Information security risk management (ISRM) is the main method of controlling information security risk. This paper reviews the methods used for this purpose and recommends the use of ISRM, which every organization should implement in order to ensure business continuity.
Ours is an “Information Society”, the result of the swift expansion of global IT infrastructures during the past few years. These global IT infrastructures make an easy flow of information possible, even across national borders. IT is now used to support operational processes in business rather than only at the strategic level, and IT infrastructures enable organizations to face the challenges of a quickly changing economy (Gupta & Saini, 2013). They have also changed the way information is managed, as every organization now makes use of more and more information technology. With this, new dependencies and new risks have emerged globally. Risk is defined as the consequence of uncertainty on objectives; in the context of information security it is linked with the uncertainty of destruction of an information asset, leading to harm to the organization (Webb, Ahmad, Maynard, & Shanks, 2014). Information assets are critical possessions that executives depend on to run the business.
Although information assets hold sensitive information, information security environments are becoming more and more complex and face numerous issues, such as open systems and the strategic misuse of electronic integration (Kotulic & Clark, 2004). Information security covers many broad areas, including the technical aspects. When a business opens its internal networks to customers, business associates and dealers, it must ensure that there is no external intrusion and that data is always protected. Trustworthy information technology is a criterion for business continuity (Fenz, Ekelhart, & Neubauer, 2009). For this purpose, information security risk management (ISRM) is used in organizations alongside other measures. ISRM is a risk management procedure connected with the use of information technology. It includes recognizing, evaluating, and treating risks to the confidentiality, integrity, and availability of an organization’s assets (Abbass, Baina, & Bellafkih, 2016).
ISRM has many characteristics in common with other security methods. Its main distinguishing feature is that it does not reflect regional and cultural issues and assumes that all organizations function as large systems that need refined information security procedures. The process also matches risks against an organization’s general risk tolerance. It is not possible to remove all risks; with ISRM an organization can only identify and attain a risk level that is suitable for it. Modern organizations face the problem of protecting information resources from multifaceted security threats. The main security concerns are leakage and modification of sensitive information, which includes threats to intellectual property and trade secrets (Webb et al., 2014). One reason for greater information leakage today is the use of social networking and cloud computing (Webb et al., 2014). The benefits of cloud computing are strong, so appropriate security for cloud applications needs to be developed. The problem is that it brings a higher level of risk, as vital services are often subcontracted to a third party. To safeguard information resources, the ISO27000 information security standard can be used (Webb et al., 2014). ISO27000 offers a wide assortment of managerial and technical controls for protecting information resources. Here the organization’s selection of controls is linked with its level of security risk exposure. Thus the far better approach is to use a risk management approach to secure the organization’s information (Webb et al., 2014). This paper discusses information security risk management (ISRM) as a model for effectively addressing security risk management in organizations operating in different industries.
- What are the essential features of information security?
- What types of risks are associated with information security?
- What are the advantages of using the ISRM practice?
- How is risk assessed under the ISRM practice?
The paper covers different situations in which organizations faced information security issues and shows how different risk assessment methods were used there to remove the security risks. The literature review sets out the deficiencies inherent in the different models and proposes ISRM as the best practice for addressing all the issues.
In today’s environment, where organizations possess a number of informational assets, they are exposed to a wide range of internal and external security threats. Information assets can be manipulated and critical data stolen (Ayatollahi and Shagerdi, 2017). There are also natural risks of data destruction, such as accidental mistakes by computer operators. For example, in 2013 mobile malware targeted 99% of Android devices, as reported by Cisco (Ayatollahi and Shagerdi, 2017). Software and computers can be used without authorization for illegal activities. Furthermore, hackers and Trojan horses are other threats to the security of data.
Today, a number of different risk management methodologies are used by organizations to manage and control these risks, at both national and international levels. All of them were developed to address specific needs and differ in objectives, structure and level of use. Their common purpose is to estimate and rank the risk value while suggesting the most appropriate mitigation plan. All the methods have drawbacks, which include a lack of awareness, high cost, the prerequisite of expertise, and a lengthy process. They also do not consider the context of information security communication inside the organizational structure. Their frameworks assess risks on a horizontal plane, at either the operational, tactical or strategic level. The result is lengthy reports grounded in technical evaluation of the information security risks. These lengthy reports are of little use, as they are not communicated to the business units that need them, they lack the complete details of the business case, and they are not used for strategic decisions.
Some countries use computerized physician order entry (CPOE) systems, which enable clinicians to enter medication and other orders into a central electronic system (Aarts & Koppel, 2009). Few hospitals have implemented such a system so far, although the Institute of Medicine (IOM) and governmental and business groups in the U.S. recommend its use. The first such system was used in the early 1970s for the purpose of cost savings. CPOE can be used as a method for reducing medical errors (Aarts & Koppel, 2009). Other advantages of CPOE systems include direct reach to pharmacies, a reduction in errors with drug names, and simple assimilation of information into medical histories. The system can also be connected with decision-support systems that provide reminders about dosages and drug allergies (Aarts & Koppel, 2009). Thus this technology can be used to improve patient safety. Research has found cost savings, patient safety and local or national health IT strategies to be motivators for the adoption of CPOE systems.
Risk management can be implemented in an organization with both a proactive and a reactive approach. Companies use the reactive approach as a response to security risks that have already occurred in the organization. In the reactive approach an effective response is generated for each security incident, and examining the reasons behind security incidents helps in avoiding them in future. Applying the reactive approach requires six steps (Stroie & Rusu, 2011). There must be rules in the organization that protect human life and prevent work accidents. If there is any damage, it must be contained and not allowed to spread. After the damage, it must be assessed; for instance, in the case of a cyber-attack, the cyber damage has to be assessed. This consists of conducting detailed investigations of the incident as well as taking immediate action to restore or replace the hardware. Next, the causes of the damage are defined. After this assessment, the damage is repaired. Finally, policies and responses must be reviewed under the reactive approach. The other approach is the proactive approach, which has many advantages over the reactive approach (Stroie & Rusu, 2011). It is more economical to lessen the likelihood of a risk occurring than to react to the incident after it has happened. Organizations must have plans for protecting their assets and for implementing controls in order to lessen the risk of the organization’s vulnerabilities being exploited by malicious software. If an organization uses effective security strategies, this results in reputational benefits along with cost savings and reduced incident response times.
However, if an organization fails to implement adequate security measures, it will lose its competitive position in the industry. This is because in today’s technological world businesses hold a huge amount of customer data, and customers in return expect businesses to protect their sensitive data. Thus breach prevention, along with information security management, is significant to organizational success.
Usually data breaches fall into one of three broad categories: confidentiality breaches, integrity breaches and availability breaches. Confidentiality breaches are attempts to gain access to sensitive data, integrity breaches are linked with modification, and availability breaches result in system outages. Organizations are now able to lessen the number of breaches, but the rate is still very high in some industries, such as healthcare. Moreover, as conditions change, risk management methodologies evolve accordingly. One proactive approach to risk management that has evolved with time is the information security risk management (ISRM) model. ISRM provides organizations with the most effective and cost-efficient methods for controlling their information assets, and gives an organization a road map for protecting its information infrastructure.
The principal activity of ISRM is risk assessment, which begins with the recognition of risks, their prioritized ranking, the definition of suitable control strategies and the checking of their status. It performs mainly three functions in an organization. It classifies the organization’s IT setting and assesses business capabilities. Identifying all potential security risks and mitigating them is another of its functions. Finally, it makes recurrent enhancements to the organization’s security risk posture. Thus it is a constant process that allows an organization not only to identify and analyze risk but also to use controls to lessen the risks to information assets.
Furthermore, it has four objectives: risk identification, risk assessment, risk treatment and risk review. The process has its main focus on the second stage, risk assessment, which is the first step of the risk management methodology. During this stage a substantial amount of information related to the organization’s information resources is collected (Webb et al., 2014).
Fig. Risk management process. Source: (Humphreys, 2008)
Risk assessment is a multifaceted process, and a risk cannot be correctly managed unless it is carefully assessed (Naseer, Shanks, Ahmad, & Maynard, 2016). When there are more information assets, the complexity of risk assessment increases, as organizations must protect assets that can be spread over different targets (Naseer et al., 2016). Risk assessment capability and security control monitoring are its two capabilities. Effective ISRM is essential to the success of any organization and is also a source of competitive advantage when an organization’s ISRM procedure is more effective than its competitors’. It is a strategic procedure, as its purpose is to support the protection of the confidentiality, integrity and availability (CIA) of an organization’s information.
A number of industries make use of the information security risk management (ISRM) model. It also has numerous applications in the healthcare industry, where it is used as an effective tool for the management and control of risk. Healthcare workers are encouraged to use and share electronic health information, and for this reason they are particularly vulnerable targets for data breaches. Protecting health information is now more puzzling than in the past because of the changing nature of data usage. ISRM, being a strategic model, aims to support the protection of patients’ data confidentiality, safeguard data integrity and assure data availability. If any of these aspects is not fully addressed, healthcare centers may face legal and financial losses. But if the data is secured, the confidence of patients and clinicians will grow, leading to better usage of health data. Moreover, the United Kingdom and the Netherlands have also successfully prompted the acceptance of health information technology. Few countries have yet made considerable progress in inpatient settings (Jha et al., 2009).
ISRAM is based on a formula that equates the level of risk with two factors: the likelihood of a security breach occurring and the consequences of that breach. Based on this formula, the process is carried out by organizations in the form of a survey in an attempt to minimize the risk to their information assets.
Today healthcare organizations use computerized health information systems (CHISs) as a basic requirement for reducing health care costs, enhancing health care quality and safeguarding patient safety. Efficient systems also have the advantage of reducing medical mistakes. Therefore the clinical, fiscal and managerial activities of hospitals are progressively more reliant on the performance of the CHIS than in the past. Computerized health information systems have huge advantages, but a drawback of their use is information security. In the health care sector, most of the information is the personal information of patients, and it is very risky to use a system that is not secured with respect to that information. Therefore it must be secured and safe with respect to confidentiality and availability. During the past year, hospitals in different countries have faced greater challenges.
In a survey of acute care hospitals that were members of the American Hospital Association, electronic-record functionalities were examined in detail (Jha et al., 2009). The survey found that some hospitals had electronic health records in their clinical areas, but these accounted for only 1.5% of U.S. hospitals; a further 7.6% of U.S. hospitals used a basic system in their operations (Jha et al., 2009). Adoption of electronic health records was thus associated with specific hospital characteristics. The VHA had been successfully using electronic-record systems for more than a decade, with marked improvements in clinical quality. Larger hospitals situated in urban areas were more likely to use computerized provider-order entry for medications (Jha et al., 2009). The primary barriers to implementing the technology found during the survey were huge capital requirements and high upkeep costs. Policymakers need to pay attention to financial funding, interoperability, and training of information technology support staff (Jha et al., 2009).
In 2014, a case study was conducted in the north-west of Iran in the healthcare industry. The sample in this case study was the managers of the information technology departments. Data was collected from these managers by a questionnaire with three parts: personal information, system characteristics and risk identification. Natural disasters, human threats and environmental threats were the categories of information security threat considered in hospitals. The data was then analyzed by both quantitative and qualitative methods. The results showed fire, a lack of smoke alarm systems and a lack of access to a strong and up-to-date antivirus as some of the threats in the healthcare organizations under consideration. An inappropriate network structure and careless computer users came under physical/environmental threats in this case study. Technical safeguards were used more than administrative and physical safeguards. The most prevalent security control methods comprised precautionary control actions, for example access control and user authentication. Thus, to control fire, early warning fire and smoke detection systems are required in different areas of the hospitals. The access level of people in any healthcare organization must be restricted or defined in advance. Computer users must be properly trained, and physical safeguards must be used to protect the IT infrastructure.
To promote the use of electronic health records, the new government of Iran in 2014 implemented a health reform plan (Zarei & Sadoughi, 2016). Under this plan, hospital information system programs had to be connected via the internet to the Iranian system of electronic health records (the SEPAS system) (Zarei & Sadoughi, 2016). A problem emerged with this system: connecting through the public Internet significantly increased the risk of illegal access to patient data. There were also no stated rules on the privacy of patient information, which caused problems in the system’s effectiveness. In addition, there were more cases of cyber-attacks in Iran because of the country’s disputed nuclear programme.
To overcome all the above difficulties, a system is required that addresses all the issues and is more trustworthy. Despite the number of models in use in industry, shielding information assets from the multifaceted and quickly developing security threat landscape is a noteworthy challenge for contemporary organizations (Webb et al., 2014). The best model to use in this regard is information security risk management (ISRM). Its successful implementation needs all individuals to take part in identifying, assessing and mitigating risk. Individuals who take part in risk assessment must be authorized to communicate willingly and fairly throughout the process. In addition, this process must not be treated as similar to an audit procedure (Bornman & Labuschagne, 2005); rather, it must be used as a procedure for protecting assets in order to achieve the goals related to information security. During the risk assessment process, the first requirement is to identify assets. A complete and up-to-date inventory of all information assets is essential; these assets can be hardware, software, data and facilities. These assets must then be valued by the organization based on their CIA requirements. Threats also need to be identified in order to address the problems effectively. A threat is any activity that can harm the system. Threats can take the form of hardware or software failure as well as personnel changes. There can also be accidental destruction of data due to unauthorized access or for some other reason. Environmental causes such as power failure and natural disasters can harm the data. Computer viruses and hackers are also the main threats faced by information security in today’s environment.
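The ISRAM formula (risk level = likelihood of a breach × consequence of the breach) applied to the asset and threat identification just described, as an added example that is not part of the paper: assets are valued on the CIA triad, threats are scored for likelihood, and each applicable asset/threat pair is ranked so that the pairs above the organization’s risk tolerance can be selected for treatment. All assets, threats, values and control effects below are constructed sample data for a hospital-like setting, not results from any study cited here.

```python
"""Added example (not from the paper): a minimal ISRM-style risk register.

Risk = likelihood of a security breach x consequence of that breach (the
ISRAM formula discussed in the text). Assets are valued on the CIA triad and
threats are the kinds the text lists (fire, power failure, malware,
unauthorized access). Every asset, threat, score and control below is
constructed sample data, not survey results.
"""
from dataclasses import dataclass

CIA = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str             # hardware, software, data or facility
    confidentiality: int  # value of each CIA property, 1 (low) .. 5 (critical)
    integrity: int
    availability: int


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impacts: tuple    # CIA properties the threat degrades
    targets: tuple    # asset kinds the threat can affect


def consequence(asset, threat):
    """Consequence = highest value among the CIA properties the threat degrades."""
    return max(getattr(asset, prop) for prop in threat.impacts)


def risk_score(asset, threat, likelihood=None):
    """ISRAM-style score: likelihood x consequence (optionally a reduced likelihood)."""
    lik = threat.likelihood if likelihood is None else likelihood
    return lik * consequence(asset, threat)


def build_register(assets, threats, controls=None):
    """Score every applicable (asset, threat) pair, highest risk first.

    controls maps a threat name to how many likelihood points an existing
    safeguard removes (e.g. smoke detection against fire). Likelihood never
    drops below 1 because no risk can be removed entirely.
    """
    controls = controls or {}
    register = []
    for asset in assets:
        for threat in threats:
            if asset.kind not in threat.targets:
                continue
            lik = max(1, threat.likelihood - controls.get(threat.name, 0))
            register.append((risk_score(asset, threat, lik), asset.name, threat.name))
    # Highest score first; ties broken by asset and threat name for a stable report
    register.sort(key=lambda row: (-row[0], row[1], row[2]))
    return register


def needs_treatment(register, tolerance):
    """Rows whose score exceeds the organisation's risk tolerance."""
    return [row for row in register if row[0] > tolerance]


# Constructed sample inventory (hospital-like, values are illustrative)
ASSETS = [
    Asset("patient EHR database", "data", 5, 5, 4),
    Asset("CPOE application server", "hardware", 3, 4, 5),
    Asset("server room", "facility", 2, 2, 5),
    Asset("endpoint antivirus", "software", 2, 3, 2),
]
THREATS = [
    Threat("fire", 2, ("integrity", "availability"), ("hardware", "facility", "data")),
    Threat("power failure", 4, ("availability",), ("hardware", "facility")),
    Threat("malware", 4, CIA, ("software", "hardware", "data")),
    Threat("unauthorized access", 3, ("confidentiality", "integrity"), ("data", "software")),
]
# Constructed: safeguards the text recommends and the likelihood points they remove
CONTROLS = {"fire": 1, "unauthorized access": 2, "malware": 1}

if __name__ == "__main__":
    before = build_register(ASSETS, THREATS)
    after = build_register(ASSETS, THREATS, CONTROLS)
    for score, asset, threat in before:
        print(f"{score:3d}  {asset:26s} {threat}")
    print("above tolerance before controls:", len(needs_treatment(before, 15)))
    print("above tolerance after controls: ", len(needs_treatment(after, 15)))
```

With the sample data, four asset/threat pairs sit above a tolerance of 15 before controls and only the two power-failure pairs remain after them, which is the kind of prioritization the text describes.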
Security is treated as a strategic business matter because of the rise in the number of data breach incidents. New policies and laws have appeared in different industries as a result of data breaches and data protection failures, and these laws can impose fines for breach incidents and accidental data loss. This serves as a process of ensuring the safety of procedures along with a strategy of risk minimization. Organizations are apprehensive about data security in order to escape the heavy cost of patient lawsuits and the fines imposed by government for failing to protect data.
The findings of this study contribute to the current body of literature relating to the need for data privacy. The information in this study could help healthcare physicians comprehend the influences linked with data security risks and the consistent prevention policies needed to diminish data privacy gaps. Business leaders can thus use this study for managing information security risks, and for devising new methods of managing the strategic consequences linked with information security more successfully. Healthcare practitioners need to act before an incident happens. There is a need for widespread preplanning, the creation of main operational procedures, and lengthy scrutiny of organizational strategies and trials.
Today, almost every industry uses more and more technology, and organizations operate their systems based on it. The data that organizations use therefore serves as their main asset, and its protection is required for the existence and growth of the business. Data breaches cause significant monetary losses to organizations. In view of these losses, organizational managers now need to use methods that can save them from such losses. Web-based solutions, along with remote and mobile technologies, are making information security risks higher for organizations. It is not possible to avoid using such technologies, as they are essential in today’s business environment for making progress competitively. The use of technology in today’s business environment serves as a source of competitive advantage. The use of computers and computer networks by organizations leads to cost reductions, and also helps in achieving suitable and effective facilities.
Therefore organizations need measures that ensure the security of their data along with the security of their other assets. A number of methods can be used for this purpose, but most of them have several drawbacks that make them ineffective (Gupta & Saini, 2013). Thus a method must be used that focuses on effectiveness, in the form of improving the security of the system as well as its reliability. Policy makers must focus on financial support in this regard, along with addressing the issues of staff training.
Organizations can use ISO 27001 to manage risk. They can also adopt ISMS standards to serve their security authorities within the enterprise. One of the effective methods is the information security risk management (ISRM) practice. Its main goals are to ensure confidentiality, integrity and availability, in the form of the CIA triad, for IT assets. Here confidentiality refers to safeguarding the confidentiality of systems: the system ensures that only authorized users can reach the data and that no outside person has access to it. Integrity refers to the procedures and controls that are in place to safeguard against changes to systems. Availability is the assurance that data is available to authorized users on a continuous basis. All of these components are achieved successfully if all the organization’s employees participate actively in the process, but the ultimate responsibility for the effective use of the ISRM practice still lies with the board of directors and executive management. Organizations cannot use traditional methods for controlling the risks associated with information security: the factors responsible for risk to information assets are linked to each other and are not addressed by traditional methods. The best approach in this regard is to use the model proposed above.
When an organization applies technology to information, the result is information security risks. The information can be distorted and inappropriately disclosed, or modified by an unauthorized user for some other purpose that is not suitable for the organization, resulting in dollar losses to the organization (Blakley et al., 2001). From the literature, the most common information security risk is fire, along with technical and environmental threats. The high-impact risk factors require more consideration towards the mitigation of risk. The underlying causes of risks always need to be identified and addressed beforehand, so that organizations do not face adverse consequences. In this regard it is also important to address the causes more effectively when the operating industry is healthcare, where they must be addressed at the macro level to ensure patient safety.
Most of the time organizations lack the required resources, in the form of financial and other material resources, which leads to the failure of the program. Thus top management must take responsibility for ensuring the success of the program, at least in its financial requirements. This also shows management’s commitment towards information security. With an effective ISRM program the board of directors finds an adequate level of risk and makes well-informed risk management choices. They also determine the potential influence of these risks on the organization. Information security risks are also identified for the purpose of achieving the organization’s respective missions. This also allows regulatory requirements to be fulfilled in an economical way.
While using the ISRM strategy, it is necessary to use the organization’s risk profile and risk appetite. If there is no risk profile, risks cannot be minimized in the organization through this method. The ISRM strategy must aim to achieve business goals and maintain the security of the organization. ISRM is used as one constituent of a complete enterprise risk management (ERM) competence, and it must be consistent with the goals and policies of the organization. Also, while developing the ISRM strategy, the organization’s present business circumstances must be understood, since these show the organization’s capability to execute the strategy. For example, if an organization is operating at a loss and has no budget for any model to be implemented, then it is not possible to devise such a strategy; it will only waste the organization’s time. Thus the necessary resources are required for effective implementation of the model to ensure the safety of the organization’s assets. Along with the financial resources, there are several other factors that need to be considered.
The use of ISRM is essential in every industry, but it has more importance in the health industry. This industry faces huge pressure to reduce costs and improve health care quality. There is also a need to ensure patient safety by reducing the mistakes committed by health care providers, which can take the form of delivering the wrong services and not following the correct prescriptions. Thus, to achieve the above objectives, the use of ISRM is essential. It is a structured and continuous process that removes risks and achieves the objectives effectively. As it is a continuous process, it effectively addresses all the issues that arise in information security, since information security risks are not constant over time: the conditions of organizations continuously change, and so the information assets of organizations, the associated risks and the solutions also change. This also provides the opportunity to focus more on high-risk areas. ISRM is a practice that lessens the overall risks inherent in the organization’s structure of information assets, and it is also effective in terms of the cost–benefit analysis of the implementation.
Reliable ISRM represents a major challenge for organizations, as it requires effective data to be entered into the system so that effective decisions can be generated. This is because the structure and type of information technologies have altered extremely over the last period: simple separate batch requests have changed into distributed computing environments. These changes are responsible for the nature of security risk analysis and its control.
Aarts, J., & Koppel, R. (2009). Implementation of computerized physician order entry in seven countries. Health Affairs, 28(2), 404-414.
Abbass, W., Baina, A., & Bellafkih, M. (2016, October). Improvement of information system security risk management. In Information Science and Technology (CiSt), 2016 4th IEEE International Colloquium on (pp. 182-187). IEEE.
Ayatollahi, H., & Shagerdi, G. (2017). Information Security Risk Assessment in Hospitals. The Open Medical Informatics Journal, 11, 37.
Blakley, B., McDermott, E., & Geer, D. (2001, September). Information security is information risk management. In Proceedings of the 2001 workshop on New security paradigms (pp. 97-104). ACM.
Bornman, W., & Labuschagne, L. (2005). A Framework for Information Security Risk Management Communication. In ISSA (pp. 1-11).
Fenz, S., Ekelhart, A., & Neubauer, T. (2009, September). Business process-based resource importance determination. In International Conference on Business Process Management (pp. 113-127). Springer, Berlin, Heidelberg.
Gupta, S., & Saini, A. K. (2013). Information System Security and Risk Management: Issues and Impact on Organizations. Global Journal of Enterprise Information System, 5(1), 31-35.
Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 13(4), 247-255.
Jha, A. K., DesRoches, C. M., Campbell, E. G., Donelan, K., Rao, S. R., Ferris, T. G., … & Blumenthal, D. (2009). Use of electronic health records in US hospitals. New England Journal of Medicine, 360(16), 1628-1638.
Kotulic, A. G., & Clark, J. G. (2004). Why there aren’t more information security research studies. Information & Management, 41(5), 597-607.
Naseer, H., Shanks, G., Ahmad, A., & Maynard, S. (2016). Enhancing Information Security Risk Management with Security Analytics: A Dynamic Capabilities Perspective.
Shedden, P., Smith, W., & Ahmad, A. (2010). Information security risk assessment: towards a business practice perspective.
Stroie, E. R., & Rusu, A. C. (2011). Security Risk Management-Approaches and Methodology. Informatica Economica, 15(1), 228.
Webb, J., Ahmad, A., Maynard, S. B., & Shanks, G. (2014). A situation awareness model for information security risk management. Computers & Security, 44, 1-15.