Risk assessment methodology

By Matt Kelly  |  Posted 2006-01-09

At the Massachusetts Institute of Technology, George Westerman wants to answer just that sort of question. As a research scientist at MIT's Center for Information Systems Research, in Cambridge, Mass., Westerman said he wants to bring the same analytical discipline that insurance risk estimators use to the complexity of the modern corporate IT system.

"It's really a state-of-the-art management item," Westerman said. "People have started to get a good, audit-based view of IT and understanding where the holes are that they need to fix. And some of them have started to put a risk-based prioritization there, so they're working on the risks that matter most to the firm. But very few firms have reached the point where they can measure this."

At Arch Chemicals Inc., in Norwalk, Conn., Vice President of IT Al Schmidt said he has tried to achieve that goal for the past three years. Using a risk-assessment methodology developed by the Government Accounting Office, Schmidt first developed a "threat library" for the $1.4 billion chemical wholesaler. He documented all possible risks along Arch's supply chain and then played out various risk scenarios to gauge their severity.

Some of the questions Schmidt posed included "What would the consequence be in business terms?" and "Could the business absorb that?" Schmidt said he knew he had two choices for every IT risk: build security so strong as to make the risk impossible or mitigate the consequences so much that the risk would be harmless. "We had both levers at our disposal, and we used them," he said.

Arroyo uses a similar approach at Cingular. Where possible, he said he puts specific numbers on the possible damage from an IT risk, say, the lost revenue from a virus knocking Cingular's subscribers off the network for an hour. Where a threat does not lend itself to financial measurement, Arroyo and his team describe potential damage as "small," "medium" or "large."

Arroyo's worry about data privacy is one example of a qualitative IT risk. Online services are popular and convenient for customers, he said, but they also expose Cingular users to the threat of identity theft. In reality, the likelihood of thieves stealing data on all 52 million Cingular users is remote, but fraud against even a few could damage Cingular's reputation enormously. That all adds up to a "high" IT risk.
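The approach described in the preceding paragraphs (Schmidt's two levers, Arroyo's mix of dollar figures and small/medium/large ratings, and the remote-but-reputationally-severe identity-theft case) can be written down as a small risk register. The following Python is an added illustration, not code from the article or from Arch Chemicals or Cingular; the register entries, the dollar thresholds for turning expected annual loss into a rating, and the rule that a "large" impact is rated high whatever its likelihood are all constructed assumptions chosen to match the reasoning in the text.

```python
# Added example (not from the article): a toy risk register applying the
# approach the article describes. Quantitative risks are scored as expected
# annual loss; qualitative ones through a likelihood/impact matrix; and the two
# mitigation levers, reduce likelihood or reduce consequence, are modelled as
# functions returning an adjusted risk. All names, figures and thresholds are
# constructed for illustration, not the companies' real numbers.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

LEVELS = ["small", "medium", "large"]               # qualitative scale from the article
RATING_ORDER = {"high": 0, "medium": 1, "low": 2}   # used for prioritisation

# Assumed dollar thresholds for mapping expected annual loss to a rating.
HIGH_EAL = 1_000_000.0
MEDIUM_EAL = 100_000.0


@dataclass(frozen=True)
class Risk:
    name: str
    # Quantitative description: events per year and dollars lost per event.
    annual_rate: Optional[float] = None
    loss_per_event: Optional[float] = None
    # Qualitative description, used when dollars cannot be estimated.
    likelihood: Optional[str] = None
    impact: Optional[str] = None


def expected_annual_loss(risk: Risk) -> Optional[float]:
    """Expected annual loss (rate x loss per event), or None for a qualitative risk."""
    if risk.annual_rate is None or risk.loss_per_event is None:
        return None
    return risk.annual_rate * risk.loss_per_event


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Likelihood/impact matrix. A 'large' impact rates high regardless of
    likelihood: the article's identity-theft case, where a remote chance of
    enormous reputational damage still counts as a high risk (assumed rule)."""
    li, im = LEVELS.index(likelihood), LEVELS.index(impact)
    if im == 2:
        return "high"
    return ["low", "low", "medium", "high"][li + im]


def rating(risk: Risk) -> str:
    """Rate a risk whichever way it was described."""
    eal = expected_annual_loss(risk)
    if eal is not None:
        return "high" if eal >= HIGH_EAL else "medium" if eal >= MEDIUM_EAL else "low"
    if risk.likelihood is None or risk.impact is None:
        raise ValueError(f"{risk.name}: needs either dollar figures or likelihood/impact levels")
    return qualitative_rating(risk.likelihood, risk.impact)


def prioritize(register: List[Risk]) -> List[Tuple[str, str, Optional[float]]]:
    """Order a register by rating, then by expected annual loss where known."""
    def key(r: Risk):
        return (RATING_ORDER[rating(r)], -(expected_annual_loss(r) or 0.0))
    return [(r.name, rating(r), expected_annual_loss(r)) for r in sorted(register, key=key)]


# The two levers from the article: make the event less likely, or make it hurt less.
def reduce_likelihood(risk: Risk, factor: float = 1.0, level: Optional[str] = None) -> Risk:
    if risk.annual_rate is not None:
        return replace(risk, annual_rate=risk.annual_rate * factor)
    return replace(risk, likelihood=level or risk.likelihood)


def reduce_impact(risk: Risk, factor: float = 1.0, level: Optional[str] = None) -> Risk:
    if risk.loss_per_event is not None:
        return replace(risk, loss_per_event=risk.loss_per_event * factor)
    return replace(risk, impact=level or risk.impact)


# Constructed register; the figures are placeholders, not real numbers.
REGISTER = [
    Risk("virus knocks subscribers off the network for an hour", annual_rate=0.5, loss_per_event=3_000_000),
    Risk("identity theft via online self-service", likelihood="small", impact="large"),
    Risk("supplier portal outage", annual_rate=2.0, loss_per_event=40_000),
    Risk("phishing of help-desk staff", likelihood="medium", impact="medium"),
]

if __name__ == "__main__":
    for name, level, eal in prioritize(REGISTER):
        print(f"{level:6}  {eal if eal is not None else 'n/a':>12}  {name}")
    # Only the consequence lever moves a reputational risk whose impact is 'large'.
    idt = REGISTER[1]
    print(rating(idt), "->", rating(reduce_impact(idt, level="medium")))
```

Running the block prints the register in priority order and then shows the identity-theft entry dropping from "high" to "low" once its consequence, rather than its likelihood, is reduced; that is the point Schmidt makes about having both levers and choosing the one that actually changes the outcome.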

Regardless of how a company evaluates IT risks (financial data might be ultrasecret at a private business, for example, but public record at a government agency), many in corporate America say that the CIO should not make decisions about managing those risks on his own. IT systems now underlie almost all business operations, so any decisions about how to structure those systems will inevitably affect how the business operates overall.

"In many cases, higher-level executives want to delegate this to CIOs to manage," Westerman said. "One thing I've found ... is that if IT executives are left to decide IT issues on their own, they're going to make important business trade-offs they just aren't informed to make."

Stephen Foster, former chief information security officer at network equipment maker Avaya Inc., in Basking Ridge, N.J., and now a consultant, puts it even more bluntly. "CIOs are too busy. They have their own priorities; they have limited budgets; and their focus is on delivering technology, not delivering security," Foster said. "I don't want technology people making serious, strategic, business-risk decisions."

Matt Kelly is a freelance writer in Somerville, Mass. He can be reached at mkelly@mkcommunications.com.
