**4. The actual risk management approach**

The top tier of security management is represented by the International Standard, which adopts the "Plan–Do–Check–Act" (PDCA) model to structure all Information Security Management System (ISMS) processes (ISO/IEC 27001 p. v–vi).

Adopting the PDCA model also reflects the principles governing the security of information systems and networks. It is a robust model for implementing the principles of those guidelines that govern risk assessment, security design and implementation, security management and reassessment.

Risk management is defined by the Random House Dictionary as "the technique or profession of assessing, minimizing, and preventing accidental loss to a business, as through the use of insurance, safety measures, etc." (Tipton F. H. – Henry K. p. 56).

A systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective information security management system (ISMS) (ISO/IEC 27005 p. 3-6).

Information Security Management Accounting 125

This approach should be suitable for the organization's environment, and in particular should be aligned with overall enterprise risk management. Security efforts should address risks in an effective and timely manner where and when they are needed. Information security risk management should be an integral part of all information security management activities and should be applied both to the implementation and to the ongoing operation of an ISMS.

Information security risk management should be a continual process.

The process should establish the context, assess the risks and treat the risks using a risk treatment plan to implement the recommendations and decisions.

Risk management analyses what can happen and what the possible consequences can be, before deciding what should be done and when, to reduce the risk to an acceptable level. Information security risk management should contribute to the following:

- Risks being identified
- Risks being assessed in terms of their consequences to the business and the likelihood of their occurrence
- The likelihood and consequences of these risks being communicated and understood
- Priority order for risk treatment being established
- Priority for actions to reduce risks occurring
- Stakeholders being involved when risk management decisions are made and kept informed of the risk management status
- Effectiveness of risk treatment monitoring
- Risks and the risk management process being monitored and reviewed regularly
- Information being captured to improve the risk management approach
- Managers and staff being educated about the risks and the actions to mitigate them

The information security risk management process can be applied to the organization as a whole, to any discrete part of the organization (e.g. a department, a physical location, a service), to any information system, existing or planned, or to particular aspects of control (e.g. business continuity planning).

The information security risk management process consists of context establishment, risk assessment, risk treatment, risk acceptance, risk communication and risk monitoring and review.

The level of risk is estimated on the basis of the likelihood of an incident scenario, mapped against the estimated negative impact. The likelihood of an incident scenario is given by a threat exploiting a vulnerability with a given likelihood.

Table 1 shows the risk level as a function of the business impact and the likelihood of the incident scenario. The resulting risk is measured on a scale from 0 to 8 that can be evaluated against risk acceptance criteria. This risk scale could also be mapped to a simple overall risk rating according to the matrix in table 1 (CSA 2009, p. 21):

| Rate of impact (rows) / Likelihood of incident scenario (columns) | Very Low (Very Unlikely) | Low (Unlikely) | Medium (Possible) | High (Likely) | Very High (Frequent) |
|---|---|---|---|---|---|
| Very Low | 0 | 1 | 2 | 3 | 4 |
| Low | 1 | 2 | 3 | 4 | 5 |
| Medium | 2 | 3 | 5 | 5 | 6 |
| High | 3 | 4 | 5 | 6 | 7 |
| Very High | 4 | 5 | 6 | 7 | 8 |

Table 1. Estimation of risk levels based on ISO/IEC 27005: 2008.

Low risk: 0–2; Medium risk: 3–5; High risk: 6–8.

The subsequent management of risk is facing three basic options (Broder p. 641):

- The risk can be avoided, eliminated, or reduced to manageable proportions;
- The risk can be transferred to a third party. The transfer to a third party generally implies transfer of liability to an insurance carrier;
- The risk can be assumed or retained.

The consequent step of risk management is its reduction within levels of acceptance by introducing safeguards that reduce the rate of the product of probability by consequences, where both terms are included under an ordered category, as shown in figure 4.

Fig. 4. Levels of risk acceptance. (Matrix of Probability, rated Low, Moderate, High, Very high, against Business impact, rated Low, Moderate, Sensitive, Critical. Areas: A = Retention Area; B2 = Sensitive Area, requiring urgency of mitigations; B1 = Critical Area, requiring immediate interventions.)
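A worked example of the estimation and treatment steps described above, added here and not code from the chapter or from ISO/IEC 27005: it embeds the risk matrix exactly as printed in Table 1, maps the 0–8 level onto the Low/Medium/High rating, compares each scenario against an acceptance criterion and produces the priority order for treatment. The scenario register, the `accept_up_to` threshold and the way the rating bands are mapped onto the areas A, B1 and B2 of Fig. 4 are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Ordered categories in the column and row order of Table 1.
LIKELIHOOD = ["Very Low", "Low", "Medium", "High", "Very High"]
IMPACT = ["Very Low", "Low", "Medium", "High", "Very High"]

# Risk matrix as printed in Table 1: rows = rate of impact, columns = likelihood.
RISK_MATRIX = [
    [0, 1, 2, 3, 4],  # Very Low impact
    [1, 2, 3, 4, 5],  # Low
    [2, 3, 5, 5, 6],  # Medium (values as printed in the table)
    [3, 4, 5, 6, 7],  # High
    [4, 5, 6, 7, 8],  # Very High
]


def risk_level(impact: str, likelihood: str) -> int:
    """Return the 0-8 risk level for an (impact, likelihood) pair from Table 1."""
    try:
        return RISK_MATRIX[IMPACT.index(impact)][LIKELIHOOD.index(likelihood)]
    except ValueError as exc:
        raise ValueError(f"unknown category: impact={impact!r}, likelihood={likelihood!r}") from exc


def risk_rating(level: int) -> str:
    """Map a 0-8 level onto the overall rating: Low 0-2, Medium 3-5, High 6-8."""
    if not 0 <= level <= 8:
        raise ValueError(f"risk level out of range: {level}")
    if level <= 2:
        return "Low"
    if level <= 5:
        return "Medium"
    return "High"


@dataclass(frozen=True)
class Scenario:
    name: str
    impact: str      # business impact category
    likelihood: str  # likelihood of the incident scenario


@dataclass(frozen=True)
class Assessment:
    name: str
    level: int
    rating: str
    treatment: str


def treatment_for(level: int, accept_up_to: int) -> str:
    """Assumed decision rule tying the rating bands to the areas of Fig. 4:
    levels at or below the acceptance criterion are retained (area A),
    High-rated levels need immediate intervention (area B1),
    everything in between is reduced with urgency or transferred (area B2)."""
    if level <= accept_up_to:
        return "retain (area A)"
    if risk_rating(level) == "High":
        return "reduce now: immediate intervention (area B1)"
    return "reduce with urgency, or transfer (area B2)"


def treatment_plan(scenarios, accept_up_to: int = 2):
    """Assess every scenario and return them highest risk first,
    which is the priority order for risk treatment."""
    assessed = []
    for s in scenarios:
        lvl = risk_level(s.impact, s.likelihood)
        assessed.append(Assessment(s.name, lvl, risk_rating(lvl), treatment_for(lvl, accept_up_to)))
    # sorted() is stable, so scenarios with equal levels keep their register order.
    return sorted(assessed, key=lambda a: a.level, reverse=True)


# Constructed scenario register for the illustration (not from the chapter).
SAMPLE_REGISTER = [
    Scenario("Printer outage", "Very Low", "Low"),
    Scenario("Brochure website defacement", "Low", "Medium"),
    Scenario("Ransomware on file server", "High", "Medium"),
    Scenario("Customer database breach", "Very High", "High"),
    Scenario("Datacentre fire", "Very High", "Very Low"),
]

if __name__ == "__main__":
    for a in treatment_plan(SAMPLE_REGISTER):
        print(f"{a.level}  {a.rating:<6} {a.name:<30} -> {a.treatment}")
```

Raising `accept_up_to` models a larger appetite for risk: with the default criterion of 2 only the printer outage falls into the retention area, while with a criterion of 4 the datacentre fire (level 4) is retained as well, which is the kind of decision the risk acceptance step records.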


Fig. 5. The three missions are the entities of a closed market where Company and Information are the two customers of Security Services. (Figure labels: ICT Security Company's System; Company's Mission; Resources, Requirements & Threats; Business Flow (FACTs; ACTs; RI; DI;) in a given timing; Protection Service; ICT Security Mission; Information Mission.)

**"Information Mission"** is a pure deterministic system. It is designed to deliver business flows either on demand or automatically. Its competitive advantage is given by the effective business information flows per unit of time:

> Number of B.I.F.s / Unit of time

**"Company Mission"** is both a probabilistic and a deterministic system. It is designed to exploit the on-demand Business Information Flows for a commercial objective, either a service or a good. It is the only Mission in which pure risk (loss/no-loss situation) and speculative risk (loss or gain situation) coexist. Its competitive advantage is given by the summation of the profit of every Business Information Flow in the fiscal period:

> Σ (single BIF × its own profit) / Fiscal ∆T

**"Security Mission"** is a pure probabilistic system. It is designed to protect the effectiveness of the business information flows according to the C.I.A. triangle. Its competitive advantage is given by one minus the probability of occurrence of a negative event, divided by the functional cost of the Security Mission:

> (1 − probability of occurrence of a negative event) / functional cost of the Security Mission

Risks are always understood in relation to overall business opportunity and appetite for risk; sometimes risk is compensated by opportunity (ENISA 2009 p. 22). The European Network and Information Security Agency (ENISA), in its report on Cloud Computing Risk Assessment, classifies the risks identified in the assessment into three categories:

