The importance of IS/IT Risk Management Practices to improve an organisation’s cyber resilience

Introduction

With the fast pace that the technology is growing at, more risks and uncertainties from existing and new threats are also to be on the rise. A key target of related attacks from such threats is the information systems (IS) and information technology (IT) systems. Even with the installation of the best, comprehensive and stringent policies, it is not possible to completely eliminate the risks in the corporate environment. Risk management has been described as the process of identifying and accessing risks and coming up with methods of reducing their effects to an acceptable level (Tohidi, 2011, p. 881). The main aim of risks management is to assist organizations in the process of better managing the risks to their information systems. This clearly points out that despite these efforts, different attacks still come to the IS/IT system, gives rise to need of the issue of organizations’ resilience arises. In term of the IS and IT system this type of resilience is referred to as cyber resilience. This describes the toughness or ability to spring back and recover from a shock or an attack that occurred. Therefore, organizations’ resilience determines the ability of the organization to resume stable and operational state and recover from the adverse consequences of risks and cyber-security threats. This paper will seek to establish the importance of IS/IT risk management practice to improvement of the organization’s resilience. 

Risk management of Information Systems

Information systems risk management has been described as a major problem area that is wide, complex and interdisciplinary (Finne, 2000, p.2). The process of risk management is used to identify and put risks at manageable and acceptable level. Risk management is noted to allow IT managers an opportunity to create a balance between the operational and economic costs of fulfilling the protection of IT systems and capabilities within an organization (Tohidi, 2011, p. 882).

The process of risk management occurs in three main steps; risk estimation, risk reduction, risk assessment and evaluation. Risk estimation is the initial process and is used to establish the potential dangers of minimal risk. The result of this process assists in pointing the technical controls necessary in the reduction of the risks during the process of risk reduction. In establishing the possibility of occurrence of adverse future events, it is essential to analyze the vulnerability and potential threats to IT systems. The step used in the process to estimate risks include system, characterization, identification of threats, identification of vulnerabilities, analysis of controls, establishing the possibility of their occurrence, analysis of their effects, determination of risks, control of purchase order, documentation of results ((Tohidi, 2011, p. 884).

The next step in the risk management process is on risk reduction. This process includes the prioritization, evaluation, and application of appropriate risk reducing controls. Ideally, it is not practical to eliminate all risks but managers can choose an approach that significantly reduces risks to acceptable level.

The next step in the process of risk management is on assessment and evaluation. This is carried to ascertain the implications of decisions made in the previous stages of the risk management process. This step seeks to establish whether there is new level of risk or the risks previously dealt with, have significantly changed (886). 

Organization Resilience 

Resilience refers to the ability of a system to react to and recover from disturbances from threats with minimal effects on dynamic stability. Organizations are indicated to be in need of resilience due to the increased level of complexity in systems and organization. The interconnection of threats and incidents of different nature is said to increase. Resilience entails the ability of a systems to undergo graceful and controlled degradation, ability to rebound from degradation, presence of redundancy, ability of manage margins, and presence of flexibility in systems and organizations (Johnsen, 2010, p. 1). Resilience has continuously gained importance in safety and risk research. It deals with the ability of information system to sustain or restore its functionality and performance after a change in the underlying condition of the system. Resilience management is indicated to go beyond the traditional quantitative risk assessments and broader qualitative risk consideration and assessment to deal with increased levels of uncertainty and knowledge levels (Aven, 2017, p. 2).

Resilience is noted to be an interconnection of various disciplines. Resilience is indicated more as a process rather than outcome that entails learning, adaptation, anticipation, and improvement in the system. resilience combines a dynamic set of conditions. A resilient system possesses some properties which include; a high level of diversity, level of connectivity, combination of different forms of energy, acceptable level of redundancy, equal and inclusive components, and social cohesion and capital (Mitchell & Harris, 2012, p.2).

Effects of Risk Management to Organization’s Resilience 

Managing risks assists in the process of strengthening resilience through establishing systems that has a varied range of risk management options. Effective risk management is thereby indicated to be essential in creating the resilience of the organization. To achieve this, there is a need for the institution capacities to be enhanced in a manner that they can accommodate resilience as a process that is very specific to a particular context (Mitchell & Harris, 2012, p. 3).

The Australian Securities and Investments Commission in their description of the cyber resilience good practices notes that cyber risk management and threat assessment is among the important concepts that organization need to put in place (Australian Securities and Investments Commission, 2017). The good practice in cyber risk management and threat is led by intelligence gathering through the use of third party experts and driven by routine threat assessments. On this note, cyber risk management is an essential resilience good practice, has shifted to become intelligence-oriented dealings offer real-time processes. This is achieved through automation of the risk management tools to ensure that they can integrate different sources of risks. As part of risk management, some organizations have put up specialist’s functional groups within their organizations to keep cross-check and deal with the risks are there appear in real time. These fusion centers contribute to improvement an organization’s resilience level. 

