Information security risks
Discuss the Practical Methods for Information Security Risk Management.
In the modern world, information has become the most valuable asset any organisation holds. Management of operations depends to a large extent on the data a firm has about its present and previous condition (Saleh and Alfantookh, 2011). It has become crucial for firms to ensure that they have an effective mechanism for securing these data, because there is a consistent increase in the number of cyber-crimes attempted in order to steal or damage data. In modern business, any breach of security can be very damaging to the firm, since other firms can gain a competitive advantage over it by using its information. In order to protect firms from data breaches, it is essential that companies develop strong information security policies. These policies must be highly descriptive and must take a holistic view of managing security within the firm (Poolsappasit, Dewri and Ray, 2012). Policies must clearly define the roles and responsibilities of every stakeholder in maintaining data security. They must lay down the rules that govern the operation of the information system and the way in which information security risks are to be avoided.
Cosmos is an online newspaper with several stakeholders associated with it. In such a situation it has become highly essential for the company to manage the security risks attached to its information system. The company aims to enhance its information security policy so that it can make sure data does not leak through the various channels available.
This report analyses the information security risks present in a modern firm. It evaluates the information security risks that confront the management of the company. It also describes the policies used by the company for managing its information security.
In the age of digitalisation, managing data security has become highly difficult (Fenz and Ekelhart, 2011), because there are many ways in which a data breach can occur. This not only increases the risks associated with information security but also increases the risk to the company in the event of a security failure. Some of the major risks attached to information security are as follows:
- Adopting technology too early: Cosmos must not be too quick in adopting any new technology, because the adoption of technology always brings security issues with it (Peltier, 2013). For example, before installing a new version of an operating system, it must be checked whether an antivirus product exists that supports the security of that system.
- Connecting new devices: Whenever a new device is connected to the systems there is a chance that new kinds of malicious content or bugs can attack the system (Whitman and Mattord, 2013). This risk is very significant in the case of Cosmos, as many news documents reach the company from various sources, which could be highly dangerous for the firm. It is also linked to the requirement that no new device be connected to the internet without the use of a firewall.
- Algorithms: Companies these days are using algorithms that are data driven, so the risk is present in the data itself. Digital decisions become highly vulnerable when the algorithms used to make them are compromised (Lo and Chen, 2012). Any algorithm, and the data on which it is based, must be checked twice so that no flaw remains in the system; otherwise it may produce wrong or misinterpreted data.
- Aging infrastructure: Since the technology used for stealing data is advancing at a much faster rate, hackers have become smarter. This requires continuous improvement of the information architecture; otherwise ageing infrastructure may increase the risk associated with it (Von Solms and Van Niekerk, 2013). There must not be any resource constraints in providing security infrastructure. The risk widens when there is improper accounting of the system infrastructure.
- Confusing compliance with cyber-security: Compliance problems arise when there is no effective management of the system architecture (Yildirim, et al., 2011). Any confusion in the cyber-security policies, or in the way stakeholders exercise their authority, can lead to higher cyber-security risks in the business process.
Cosmos has made various guidelines to make sure that effective security measures are taken for managing security. Every company makes its guidelines based on the standards it has set for managing security (Whitman and Mattord, 2011). The guidelines relating to the various aspects of information security are as follows:
Guidelines for managing cyber security risks
In order to reduce the risks attached to information security, Cosmos has issued a clear instruction that proper accounting of the systems will be done. This will be done on a regular basis so as to reduce the chances of failure.
Information assets need to be properly kept in a particular storage place where they cannot be breached (Shamala, Ahmad and Yusoff, 2013). This also reflects the fact that the company has not made its information system very complex. The network for the exchange of data is also kept simple, because a complex network has multiple nodes and a data breach could be possible through each node. Since there are many freelancers connected with Cosmos, the problem is widened.
Training for IT personnel must be given on a timely basis, which would help them gain control over operations and ensure that the best infrastructure can be maintained within the firm (Peltier, 2016). This training must be given at all levels of the organisation irrespective of the position an employee holds. It will help in reducing the risks caused by information system personnel or other employees.
There is a clear rule regarding the outsourcing of data, as well as the risks linked with the use of an outsourcing facility. Any outsourcing of information brings many consequences with it, such as data breach, data loss, account or traffic hijacking, insecure APIs, insufficient due diligence and malicious insiders (Feng and Li, 2011). This could lead to heavy losses for the company, as important data can get leaked.
There are several things that must be done by the information security personnel while evaluating a risk, that is, once the risk has been identified. Some of the considerations they must use are as follows:
- What is the possible outcome if the risk eventuates?
- When, and how frequently, can the identified risk happen?
- Where is the risk likely to have an impact?
- Who is most likely to be affected by the risk?
- What sort of impact could the risk bring, and which stakeholders will be affected by it?
- What catalysts may lead to the risk event?
- In what ways can the eventuality of the risk be mitigated?
- In what ways can the consequences of the risk be mitigated?
- How reliable is the information on which the risk assessment is based?
All of these questions are to be answered so as to find a probable solution for eliminating the risks present in the information security system. Answering them will also help in reducing the impact the risks could have.
Whenever a risk is identified, the information must be shared with the senior officials of the firm. This will help ensure there is less chance of the risk widening, because the senior officials take decisions accordingly so as to reduce the probability of the risk occurring.
Staff need to document every process they carry out to eliminate the risk, as well as what happened during the whole process (Bennett, et al., 2013). This will help the firm in reducing the probability of risk in the system. Documentation also helps in reporting, as it gives an exact account of what happened.
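The assessment questions above, the escalation rule and the documentation of controls can be captured in a simple risk register. The following is an added example written for this discussion, not a tool used by Cosmos; the scoring scales, the escalation threshold and the three register entries are constructed assumptions.

```python
from dataclasses import dataclass, field

# Ordinal scales for the register (constructed for this example, not Cosmos's own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RELIABILITY = {"verified": 1.0, "reported": 0.8, "anecdotal": 0.5}
ESCALATE_AT = 10  # residual score at or above which senior officials are informed


@dataclass
class Risk:
    name: str
    outcome: str                 # what happens if the risk eventuates
    likelihood: str              # how often it can happen
    impact: str                  # how severe the impact would be
    affected: list               # who is most likely to be affected
    catalysts: list              # what may trigger the risk event
    reliability: str             # how reliable the underlying information is
    # Controls that reduce the chance of the event (mitigating eventuality),
    # and controls that reduce the damage (mitigating consequences); each maps
    # a control name to the number of scale steps it removes.
    likelihood_controls: dict = field(default_factory=dict)
    impact_controls: dict = field(default_factory=dict)

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        # Controls lower a dimension by the stated steps, never below 1.
        lik = max(1, LIKELIHOOD[self.likelihood] - sum(self.likelihood_controls.values()))
        imp = max(1, IMPACT[self.impact] - sum(self.impact_controls.values()))
        return lik * imp

    def needs_escalation(self) -> bool:
        return self.residual_score() >= ESCALATE_AT

    def needs_verification(self) -> bool:
        # Weak evidence does not lower the score; it flags the entry for follow-up.
        return RELIABILITY[self.reliability] < 0.8


def rank(register: list) -> list:
    # Highest residual exposure first; ties broken by inherent score.
    return sorted(register, key=lambda r: (r.residual_score(), r.inherent_score()),
                  reverse=True)


# Constructed sample entries for the Cosmos scenario.
REGISTER = [
    Risk("Malware in freelancer-supplied documents", "workstation compromise, data leak",
         "likely", "major", ["editorial desk", "IT"], ["unscanned attachments"],
         "verified", likelihood_controls={"scan uploads": 1, "firewall": 1},
         impact_controls={"least privilege on desks": 1}),
    Risk("Outdated firewall rules", "malicious traffic reaches internal network",
         "possible", "severe", ["whole organisation"], ["missed upgrade cycle"],
         "reported", likelihood_controls={"scheduled upgrades": 1}),
    Risk("Slow incident response", "small incident grows into a large loss",
         "possible", "major", ["management", "readers"], ["unclear responsibilities"],
         "anecdotal"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.residual_score():>2} {r.name} escalate={r.needs_escalation()} "
              f"verify={r.needs_verification()}")
```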
Issues attached with managing information security risk
The company has designed an information security program which includes the following elements:
- Chief Information Security Officer: There is a Chief Information Security Officer inside Cosmos whose role is to check all the information security measures taken by the company. He also has the role of informing all the shareholders of the company about information security.
- Information Security Steering Committee: The CISO is a member of this committee, which has the role of checking the cross-sectional aspects of information security. The committee includes senior representatives of sales, marketing, finance, HR, IT and operations.
- Information security responsibilities: Various responsibilities are assigned to different persons at different levels of the organisation. Some of these responsibilities are as follows:
| Functional Role | Security Responsibilities |
| --- | --- |
| Chief Executive Officer | Accountable for the overall security capacity of the firm |
| Chief Information Security Officer & Steering Committee | Providing leadership, establishing policies, coordinating implementation, responsible for vulnerability and risk assessment |
| Staff and managers | Implementing procedures and policies, staying aware, being vigilant, reporting any vulnerability or attempted breach |
Cosmos has created an information security culture that has helped it strengthen the information security program. This culture includes being aware of possible cyber-security breaches and training employees about new ways in which data breaches can happen. Information security practices may define, impart and regulate information security knowledge. What the culture ultimately determines is the gap that often exists between the dictates of the information security policy and the behaviour of the people (Gillies, 2011). This includes the level of oversight and control that agencies have over information management.
There is a policy within the company that also covers unauthorised access to confidential data. The punishments are also stated in the policies made by the company, and disciplinary action will be taken against defaulters. If any employee unintentionally breaches the security of information, he or she must immediately report it to the senior officials so that immediate action can be taken. Before any new technological device is used, formal permission must be obtained from the security in charge.
Risk management relies on the processes of assessing, monitoring and responding (Amancei, 2011). The guidelines clearly elaborate each of these processes. First is the assessment or identification of the risk; second is risk monitoring, which means checking the information system throughout the day; and third is the response, i.e. responding to the risk that has arrived at the information system. Regular monitoring must be done so as to respond to any potential risk that could become a threat to the company.
There are various issues attached to managing information security risk. Some of the most common are as follows:
- Justifying the value proposition: One of the biggest challenges information security management faces is justifying its value proposition to the business, so that security requirements receive sufficient resource allocations (Dotcenko, Vladyko and Letenko, 2014). A paradox exists here: even if security risk management is effective, it cannot be concluded that good security is in place, because a flaw may go unobserved simply because hackers showed no interest in attacking at that time. This is an issue for Cosmos, as the company has to think about the weaknesses present in the system all the time.
- Lack of focus: It is also seen that there is often a lack of focus. A lack of focus by management means not seeing the problems that actually exist within the firm and giving the security mechanism a positive rating (Chen, Ramamurthy and Wen, 2012). Such auditing always increases the chances of a successful attack on the system. Cosmos has faced this issue in the past, which led to significant data loss for the company.
- Improper data abstraction mechanism: A company like Cosmos has to install the best data abstraction mechanism available. This helps ensure that only the required amount of data is shared with any particular employee (Kooper, Maes and Lindgreen, 2011). Any discrepancy in the data abstraction mechanism installed in the information system at Cosmos can lead to huge losses for the company.
- Complex organisational structure: One of the biggest challenges to information security management is the complex organisational structure Cosmos has. This could be dangerous for the firm, as it creates a lot of loopholes in the system and data leaks could occur at many points. Even the best information risk management policies can fail because of multiple nodes (Greenshpon, et al., 2013).
- Slow response function: If the company's response mechanism is weak or slow, then any risk may grow bigger, which is a problem for the company in the long run. It is crucial for the firm to ensure that its mechanism for responding to any risk is fast and responsive, so that better risk mitigation measures can be used. Risk mitigation measures must be fast and highly responsive (Abbas, et al., 2011).
- Changing industry standards: A large number of changes are being noticed in the business environment. This has also raised the standards that are implemented for safeguarding against risk incidents. Cosmos needs to upgrade itself on a timely basis so as to ensure that it complies with the standards.
- Communication: One of the major issues present in any company's information security management is communication. If any flaw remains in the company's communication mechanism, there is a chance of improper risk management of the information system (Ghazouani, et al., 2014). It is the role of the Chief Information Security Officer to manage the communication required for effectively avoiding risks. Communication also plays a greater role in reducing confusion about the role each member of staff plays while managing security risk.
While constructing the guidelines for managing information security risk, there are several assumptions the organisation needs to make so as to ensure a high level of information security. These are based on the type of risks posed to the business as well as the resources Cosmos has for tackling the situation. These assumptions help the organisation make the best policies or make changes to them. Some of the most common assumptions in this regard are as follows:
- The information system used within the organisation is of high quality. This assumption could be dangerous for the firm, as it reduces the organisation's focus on the risks that could confront the business of Cosmos. The information security management committee must ensure that no such overconfidence exists among the members responsible for managing the risks associated with information security.
- That the installed firewalls are not out of date is another common assumption made by the organisation, and it may lead to malicious content entering the security system. This is dangerous for the quality of the data stored at the firm. Firewalls must be upgraded on a regular basis so that attacks through malicious content are not possible (Montesino and Fenz, 2011).
- The most common assumption made by organisations while changing their policy concerns training. This is a problem, as the staff of companies like Cosmos have different areas of expertise and generally have less knowledge of the use of the information system. This may be due to shortcomings in the training program, which was previously assumed to be good.
- Another important assumption in this regard is that Cosmos has all the resources available to it and that there are no financial constraints on purchasing effective technology. This will empower the organisation to make policies without any problems. In the risk assessment, this assumption plays a very crucial role.
- A further assumption made before making policies is that there is no confusion in the minds of the people who have a role in information security management; any such confusion can lead to serious loss (Ristola, 2011). In order to remove it, the company needs to have formal communication within the organisation.
- The company also needs to make sure that it has an effective organisational structure. This will help staff understand the responsibilities they have in the whole process of risk management. Proper data abstraction is required within the firm, which in turn ensures a higher level of security for crucial information.
Conclusion
From the above report, it can be concluded that Cosmos is one of the best online newspaper companies and is planning to make changes in its risk management policies. Several guidelines have been made by the management of Cosmos. All these guidelines are made according to the issues present in the organisation's management of information security risk. In designing the guidelines for the organisation, Cosmos needs to make many kinds of assumptions. These assumptions must be based on the prevailing risk environment and the resources the cited firm has available.
References
Abbas, H., Magnusson, C., Yngstrom, L. and Hemani, A., (2011) Addressing dynamic issues in information security management. Information Management & Computer Security, 19(1), pp.5-24.
Amancei, C., (2011) Practical methods for information security risk management. Informatica Economica, 15(1), p.151.
Bennett, J., Stager, M., Shevlin, G. and Tang, W., ALLGRESS Inc, (2013) Enterprise information security management software for prediction modeling with interactive graphs. U.S. Patent 8,516,594.
Chen, Y., Ramamurthy, K. and Wen, K.W., (2012) Organizations' information security policy compliance: Stick or carrot approach? Journal of Management Information Systems, 29(3), pp.157-188.
Dotcenko, S., Vladyko, A. and Letenko, I., (2014) A fuzzy logic-based information security management for software-defined networks. In Advanced Communication Technology (ICACT), 2014 16th International Conference on (pp. 167-171). IEEE.
Feng, N. and Li, M., (2011) An information systems security risk assessment model under uncertain environment. Applied Soft Computing, 11(7), pp.4332-4340.
Fenz, S. and Ekelhart, A., (2011) Verification, validation, and evaluation in information security risk management. IEEE Security & Privacy, 9(2), pp.58-65.
Ghazouani, M., Faris, S., Medromi, H. and Sayouti, A., (2014) Information Security Risk Assessment–A Practical Approach with a Mathematical Formulation of Risk. International Journal of Computer Applications, 103(8).
Gillies, A., (2011) Improving the quality of information security management systems with ISO27000. The TQM Journal, 23(4), pp.367-376.
Greenshpon, A., Karidi, R., Helman, Y. and Rubin, S.A., Microsoft Corp, (2013) Estimating and visualizing security risk in information technology systems. U.S. Patent 8,402,546.
Kooper, M.N., Maes, R. and Lindgreen, E.R., (2011) On the governance of information: Introducing a new concept of governance to support the management of information. International Journal of Information Management, 31(3), pp.195-200.
Lo, C.C. and Chen, W.J., (2012) A hybrid information security risk assessment procedure considering interdependences between controls. Expert Systems with Applications, 39(1), pp.247-257.
Montesino, R. and Fenz, S., (2011) Automation possibilities in information security management. In Intelligence and Security Informatics Conference (EISIC), 2011 European (pp. 259-262). IEEE.
Peltier, T.R., (2013) Information security fundamentals. CRC Press.
Peltier, T.R., (2016) Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.
Poolsappasit, N., Dewri, R. and Ray, I., (2012) Dynamic security risk management using bayesian attack graphs. IEEE Transactions on Dependable and Secure Computing, 9(1), pp.61-74.
Ristola, T., (2011) Risk management in information system development. [Online]. Available at: https://www.theseus.fi/bitstream/handle/10024/32978/Ristola_Teemu.pdf?sequence=2. [Accessed on: 18 May 2018].
Saleh, M.S. and Alfantookh, A., (2011) A new comprehensive framework for enterprise information security risk management. Applied Computing and Informatics, 9(2), pp.107-118.
Shamala, P., Ahmad, R. and Yusoff, M., (2013) A conceptual framework of info structure for information security risk assessment (ISRA). Journal of Information Security and Applications, 18(1), pp.45-52.
Von Solms, R. and Van Niekerk, J., (2013) From information security to cyber security. Computers & Security, 38, pp.97-102.
Whitman, M. and Mattord, H., (2013) Management of information security. Nelson Education.
Whitman, M.E. and Mattord, H.J., (2011) Principles of information security. Cengage Learning.
Yildirim, E.Y., Akalp, G., Aytac, S. and Bayram, N., (2011) Factors influencing information security management in small-and medium-sized enterprises: A case study from Turkey. International Journal of Information Management, 31(4), pp.360-365.