The Benefits of Risk Analysis

Why do most major businesses and many public/government bodies now employ a formal IT security Risk Analysis methodology? What tangible advantages and benefits does such a programme actually bring? How can these be maximised?

To answer these questions, we need to go back to the basics and also ask 'what is risk analysis?'. A classical definition of Risk Analysis is one which describes it as a process to ensure that the security controls for a system are fully commensurate with its risks.

This description is accurate, at the highest level. However, there are many other almost equally beneficial advantages. The list below was compiled by an existing COBRA client.

Cost Justified Security

Additional security almost always involves additional expense. As this does not directly generate income, it is important that this is justified in financial terms. The Risk Analysis process should directly and automatically generate such justification, vindicating all the security recommendations made.

Greater Productivity: Audit/Review Savings

A Risk Analysis programme should increase the productivity of the security or audit team. By creating a review structure, formalising and automating the review, pooling security knowledge in the system's "knowledge base", and utilising "self-analysis" features, much more productive use of time is possible. The ability to build in expertise should also alleviate the need for expensive external security consultants.

Business Related Security: Breaking Barriers

Risk Analysis should not only direct appropriate information at both department management and IT staff, but play a major and pro-active role in enhancing each party's understanding of the needs and role of the other.

Self Analysis: The Integration of Security

The Risk Assessment system should enable security to be driven into more areas and to become more devolved. It should allow security to become part of the organisation's culture, allowing departmental management to take more of the responsibility for ensuring an adequate and appropriate level of security.

Increased Security Awareness

The widescale application of a risk assessment programme, by actively involving a wider range and greater number of staff, will promote security as an issue for discussion and increase security awareness within the enterprise.

Better Targeting of Security

Security should be properly targeted, and directly related to potential impacts, threats, and existing vulnerabilities. Failure to achieve this could result in excessive or unnecessary expenditure. Risk Analysis promotes far better targeting and facilitates accurate security decisions.
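The relation this section relies on, risk driven by impact, threat likelihood and existing vulnerability, and the cost justification asked for under "Cost Justified Security", can be shown as a small worked calculation. The following is an added example, not COBRA's code or its scoring method: the 1-to-3 scale, the product scoring rule, the sample scenarios and the money figures are all constructed assumptions chosen to illustrate how a review ranks scenarios and tests whether a control pays for itself.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Assumed qualitative scale (not COBRA's): each factor is scored 1 (low) to 3 (high).
SCALE = (1, 2, 3)


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    impact: int         # consequence to the business if the threat succeeds
    likelihood: int     # how likely the threat is to materialise
    vulnerability: int  # how exposed the asset is, given existing controls


def check_factor(name: str, value: int) -> int:
    """Reject scores outside the agreed scale so rankings stay comparable."""
    if value not in SCALE:
        raise ValueError(f"{name} must be one of {SCALE}, got {value!r}")
    return value


def risk_score(s: Scenario) -> int:
    """Risk as the product of impact, likelihood and vulnerability (range 1..27)."""
    return (check_factor("impact", s.impact)
            * check_factor("likelihood", s.likelihood)
            * check_factor("vulnerability", s.vulnerability))


def rank_scenarios(scenarios: Iterable[Scenario]) -> List[Scenario]:
    """Highest risk first; ties broken by asset and threat name for a stable report."""
    return sorted(scenarios, key=lambda s: (-risk_score(s), s.asset, s.threat))


def control_justified(annual_loss_expectancy: float,
                      risk_reduction: float,
                      annual_control_cost: float) -> bool:
    """A control is cost justified when the loss it is expected to avoid
    each year (ALE times the fraction of risk removed) exceeds its annual cost."""
    if annual_loss_expectancy < 0 or annual_control_cost < 0:
        raise ValueError("money amounts must be non-negative")
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")
    return annual_loss_expectancy * risk_reduction > annual_control_cost


# Constructed sample scenarios for a small review (not real data).
SAMPLE = [
    Scenario("payroll database", "unauthorised disclosure", impact=3, likelihood=2, vulnerability=3),
    Scenario("public web server", "defacement", impact=2, likelihood=3, vulnerability=2),
    Scenario("internal wiki", "accidental deletion", impact=1, likelihood=2, vulnerability=1),
]


def review_report(scenarios: Iterable[Scenario]) -> List[str]:
    """One line per scenario, highest risk first, as a reviewer would tabulate it."""
    return [f"{risk_score(s):2d}  {s.asset}: {s.threat}" for s in rank_scenarios(scenarios)]


if __name__ == "__main__":
    for line in review_report(SAMPLE):
        print(line)
    # Constructed figures: ALE 40,000 a year, the control removes 70% of that risk
    # and costs 12,000 a year, so the avoided loss (28,000) exceeds the cost.
    print("control justified:", control_justified(40_000, 0.7, 12_000))
```

The point of the ranking is that the payroll scenario tops the list only because all three factors are high together; a high-impact asset with a low likelihood and good existing controls drops down the table, which is the "better targeting" the section describes. The justification check is the same comparison a reviewer would put in front of a budget holder: expected loss avoided against what the control costs each year.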

The Application of 'Baseline' Security and Policy

Many organisations require adherence to certain 'baseline' standards. This could be for a variety of reasons, such as legislation (e.g. the Data Protection Act), organisation policy, regulatory controls, etc. The Risk Analysis methodology should support such requirements and enable rapid identification of shortcomings.

Consistency

A major benefit of the application of Risk Analysis is that it brings a consistent and objective approach to all security reviews. This not only applies across different departments, but different types of department.



Copyright © 2002 C & A Systems Security Ltd
Web site created by Eon Web Design