Management Essays – Risk Assessment
Risk assessment is the focus of Chapter Eight of the book. The premise behind risk assessment is to take into consideration the findings of the asset, threat, and vulnerability assessments. By studying these three areas, a risk professional can devise a comprehensive risk assessment and help determine whether the overall risk is acceptable. This paper reviews the questions at the end of Chapter Eight on this subject.
Thoroughly answer questions 1-4 at the conclusion of Chapter Eight.
Chapter Eight deals with the fourth rung on the ladder of the risk management process, and that rung is risk assessment. This process helps set priorities for the critical assets that were identified in the preceding rungs. The book defines risk assessment as “The process of evaluating threats to and the vulnerabilities of an asset to give an expert opinion on the probability of loss or damage, and its impact, as a guide to taking action.” (Roper, 1999, p. 73) Basically, it is the culmination of the three assessments (assets, vulnerabilities, threats) that were discussed previously. The end of Chapter Eight asks four questions about risk management, which are reviewed below.
The first question at the end of Chapter Eight asks, “Is it possible to estimate the degree of impact of an undesirable event if the risk manager were to review the results of each step individually, never referring to other step results? Why?” The simple answer is yes, it is possible to estimate the degree of impact of an undesirable event by looking at each step individually, but how accurate would that estimate be? For example, a risk professional could look at a room and determine many things. They could see that it is not secured properly and that many people pass by it day after day, giving ample opportunity for someone to access it. Basically, the room is unsecured. If that professional decides to add a security camera, restrict entry to access-badge holders, or post a guard, that room would be very well secured. However, nothing is yet known about the asset inside it. Inside are only a few filing cabinets full of construction paper, glue, markers, and books on how to make the next company party more fun. This person has now wasted time and money protecting an asset that was never going to be compromised in the first place and which, if it were stolen from, nobody would care much about. This is an extreme example, but it does show that all three steps must be reviewed to estimate the degree of impact of an undesirable event. Joel Dubin, a security expert and author of The Little Black Book of Computer Security, puts it best when he states, “You don’t want to spend your security budget on protecting low-risk assets, you want to spend it on high-risk assets, those that might house sensitive customer data, or handle financial transactions, for example.” (Dubin, 2006) This holds true no matter what industry a person is working in.
Question number two from Chapter Eight asks, “When reviewing step results and comparing them to others, is it expected that based on the results of other steps (and the associated background information for those decisions) the risk manager could be able to reduce any of the individual ratings within any of the rating columns? Why?” Yes, the ratings can be reduced if the risk manager starts to “upgrade” or “downgrade” the level of rating in the various categories. Once more is learned about each of the steps, adjustments can take place. The budget is a huge driver in the “upgrading” or “downgrading” of ratings. A trade-off between risk and total cost may have to be considered. When balance is achieved between the level of risk and the grading impact on cost, mission, and schedule, the system is ready for implementation. At this point, the design/analysis process is complete. (Sandia National Laboratories, N/A)
The third question from Chapter Eight asks, “If the organization is willing to accept risk, what does this indicate?” This would more than likely indicate that the overall risk is either low/low or low/medium. This could vary depending on the amount of risk one is willing to accept. Much like auto insurance, one can choose the type of coverage they want and the amount of deductible they are willing to pay. The newer the automobile, the more coverage the owner may want; the older it gets, the less coverage it needs. Just as in business, it costs a lot of money to build and maintain risk management, and sometimes quantifying it becomes tough as well. “Regulators and analyst firms have been working hard to put the pieces together to justify operational-risk-mitigation investment, and it sounds good, but it’s hard to prove that any one organization is taking the right steps for operating risk,” says Susan Cournoyer, principal analyst at Gartner. (Colkin Cuneo, 2003)
The last question in Chapter Eight is a follow-up to the previous question, as it asks, “What is indicated when an organization is not willing to accept the risk?” This simply suggests that the risk is too high and that action must be taken in some of the previous steps to lower or downgrade the risk. These risks are normally medium/high or high/high. A risk management professional would have to reevaluate some of the previous steps. A recent example of an organization not willing to take risks was American Airlines. Its entire fleet of MD-80 jetliners was grounded so wiring bundles could be inspected. American had scrubbed over 3,000 flights, with the final cost possibly exceeding $30 million, said Philip Baggaley, an industry analyst at Standard & Poor’s Corp. (Pae & Zimmerman, 2008) This does not take into account the cost of the inspections themselves and the amount of customer service that will need to be rendered. This was a situation where the airline was not willing to accept the risk of a major catastrophe in the air but was willing to accept the consequences of its actions by grounding the flights.
In conclusion, risk assessment is another important aspect of the security of an organization. It reviews the previous steps and helps determine the overall risk and whether or not that risk is accepted. This can at times be a very difficult decision to make.
- Colkin Cuneo, E. (2003, May 12). Accepting Risk. Information Week (May 2003 issue), CIO Central. Retrieved April 14, 2008, from http://www.informationweek.com/news/management/showArticle.jhtml;jsessionid=1WXPXXAJWTAQYQSNDLPSKH0CJUNN2JVN?articleID=9800003&_requestid=844720.
- Dubin, J. (2006, July 7). What steps are involved in assessing risk? (Identity Management and Access Control Questions and Answers). Retrieved April 14, 2008, from searchsecurity.com: http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1197739,00.html#.
- Pae, P., & Zimmerman, M. (2008, April 11). American Airlines struggles to get its MD-80s back in the air. Los Angeles Times, Business. Retrieved April 14, 2008, from http://www.latimes.com/business/printedition/la-fi-american11apr11,0,4628138.story.
- Roper, C. A. (1999). Risk Management for Security Professionals. Burlington, MA: Butterworth-Heinemann.
- Sandia National Laboratories. (N/A). A Risk Assessment Methodology (RAM) for Physical Security. Retrieved April 14, 2008, from sandia.gov: http://www.sandia.gov/ram/RAM%20White%20Paper.pdf.