Security and Risk Analysis
The job of an information security officer is not confined simply to the realm of digital data protection, because the rigorous demands of modern global commerce require an information security plan that is specifically designed to prioritize a firm's operational functionality. While constructing control mechanisms that entirely eliminate systemic risks may be an information security officer's notion of time well spent, managers and executives expect their firm's information security policies to enhance productivity rather than impose restrictive barriers to doing business. One of the most important aspects of risk management and data protection is the concept of risk analysis, which is the process of assessing "the business risks of an application, system, or other asset to determine the most prudent method of operation" (Peltier, Peltier and Blackley, 2005). The vast majority of risk management experts within the information security field share the fundamental belief that "by conducting a business-oriented risk analysis, an organization can determine what needs to be included within its information security policy" (Layton, 2007), and conducting a thorough risk analysis is now essential to the overall objective of securing a firm's invaluable data.
Managers are expected to run a series of regular risk analyses because the operational structure of their firm is continually adapting to external market conditions, while the technological tools the firm applies are constantly being updated to assure optimal efficiency. It has been observed that "the risk analysis process has two key objectives: (1) to implement only those controls necessary and (2) to document management's due diligence" (Peltier, Peltier and Blackley, 2005), which is another prime motivational factor for managers considering the benefits of including a risk analysis within their overall information security policy. The directives produced by a proper risk analysis process provide managers and executives with direct evidence of their efforts to prevent external intrusions and internal negligence, which may prove useful in the unlikely event that a control fails or is breached. When one considers how "to a large degree, information security is about continually assessing risks that are applicable to the environment," it becomes self-evident that "the balance and exact controls that are implemented should be the result of a detailed and customized risk analysis process" (Layton, 2007). The ultimate goal of any information security policy must always be a combination of threat detection and prevention with a pragmatic appraisal of a firm's operational requirements, because when precise security controls are applied unnecessarily, they only impede the daily work of trusted employees under the false promise of enhanced security. The true success of the risk analysis process can only be measured through a dual analysis of the threats that have been identified and thwarted, along with the effectiveness and efficiency of a firm's systemic structure.