Risk management process for the IT system provides relevant information and data to improve on the organizational reliance especially on the aspects of cyber risks. Developing cyber resilience involves a strategic approach that entails making an evaluation on what occurs before, during, and after a threat occurs to the organization’s enterprise system or network. It is here that a long-term and wide-reaching policy of risk management in the enterprise enhances the capabilities of the organization to make prior preparations to the identified vulnerabilities and threats. Risk management also helps the organization develop necessary defenses against attacks and there allocate necessary resources to deal with these issues. This greatly improves the ability of an organization to restore normal operations after an attach. 

Aven (2017, p.4) argues that resilience analysis within an organization greatly benefits from developments in risk analysis. This is said to lead to indication of the knowledge and strengths of knowledge judgments. The use of probabilities in establishing the uncertainties can still be applied within an organization to carry out the resilience analysis. The process of risk assessment and management as Aven observed is beneficial as it supplements resilience analysis and management through checking into potential occurrences of events. This kind of analysis is expected to yield new insights that would help organization process of falling back to normal operations after an attack or malfunction to the system. Since risk management entails study of different threats, there is tendency of comprehensive understanding being gained which can assist in developing more resilient measures. Such kind of information assists in resilience management as it covers all activities that need to be conducted to ensure that operation hits normalcy. 

Installation of information systems is unknown to produce either positive or negative effects. The adoption of this new of technology is known to affect the organization in different ways among then introduction on a source inherent risk.  But of maintenance process of the information systems is risk analysis and management. The information systems can influence the business processes of an organization. This prompts the manager to have an understanding of the effects highlighted through the risk management process. The type of information technology is also likely to cause an impact to the organization. On this note the IT systems are said to be either facilitator, initiator, or an enabler for the organization. Learning how to manage the risk emanating from the Information technology is important to achieve resilience within an organization. IT introduces a risk of alteration of the skills for employees for individual jobs and working protocols. By identifying such potential changes, the process of risk manager determines the readiness of the organization in meeting the demands and arising needs of the business. 

Another way the risk management of the IT systems that can enhance the organizational resilience is by increasing the level of work monitoring. This provides for greater control by the managerial group. The employees engaged in the process of risk management are able to dissect the underlying issues there gain deeper understanding of the issues at hand. Analysis of risks in the IT system involves large amount of transaction data that can be used to enhance an understanding on how to eliminate the burdensome administrative issues that my hinder organizational resilience (Kornkaew, 2012, p. 20).

It has been argued that the rationale for enhancing resilience in an organization is based on the study of safety-critical socio-technology systems comprised of high uncertainty. Most organizations indicate that failure is not that very hard or entirely impossible to determine. Resilience is noted to be made up of a mix of technical designs and organizational features. IT/IS risk and security management has been noted to be couple with a tussle between the IT-oriented productivity against emerging vulnerability and risks. Risk management process is structured in a way that it deals with the complexity in the business environment and the risks of a fragile IS that makes it susceptible to unforeseeable disruption (Muller et al., 2013, p. 3).

References

Australian Securities and Investments Commission, 2017. Cyber Resilience Good Practices. [Online]
Available at: http://asic.gov.au/regulatory-resources/digital-transformation/cyber-resilience/cyber-resilience-good-practices/

Aven, T., 2017. How some types of risk assessments can support resilience analysis and management. Reliability Engineering & System Safety, 167, pp.536-543.

Helm, P., 2015. Risk and resilience: strategies for security. Civil Engineering and Environmental Systems, 32(1-2), pp.100-118.

Johnsen, S., 2010, March. Resilience in risk analysis and risk assessment. In International Conference on Critical Infrastructure Protection (pp. 215-227). Springer, Berlin, Heidelberg.

Kornkaew, A., 2012. Management information system implementation challenges, success key issues, effects and consequences: A case study of fenix system. Jonkoping International Business School.

Mitchell, T. and Harris, K., 2012. Resilience: A risk management approach. ODI Background Note. Overseas Development Institute: London.

Müller, G., Koslowski, T.G. and Accorsi, R., 2013, June. Resilience-a new research field in business information systems?. In International Conference on Business Information Systems (pp. 3-14). Springer, Berlin, Heidelberg.

Tohidi, H., 2011. The Role of Risk Management in IT systems of organizations. Procedia Computer Science, 3, pp.881-887.