This snapshot, taken on 07/08/2007, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.
 

Risk Management

Prevention is better than cure!

Statistics show that the risks to information security are very real. If a business is serious about managing information risk, the most important step it can take is to understand the risks faced.

This is normally the first phase of a practice called risk management, followed by some form of risk analysis.

The list of risks to information is long and varied. It includes:

  • Fraud
  • Illegal personal investigation
  • Industrial espionage
  • Terrorism
  • Computer viruses

A risk is normally a product of threats and vulnerabilities.

Vulnerabilities include:

  • Poor website design
  • Slack recruiting procedures
  • Mismanaged computer systems
  • Inadequate staff training

Threats include:

  • Deliberate manipulation of information prior to input
  • Impersonation of a legitimate user
  • Untrained staff
  • Loss of service

If your business is open to fraud (it may, for example, handle large sums of money), unmanaged vulnerabilities will provide the opportunity for a risk to manifest itself.

The aim of risk management is to reduce such risks to an acceptable level.

Risk Statistics

The DTI [BERR] Information Security Breaches Survey 2006 reveals a number of trends that require concerted attention by businesses - especially small to medium-sized enterprises (SMEs). Did you know that:

  • Over 60% of UK businesses have suffered at least one premeditated or malicious incident in the past year
  • The average cost of an organisation's most serious security incident was roughly £12,000, up from £10,000 two years ago. Virus infections were still the major cause of security breaches, despite the vast majority of companies using anti-virus software
  • Despite an overall increase in security expenditure, roughly two thirds of businesses still spend less than 1% of their IT budget on security
  • A quarter of UK companies have no protection in place against spyware
  • One in five wireless networks still has no protection and over 50% of companies have no protection in place against removable media devices

Information security is a real issue which could have an impact on you and your business. What are you doing about it?

Risk analysis

Risk Analysis is a formal process of determining risks and developing a plan to deal with them.

A risk analysis process involves:

  • Understanding risks to the business and how they can occur
  • Understanding the potential cost to the business if they do occur
  • Identifying suitable and effective measures to:
    • Minimise the likelihood of occurrence
    • Prevent or detect the threat
    • Enable appropriate recovery action to be taken

Risk can be quantified in straightforward ways:

  • Threats are identifiable and known about through research
  • Vulnerabilities can be determined through review, testing and audit
  • Likelihood can be determined based on statistical research

The most important element in the process is that risk decisions are taken openly. Denying the presence of risk is not helpful. But trying to reduce the risk to zero is not realistic, and will normally cost more than it will save.

Once a measurement of risk has been agreed, the organisation must take a view on the impact of a security event on the successful operation of the business. Once this is done, controls (also known as countermeasures) should be applied to address the risks.
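The following is an added illustration, not part of the original page: a small Python risk register that carries the process described above through. Each risk is scored as likelihood times cost, compared with an agreed acceptable level, and each countermeasure is kept only where what it saves exceeds what it costs, so an over-engineered control shows up as not worth applying. All names, figures and the scoring formula are constructed assumptions, not survey data.

```python
# Added example, not from the original page: a small risk register that scores
# each risk as likelihood x impact, checks it against an agreed acceptable level
# and keeps a countermeasure only where it saves more than it costs (constructed figures).
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    threat: str          # what could happen, e.g. "Computer viruses"
    vulnerability: str   # the weakness it exploits, e.g. "Inadequate staff training"
    likelihood: float    # chance of the threat succeeding in a year (0-1)
    impact: float        # cost to the business if it does, in pounds

    def annual_loss(self) -> float:
        """Expected annual loss = likelihood x impact."""
        return self.likelihood * self.impact

@dataclass
class Control:
    name: str
    annual_cost: float
    reduction: float     # fraction of the likelihood the control removes (0-1)

def evaluate_control(risk: Risk, control: Control) -> dict:
    """Compare what a control saves each year with what it costs."""
    saving = risk.annual_loss() * control.reduction
    return {"control": control.name, "saving": saving,
            "cost": control.annual_cost, "worthwhile": saving > control.annual_cost}

def review_register(risks, acceptable_loss, controls):
    """Flag risks above the acceptable level and rank each risk's controls by net benefit."""
    report = {}
    for risk in risks:
        options = [evaluate_control(risk, c) for c in controls.get(risk.name, [])]
        options.sort(key=lambda o: o["saving"] - o["cost"], reverse=True)
        report[risk.name] = {"annual_loss": risk.annual_loss(),
                             "acceptable": risk.annual_loss() <= acceptable_loss,
                             "options": options}
    return report

# Constructed register: two risks, each pairing a threat with a vulnerability.
RISKS = [
    Risk("Virus infection", "Computer viruses", "Inadequate staff training", 0.6, 12000),
    Risk("Payment fraud", "Impersonation of a legitimate user", "Slack recruiting", 0.05, 50000),
]
CONTROLS = {  # a cheap control and an over-engineered one, to show the cost/saving test
    "Virus infection": [Control("Staff awareness training", 1500, 0.5),
                        Control("Rebuild every PC weekly", 40000, 0.99)],
    "Payment fraud": [Control("Two-person approval for payments", 800, 0.8)],
}
```

Calling `review_register(RISKS, 3000, CONTROLS)` marks virus infection as above the acceptable level and ranks the training ahead of the weekly rebuild, whose cost exceeds the loss it would prevent.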

If you are concerned about information security risks within your own organisation, try our interactive Health Check or, for risk information in specific areas, see our pages covering Virus Risk, Inappropriate Usage Risk, Unauthorised Access Risk, Theft Risk or Systems Failure Risk.