This snapshot, taken on 04/03/2010, shows web content acquired for preservation by The National Archives. External links, forms and search may not work in archived websites and contact details are likely to be out of date.

Risk Management

Prevention is better than cure!

Statistics show that the risks to information security are very real. If a business is serious about managing information risk, the most important step it can take is to understand the risks faced.

This is normally the first phase of a practice called risk management, followed by some form of risk analysis.

The list of risks to information is long and varied. It includes:

  • Fraud
  • Illegal personal investigation
  • Industrial espionage
  • Terrorism
  • Computer viruses

A risk is normally a product of threats and vulnerabilities.

Vulnerabilities include:

  • Poor website design
  • Slack recruiting procedures
  • Mismanaged computer systems
  • Inadequate staff training

Threats include:

  • Deliberate manipulation of information prior to input
  • Impersonation of a legitimate user
  • Untrained staff
  • Loss of service

If your business is open to fraud (it may, for example, handle large sums of money), unmanaged vulnerabilities will provide the opportunity for a risk to manifest itself.

The aim of risk management is to reduce such risks to an acceptable level.

Risk Statistics

The BERR Information Security Breaches Survey 2008 reveals a number of trends that require concerted attention by businesses - especially small to medium sized enterprises (SMEs). Did you know that:

  • 45% of UK businesses have suffered at least one security incident in the past year
  • The average total cost of an organisation's most serious security incident was between £10,000 and £20,000 (up slightly on the 2006 figures). Virus infections (the largest cause of security incidents for the last decade) have fallen dramatically, whereas unauthorised access by outsiders is not declining and remains at four times the level seen in 2000
  • Despite an overall increase in security expenditure, 21% of businesses still spend less than 1% of their IT budget on security
  • 78% of companies that had computers stolen did not encrypt hard discs
  • 84% of companies do not scan outgoing email for confidential data

Information security is a real issue which could have an impact on you and your business. What are you doing about it?

Risk analysis

Risk Analysis is a formal process of determining risks and developing a plan to deal with them.

A risk analysis process involves:

  • Understanding risks to the business and how they can occur
  • Understanding the potential cost to the business if they do occur
  • Identifying suitable and effective measures to:
    • Minimise the likelihood of occurrence
    • Prevent or detect the threat
    • Enable appropriate recovery action to be taken

Risk can be quantified in straightforward ways:

  • Threats are identifiable and known about through research
  • Vulnerabilities can be determined through review, testing and audit
  • Likelihood can be determined based on statistical research

The most important element in the process is that risk decisions are taken openly. Denying the presence of risk is not helpful. But trying to reduce the risk to zero is not realistic, and will normally cost more than it will save.

Once a measurement of risk has been agreed, the organisation must take a view on the impact of a security event on the successful operation of the business. Once this is done, controls (also known as countermeasures) should be applied to address the risks.
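The quantification steps above (identify threats and vulnerabilities, estimate likelihood and cost, then apply controls only where they are worth their price) can be worked through on a small risk register. The following Python is an added example, not material from this page or from BIS. It assumes that "risk as a product of threats and vulnerabilities" can be scored as likelihood multiplied by impact, and every figure in it (occurrence rates, costs, control effectiveness) is constructed for illustration rather than taken from any survey.

```python
"""Worked risk-analysis example: a small risk register scored as
likelihood x impact, with candidate controls judged by whether they
save more per year than they cost.  All figures are constructed for
illustration and are not drawn from any survey or real organisation."""
from dataclasses import dataclass
from typing import List, Dict


@dataclass(frozen=True)
class Risk:
    name: str
    threat: str            # who or what acts (taken from the page's list of threats)
    vulnerability: str     # the weakness the threat exploits (from the page's list)
    likelihood: float      # expected occurrences per year (constructed estimate)
    impact: float          # cost in GBP per occurrence (constructed estimate)

    def expected_annual_loss(self) -> float:
        # Assumed scoring: the "product of threats and vulnerabilities" made numeric
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float     # what the countermeasure costs per year (constructed)
    effectiveness: float   # fraction of the expected loss it removes, 0..1 (constructed)


def net_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus the control's cost; negative means it costs more than it saves."""
    return risk.expected_annual_loss() * control.effectiveness - control.annual_cost


def recommend(risk: Risk, candidates: List[Control]) -> List[Control]:
    """Keep only the controls that pay for themselves, most beneficial first."""
    worthwhile = [c for c in candidates if net_benefit(risk, c) > 0]
    return sorted(worthwhile, key=lambda c: net_benefit(risk, c), reverse=True)


def residual_loss(risk: Risk, applied: List[Control]) -> float:
    """Expected annual loss left after the chosen controls, assuming their effects are independent."""
    remaining = risk.expected_annual_loss()
    for c in applied:
        remaining *= (1.0 - c.effectiveness)
    return remaining


def assess(risk: Risk, candidates: List[Control], tolerance: float) -> Dict[str, object]:
    """One register row: expected loss, controls to apply, what remains, and whether that is acceptable."""
    chosen = recommend(risk, candidates)
    residual = residual_loss(risk, chosen)
    return {
        "risk": risk.name,
        "expected_annual_loss": risk.expected_annual_loss(),
        "controls": [c.name for c in chosen],
        "residual_loss": residual,
        "decision": "accept residual" if residual <= tolerance else "escalate: residual above tolerance",
    }


def rank_register(risks: List[Risk]) -> List[str]:
    """Risk names ordered by expected annual loss, largest first, so attention goes to the biggest exposure."""
    return [r.name for r in sorted(risks, key=Risk.expected_annual_loss, reverse=True)]


# Constructed register entries, built from the page's own threat and vulnerability lists.
LAPTOP_THEFT = Risk("Laptop theft", "theft of equipment", "unencrypted hard disc", 0.5, 20_000)
INSIDER_FRAUD = Risk("Insider fraud", "impersonation of a legitimate user", "slack recruiting procedures", 0.1, 60_000)
VIRUS = Risk("Virus infection", "computer viruses", "inadequate staff training", 2.0, 2_500)

# Constructed candidate countermeasures for each risk.
CONTROLS = {
    LAPTOP_THEFT: [Control("Full-disc encryption", 1_000, 0.9)],
    INSIDER_FRAUD: [Control("Pre-employment vetting", 800, 0.6)],
    VIRUS: [
        Control("Staff security awareness training", 1_500, 0.5),
        Control("Dedicated mail-scanning appliance", 6_000, 0.95),  # effective, but costs more than it saves here
    ],
}

if __name__ == "__main__":
    print("Priority order:", rank_register(list(CONTROLS)))
    for risk, candidates in CONTROLS.items():
        print(assess(risk, candidates, tolerance=3_000))
```

The mail-scanning appliance in the virus row is the point made in the text about not chasing zero risk: it removes almost all of the expected loss, yet at these constructed figures it is rejected because its yearly cost exceeds the loss it avoids, while the cheaper training is kept. The `decision` field then records openly whether the remaining exposure sits within the agreed tolerance or must be escalated, which is the "risk decisions are taken openly" step rather than a hidden acceptance.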

If you are concerned about information security risks within your own organisation see our pages covering Virus Risk, Inappropriate Usage Risk, Unauthorised Access Risk, Theft Risk or Systems Failure Risk.