18. Shaun Posthumus, Rossouw von Solms. 2004. A framework for the governance of information security. Computers & Security
23, 638-646. [CrossRef]
19. Jacques Botha, Rossouw Von Solms. 2004. A cyclic approach to business continuity planning. Information Management &
Computer Security 12:4, 328-337. [Abstract] [Full Text] [PDF]
20. Syed Irfan Nabi, Ghmlas Saleh Al-Ghmlas, Khaled AlghathbarEnterprise Information Security Policies, Standards, and
Procedures 67-89. [CrossRef]
21. Syed Irfan Nabi, Ghmlas Saleh Al-Ghmlas, Khaled AlghathbarEnterprise Information Security Policies, Standards, and
Procedures: 750-773. [CrossRef]
22. Bao-Chyuan Guan, Chi-Chun Lo, Ping Wang, Jaw-Shi HwangEvaluation of information security related risks of an
organization - the application of the multi-criteria decision-making method 168-175. [CrossRef]