Friday, June 13, 2008

“Security management tends to react to breaches of security while risk management aims to prevent them from occurring in the first place.”

Schneier (2007) sees security as something mathematical, based on the probability of diverse risks and the effectiveness of countermeasures against them. For instance, one can calculate how much one’s house is at risk of being burgled based on the crime rate in one’s neighbourhood, one’s door and window locks, and so on. Given ample data one can estimate how secure one’s assets are, but security is also a feeling: for example, one feels safer parking a car when it has an alarm system and the car park is equipped with CCTV surveillance. The feeling and the reality of safety are not the same thing (Schneier, 2007). Security management is the process that guarantees the confidentiality, integrity and availability of an organization’s assets, data, information and IT services (ITIL, 2008). According to Culp (2001), the world is ‘an unpredictable place’, and this uncertainty makes it a place full of risks which somehow have to be managed. Risks range substantially, from the unexpected death of a senior official in a company to a fire that destroys the office buildings. In these cases risk can be defined as the possibility of an unwelcome result in an unpredictable situation (Andress, 2003). Risk management is the process of detecting significant risks that may jeopardize the accomplishment of the authority’s or organization’s strategic and operational objectives. It also entails evaluating the likely consequences of these risks and executing the most efficient way of acting on, controlling and monitoring them. Risk management is about taking the right informed decisions and, once those decisions are made, achieving the objectives foreseen and delivering the expected results. When one is more risk aware, the person, organization or company will be better equipped to avoid threats and take advantage of opportunities (Cummings, 2004:2).

Security is a reaction to various threats and risks; these can be attacks on a person, attacks on property or attacks on organisations. The reasons behind them can be various and may include revenge, financial gain, political, social or religious motives, thrills and so on. In brief, security is protection against these possible attacks. Protection includes prevention, response and pre-emptive action, “nipping the problem in the bud” (Kurtus, 2002). One important elementary task in security management in organisations is to assess the current security level of the organisation. One way of doing this is the ‘walk about’ method proposed by Peltier (2008), which advises carrying out a set of checks after working hours. There are five tasks in the ‘walk about’ method: checking that office doors are locked; that desks and cabinets are locked; that workstations are secured; that diskettes are secured; and that company information is secured. Checking these five elements gives one an idea of the level of control and security already in place. Once new security plans are in place, one should repeat the five-step procedure a few months later (Peltier, 2008). Security concerns tend to develop according to trends that those responsible for security cannot control; for example, after the 9/11 incident security became largely concerned with terrorism. Mostly, though, security is concerned with common threats such as theft, robbery, burglary and fraud (Button, 2007). The practice of security is heavily influenced and preoccupied with standards and regulations, which come mainly from governments. Advancements in technology over the past twenty years have aided the security management of companies and organisations as well as other sectors requiring security. Expansion in the use of CCTV, better alarm and control systems and other technological innovations have improved the workings of security (Button, 2007).
Security requires an amalgamation of people, processes and technology (Information Security, 2008). However, the people aspect of security is usually overlooked (Bright, Kark, and Orlov, 2005). Knowing the limitations of each of these on its own helps to balance them and to manage security better. In practice most security management efforts focus their resources on prevention, while detection and response are used only to minimize damage that has already occurred (Information Security, 2008).

Organizations make use of diverse approaches to security management. However, the most effective approach is the one that manages and supports whatever level of security is appropriate to the organization’s requirements. One can also note the range of characteristics of approaches to security management:

“On the lower end, the characteristics outline a security approach that tends to be irregular, reactive, and immeasurable; on the contrary, a higher end approach that aims to improve and sustain the organization’s resiliency as a goal is characterized by a systematic, continuous, adaptive, and measurable process. Organizations may appropriately fall at either end of this scale or anywhere in between, and the approach that they are using may be entirely adequate to meet their needs” (Caralli, 2004: 24).

The following are the theoretical approaches to security management: ad hoc, vulnerability based, risk based and enterprise based. When security is tackled with an ad hoc approach, it is done without any defined strategy, policy, process, procedure or practice. With this approach security is not given much importance or budget, and there is little if any responsibility for it. The organization’s security only reacts, and therefore works only once the threats and events have already happened. Security and management do not work together, and when they do it is usually by accident. The major problem with this approach is that the organization has to regularly compensate for risks it has not foreseen and prepared for (Caralli, 2004: 24).

The vulnerability-based approach to security focuses on vulnerabilities and reacts to them. This approach is somewhat proactive and tries to plan for security issues beforehand. It provides organizations with the ability to detect weak spots and defects in software, and aims at reducing exploitation. This approach, however, is limited to tackling the already known vulnerabilities in an organization or company; there is no effort to uncover new ones. It is mostly technology based and is therefore handled by IT professionals, who are not business oriented as they are concentrated on information and network security. This approach is usually used by organizations that want to reduce costs and therefore human resources (Caralli, 2004: 25).

The approach to security management based on risk is a considerable improvement over ad hoc and reactive approaches. The risk-based approach focuses on the organization’s vital assets, mostly the information assets that are essential to accomplishing the organization’s mission. It uses the expertise of the most important managers in the organization to identify and prioritize the organization’s assets and threats, and then develops a risk mitigation strategy that also considers how the organization will be affected if the threats materialize. Vulnerabilities are only important if they may potentially affect critical assets or impact the organization in some other way. One can therefore see that there is an implicit alliance between the security strategy and the organization’s critical assets. The risk-based approach needs a partnership between key subject matter experts, managers and the information technology sections. In some organizations the risk-based approach is adopted by employing a strategic leader such as a chief information security officer. Smaller organizations can also sponsor the security strategy in this way, and in even smaller organizations IT may take this role. Since security is expensive, an organization must attempt to see the benefits of it (Caralli, 2004: 25).

The enterprise security management view explicitly aligns security strategies with organizational strategies. Its aim is to achieve, improve and sustain the organization’s resiliency. The focus is not only on important assets but also on the decisive business processes of the organization and the system of internal controls that ensures these assets and processes remain productive. “Security is directed by a c-level executive who is independent of the information technology organization and is involved in the strategic planning for the organization” (Caralli, 2004: 26). Security is a task that is managed throughout the whole organization and relies on the different capabilities that can be found in it. Excellence in IT is one of the major strengths that help the organization reach its security targets. In this case security is seen as an essential investment, and an organization therefore expects to see the fruits of that investment (Caralli, 2004: 26).

In the following content, risk management will be tackled. There are two types of risk: speculative and pure. Speculative risk is when one takes on a task which can, in due course, fail or succeed (Borgsdorf and Pliszka, 1999). Pure risk, on the other hand, is the term applied to situations that involve a chance of loss or no loss (Vaughan, 1997). When tackling the subject of risk management one is usually primarily concerned with pure risk and its management. According to Vaughan (1997), risk management takes a scientific approach when dealing with pure risks: it predicts possible accidental losses and designs and implements procedures to diminish the occurrence of such losses. In a wider sense, one can see risk management as a process to protect individuals and assets (Vaughan, 1997). As much as it can be seen as a science, it is also an art. This science and art is what ensures that companies do not risk more than they can afford. A balance must be achieved (Vaughan, 1997).

Cox and Tait (1998) define risk management as the process which involves risk identification, estimation, evaluation, reduction and risk control. According to the task at hand, Cox and Tait (1998) divide risk management into six interlinked phases: hazard identification, hazard analysis, risk estimation, risk evaluation, implementation, and finally monitoring and auditing. The first four phases constitute risk assessment, while the remaining phases constitute risk reduction. In hazard identification one must find the sources and workings of a hazardous event, including any target which could potentially be at risk. The second step is the hazard analysis, which determines probabilities and rates, movement, and the estimation of targets at risk. This is followed by risk estimation, which is a quantitative analysis and assessment of probability. The last step of risk assessment is risk evaluation, where one judges the significance of the assessed risks, the risk-benefit analysis, risk acceptability and the uncertainty in the risk estimation. In this phase one also analyses what the public perceives as risk and the economic impact it may have. The second part of the six phases, risk reduction, starts with the implementation phase. In this phase there is the development of the implementation strategy, the examination of policy options, designs and layouts, and the implementation of quality systems. The last phase of risk reduction, and of the six interlinked phases of risk management, is monitoring and auditing. This phase produces monitoring results and audits that in turn produce new risk information.

Rescher (1983, as cited in Wharton, 1992) suggested that the rational management of risk must make use of three cardinal rules, which are “the maximization of expected values, the avoidance of catastrophe and the ignoring of remote possibilities.” When applying these rules one must make a judgmental decision: what exactly would one consider to be a catastrophe, and what can be dismissed as a remote possibility? According to Wharton (1992), there is always the possibility that any course of action can lead to disaster, and consequently one must establish some order of priority in the application of these rules.
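Rescher’s three rules, worked through as an added example (this is not code from Wharton or any source cited here): a small decision procedure that first drops outcomes judged remote, then excludes options that can still end in catastrophe, and finally picks the lowest expected loss. The options, probabilities and loss figures are constructed, and the catastrophe and remoteness thresholds are exactly the judgmental inputs the paragraph describes; changing them changes which option is chosen.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    label: str
    probability: float  # chance of this outcome within the planning period
    loss: float         # loss if it happens, in the same units as Option.cost


@dataclass(frozen=True)
class Option:
    name: str
    cost: float         # cost of the countermeasure itself
    outcomes: tuple     # Outcome instances that remain possible under this option


def considered(option, remote):
    """Rule 3: ignore remote possibilities, i.e. outcomes below the threshold."""
    return [o for o in option.outcomes if o.probability >= remote]


def expected_loss(option, remote=0.0):
    """Rule 1, expressed as a cost: countermeasure cost plus probability-weighted losses."""
    return option.cost + sum(o.probability * o.loss for o in considered(option, remote))


def worst_case(option, remote=0.0):
    """Largest single loss still considered possible under this option."""
    return max((o.loss for o in considered(option, remote)), default=0.0)


def choose(options, catastrophe=None, remote=0.0):
    """Apply the rules in priority order: drop remote outcomes, avoid catastrophe,
    then minimise expected loss. Returns the name of the chosen option."""
    candidates = list(options)
    if catastrophe is not None:
        safe = [o for o in candidates if worst_case(o, remote) < catastrophe]
        # Failure mode Wharton points at: every option can still end in disaster.
        # Then keep the options whose worst case is least bad rather than giving up.
        if not safe:
            floor = min(worst_case(o, remote) for o in candidates)
            safe = [o for o in candidates if worst_case(o, remote) == floor]
        candidates = safe
    return min(candidates, key=lambda o: expected_loss(o, remote)).name


# Constructed figures for protecting one premises; the fire outcome is the catastrophe.
OPTIONS = (
    Option("do nothing", 0, (Outcome("theft", 0.10, 50_000), Outcome("fire", 0.01, 2_000_000))),
    Option("alarm", 5_000, (Outcome("theft", 0.02, 50_000), Outcome("fire", 0.01, 2_000_000))),
    Option("alarm and sprinklers", 40_000,
           (Outcome("theft", 0.02, 50_000), Outcome("fire", 0.001, 2_000_000))),
)

if __name__ == "__main__":
    for o in OPTIONS:
        print(f"{o.name:22s} expected loss {expected_loss(o):>9,.0f}  worst case {worst_case(o):>9,.0f}")
    print("expected value only:            ", choose(OPTIONS))
    print("avoid losses >= 1,000,000:      ", choose(OPTIONS, catastrophe=1_000_000, remote=0.005))
    print("same, but 1% counted as remote: ", choose(OPTIONS, catastrophe=1_000_000, remote=0.02))
```

On expected value alone the cheapest option wins; once a one-in-a-hundred fire counts as a non-remote catastrophe the sprinklers are chosen, and if one per cent is instead dismissed as remote the choice flips back, which is the judgment call the paragraph describes.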

Since there are some distinguishable crossovers between the theories of management and risk management, some suggest that they may be one and the same. This may be true when one considers that, most of the time, lack of good management creates risk. As a result, a manager and a risk manager must work hand in hand, as in doing so the company will be more efficient at reducing, preventing and minimizing losses (Borgsdorf and Pliszka, 1999). Risk management is a huge business that involves many authorities: it holds inquests, commissions research, passes laws and creates regulations. It also runs safety-training programmes, posts warning signs, puts up fences and locks gates. The main objective of the risk management business is to reduce risk (Adams, 1995). The bulletproof vests police officers put on, air bags in cars, the suction-cupped rubber mats children sit on in the bathtub and the annoying speed bumps we are forced to drive over are all part of risk management. Risk management is easy to recognize and is pervasive in all aspects of our personal and professional lives. Risk management is any action taken by any member of an organization that will eradicate, diminish or control risk (Borrello, 2001). Risk can be intricate: it can consist of researching and developing new policies and procedures to prevent or control sexual harassment, or it can be simple, like tacking down a loose piece of carpet at the top of the stairs (Borrello, 2001).

Crime theory can assist risk management. The theories that are effectively used are the routine activity approach, the rational choice perspective and the crime pattern theory (Felson and Clarke, 1998). In the routine activity approach three elements must be present: a possible offender, a fitting target and the lack of a guardian. In this case a guardian does not necessarily have to be a police officer but can be anyone who is present and discourages the crime from being committed. So minimizing risk can take a simple form, for example a housewife at home, a neighbour or a worker. Their presence discourages the commission of a crime by eliminating one of the three elements that the routine activity theory requires to be present (Felson and Clarke, 1998). Four main elements influence a target’s risk of criminal attack: value, inertia, visibility and access (VIVA). In order to understand these four points, one must put oneself in the offender’s shoes. By value we mean that the object the offender seeks to take has a financial or otherwise important value to him/her, for example a branded pair of jeans. Inertia simply means the weight of the object to be stolen, so we can say that it is easier to steal an iPod than a refrigerator. Visibility means how visible the targets are to the offender, for example putting an iPod in your back pocket or handling large amounts of cash in crowded public places. Access refers to how easily one may obtain the coveted good, for example when the pension cheque arrives and the elderly go to cash it at the local bank (Felson and Clarke, 1998). The rational choice perspective focuses mostly on the offenders’ decision making. Offenders have goals; they do what they do to achieve something or other. The offender usually does not set his sights on the future, and calculates mostly the benefits, not the risks.
The offender is set on the immediate effects of pleasure, not on the long-term effects of crime. The situational crime prevention model is closely tied to this theory. Withdrawing or minimizing opportunity makes crime decrease; increasing criminal opportunity will, on the other hand, increase crime (Felson and Clarke, 1998). The last theory is the crime pattern theory, which is an integral part of environmental criminology. This theory fits with the routine activity theory and has three main concepts: nodes, paths and edges. Nodes refer to where people travel to and from. Offenders look for their targets in their own area, for example pubs, schools and so on; these are also called paths. These paths are also the ones people take every day, and relate to where they fall victim to crime. The crime pattern theory pays a lot of attention to daily activities and where they are situated. These can generate crime maps, for example linking crimes to events and places such as when school finishes or bars close, together with the nodes and paths people follow. Edges refer to the boundaries of the areas where people live. Crime tends to occur more often in these boundary areas (edges), because of the distinction that lies between outsiders and insiders in communities (Felson and Clarke, 1998).

Security risk management can be defined as “a logical process that may be used to assess and quantify risk, and provide management with cost-effective solutions to security risk reduction using available resources” (SRMG, 2002:1). In a broad sense, such management includes technology, education and management (Insight Protection, 2007). The fundamental aspects of security risk management are visibility and measurement. These aspects help to recognize, measure and lessen risks. “They are also the key to effective process management” (Lacey, 2006). The aims of security management are the following: to recognize and measure the assets to be protected; to assess the criticality of every asset by determining the impact of its loss; to address the threat taxonomy that applies; to identify and quantify the vulnerabilities associated with each asset when matched with each identified threat; and finally to analyze the costs and benefits associated with risk mitigation (SRMG, 2002:1).

Conclusion

Throughout this assignment, we have tackled ‘security’, ‘security management’, ‘risk’, ‘risk management’ and ‘security risk management’. The very fact that information on security management was scarcer than on any other subject mentioned above indicates that security management is a newer field of study and discipline than risk management. Giever (2007) argues that the discipline of security has not yet matured and is still in its infancy. Throughout the assignment one can note that security and risk work hand in hand, like partners. Where one is present, the other will be too, in some order or another. One cannot carry out a risk management assessment without taking security management into consideration, and vice versa. These two disciplines are interlinked, and together, if managed correctly, will produce better results.