**1. Introduction**

Ting and Comings [1] described how to use the Information Assurance (IA) Object Measurement (OM®) metric as a tool to measure the monitoring step (Step 6) described in the United States (U.S.) National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF)<sup>1</sup> [2]. This chapter expands the applicability of the IA OM® metric and shows how it may be used as an enterprise-wide information security risk management metric.

Risk management is concerned with the identification of risks, the avoidance, mitigation, transference, or sharing of unacceptable risks, and the acceptance of risks that are within an organization's risk tolerance. However, just as with information system controls within NIST's RMF, it is necessary to monitor the risk posture of systems, maintaining an ongoing assessment of the level of risk they represent within and to an organization. This risk posture changes with changes to the hardware and software employed by the organization, as well as when patches and updates are released that are intended to be applied to deployed software. Changes can also occur from vulnerabilities identified with no patch available, or when new types of information are allowed on a previously authorized or accredited information system. Different types of information are of varying interest to an organization or adversary. More valuable information generally has a higher impact on the organization when it is compromised<sup>2</sup>, and can increase the threat level of an information system. From an information system perspective, many of the monitoring activities, conducted to ensure the systems remain operational and maintain an acceptable security posture, are also activities involved in the management of information system risks.

<sup>1</sup> The RMF is described in detail in NIST Special Publication (SP) 800-37, available from: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

<sup>2</sup> Compromise is used in this chapter to indicate a loss of confidentiality, integrity, or availability of the information.

© 2012 Comings and Ting, licensee InTech. This is an open access chapter distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

The IA OM® metric is a good choice for use as an enterprise risk management metric, as described in this chapter, due to its versatility as a management metric. This metric:


information system, and is resource intensive to try [3, 4]. In order to effectively manage resources and maintain usability of the system, it is necessary to implement a risk managed approach to securing Information Technology (IT) systems.

To understand this change, it is important to start with a good definition of risk. A good definition in this case is one that can be understood operationally and can be easily used to clarify the process. Not surprisingly, there are many different definitions of risk. Wheeler [3] defines risk as: "the probable frequency and probable magnitude of future loss of confidentiality, integrity, availability or accountability". Accountability is not commonly accepted as being a part of the definition of risk, is not included in the definition of risk used by the NIST<sup>4</sup>, and thus will not be included in the definition of risk used in this chapter. The definition of risk used for this chapter is therefore:

**Risk:** The probable frequency and probable magnitude of future loss of an organization's operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation resulting from a loss of confidentiality, integrity, or availability.

There are two fundamentally different approaches to information security risk management activities used by organizations:

1. Compliance-based; and
2. Risk management-based.

Each of these approaches, while working toward the overall objective of ensuring the confidentiality, integrity, and availability of the organization's information and information systems, attempts to meet that objective in a fundamentally different way. Compliance-based approaches default to including controls from the best practice or other framework they are implementing – not including a prescribed control is the exception [5]. On the other hand, risk management-based approaches default to not including a control unless its need and utility can be justified by a risk analysis [5].

*2.1.1. Compliance and best practice frameworks*

Failure to comply with the legal and regulatory structures confronting an organization can result in penalties, loss of contracts, loss of confidence, loss of business, and stock price declines [6]. Some of the requirements that organizations may need to maintain compliance with include:

U.S. legal requirements (e.g., the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA);

<sup>4</sup> The definition of risk provided by the NIST is: "A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation]" [17].

