Security Risk Management Process - Microsoft Company
Security Risk Management the Microsoft Way
Defining Risk and Risk Management
Value Risk Management
Risk Management Procedures and Processes
Key Success Factors For Security Risk Management
Risk Management Approaches
Risk Management Failure Reduction
An Analytical Review of Security Risk Management The Microsoft Way
Security risk management is a vital tool for ensuring the continued success, productivity and stability of organizations across the globe. In an increasingly technology-driven and global marketplace, it is vital that organizations find ways to mitigate the increased risks associated with doing business in their environment. The purpose of this research paper is an analysis of the critical success factors related to security risk management at Microsoft Corporation. Specifically, the researcher will attempt to understand what critical success factors Microsoft uses to successfully manage risk, and whether those practices might be useful or practical for other companies to adopt.
In recent years researchers and organizations have given security risk management more attention, in part because the level of risk has increased in recent years (Kimball, 2000). Multiple trends have contributed to an increased risk including globalization of trade and production and corporate investments in "volatile emerging markets" (Kimball, 3).
Unfortunately, risk management fails in many companies. In fact there are reputed and "well publicized failures associated with its implementation" (Kimball, 3). It is as important that organizations recognize what factors contribute to failure as it is that they recognize what factors contribute to success, so that adequate measures may be taken to improve risk management in the future and reduce errors associated with implementation and maintenance.
Background to Problem
Historically, as organizations have grown technologically, new security risks have emerged that must be addressed. Today organizations are connected through IT infrastructures that operate in an environment considered "increasingly hostile" where "attacks are being mounted with increasing frequency" and occurring over shorter periods of time (Microsoft, 2004). Many factors contribute to increased risk, including higher levels of volatility within financial markets, rapid advances in technology and increasing globalization in the marketplace (Simons, 1996). The rise in transaction volume in markets has also contributed to increased threats and risk, though many risks can be calculated and prepared for (Simons, 1996).
Unfortunately, in the past many organizations have been slow to respond to security threats, resulting in increased impact on business processes and procedures. Microsoft has concerned itself, among other things, with managing the security and safety of its infrastructure to ensure business value to customers both internal and external.
Significance of Study
Microsoft notes that a "failure to proactively manage security may put executives and whole organizations at risk" because breaches of both fiduciary and legal responsibilities to internal and external customers become apparent when security is lacking (Microsoft, 1).
Corporations must learn not only to identify what risk is acceptable, but also to manage the risk. What works for one company may not necessarily work for another, depending on the complexity of an organization's infrastructure, its resources and its management responsibilities (Microsoft, 2004).
Literature Review: Security Risk Management the Microsoft Way
Defining Risk and Risk Management
Microsoft has developed a security risk management process based on customer experience and the company's own experience. This guide provides "actionable guidance" which promises to deliver corporations multiple benefits, including (1) providing customers a "proactive security base," (2) allowing companies to measure security and place a value on risk management and (3) enabling customers to minimize large risks without depleting all available resources in the process (Microsoft, 2004).
Barrese & Scordis (2003) suggest that risk management be viewed "as the management of the operations and activities of a corporation and its financing practices" to develop a collection of risks that "yield a corresponding average payoff" (26). Risk, according to the researchers, has the ability to impact all aspects of business function and personal activity (Barrese & Scordis, 2003). Risk management includes measuring the "variation of actual outcomes around an expected outcome" (Barrese & Scordis, 26).
Kimball (2000) defines risk as "the existence of uncertainty about future outcomes" and suggests it is a key factor in economic transactions because firms make real investments each day without understanding whether their investments will result in debt or improved capital (Kimball, 2000).
Value Risk Management
Risk involves negative consequences whether financial or otherwise. Risk management practices are worthwhile because they may mitigate side effects of a volatile business environment, protect future investments, prevent "erosion of the firm's finance" and ensure the productivity and success value of a corporation (Barrese & Scordis, 26).
While corporations recognize the inherent value in managing risk, many spend too few resources on risk management, in part because they lack information regarding "the nature of vulnerabilities, potential losses or options to upgrade security" (Manila, 2005). Simons (1996) points out that risk management can mitigate substantial concerns and potential losses within an organization, particularly with respect to an organization's value portfolio.
Risk Management Procedures and Processes
Barrese & Scordis (2003) define risk management as a process. There are many models of risk management, including Microsoft's. The number of steps involved will vary from company to company, but there should be core inclusions such as (1) establishing "risk return goals," (2) identifying and valuing root causes of future revenue fluctuations or instabilities, (3) balancing loss control and assessing and implementing financial tools used to mitigate risk and (4) implementation of final processes, maintenance, monitoring and ultimately review (Barrese & Scordis, 2003). A company's exposure to risk varies with time; thus it is vital that corporations review and consistently update risk management processes to resolve unexpected risks that may arise with time (Miller, 1992).
Simons (1996) supports an approach to risk management called "value at risk" or VAR, which suggests organizations determine how much money they will lose over a defined period of time if risk is not managed. More precisely the researcher asks, "how much could the value of the portfolio of an organization decline" (Simons, 3). The need to place value on risk management is confirmed by numerous other researchers who note that value helps translate ideas into reality.
Simons's ideas are in line with Microsoft's security risk management approach, which suggests organizations must assign value to assets and calculate risks. To do so Microsoft suggests the organization assess the "immediate financial impact" that will be realized if an asset is lost, as well as the indirect impacts of a lost asset (Microsoft, 2004). In addition to assessing the total revenue that an organization might lose during a single incident, an organization must also determine how likely a risk is to recur during a given year and the amount of money that an organization may lose if no action is taken to mitigate the risk (Microsoft, 2004). Likewise, the cost of managing a particular risk must be assessed.
Key Success Factors For Security Risk Management
Microsoft (2004) has identified multiple critical success factors that allow implementation of a successful security risk management program. These include: (1) executive and management support of risk management processes, (2) clearly defined roles and responsibilities with respect to security risk management, (3) proper identification of the impact of risk by business owners and (4) identification of risk probability by information security teams. In addition, the company uses its information technology team to implement controls to minimize any unacceptable risk within the organization (Microsoft, 2004).
For a risk management program to succeed it also must be well defined with regard to roles and responsibilities; it must be well planned; it must address "critical business threats and vulnerabilities" and it must "articulate" organizational priorities (Microsoft, 2004).
Barrese & Scordis (2003) confirm Microsoft's approach to risk management. The researchers state that multiple elements contribute to the success of a risk management program. The key elements defined by the researchers include (1) management buy-in, particularly senior management buy-in, (2) an organizational culture that supports risk management, (3) direct communication that moves up and down as well as across hierarchical boundaries in an organization, (4) a common language to define risk management and lastly (5) a "company wide responsibility center" accountable for risk management processes and procedures (Barrese & Scordis, 26). Organizations must ensure that risk management ideals, objectives, goals and processes are ingrained in everyday affairs and that employees are adequately trained with respect to risk management procedures (Barrese & Scordis, 2003).
Risk Management Approaches
Microsoft identifies multiple risk management approaches, including a reactive and a proactive approach. The reactive approach occurs in response to an identified threat, where most efforts are concentrated on resolving a problem or threat that is already imminent (Microsoft, 2004). While this approach may be effective as a "tactical approach to security risks that have been exploited," typically organizations can find better ways of managing risk without succumbing to risk in the first place (Microsoft, 2004). The reactive approach does, however, allow managers to assess an organization's risk history in an attempt to predict future security risk threats and take action to prevent them (Microsoft, 2004; Barrese & Scordis, 2003; Kimball, 2000).
Microsoft proposes six steps to enable proper reactive management of security risks, which include: protecting safety and life, containing and assessing the damage, determining the cause of and repairing the damage, and reviewing the risk response and updating procedures in the hope of preventing the risk in the future (Microsoft, 2004).
A proactive approach is much more advantageous, however, as it enables corporations to prevent threats or minimize risks before negative occurrences happen within an organization. A proactive approach requires that organizations first identify what assets they have that need protecting, then determine what damage an attack could do to the assets in question, next identify any vulnerabilities in current security measures and finally decide on procedures to minimize the risk of threats and attacks by implementing proper risk management controls and procedures (Microsoft, 2004). In this sense risk management is much like risk "assessment," which allows organizations to place value on assets and determine the benefits of protecting such assets (Microsoft, 2004).
Kimball (2000) supports such measures, suggesting that failures in risk management result when organizations fail to properly assess their assets and define potential current and future risks. Like the Microsoft model, Kimball (2000) suggests that mathematical probability and cost-benefit analysis can be used to determine what parameters are necessary to minimize risk and what losses a company may realize if certain risks aren't mitigated. The researcher suggests additional measures be implemented to reduce risk, including "purchasing insurance, hedging, screening customers, closely supervising employees and monitoring supervisors and diversification" (Kimball, 3). It is important to note the researcher does not suggest that risk may be completely eliminated, but rather that organizations can drastically reduce the probability that something catastrophic will occur as a result of threats against the company.
Kimball suggests that many other factors can be utilized to evaluate and manage risk. Aspects of a firm's operations, including managers' ability to diversify portfolios, the proportion of "intangible assets" an organization has and the "convexity of tax schedules," all influence risk and thus must be evaluated (Kimball, 3).
Leithhead & McNamee (2000) identify multiple approaches to risk management, including the database approach, the algorithm approach and the matrix approach. The database approach concerns itself with developing a database from which reports delineating common risks within a group are extracted (Leithhead & McNamee, 2000). Such an approach might also be referred to as a scenario-driven approach to risk management, and may help managers review data for financial risks or risks associated with specific asset groups.
The algorithm approach involves mathematical calculations to assess risk (Leithhead & McNamee, 2000). This approach is used by the Microsoft security risk management system. Risk models using this approach include database gathering of information as well as strategy-based planning (Leithhead & McNamee, 2000). Managers can manipulate data more using this approach than with the database approach alone. The matrix approach involves a "higher level focus and graphic display of risk" where an organization's business units are compared with high-level risks on two axes. Teams then assess risk and display it on a matrix (Leithhead & McNamee, 2000).
Risk Management Failure Reduction
Failure occurs when organizations realize catastrophic losses that exceed worst-case expectations, when errors occur in risk management or when firms simply fail to plan for risk management as part of operations (Kimball, 2000).
Microsoft (2004) suggests that failure may occur when an organization leaves out vital portions of the risk management process, which may include engaging in qualitative and quantitative analysis of risk measurement. Quantitative risk assessment includes evaluating and assigning monetary significance to defined assets, creating a list of medium- to high-risk threats, calculating the probability these threats will occur and how long they will last, determining the loss potential for an organization over a 12-month period and recommending appropriate, cost-reasonable safeguards and controls to mitigate risks (Microsoft, 2004).
While most of these calculations would be subjective at best, they nonetheless provide an organization with valuable information related to risk management. Organizations can't exactly define risks or the potential losses that will result from a threat; they can, however, take steps to reasonably estimate the potential risk or threat of a given situation and calculate the cost-to-benefit ratio of mitigating this risk.
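The quantitative assessment sketched above (value the asset, estimate the loss from one incident, estimate how often it recurs in a year, then weigh that annual exposure against the cost of a safeguard) can be written down as a small calculation. The following is an added illustration, not code from the Microsoft guide or from this paper. It uses the standard quantitative-risk vocabulary of single loss expectancy (SLE = asset value × exposure factor), annualized rate of occurrence (ARO) and annual loss expectancy (ALE = SLE × ARO); the threat and control figures are constructed sample values, and the names `Threat`, `Control` and the helper functions are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    asset_value: float      # direct plus indirect monetary impact if the asset is lost
    exposure_factor: float  # fraction of asset value lost in a single incident (0.0 to 1.0)
    aro: float              # annualized rate of occurrence: expected incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    threat: str             # name of the Threat this safeguard addresses
    annual_cost: float      # yearly cost to acquire, operate and maintain the safeguard
    aro_after: float        # expected incidents per year once the control is in place
    ef_after: float         # exposure factor once the control is in place


def single_loss_expectancy(t: Threat) -> float:
    """Money lost in one occurrence of the threat."""
    return t.asset_value * t.exposure_factor


def annual_loss_expectancy(t: Threat) -> float:
    """Expected loss over a 12-month period if nothing is done."""
    return single_loss_expectancy(t) * t.aro


def residual_ale(t: Threat, c: Control) -> float:
    """Expected annual loss that remains after the control is applied."""
    return t.asset_value * c.ef_after * c.aro_after


def control_net_benefit(t: Threat, c: Control) -> float:
    """ALE reduction minus the control's annual cost; positive means it pays for itself."""
    return annual_loss_expectancy(t) - residual_ale(t, c) - c.annual_cost


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Order threats by ALE so the medium- and high-risk ones surface first."""
    return sorted(threats, key=annual_loss_expectancy, reverse=True)


def recommend_controls(threats: List[Threat], controls: List[Control]) -> List[str]:
    """Names of the controls whose ALE reduction exceeds their annual cost."""
    by_name: Dict[str, Threat] = {t.name: t for t in threats}
    return [c.name for c in controls if control_net_benefit(by_name[c.threat], c) > 0]


def evaluate(threats: List[Threat], controls: List[Control]) -> List[Tuple[str, float, float]]:
    """(control name, ALE before, net benefit) for every proposed safeguard."""
    by_name = {t.name: t for t in threats}
    return [(c.name, annual_loss_expectancy(by_name[c.threat]),
             control_net_benefit(by_name[c.threat], c)) for c in controls]


# Constructed sample register: three threats against three assets.
THREATS = [
    Threat("Ransomware on order database", "order DB", 2_000_000.0, 0.25, 0.5),
    Threat("Laptop theft", "field laptops", 10_000.0, 1.0, 4.0),
    Threat("Web defacement", "public website", 100_000.0, 0.1, 2.0),
]

# Constructed candidate safeguards, one per threat.
CONTROLS = [
    Control("Offline backups with tested restore", "Ransomware on order database",
            annual_cost=60_000.0, aro_after=0.5, ef_after=0.05),
    Control("Full-disk encryption on laptops", "Laptop theft",
            annual_cost=15_000.0, aro_after=4.0, ef_after=0.2),
    Control("24x7 external monitoring service", "Web defacement",
            annual_cost=30_000.0, aro_after=0.5, ef_after=0.1),
]


if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.name:32} SLE={single_loss_expectancy(t):>12,.0f} "
              f"ALE={annual_loss_expectancy(t):>12,.0f}")
    for name, ale, benefit in evaluate(THREATS, CONTROLS):
        verdict = "recommend" if benefit > 0 else "cost exceeds benefit"
        print(f"{name:36} ALE before={ale:>10,.0f} net benefit={benefit:>10,.0f}  {verdict}")
```

The third control is deliberately one whose yearly cost is larger than the loss it avoids; the point of the "cost reasonable" criterion in the passage is exactly that such a safeguard is rejected even though the threat it addresses is real. The figures are subjective estimates, as the text notes, so in practice the inputs are ranges agreed with the business owners rather than single numbers.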
Qualitative assessment differs from quantitative assessment in that it involves much more subjectivity and experience-based information. It does not involve assigning monetary values to losses and assets, but rather involves risk evaluation through questionnaires and workshops that share knowledge between different people (Microsoft, 2004).
Researchers have also defined this as "scenario driven" risk management and planning (Acar & Georgantzas, 1995). Strategic management, according to Acar & Georgantzas (1996), involves detecting and planning for threats and converting them into opportunities. They call this process scenario-driven planning, and it can help an organization improve the "content and process or what and how of strategy design" (6). Much like Microsoft's approach, scenario-driven planning involves identifying variables that may act as threats and identifying a firm's objectives with respect to its strategic initiatives.
Firms must evaluate "causal relationships" and determine how changes in relationships may or may not result in losses. Variables that should be considered include the organization's external environment, which offers threats including "competition, emergence of new products and processes, government regulation, fluctuations in currency rates and interest," all of which can determine an organization's success and losses over time (Acar & Georgantzas, 386). The researchers further suggest that organizations engage in environmental analysis to identify not only trends and threats but also opportunities for success and profits. An organization must at the same time identify its own resources, strengths and any weaknesses that may prevent it from taking action, implementing a risk management program or dealing with organizational resistance to risk management procedures (Acar & Georgantzas, 1996).
Methods
The aim of this research is to identify what critical success factors have contributed to Microsoft's security risk management approach, and also to determine whether the principles underlying this approach can be applied to other organizations. As part of the research process the researcher will review other approaches companies have taken to manage security risk and compare these practices with those of Microsoft Corporation. The intent of the researcher is to analyze the merits of the Microsoft security risk management program and ascertain whether the guidelines established by the company are applicable to those other organizations.
This research adopts a narrative review as a qualitative approach toward examining risk management. The narrative interpretive method allows the researcher to analyze current documents and case studies to prove or disprove the validity of a particular approach (Jones, 2004). Qualitative research such as this is as much about reporting as it is about collecting evidence to support social research (Jones, 2004). This type of methodology is concerned with finding and verifying the meaning, truth or reality and significance of any given phenomenon or occurrence (Hiatt, 1986).