Chap 1 - 5: Risk, Risk Management and Information Technology Risk Management


Page 1 of 41

CHAPTER 1.0: INTRODUCTION TO RISK, RISK MANAGEMENT AND INFORMATION TECHNOLOGY RISK MANAGEMENT

Allah does not charge a soul except [with that within] its capacity...

Surah Al-Baqarah (the Cow) verse 286

(Source: Terjemahan Al-Hidayah Al-Qur’an Al-Karim, 2013)

Of all the wonders that I yet have heard

It seems to me most strange that men should fear

Seeing that death, a necessary end

Will come when it will come

– William Shakespeare, Julius Caesar

(Source: Shakespeare Online, 2014)

1.1 Introduction to Risk

From an Islamic perspective, analyzing Surah Al-Baqarah verse 286: even though that verse does not explicitly mention the modern word "risk", we can still relate it to this unwelcome kind of event. Generally, risk refers to something that might happen, usually something bad, and this verse tells us that Allah s.w.t. would never give a test or burden (risk) to His followers except one that they could bear. So, here we can say that any risk that comes to us can actually be prevented, solved and controlled. However, it depends on us how we handle such a risk, either by making precautionary plans or by taking any necessary corrective actions.

Turning to the great dramatist William Shakespeare, he also expresses in dramatic and meaningful language the most fearful occurrence in human life, which is death.

(… to the end of the verse.)

However, we are not going to discuss death; rather, the last line gives us a meaningful phrase that refers to an event we cannot control. If something is going to happen, it just happens, and the same goes for risk. This is because in most events we as human beings do not have any power to stop coming tragedies or catastrophes that will harm our assets or even our precious lives.

Meanwhile, looking at ideas from scholars, each has their own definition of risk. Risk is the idea that something might happen, usually something bad, and risk is the probability that exposure to a hazard will lead to a negative consequence (Ropeik and Gray, 2002). In other words, risk can be thought of as an event that will occur and will burden and negatively affect the victims, since it has exposed them to danger. Other than that, risk can also be defined as a measure of the probability and severity of adverse effects (Lowrance, 1976).

So, in order to get a better understanding of risk, three topics will be covered in Chapter 2: the basic concept of risk, risk perceptions and also global risk award. The basic concept of risk will bring the reader the concept as perceived by a scholar (Haimes), a respected body (CLUSIF) and also the ISO/IEC 27005 standard.

1.2 Introduction to Risk Management

Risk management can be referred to as a process consisting of well-defined steps which, when taken in sequence, support better decision making by contributing to greater insight into risks and their impacts (Sai Global, 2003). In other words, risk management is a procedure that guides the organization in making good decisions suited to the coming or potential risks that it might face. Due to that, Chapter 3 will give the reader details on risk management, starting from another brief definition of risk management and its revolution. Then, other matters pertaining to risk management are also discussed, such as the process of risk management, risk management as an integral part of overall management, total risk management, multi-tiered risk, as well as the key roles of the officers involved in handling risk. So, it seems that management such as the Chief Risk Officer has to understand all these roles so that they can manage well any potential or coming risks, thus minimizing the negative effects that might influence company performance, even though zero negative effect cannot be achieved.

1.3 Introduction to Information Technology Risk Management

Since risk might disturb the operation of the organization, managing risk also needs to extend to the information technology used by the organization, because in this modern era information technology is a compulsory tool for organizations. Due to that, Chapter 4 will elaborate more on what information technology risk management is all about. The process of information technology risk management, the five phases of an information technology mitigation program and the top ten emerging information technology risks will be covered under that chapter.


CHAPTER 2.0: RISK

2.1 What is Risk?

Risk is often defined as a measure of the probability and severity of adverse effects (Haimes, 1998). Risks should be dealt with appropriately because entities, companies and organizations own "assets", both tangible and intangible, that could be involved in risks, with consequences for these entities (CLUSIF, 2008).

Assets are the mandatory elements needed for entities, organizations or even a small business to run their operations. In very general terms, an asset can be defined as anything that could be of value or importance to the entity (CLUSIF, 2008). In 2008, both the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) came out with Information Technology – Security Techniques – Information Security Risk Management (ISO/IEC 27005), which clearly differentiates between the primary assets and the supporting assets involved in the daily operations of organizations in Annex B (informative), Identification and Valuation of Assets and Impact Assessment (ISO/IEC 27005, 2008).

i) Primary assets

There are two types of primary assets:

a) Business processes (or sub-processes) and activities, such as processes that contain secret processes.

b) Information, such as strategic information on how to achieve the objectives, as well as information for the exercise of the mission and vision of the organization.

ii) Supporting assets

There are many types of supporting assets, such as:

a) Hardware, which consists of data processing equipment, transportable equipment, fixed equipment, processing peripherals such as printers, and also electronic media such as CD-ROMs, removable hard discs and backup cartridges. Appendix 1 also portrays some information on hardware.

b) Software, which includes any programs contributing to the operation of the data processing set, and which can be divided into two kinds: system software and application software. System software might consist of system management programs, system support programs and system development programs. Application software might consist of general-purpose application programs and application-specific programs (Humayun Kabir, 2014). Refer to Appendix 2.

c) Network, which consists of media and network supports such as the Public Switched Telephone Network, Ethernet and Gigabit Ethernet. A network also consists of passive or active relays and communication interfaces. Routers, hubs, switches and automatic exchanges are the best examples of passive or active relays, and General Packet Radio Service (GPRS) and Ethernet adaptors are the best examples of communication interfaces.

The wide scope of risks, including their nature, consequences and impact, should be addressed accurately and precisely by organizations, since risks will negatively affect the assets of the organization, whether primary assets, supporting assets or both. If the assets of an organization have been ruined by any kind of risk, the operation of the organization will surely be disrupted and daily operations will temporarily stop. Failure to analyze risks might lead organizations to fail in completing targeted tasks, so that both the short- and long-term vision of the organization cannot be achieved. Research shows that an organization's inability to resume normal business activities within a reasonable time span after a major disruption is a key predictor of business survival (Brown et al., 2012).


2.2 Basic Concept of Risk

The concept of risk has appeared in numerous investigations of decision making, both as a descriptive and as an explanatory construct. After using various approaches, the study of risk has come out with three basic assumptions (Pollatsek and Tversky, 1970), stated clearly below:

1. Risk is regarded as a property of options, such as gambles or courses of action, that affects choices among them (Pollatsek and Tversky, 1970). In other words, this first assumption states that risk exists when we make a choice, and that risk derives from our own actions and decisions. Other than gambles, we can also use the choice to make an investment in a business as another example. Due to our choice or decision to spend money investing in a company, we are exposed to the risk of losing that money if there is no profit in return. So, risk arises from our course of action to invest.

2. Options can be meaningfully ordered with respect to their riskiness (Pollatsek and Tversky, 1970). In other words, this second assumption explains that the choice or option we make depends on the risk of that action itself. An example is the risk of drug trafficking compared with cigarette smuggling. Generally, with our basic knowledge of the law, we can say that trafficking drugs carries a higher risk than smuggling cigarettes.

Thus, taking into consideration that options can be meaningfully ordered with respect to their riskiness, we would surely choose to smuggle cigarettes due to the lower level of riskiness compared with trafficking drugs, assuming we are criminals. In Malaysia, these two actions have different levels of risk due to the different levels of punishment imposed by the law, where trafficking drugs carries a higher risk for the guilty person if they get caught.

According to Section 39B(1) on trafficking in dangerous drugs, any person who contravenes any of the provisions of subsection (1) shall be guilty of an offence against this Act and shall be punished on conviction with death. "Dangerous drug" means any drug or substance which is for the time being comprised in the First Schedule (Laws of Malaysia: Dangerous Drugs Act, 1952). The list of dangerous drugs under the First Schedule of this Act is attached as Appendix 3.

Then, cigarette smuggling is investigated under Section 135 of the Customs Act 1967, which provides for a maximum fine of 20 times the value of the goods seized, or imprisonment for three years, or both (Official Website of the Royal Malaysian Customs Department, 2013; Laws of Malaysia: Customs Act 1967). So, after analyzing these two acts with respect to their riskiness, we would surely be reluctant to traffic drugs and would choose cigarette smuggling instead, assuming we are criminals.

3. The risk of an option is related in some way to the dispersion, or the variance, of its outcomes (Pollatsek and Tversky, 1970). In other words, the risk of an option depends on the outcomes of that option itself. For example, take assumption number two (2) above: between trafficking drugs and smuggling cigarettes, we chose the option of smuggling cigarettes.

The risk of this option, smuggling cigarettes, depends on the outcome of the smuggling activity itself. If the outcome is that we successfully smuggle the cigarettes, there is no risk, since the difficult phase of smuggling, avoiding getting caught by the authorities, has come to an end. However, the other way around will happen if we get caught by an authority such as the Royal Malaysian Customs, and at this phase we as a smuggler surely face a high risk, since we will be charged under Section 135 of the Customs Act 1967, as discussed above.
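The three assumptions above can be made concrete by modelling each option as a distribution of outcomes and then ordering the options by a risk measure. The following script is an added example (not from the report or from Pollatsek and Tversky); the option names and the outcome figures are constructed for illustration and use the report's own investment example from assumption 1 rather than the smuggling example. It computes the expected value, the variance of outcomes (assumption 3) and the "probability times severity of adverse effects" measure quoted earlier from Lowrance and Haimes, and shows that the ordering (assumption 2) depends on which measure is chosen.

```python
"""Ordering options by riskiness, following the three Pollatsek and Tversky
assumptions discussed above.  Added example: the option names and the outcome
numbers are constructed for illustration and are not from the report."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Option:
    """A course of action with a discrete outcome distribution.
    outcomes: (net gain in currency units, probability) pairs; probabilities sum to 1."""
    name: str
    outcomes: Tuple[Tuple[float, float], ...]

    def __post_init__(self):
        total = sum(p for _, p in self.outcomes)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{self.name}: probabilities sum to {total}, not 1")
        if any(p < 0 for _, p in self.outcomes):
            raise ValueError(f"{self.name}: negative probability")


def expected_value(opt: Option) -> float:
    return sum(x * p for x, p in opt.outcomes)


def variance(opt: Option) -> float:
    """Dispersion of outcomes (assumption 3): E[(X - E[X])^2]."""
    mu = expected_value(opt)
    return sum(p * (x - mu) ** 2 for x, p in opt.outcomes)


def expected_loss(opt: Option) -> float:
    """Probability times severity of the adverse outcomes only, i.e. the
    'measure of the probability and severity of adverse effects' definition
    (Lowrance 1976; Haimes 1998) applied to each losing outcome."""
    return sum(p * -x for x, p in opt.outcomes if x < 0)


def order_by_riskiness(options: List[Option],
                       measure: Callable[[Option], float] = variance) -> List[str]:
    """Assumption 2: options can be meaningfully ordered by riskiness.
    Returns option names from least to most risky under the chosen measure."""
    return [o.name for o in sorted(options, key=measure)]


# Constructed investment options (the report's own example of a course of
# action, assumption 1): what happens to 1 000 units of money after a year.
OPTIONS = [
    Option("keep cash", ((0.0, 1.0),)),                          # nothing lost, nothing gained
    Option("savings account", ((30.0, 0.98), (-1000.0, 0.02))),  # small interest, small chance of total loss
    Option("diversified fund", ((120.0, 0.6), (-80.0, 0.4))),
    Option("single speculative stock", ((900.0, 0.3), (-1000.0, 0.7))),
]

if __name__ == "__main__":
    for o in OPTIONS:
        print(f"{o.name:26s} E={expected_value(o):8.1f}  Var={variance(o):11.1f}  "
              f"expected loss={expected_loss(o):7.1f}")
    print("least -> most risky (variance):     ", order_by_riskiness(OPTIONS))
    print("least -> most risky (expected loss):", order_by_riskiness(OPTIONS, expected_loss))
```

With these constructed figures the variance ordering puts the savings account above the diversified fund (a rare but total loss spreads the outcomes widely), while the expected-loss ordering puts it below; both orderings are "meaningful" in the sense of assumption 2, but an organization has to state which measure it ranks by before it can compare options.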

2.3 Where Do Our Fears About Risk Come From?

“People are disturbed, not by things, but by the view they take of them”

- Epictetus, 200 A.D

This phrase explains that the fears we feel actually depend on how we perceive things, or our mindset regarding that particular event: whether we perceive it as good or bad, or even as a chance for us to improve or as an obstacle to our previous and future efforts. The same applies to risk; it actually depends on how we see that risk, how we perceive it, and our mindset towards it, whether the coming risk, or even the risk we are facing now, can be a chance for us to improve existing security or not. Sub-section 2.3.1 below explains the perception of risk in detail.

2.3.1 Risk Perceptions

Perception of risk here refers to people's thinking about risk, which is mostly negative and might involve different levels of thinking. People also often think risks might bring a huge impact to themselves, their families and their surroundings, or even a small impact. Listed below are three perceptions of people explaining their thinking about risks (Ropeik and Gray, 2002).

1. Most people are more afraid of risks that are new than of those they have lived with for a while. In other words, newcomers are more afraid of the risks coming to them than those who have already spent years or decades of their life in that place. For example, new neighbours are more alert to the safety of their house at night compared with residents who are already familiar with that residential area.

2. Most people are more afraid of human-made risks than of natural ones. For example, the radiation from nuclear waste or cell phones, which derives from human actions, causes more apprehension than radiation from the sun, which scientifically poses a far greater risk.

All this is perfectly portrayed by the guidelines on managing nuclear radiation in Japan and the safety information from Samsung on their products, to keep a little distance between a pacemaker and the device, such as for the Samsung Galaxy Note 8.0, due to its negative effect on the device (Samsung Electronics, 2013). However, human awareness of sun radiation is lower, since people keep contributing to ozone depletion through the use of goods hazardous to the ozone layer that contain chlorofluorocarbons (CFCs), such as refrigerators and pesticide sprays.

3. Most people are more afraid of risks imposed on them than of risks deriving from their own actions. For example, smokers are more afraid of asbestos and other indoor air pollution in their workplace than of the negative effects of their smoking behaviour. Then, what is even worse, the risks derived from cigarette smoke not only harm the smoker but also passive smokers, because smoke contains carcinogenic materials which might lead to cancer. However, people are still less afraid of the risks derived from their own action of smoking, and this is portrayed by the increasing number of smokers regardless of age.

There is an increasing number of young people, and even children as young as 13, who are addicted to smoking, and also a sharp increase in female smokers in Malaysia, especially among young women, girls and even expectant mothers (The Star Online, 2012).

In conclusion, understanding the basic concept of risk might help management in analyzing risks, such as their nature, consequences and the impact they will bring to the organization. It is crucial to implement this because it will help the organization get ready for any negative circumstances that come to them, as well as in providing and preparing the necessary actions. Failure to analyze risks might lead to failure in completing the routine activities of the company and thus might reduce the financial achievement and stability of the company.


CHAPTER 3.0: RISK MANAGEMENT

3.1 What is Risk Management?

Risk management is a process consisting of well-defined steps which, when taken in sequence, support better decision making by contributing to a greater insight into risks and their impacts (Sai Global, 2003). In other words, risk management is a process which defines the procedures that should be taken by organizations in order to dismiss and handle risks and their negative consequences for the organization's operations.

From another point of view, risk management is commonly distinguished from risk assessment, even though some may use the term risk management to connote the entire process of risk assessment and management (Haimes, 1998). Risk management begins with three basic questions:

1. What can go wrong?

This question demands that organizations define and find the risks that might be faced by their assets.

2. What will we do to prevent it?

This question demands that organizations find and address the precautionary actions that should be implemented in order to prevent such risks.

3. What will we do if it happens?

This question demands that organizations find and address the corrective actions that should be implemented if the risk cannot be avoided and has occurred.


3.2 Fifty Years Revolution of Risk Management

As the title indicates, Table 1 below lists fifty years of risk management revolution, starting from modern risk management.

Year        Revolution                                                                                     Source

1955-1964   Origin date of modern risk management                                                          Crockford, 1982; Harrington and Neihaus, 2003; Williams and Heins, 1995

1963-1964   First two academic books were published by Mehr and Hedges in 1963 and Williams and Heins in 1964   Dionne, 2013

1970-1980   The use of derivatives as instruments to manage insurable and uninsurable risk began and developed quickly in the 1980s   Dionne, 2013

1980        Companies began to consider financial management of the risk portfolio                         Dionne, 2013

1990        Operational risk, liquidity risk and international regulation of risk began                    Dionne, 2013

2001        Sarbanes-Oxley regulation was introduced in the United States                                  Dionne, 2013

Table 1: Risk Management Revolution

(Sources: Crockford, 1982; Harrington and Neihaus, 2003; Williams and Heins, 1995; Dionne, 2013)


3.3 Risk Management Process

Figure 1: Risk Management Process

(Source: Locke and Gallagher, 2011)

[Figure 1 labels: Frame, Assess, Respond, Monitor; Information and Communications Flows between the components]

As illustrated in Figure 1 above, both information and communication flows take place in the risk management process, while the black arrows represent the primary flows within this process. As we know, information and communication are vital in managing everything in daily life, since these two things help us get clear about what we want to do and are supposed to do. Thus, the same roles of information and communication also apply in this risk management process.

Adequate information is very crucial, since the necessary information allows the risk management process to face the actual coming risks accurately and precisely. An example is adequate information on the nature of the risk itself, such as when a catastrophe might occur, or whether the level of its negative impact on the organization's assets is small or huge. The same goes for communication, which plays a vital role in transmitting the information (data) throughout the organization, or even to the respective officers. Precision and truthfulness in disseminating the information are crucial, since they show transparency and allow exact decisions to be made. In other words, the right decision in managing risk can be made if the respective officers are able to analyze valid information, and that can be achieved if there is good and effective communication between those parties.

Generally, risk framing plays an important part in this process by informing all the activities, moving from risk assessment to risk response and to risk monitoring in sequential steps. For example, new legislation, directives or policies may require organizations to implement additional risk response measures immediately. This information is communicated directly from the risk framing component to the risk response component, where specific activities are carried out to achieve compliance with the new legislation, directives or policies. However, this flow should pass through risk assessment, where addressing what the organizations are supposed to do takes place, before monitoring of the activities carried out happens.


3.4 Risk Management as an Integral Part of Overall Management

Figure 2: Risk Management as an integral part of overall management

(Source: Haimes, 1998)

[Figure 2 labels: Technological Age; Risk Management ≈ Optimal Balance; Uncertain Benefits, Uncertain Costs; Technology Management: Man/Machine/Software Systems - Planning, Design, Operation; Risk Management]

In order to develop effective and meaningful protection for organizations, risk management must be made an integral part of the overall management of a system. This is because if there is some failure in the hardware, the software, the organization or the humans involved, then it will surely lead to and cause system failure. Thus, risk management should take place all over the organization, integrally.

Discussing the role of risk management as an integral part further, for a better understanding, especially for those who have no basic knowledge, "whole" is the best word to replace the word integral. In other words, risk management can be said to be the whole part of the overall management of an organization, and, frankly speaking, risk management is said to be the whole part because it comprises both risk assessment and management, which involves all angles. The premise that risk assessment and management must be an integral part of the decision making process necessitates following a systematic, holistic approach to dealing with risk (Haimes, 1998).

Depicted in Figure 2 above is the integral role that risk management plays in overall management. As shown, risk management covers all the important aspects of the organization, such as man, machine, software systems, planning, design and operation, as well as the benefits and costs faced by the organization. In other words, we can say that risk management covers the input (man, machine and software systems) and also the processes (planning and design). It is also concerned with risks that might exist in daily operations, some reduced or added benefits, and also the rising costs faced by the organization.


3.5 Total Risk Management

Total Risk Management (TRM) can be defined as a systematic and statistically based holistic process that builds on formal risk assessment and management (Ropeik and Gray, 2002). TRM plays a significant role in answering the two sets of triplet questions for risk assessment and management, and also addresses the set of four sources of failure within a hierarchical multi-objective framework (Haimes, 1998). The TRM paradigm is depicted clearly in Figure 3, and, as a part of TRM, the sources of failure are also depicted in Figure 4, under the name of system failure.

Figure 3: Total Risk Management

(Source: Haimes, 1998)

Risk Assessment Questions:

- What can go wrong?

- What is the likelihood that it would go wrong?

- What are the consequences?

Source of Failure:

- Hardware Failure

- Human Failure

- Software Failure

- Organizational Failure

Risk Management Questions:

- What can be done?

- What options are available and what are their associated trade-offs in terms of all costs, benefits, and risks?

- What are the impacts of current management decisions on future options?


Figure 4: System Failure

(Source: Haimes, 1998)

[Figure 4 labels: Human Failure, Hardware Failure, Organizational Failure, Software Failure]

3.6 Multi-tiered Risk Management

In order to integrate the risk management process throughout the organization, a three-tiered approach is employed to address risk at the: (i) organization level; (ii) mission/business process level; and (iii) information system level (Locke and Gallagher, 2011). The risk management process is suggested to be carried out without interruption in each of these tiers, aiming to achieve continuous improvement in the risk-related activities of the organization. Figure 5 below illustrates the multi-tiered approach to risk management.


Figure 5: Multi-tiered Organization-Wide Risk Management

(Source: Locke and Gallagher, 2011)

[Figure 5 labels]

Tier 1: Organization

Tier 2: Mission/Business Processes

Tier 3: Information Systems

Strategic Risk - Tactical Risk

- Inter-Tier and Intra-Tier Communications

- Feedback Loop for Continuous Improvement

- Traceability and Transparency of Risk-Based Decisions

- Organization-Wide Risk Awareness


3.7 Key Roles

Risk management is obviously part of management responsibility. As portrayed in Table 2 below, this sub-section describes the key roles of the personnel and groups of people who should support and participate in the risk management processes.

Position: Senior Management

- Ensure necessary resources are effectively applied to develop the capabilities needed to accomplish the mission

- Assess and incorporate results gained from risk assessment activity so that they can be used in the decision making process

- Provide full support and involvement in assessing and mitigating IT-related mission risks

Position: Chief Information Officer (CIO)

- Make precise decisions; responsible for the agency's IT planning, budgeting and performance, including its information security components

Position: System and Information Owners

- Responsible for ensuring that proper controls are in place to address the integrity, confidentiality and availability of the IT systems and data they own

- Responsible for changes to their IT systems, by approving and signing off on changes such as system enhancements and major changes to software and hardware

Position: Business and Functional Managers

- Play an active role in the risk management process

- Have the authority and full responsibility for making the trade-off decisions essential to mission accomplishment

- Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources

Position: Information System Security Officer (ISSO)

- Responsible for their organizations' security programs, including risk management

- Play a leading role in introducing an appropriate, structured methodology to help identify, evaluate and minimize risks to the IT systems that support their organizations' missions

- Act as major consultants in support of senior management to ensure that this activity takes place on an ongoing basis

Position: IT Security Practitioners

- Responsible for proper implementation of security requirements in IT systems

- Identify and assess new potential risks and implement new security controls as needed to safeguard IT systems such as networks, systems and applications, together with database administrators, computer specialists, security analysts and security consultants

Position: Security Awareness Trainers (Security/Subject Matter Professionals)

- Develop appropriate training materials and incorporate risk assessment into training programs in order to educate end users so as to minimize risk to the IT systems

Table 2: Key Roles

(Source: Stoneburner, Goguen, and Feringa, 2002)

In conclusion, all the above personnel have to know their own job scopes and requirements in handling, supporting and participating in the risk management processes. It is vital for each of them to really follow all the stated key roles so that the necessary actions can be taken. Properly assigning the responsible person is also important for the organization, so that each person can give full focus to their respective area, since there is then no redundancy in the tasks allocated to them.


CHAPTER 4.0: INFORMATION TECHNOLOGY RISK MANAGEMENT

4.1 What is Information Technology Risk Management?

Rephrasing the definition of risk management from Sai Global (2003), as discussed in Chapter 3.1, risk management is a process which defines the procedures that should be taken by organizations in order to dismiss and handle risks and their negative consequences for the organization's operations. Thus, we can clearly say that information technology risk management is the effort by management to extrapolate, monitor, handle and minimize the risks that arise in the information technology used by the company.

The use of information technology not only creates a digital society (Gutmann, 2001) but is also useful in communicating and disseminating information within and throughout the organization. However, if there is any catastrophe, natural disaster or even human-made disaster, the process of communicating and disseminating information in the organization will surely be disrupted. Due to that, it is crucial for the organization to have its own information technology risk management, so that the organization will be able to run its daily operations without any disturbance and make the whole process run smoothly.

Then, to help the organization manage risks that arise in its information technology, sub-topic 4.3 will discuss the process of information technology risk management further.

4.2 Information Technology Risk Management Process Overview

In order to get a better understanding, a sample information technology risk management process from the University of Virginia will be discussed clearly under this sub-topic. The sample from this university has been chosen because the university has the latest information on this compared with others. The four steps of the University of Virginia's information technology risk management process are listed below. However, to make the explanation reach the reader clearly, some additional information has been added briefly on some points.

Step 1: Information Technology (IT) Mission Impact Analysis (see Appendix 4)

• Verify the department's critical assets, such as hardware, software, information and people:

Hardware: Hardware consists of electronic components and related gadgetry that input, process, output and store data according to instructions encoded in computer programs or software (Kroenke and McKinney, 2013). For examples of hardware, please refer to Appendix 1.

Software: There are two basic types of software: system and application. System software is required to use the computer, whereas application software processes the user's data (McLeod and Schell, 2004). For examples of software, please refer to Appendix 2.

Information: Information is processed data that is meaningful, which is to say it usually tells the user something that he or she did not already know (McLeod and Schell, 2004).

People: As part of the five-component framework, people are one of the five fundamental components of an information system; they include those who operate and service the computers, those who maintain the data, those who support the networks and those who use the system (Kroenke and McKinney, 2013).

Step 2: Information Technology (IT) Risk Assessment

• Assess departmental security practices according to the standards set by the organization, the state and the federal government
• Plot your department's assets from Step 1 against the threat scenarios provided (and others that your department identifies)
• Assign a weight to each threat to your assets based on the likelihood of it occurring in your environment and the impact of any vulnerability
• List the threats in order of the priority of the harm they pose to the organization
• Plot these threats back to the response strategies provided (and others your department develops)
• Construct (or update, if you already have one) your department's security plan for justifying or accepting the identified risks
• Take into account previously implemented strategies and existing plans; use (and document) effort and analysis that you have already produced
• Document your key decisions and justifications

Step 3: IT Mission Continuity Planning

• Create (or update) a response plan for your department to use in the event that critical IT assets are lost, unavailable, corrupted or disclosed
• Test your plan

Step 4: Evaluation and Reassessment

• Repeat Steps 1-3 every three years or when there are significant changes to departmental IT assets or the risk environment
• Review the success of your prior analysis, testing and any responses made, whether they were corrective, preventive or post-incident
• Incorporate responses to any intervening changes, such as a new operating system, critical applications or data.

(Source: University of Virginia Information Technology Security Risk Management (ITS-RM) Program Version 4.0, 2014)
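The weighting and prioritisation in Step 2 can be made concrete with a small risk register. The following Python is an added illustration and is not code from the University of Virginia programme or from this paper; the asset names, threat scenarios, 1-to-5 rating scales, score thresholds and response strategy labels are constructed for the example. It takes the critical assets list from Step 1, rejects threats against assets that are not on that list, weights each threat by likelihood times impact, ranks the threats, and records the strategy and justification for each one, which is the documentation Step 2 asks for.

```python
"""Worked example of Step 2 (IT risk assessment): weight, prioritise and document threats.

Added illustration only; assets, threats, scales and thresholds are constructed.
Likelihood and impact are rated 1 (low) to 5 (high); score = likelihood x impact.
"""
from __future__ import annotations

from dataclasses import dataclass

# Step 1 output: the department's critical assets and their type (constructed sample)
CRITICAL_ASSETS = {
    "student-records-db": "information",
    "file-server-01": "hardware",
    "payroll-app": "software",
    "sysadmin-team": "people",
}


@dataclass
class Threat:
    asset: str
    scenario: str
    likelihood: int  # 1 (rare) to 5 (almost certain)
    impact: int      # 1 (negligible) to 5 (severe)

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Decision:
    asset: str
    scenario: str
    score: int
    strategy: str
    justification: str


def validate(threat: Threat) -> None:
    """A threat must be plotted against an asset identified in Step 1 and use the 1-5 scale."""
    if threat.asset not in CRITICAL_ASSETS:
        raise ValueError(f"{threat.asset!r} is not on the critical assets list from Step 1")
    if not (1 <= threat.likelihood <= 5 and 1 <= threat.impact <= 5):
        raise ValueError("likelihood and impact must be rated 1-5")


def select_strategy(score: int) -> str:
    """Map a weighted score to a response strategy.

    The cut-offs (15 and 6) are constructed for this example; a real department
    derives them from its own risk appetite and records them in the security plan.
    """
    if score >= 15:
        return "mitigate now"
    if score >= 6:
        return "mitigate (planned)"
    return "accept"


def assess(threats: list[Threat]) -> list[Decision]:
    """Validate, weight and rank threats, then document the decision for each."""
    for t in threats:
        validate(t)
    ranked = sorted(threats, key=lambda t: (-t.score(), t.asset))
    return [
        Decision(
            asset=t.asset,
            scenario=t.scenario,
            score=t.score(),
            strategy=select_strategy(t.score()),
            justification=f"likelihood {t.likelihood} x impact {t.impact}",
        )
        for t in ranked
    ]


# Constructed threat scenarios plotted against the Step 1 assets
SAMPLE_THREATS = [
    Threat("student-records-db", "unauthorised disclosure of SSNs", 3, 5),
    Threat("file-server-01", "hardware failure without a tested backup", 4, 3),
    Threat("payroll-app", "unpatched vendor software", 2, 4),
    Threat("sysadmin-team", "single administrator unavailable", 2, 2),
]

if __name__ == "__main__":
    for d in assess(SAMPLE_THREATS):
        print(f"{d.score:>2}  {d.strategy:<18} {d.asset}: {d.scenario} ({d.justification})")
```

The ranked output is the prioritised threat list of Step 2, and the strategy column is the input to the security plan; keeping the justification string beside each decision is what makes the reassessment in Step 4 possible later.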

However, the time needed to complete this process will vary depending on the size of the organization: the bigger the organization, the longer it takes. Organizations should therefore establish internal deadlines for the completion of each step of the process, to ensure steady progress and to avoid delays beyond the planned time frame. Delay in this process only results in the organization responding slowly to risk, which will surely lead to disturbances and failures in the organization's operational processes. Chart 1 gives a brief overview of this process.


Chart 1: Information Technology (IT) Security Risk Management Process Flow
(Source: University of Virginia Information Technology Security Risk Management (ITS-RM) Program Version 4.0, 2014)

[Flow chart; text recovered from the figure:]
Step 1 – Identify Critical Information Technology (IT) Assets
Step 2 – Assess Risks. For each critical asset: assign weight to likelihood & impact of threats to each asset; prioritize threats; select response strategies; develop security plan
Step 3 – Mission Continuity Planning. Create a response plan to use in the event that critical IT assets are lost, unavailable, corrupted or disclosed
Step 4 – Evaluation and Reassessment. Required at least once every three years
Documents shown in the chart: Critical Assets List; Security Plan; Disaster Recovery Plan; Interim Manual Procedures


4.3 Five Phases of an Information Technology Risk Mitigation Programme

A successful IT risk mitigation programme consists of five phases: management and governance, assessment, planning and design, implementation and testing, and monitoring.

Management and governance: Both business conditions and IT capabilities and costs change over time. IT risk management and governance is the process by which an appropriate IT risk posture is maintained in the long term. Key elements include:

• Creating policies with clear roles and responsibilities to establish the context of "risk" as it relates to the company's enterprise
• Defining key risk indicators (KRIs) for IT risk (indicators that can be measured and monitored to give early warning of changes in the company's risk profile)
• Embedding IT risk management considerations into the operational processes of the enterprise
• Evaluating, reporting and communicating on the IT risk profile
• Re-evaluating IT risks and updating mitigation strategies as appropriate

Assessment: The first step of this phase is to clearly identify and evaluate the types of IT risk an organization might face and to gauge its ability to respond rapidly to risk events. Assessment is an ongoing process that involves:

• Defining the key value-producing business services that the organization performs and quantifying their value
• Decomposing the business services into the business components required for their delivery
• Establishing the business impact on the service if a given business component is non-functional
• Defining the most significant threats and their relevant risks to the business components by evaluating the probability of each threat's occurrence and the impact should it occur
• Determining the business service impact based on the effects on the business components
• Establishing and implementing appropriate, cost-effective strategies to mitigate the defined risks, based on an understanding of the organization's "risk appetite"
• Determining external risk dependencies and how the organization and its systems would respond if compromised

Planning and design: During the planning and design phase, the organization develops mitigation strategies for managing IT risks. This phase includes:

• Determining ways to sustain critical operations in the event of a disruption by defining strategic business continuity, disaster recovery and crisis management plans
• Designing a business-requirement-based architecture for the organization's IT environment
• Optimizing the balance between the organization's investments in IT risk management and their business value

Implementation and testing: This phase gives the organization an opportunity to validate the effectiveness of its plans, as well as to identify weaknesses. Key elements include:

• Creating test plans, executing a successful test, identifying gaps and recommending fixes
• Integrating IT and business needs
• Validating that the IT risk solution is current and actionable

Monitoring: Continuous monitoring of KRIs helps ensure that the organization can identify changing risk levels and take action before the risks materialize and impact a key business service. The keys to successful IT risk monitoring include:

• Mapping IT service components to the business services they support
• Defining KRI thresholds that represent a potentially abnormal condition
• Implementing mechanisms to alert appropriate agents (both people and technology) to take preventive or corrective action
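The three keys to monitoring listed above (a component-to-service mapping, KRI thresholds, and an alerting mechanism) fit together as shown in the following Python. This is an added illustration, not code from the source the chapter summarises; the component names, the KRIs, their thresholds and the metric readings are constructed for the example. Each KRI belongs to an IT service component, so when a reading crosses its threshold the alert can name the business services that are exposed, which is the view management acts on.

```python
"""Worked example of the monitoring phase: KRI thresholds mapped to business services.

Added illustration only; components, KRIs, thresholds and readings are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Which business services depend on which IT service component (constructed)
COMPONENT_TO_SERVICES = {
    "auth-server": ["student portal", "payroll"],
    "storage-array": ["student portal", "research data"],
    "mail-gateway": ["campus email"],
}


@dataclass(frozen=True)
class KRI:
    name: str
    component: str
    threshold: float
    # Some indicators are bad when high (failed logins), others when low (backup success %)
    higher_is_worse: bool = True

    def breached(self, value: float) -> bool:
        return value > self.threshold if self.higher_is_worse else value < self.threshold


@dataclass(frozen=True)
class Alert:
    kri: str
    component: str
    value: float
    threshold: float
    affected_services: tuple[str, ...]


# KRI definitions with thresholds marking a potentially abnormal condition (constructed)
KRIS = [
    KRI("failed_logins_per_hour", "auth-server", threshold=200),
    KRI("backup_success_pct", "storage-array", threshold=95, higher_is_worse=False),
    KRI("days_since_patch", "mail-gateway", threshold=30),
]


def evaluate(kris: list[KRI], readings: dict[str, float]) -> list[Alert]:
    """Compare each KRI's latest reading with its threshold; return alerts with business impact."""
    alerts: list[Alert] = []
    for kri in kris:
        if kri.name not in readings:
            continue  # no reading this period; a production monitor would flag stale KRIs
        value = readings[kri.name]
        if kri.breached(value):
            services = tuple(COMPONENT_TO_SERVICES.get(kri.component, ()))
            alerts.append(Alert(kri.name, kri.component, value, kri.threshold, services))
    return alerts


def services_at_risk(alerts: list[Alert]) -> dict[str, list[str]]:
    """Invert the alerts into the business-service view that management reports on."""
    out: dict[str, list[str]] = {}
    for a in alerts:
        for svc in a.affected_services:
            out.setdefault(svc, []).append(a.kri)
    return out


def format_alert(a: Alert) -> str:
    return (f"ALERT {a.kri}={a.value} (threshold {a.threshold}) on {a.component}; "
            f"business services at risk: {', '.join(a.affected_services)}")


# Constructed metric readings for one monitoring period
SAMPLE_READINGS = {
    "failed_logins_per_hour": 540,
    "backup_success_pct": 98.5,
    "days_since_patch": 42,
}

if __name__ == "__main__":
    found = evaluate(KRIS, SAMPLE_READINGS)
    for a in found:
        print(format_alert(a))
    print(services_at_risk(found))
```

The direction flag on each KRI matters: a backup success rate is an early warning when it falls, while failed logins and patch age warn when they rise, and a monitor that treats every indicator the same way will miss one of the two.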


4.4 Top 10 Emerging Information Technology Risks

Due to globalization, information technology risks keep emerging from day to day and might harm organizations. However, these information technology risks vary in their level of risk according to the industry, technology or business processes involved. Listed in tabular form below are ten emerging information technology risks identified by Mizoguchi (2012), in no particular order. The issues that might arise from each risk are also elaborated below.

No. 1: Social Networking
Issue: Use of social media technologies is expanding into new areas such as user communities, business collaboration and commerce.
Risks:
• Brand protection
• Unauthorized access to confidential data
• Regulatory or legal violations

No. 2: Mobile Devices
Issue: Rapid growth in the number of smart devices and in their functions.
Risks:
• Loss / release of critical business data
• Security and identity management
• Application development challenges

No. 3: Malware
Issue: Malware continues to increase in sophistication and has more avenues for execution.
Risks:
• Loss or theft of critical information
• Hardware impacts
• Cash impact
• Lost productivity

No. 4: End User Computing
Issue: End User Computing (EUC) applications continue to evolve given the resource constraints of the economic downturn.
Risks:
• Misstated financial statements
• Unsupported decision making
• Regulatory concerns
• Loss or corruption of data

No. 5: Corporate Espionage
Issue: More specific targeted efforts (often for gain), assisted by the increase in mobile computing technologies.
Risks:
• Loss or release of corporate data
• Denial of service
• Intellectual Property loss

No. 6: Project Backlog
Issue: The economic downturn caused a decrease in IT investment and the deferral of critical projects, resulting in large project backlogs.
Risks:
• Project delays or failure
• Completed projects short-changing security and controls
• Failure to achieve business objectives
• Poor or inadequate vendor management

No. 7: IT Governance
Issue: Reduced enterprise IT support and budgets and the increased ease of technology deployments have led to multiple "shadow IT" organizations within enterprises. Shadow groups tend not to follow established control procedures.
Risks:
• Failure to comply with corporate IT policies and controls
• Operational impacts
• Information security risks
• Regulatory violations
• Duplication of efforts, increased costs and inefficiencies

No. 8: Electronic Record Management
Issue: Increased deployment of ERM solutions, with corresponding data conversions and process changes.
Risks:
• Loss of data in the conversion process
• Regulatory violations if inadequate controls exist
• Storage, retention and forensic issues

No. 9: Data Management
Issue: Lack of ability to identify the types and location of enterprise data, and lack of a robust data stratification schema to categorize sensitive data.
Risks:
• Regulatory penalties
• Brand damage
• Increased cost of compliance

No. 10: Cloud Computing
Issue: Proliferation of external cloud computing solutions, both corporate- and user-based. Different deployments are available: data, applications, services.
Risks:
• Administrative access
• Data management (location/compliance/recovery/security)
• Dependence upon availability of the cloud provider and internet connection
• Long-term viability

Figure 6: Top 10 Emerging Information Technology Risks
(Source: Mizoguchi, 2012)


CHAPTER 5.0: CONCLUSION

In a nutshell, all three main topics have been covered in the specific chapters allocated to them. Understanding risk, risk management and information technology risk management is crucial for every one of us in this modern era, even though the elaborations in this project paper focus more on organizations. As individuals, having a good understanding of these three topics is also important, since we too might be involved in unpredictable risks and, in the end, we might also be members of an organization. Thus, knowledge of these topics is useful in overcoming risks.

Re-evaluating what has been addressed by Surah Al-Baqarah verse 286 and also the dramatic phrases from William Shakespeare, something I can conclude from these two sources is that if something is going to happen, such as a catastrophe, a natural disaster or even a human-made disaster, we as human beings surely cannot avoid these events. As a Muslim, if Allah says "Kun Faya Kun", everything will happen and nothing can avoid it. As stated in Surah Yassin verse 82, whenever He (Allah) intends a thing, He needs only to say: "Be (Kun)," and it is (Faya Kun).

However, to give us some relief, we as Muslims have to come back to our Holy Quran. As stated before, verse 286 of Surah Al-Baqarah states that Allah does not charge a soul except (with that within) its capacity. So, here we can say that any risk that comes is just a trial from Allah to His slaves, and it depends on us how we perceive that trial, whether from a positive perspective or a negative one. However, it is our duty to try our best, since we have the chance to do so.

"Work for the affairs of the world as if you were going to live forever, but work for the Hereafter as though you will die tomorrow."

The Prophet Muhammad pbuh


APPENDIXES

Appendix 1: Hardware - Example of Computer Hardware

(Source: Warepin, 2010)


Appendix 2: Software - Example of System and Application

Source: Humayun Kabir (2014)


Appendix 3: List of dangerous drugs under the First Schedule of the Dangerous Drugs Act 1952

FIRST SCHEDULE [Sections 2, 11(1) and 17(3)]

PART I
Raw Opium
Coca Leaves
Poppy-Straw
Cannabis

PART II
Prepared Opium
Cannabis
Cannabis resin and substances of which such resin forms the base

PART III
Acetorphine
Acetyl-alpha-methylfentanyl
Acetylmethadol
Alfentanil
Allylprodine
Alphacetylmethadol
Alphameprodine
Alphamethadol
Alpha-methylfentanyl
Alpha-methylthiofentanyl
Alphaprodine
2-amino-1-(2,5-dimethoxy-4-methyl)phenylpropane
Amphetamine
Anileridine
Benzethidine
Benzylmorphine
Betacetylmethadol
8-beta-11-dihydroxy-delta-9-tetrahydroxycannabinol
8-beta-hydroxy-delta-9-tetrahydrocannabinol
Beta-hydroxyfentanyl
Betahydroxy-3-methylfentanyl
Betameprodine
Betamethadol
Betaprodine
Bezitramide
Butorphanol
4-bromo-2,5-dimethoxyphenylethylamine (2C-B)
Cathinone
Clonitazene
Cocaine
Codoxime
Concentrate of poppy-straw (the material arising when poppy-straw has entered into a process for the concentration of its alkaloids, when such material is made available in trade)
delta-8-tetrahydrocannabinol
delta-9-tetrahydrocannabinol
Desomorphine

Appendix 4: Step 1 - IT Mission Impact Analysis Questions

Unit Name: ___________________ Sub-Unit Name: ___________________

Mission Impact Analysis Questions

This section identifies information, computing hardware and software, and associated

personnel that require protection against unavailability, unauthorized access,

modification, disclosure or other security breaches.

Note: Any use of highly sensitive data (including Social Security numbers, protected

health information, etc.) is inherently a critical component of the unit’s mission and a

source of significant risk.

1. What’s your department’s mission?

2. What are the key functions your department performs to implement

your mission?

3. What IT hardware infrastructure and assets are critical to the

performance of those key functions? Please list these assets and

prioritize them based on their criticality to the functions identified above.

Be sure to include individual, departmental, central UVa and external

(e.g., vendor) assets as appropriate, and list a system administrator,

model number and operating system, where applicable, for each asset.

Examples:

• Servers (including those hosted by others)
• Desktops/laptops/mobile devices that host critical or highly sensitive data

4. What software applications are critical to the performance of those key

functions? Please list these and prioritize them based on their criticality

to the functions identified above. Be sure to include individual,

departmental, central UVa and external (e.g., vendor, federal and state)

assets as appropriate.

Note: Even common applications, like web browsers and Microsoft

Office, may be critical and must be kept updated and secure to protect

your systems.

5. What IT data assets are critical to the performance of those key

functions? Please list these assets and prioritize them based on their

criticality to the functions identified above. Be sure to include individual,

departmental, central UVa and external (e.g., vendor, federal and state)

data swapping assets as appropriate.

Examples:
• Academic: instructional resources, databases necessary to maintain a given research program
• Administrative: sensitive student or financial data necessary for business operations and student services
• Health-related: sensitive patient data, both clinical and research
• External data provider

6. Do you store student SSNs in the department, whether in paper or electronic form? If so, provide 1) a complete location inventory of these numbers, and 2) an explanation of the legal requirement and/or business process that necessitates their storage.

Prepared by: Administrative contact
Name: __________________________
Signature: __________________________
Title: __________________________
Date: __________________________

Approved by: Unit head
Name: __________________________ Signature: __________________________
Title: __________________________ Date: __________________________

Prepared by: Technical contact
Name: ______________
Signature: ______________
Title: ______________
Date: ______________

(Source: University of Virginia, 2014)


REFERENCES

Brown, C. V., Dehayes, D. W., Hoffer, J. A., Martin, E. W. and Perkins, W. C. (2012). Management Information Technology, 7th Ed. Pearson Education Inc., New Jersey.

CLUSIF. (2008). Risk Management: Concept and Methods. Retrieved on November 2nd, 2014 from www.clusif.asso.fr/fr/production/ouvrages/pdf/CLUSIF-risk-management.pdf

Crockford, G. N. (1982). The Bibliography and History of Risk Management: Some Preliminary Observations. The Geneva Papers on Risk and Insurance, 7, 169-179.

Dionne, G. (2013). Risk Management: History, Definition and Critique. Retrieved on November 2nd, 2014 from http://neumann.hec.ca/gestiondesrisques/13-02.pdf

Gutmann, M. (2001). Information Technology and Society. Retrieved on November 2nd, 2014 from http://www.zurich.ibm.com/pdf/news/Gutmann.pdf

Haimes, Y. Y. (1998). Risk Modeling, Assessment and Management. John Wiley and Sons Inc., New York.

Harrington, S. and Niehaus, G. R. (2003). Risk Management and Insurance. Irwin/McGraw-Hill, USA.

Humayun Kabir. (2014). What is Computer Software and Types of Computer Software? Retrieved on November 2nd, 2014 from http://www.easytechtips24.com/what-is-computer-software-and-types-of-computer-software/

International Organization for Standardization (ISO) and International Electrotechnical Commission. (2008). Information Technology – Security Techniques – Information Security Risk Management (ISO/IEC 27005:2008). Retrieved on November 2nd, 2014 from http://www.pqm-online.com/assets/files/standards/iso_iec_27005-2008.pdf

Kroenke, D. M. and McKinney, J. E. H. (2013). Processes, Systems, and Information: An Introduction to MIS. Pearson Education Inc., New Jersey.

Law of Malaysia Act 234. (2006). Dangerous Drugs Act 1952. Publisher: the Commissioner of Law Revision, Malaysia. Percetakan Nasional Malaysia Berhad. Retrieved on November 2nd, 2014 from http://www.agc.gov.my/Akta/Vol.%205/Act%20234.pdf

Law of Malaysia Act 235. (2006). Customs Act 1967. Publisher: the Commissioner of Law Revision, Malaysia. Percetakan Nasional Malaysia Berhad. Retrieved on November 2nd, 2014 from http://www.agc.gov.my/Akta/Vol.%205/Act%20235.pdf

Locke, G. and Gallagher, P. D. (2011). Managing Information Security Risk: Organization, Mission, and Information System View. Retrieved on November 2nd, 2014 (hyperlink not preserved in the source; the cited file is P800-39-final.pdf).

Lowrance, W. W. (1976). Of Acceptable Risk. William Kaufman, Los Altos, CA.

Mizoguchi, T. (2012). Information Technology Risks in Today's Environment. Retrieved on November 2nd, 2014 from https://chapters.theiia.org/san-diego/Documents/Seminars/SD_IIA___ISACA_Event_041112_Deloitte_IA_Top_Ten_Risks.pdf

McLeod, J. M. and Schell, G. P. (2004). Management Information Systems. Pearson Education Inc., New Jersey.

Official Website Royal Malaysia Customs Department. (2013). Keputusan Ketetapan Kastam November hingga Desember 2013. Retrieved on November 2nd, 2014 (hyperlink not preserved in the source).

Pollatsek, A. and Tversky, A. (1970). A Theory of Risk. Journal of Mathematical Psychology, 7, 540-553.

Ropeik, D. and Gray, G. (2002). Risk: A Practical Guide for Deciding What's Really Safe and What's Really Dangerous in the World Around You. Houghton Mifflin, Boston: New York.

Sai Global. (2003). Risk Management. Retrieved on November 10th, 2014 from http://www.riskmanagement.com.au/

Samsung Electronics. (2013). Quick Start Guide. Samsung Electronics Euro QA Lab, Hampshire: United Kingdom.

Shakespeare Online. Retrieved on November 10th, 2014 (hyperlink not preserved in the source).

Smoking a Cause for Concern. (July 12, 2012). The Star Online. Retrieved on November 2nd, 2014 from http://www.thestar.com.my/story/?file=%2f2012%2f7%2f12%2ffocus%2f11646513&sec=focus

Stoneburner, G., Goguen, A. and Feringa, A. (2002). Risk Management Guide for Information Technology Systems. Retrieved on November 2nd, 2014 from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Terjemahan Al-Hidayah Al-Qur'an Al-Karim. (2013). Al-Qur'an Al-Karim Rasm Uthmani Dalam Bahasa Melayu. Al-Hidayah House of Qur'an Sdn. Bhd.

University of Virginia. (2014). Information Technology Security Risk Management (ITS-RM) Program Version 4.0. Retrieved on November 2nd, 2014 (hyperlink not preserved in the source; the cited path ends in informationsecurity/riskmanagement/).

Warepin. (2010). Four Categories of Computer Hardware. Retrieved on November 23rd, 2014 from http://www.warepin.com/4-categories-of-computer-hardware/

Williams, A. and Heins, M. H. (1995). Risk Management and Insurance. McGraw-Hill, New York.