Statistics show that the risks to information security are very real. If a business is serious about managing information risk, the most important step it can take is to understand the risks faced.
This is normally the first phase of a practice called risk management, followed by some form of risk analysis.
The list of risks to information is long and varied. It includes:
A risk is normally a product of threats and vulnerabilities.
If your business is open to fraud (it may, for example, handle large sums of money), unmanaged vulnerabilities will provide the opportunity for a risk to manifest itself.
The aim of risk management is to reduce such risks to an acceptable level.
The BERR Information Security Breaches Survey 2008 reveals a number of trends that require concerted attention by businesses - especially small to medium-sized enterprises (SMEs). Did you know that:
Information security is a real issue which could have an impact on you and your business. What are you doing about it?
Risk Analysis is a formal process of determining risks and developing a plan to deal with them.
A risk analysis process involves:
Risk can be quantified in straightforward ways:
The most important element in the process is that risk decisions are taken openly. Denying the presence of risk is not helpful. But trying to reduce the risk to zero is not realistic, and will normally cost more than it will save.
Once a measurement of risk has been agreed, the organisation must take a view on the impact of a security event on the successful operation of the business. Once this is done, controls (also known as countermeasures) should be applied to address the risks.
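As an added worked example, not taken from the BERR/BIS page, the reasoning above expressed as a small risk register in Python: risk is scored as threat likelihood times vulnerability times impact, controls (countermeasures) are applied only while each one saves more than it costs, and the process stops at the agreed acceptable level rather than chasing zero risk. The scoring model, the payment-fraud scenario and all of the figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    annual_cost: float
    reduction: float            # share of the vulnerability it removes, 0.0 to 1.0

@dataclass
class Risk:
    name: str
    threat_likelihood: float    # expected attempts per year
    vulnerability: float        # chance an attempt succeeds, 0.0 to 1.0
    impact: float               # loss per successful event

    controls: list = field(default_factory=list)

    def annual_exposure(self, applied=()):
        """Risk as threat x vulnerability x impact, each applied control
        shrinking the vulnerability term (assumed scoring, not the page's)."""
        vuln = self.vulnerability
        for c in applied:
            vuln *= 1.0 - c.reduction
        return round(self.threat_likelihood * vuln * self.impact, 2)

def plan_controls(risk, acceptable):
    """Greedily add the control with the largest net saving; stop once exposure
    is at the acceptable level or no remaining control pays for itself.
    Returns (applied control names, residual exposure, within acceptable level)."""
    applied, remaining = [], list(risk.controls)
    exposure = risk.annual_exposure()
    while exposure > acceptable and remaining:
        best, best_net = None, 0.0
        for c in remaining:
            net = (exposure - risk.annual_exposure(applied + [c])) - c.annual_cost
            if net > best_net:
                best, best_net = c, net
        if best is None:        # every remaining control would cost more than it saves
            break
        applied.append(best)
        remaining.remove(best)
        exposure = risk.annual_exposure(applied)
    return [c.name for c in applied], exposure, exposure <= acceptable

# Constructed example: an SME that handles payments and is open to fraud (illustrative figures)
PAYMENT_FRAUD = Risk("payment fraud", threat_likelihood=2.0, vulnerability=0.5, impact=20000, controls=[
    Control("dual authorisation of payments", annual_cost=3000, reduction=0.6),
    Control("staff awareness training", annual_cost=1500, reduction=0.3),
    Control("fraud-screening service", annual_cost=9000, reduction=0.8),
])
```

With an acceptable level of 5000 the plan applies two controls and reports a residual exposure of 5600 that is still above target, which is the point at which the business must decide openly whether to accept the remaining risk or fund a control that does not pay for itself.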
If you are concerned about information security risks within your own organisation see our pages covering Virus Risk, Inappropriate Usage Risk, Unauthorised Access Risk, Theft Risk or Systems Failure Risk.