
Information security is not risk management

The field of information security is often described as managing the risks associated with using information technology. A closer look at the nature of information security, however, shows that this description applies to very few real-world situations. Understanding why this is so may give insights into why some traditional risk management approaches do not work well when applied to security, says Luther Martin, Voltage Security.

The term ‘risk’ has a precise meaning in risk management: it is the expected loss associated with some event, that is, the size of the loss weighted by the probability that the event happens. So if an event would cause a loss of £10,000 and has a 10 per cent chance of happening, it represents a risk of £1,000, or 10 per cent of the £10,000 loss.

Applying this model to information security is difficult, if not impossible, because we rarely have accurate estimates for the chances of security-related events happening or the damage caused by these events. What are the chances of your email being intercepted and read? How much damage would it cause if a hacker could read your email?

Our lack of accurate data in such cases makes information security more about managing uncertainty than about managing risk. If we have accurate estimates for probabilities and losses then we are dealing with a risk; if we do not, we are dealing with an uncertainty.
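The point of the two paragraphs above is that the risk formula only yields a usable number when its inputs are known precisely, and degrades into an unrankable range when they are not. The following is an added example, not part of the original article, that carries the same calculation through with intervals instead of point estimates. The £10,000 / 10 per cent figures are the article's; the interception probability (0.1 per cent to 10 per cent per year) and damage (£500 to £500,000) for the e-mail scenario are constructed assumptions chosen only to be plausibly wide.

```python
"""Expected loss with point estimates (risk) versus interval estimates (uncertainty)."""
from typing import Tuple

Interval = Tuple[float, float]  # (lower bound, upper bound)


def expected_loss(probability: float, loss: float) -> float:
    """Risk in the risk-management sense: probability-weighted (average) loss."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if loss < 0.0:
        raise ValueError("loss must be non-negative")
    return probability * loss


def expected_loss_interval(probability: Interval, loss: Interval) -> Interval:
    """Bounds on expected loss when probability and loss are only known to lie in ranges.

    Both factors are non-negative, so the product is smallest at the two lower
    bounds and largest at the two upper bounds.
    """
    p_lo, p_hi = probability
    l_lo, l_hi = loss
    if not (0.0 <= p_lo <= p_hi <= 1.0):
        raise ValueError("probability interval must satisfy 0 <= lo <= hi <= 1")
    if not (0.0 <= l_lo <= l_hi):
        raise ValueError("loss interval must satisfy 0 <= lo <= hi")
    return (p_lo * l_lo, p_hi * l_hi)


def spread(interval: Interval) -> float:
    """Ratio of the upper to the lower bound; a spread near 1 is a risk figure,
    a spread of several orders of magnitude is an uncertainty, not a number to budget on."""
    lo, hi = interval
    return float("inf") if lo == 0.0 else hi / lo


def dominates(a: Interval, b: Interval) -> bool:
    """True only if every value in interval a exceeds every value in interval b,
    i.e. the two exposures can be ranked without further information."""
    return a[0] > b[1]


if __name__ == "__main__":
    # Article's example: a 10 per cent chance of a £10,000 loss is a risk of £1,000.
    article = expected_loss(0.10, 10_000.0)
    print(f"point estimate: £{article:,.0f}")

    # E-mail interception: constructed bounds, not data from the article.
    email = expected_loss_interval((0.001, 0.10), (500.0, 500_000.0))
    print(f"interval estimate: £{email[0]:,.2f} to £{email[1]:,.0f}  (spread x{spread(email):,.0f})")

    # Precisely known exposures can be ranked; the interval one cannot be placed
    # above or below the article's £1,000 figure.
    print("rank point vs point:", dominates((1_000.0, 1_000.0), (400.0, 400.0)))
    print("rank interval vs article figure:", dominates(email, (1_000.0, 1_000.0)))
```

With point estimates the two exposures rank cleanly; with the constructed e-mail intervals the expected loss spans five orders of magnitude and cannot even be placed above or below the article's £1,000 figure, which is the practical difference between a risk and an uncertainty.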

The American economist Frank Knight first drew the distinction between risk and uncertainty in his 1921 book Risk, Uncertainty and Profit. Since then, economists have devised three general ways for understanding uncertainty and the way that people make decisions in the face of uncertainty.