Security and risk management: a fundamental business issue: all organizations must focus on the management issues of security, including organizational structures, skill sets, processes, and methodologies for managing security and risk management.

• Author: McAdams, Arthur C.

According to a report by The Computer Security Institute, 251 of the organizations polled lost $202 million in 2003 due to computer crime. While this loss rate is down from 2002, it is still significant, and many of the companies said they were not able to quantify their losses. International finance and operations executive Oscar Kolodzinski states, "most incidents of cybercrime go unreported because the individuals and businesses affected want to avoid the negative publicity." Therefore, experts believe the real loss is probably greater than stated, and it includes only the losses that are recognized (whether reported or not).

According to Lawrence Gordon and Martin Loeb's article "The Economics of Information Security Investment" there is a void in the research on creating a framework for an economic model that establishes the appropriate investment in security programs. Gordon and Loeb say that most proposed methodologies favor too much spending on certain countermeasures. In "The Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officer," Andre Liebenberg and Robert Hoyt note that there is also a dearth of research on enterprise risk management and cite several reasons for an integrated risk management program. If they were aware of it, this information would probably alarm chief executive officers (CEOs) and other leaders enough for them to order further studies.

Security and Risk Management

The American Dictionary of the English Language formally defines "risk" as "the possibility of suffering harm or loss; danger." "Management" is defined as "the practice of managing, handling, or controlling something." The definition of "security" is "freedom from risk or danger." With these terms formally defined, the blended definition roughly describes risk management and security as the practice of controlling and mitigating the amount of loss an organization will have to endure because of any adverse action or situation, whether intentionally or unintentionally initiated. This interrelationship between security and risk management should prompt a convergence that would then lead to a combined effort to address these issues in an integrated manner within an organization.

Organizations have to deal with managing risks as a regular part of conducting business. In the article "Security in Enterprise Systems," published in The ISSA Journal, P. Tippet says risk can be defined as "annualized loss expectancy." Liebenberg and Hoyt note that certain industries have created well-established risk management specialties to address specific types of risk. For instance, a bank may address credit risk with one group of experts, interest rate risk with another, and information risks with yet another group. Ultimately, the organization may have several disparate sub-groups (e.g., facilities, information technology, compliance, human resources), each managing risk by leveraging its own subject-matter experts (e.g., in this scenario - and in any similar situation--the organization will only be as strong as its weakest link).

A painful reality for most organizations is that staff are often more responsible than intruders for data and information loss. According to Ivan Arce and Elais Levy, the workstation offers the most opportunity for exposure in the information technology (IT) area. If an organization has placed updated antivirus and encryption software on the workstation, then it has implemented a single dimensional level of effort, note S. Liu, J. Ormaner, and J. Sullivan in "A Practical Approach to Enterprise IT Security." If the single-dimension solution were to significantly improve the security of a single component (in this case, the desktop), then something else may become the new weakest link. Therefore, the weakest link may continually shift from the technology area to the physical area, to the human resources area, to the policy area, and so on. Arce and Levy also emphasize the temporal aspect of vulnerabilities. In particular, they suggest that the weakest link can shift from the desktop operating systems to the individuals operating them. Determining the appropriate countermeasures and monetary investment that should be calculated at the highest level in the organization to ensure an effective overall security program is important. Without a high-level view, an organization may over-invest in areas that are not the weakest links.

The Chief Risk/Security Officer

This need for a centralized view of security has led to a worldwide rise in interest in the position of chief risk officer (CRO). In his Financial Director article, Elspeth Wales states that there are now more than 200 companies with a board-level CRO, primarily in the financial services sector, with the primary responsibility of integrating credit, market, operational, and economic risk within the organization. This new CRO position, also referred to as chief security officer (CSO), is still developing as the need to address the entire organization, or enterprise, gains attention. For instance, Liebenberg and Hoyt cite an organization's ability to improve both strategic and operational decision-making (especially in highly leveraged organizations), which leads to improved earnings, decreased costs, and lowered stock volatility, through the implementation of a formal enterprise risk management position. The CSO may report to the CEO, the chief financial officer" (CFO), the chief legal executive, the chief operating officer (COO), or any other executive-level officer. This placement varies by industry and by importance of security within a specific organization.

James Lam lists the following responsibilities for CROs:

* Provide...