IT risk management is the strategic process of treating the assessed risks. While risk assessment focuses on identifying, quantifying, and prioritizing risks, the goal of risk management is to decide how each risk is handled and to keep it under control across the agency. Risk management is an ongoing process and consists of multiple phases. Senior management presence and direction are strongly recommended during the risk management phase. Table 1 illustrates the major differences between risk management and risk assessment.
Once risks have been identified, they can be accepted, avoided, mitigated, or transferred. Risk acceptance means accepting the potential loss from the risk; risk avoidance, on the other hand, means eliminating the risk by not performing the activity that carries it. An example would be declining to buy a program that handles electronic transactions over an unencrypted channel, such as plain HTTP on port 80. Mitigating the risk would involve reducing the likelihood or the size of the loss, for example by moving the transactions onto an encrypted channel.
Risk can be mitigated by technical and non-technical approaches. Awareness training, for example, is considered a non-technical approach. Agencies may install firewalls (as a technical approach) at their gateway to limit unauthorized users from accessing their networks. Another example would be enabling Transport Layer Security (TLS) on transactions so that they travel over an encrypted connection, conventionally HTTPS on port 443. Note that the protection comes from TLS, not from the port number: port 443 is only the customary port for HTTPS, and a plaintext service on 443 is no safer than one on 80. Transferring risk, on the other hand, means sharing with another party the adversity of loss, or the privilege of gain, from a risk. For example, buying car insurance is a risk transfer. Figure 1 illustrates the four options for handling the assessed risks.
IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:
- The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise or organization
IT risk management can be considered a component of a wider enterprise risk management system.
The establishment, maintenance and continuous update of an ISMS provides a strong indication that a company is using a systematic approach to the identification, assessment and management of information security risks.
Different methodologies have been proposed to manage IT risks, each of them divided into processes and steps.
According to Risk IT, IT risk encompasses not only the negative impact on operations and service delivery, which can destroy or reduce the value of the organization, but also the benefit/value-enabling risk associated with missed opportunities to use technology to enable or enhance the business, and IT project risk such as overspending or late delivery with adverse business impact.
Because risk is strictly tied to uncertainty, decision theory should be applied to manage risk as a science, i.e. by rationally making choices under uncertainty.
Generally speaking, risk is the product of likelihood and impact:
Risk = Likelihood * Impact
The measure of an IT risk can be determined as a product of threat, vulnerability and asset values, where the threat and vulnerability terms together express the likelihood of a loss event and the asset value expresses its impact:
Risk = Threat * Vulnerability * Asset
A more recent formulation, the TIK framework, adds the countermeasures in place as a divisor, so that controls reduce the scored risk rather than being ignored:
Risk = ((Vulnerability * Threat) / Counter Measure) * Asset Value at Risk
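The following is an added example, not part of the original page or of any of the frameworks it cites. It scores a small constructed risk register with the three formulas above, shows that Threat * Vulnerability plays the role of Likelihood when both are expressed as probabilities, and shows how the TIK countermeasure divisor changes the ranking once a control (here, enabling TLS on a payment form, as in the mitigation example earlier on the page) is applied. All asset values, probabilities and the countermeasure factor of 8 are illustrative assumptions; the frameworks do not prescribe them. The check that the countermeasure factor is at least 1.0 is also the author's addition: a divisor below 1 would raise the scored risk, and 0 would divide by zero.

```python
"""Risk register scored with Likelihood * Impact, Threat * Vulnerability * Asset,
and the TIK variant with a countermeasure divisor. Sample data is constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    threat: float          # probability the threat source acts, 0..1 (assumed scale)
    vulnerability: float   # probability the action succeeds given exposure, 0..1
    asset_value: float     # value at risk, in currency units
    countermeasure: float = 1.0  # TIK divisor: 1.0 = no control, >1.0 = control in place


def likelihood(r: Risk) -> float:
    """Likelihood term of Risk = Likelihood * Impact.

    With threat and vulnerability as probabilities, Threat * Vulnerability is the
    probability of a loss event, so Risk = Likelihood * Impact and
    Risk = Threat * Vulnerability * Asset agree when Impact = asset_value.
    """
    return r.threat * r.vulnerability


def raw_risk(r: Risk) -> float:
    """Risk = Threat * Vulnerability * Asset (controls not taken into account)."""
    return likelihood(r) * r.asset_value


def tik_risk(r: Risk) -> float:
    """Risk = ((Vulnerability * Threat) / Counter Measure) * Asset Value at Risk."""
    if r.countermeasure < 1.0:
        # Added guard: a divisor below 1 would increase risk, 0 would divide by zero.
        raise ValueError(f"{r.name}: countermeasure factor must be >= 1.0")
    return (r.vulnerability * r.threat) / r.countermeasure * r.asset_value


def apply_countermeasure(r: Risk, factor: float) -> Risk:
    """Mitigation: keep the activity but add a control that divides the risk."""
    return replace(r, countermeasure=r.countermeasure * factor)


def rank(register):
    """Highest scored (residual) risk first, which is the treatment order."""
    return sorted(register, key=tik_risk, reverse=True)


# Constructed sample register; numbers are illustrative, not from the page.
REGISTER = [
    Risk("payment form over plain HTTP", threat=0.8, vulnerability=0.9, asset_value=500_000),
    Risk("unpatched admin workstation", threat=0.6, vulnerability=0.5, asset_value=200_000),
    Risk("public brochure website defaced", threat=0.9, vulnerability=0.3, asset_value=10_000),
]


def mitigated_register():
    # Assumed for illustration: enabling TLS on the payment form is scored as
    # an 8x countermeasure factor. The other two risks are left untreated.
    return [apply_countermeasure(REGISTER[0], 8.0)] + REGISTER[1:]


if __name__ == "__main__":
    for label, reg in (("before treatment", REGISTER),
                       ("after enabling TLS on the payment form", mitigated_register())):
        print(label)
        for r in rank(reg):
            print(f"  {tik_risk(r):>10,.0f}  likelihood={likelihood(r):.2f}  {r.name}")
```

Before treatment the payment form scores 0.8 * 0.9 * 500,000 = 360,000 and tops the register; after the TLS control is applied as a divisor of 8 it drops to 45,000 and the unpatched workstation (60,000) becomes the highest residual risk, which is the practical value of the countermeasure term: it tells you where the next unit of effort should go.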