IT Enterprise Risk Management


The most important concern with linking computers together is that doing so increases the information system’s vulnerability to data security risks. Because of this vulnerability, computer bugs, DoS attacks, and intrusions into data systems are commonplace (Agrafiotis, Nurse, Goldsmith, Creese, & Upton, 2018). The public is now conscious of computer security challenges through stories in the most popular news media. Computer attacks, cyber fraud, DoS attacks, and data espionage regularly make significant news reports (Agrafiotis et al., 2018).


Even with system firewalls, protection architectures, intrusion detection methods, and other innovative tools, the business’s computers, systems, and data are still not secure (Agrafiotis et al., 2018). Despite these efforts, cyber attackers have grown faster at innovating to exploit the remaining weaknesses. In an environment with scarce funds, organizations must determine how to allocate their resources to lessen this threat and protect themselves from security risks in the most cost-efficient ways (Amini & Jamil, 2018). The main aim of this analysis is to research the managerial decisions taken in an IT enterprise to redistribute security infrastructure.

Research Objectives and Hypothesis

Using both qualitative and quantitative procedures, this research aims to investigate the risk analysis that organizations carry out to allocate their security tools. Enterprise risk management (ERM) is a form of risk analysis conducted to reduce the effects of data security attacks (Braumann, 2018). Enterprise security attacks and vulnerabilities take different forms. Security attacks can be external or internal (Braumann, 2018). External enterprise attacks include cyber-attacks, system worms, viruses, denial of service attacks, and identity theft. Internal attacks include human error, technical obsolescence, and unsuccessful safety controls (Amini & Jamil, 2018).

With the number of risks involved in IT security, companies must select which resources are critical to the business’s survival. Decisions to balance risk factors must be approved to secure the investment. Such choices include risk analysis and control, meeting legal requirements, or preventing lawsuits against clients (Amini & Jamil, 2018). If a company focuses on a single risk factor, it wastes funds that could have offset the challenges posed by a different risk. Thus, enterprise risk management and analysis rely on the conventional technique of identifying areas of vulnerability in terms of information access, software, and hardware control (Ryutov, Sintov, Zhao, & John, 2017). This study tries to determine the ERM procedure within the organization.

Research Hypothesis

Using risk analysis and the methods deployed to allocate security resources is directly proportional to the perceptions of enterprise risk effectiveness and threat significance.

Literature Review

Information Security

There are two forms of information security risk analysis in data management. Quantitative risk analysis is an objective evaluation of security threats that uses numerical information to allocate resources (Wangen, Hallstensen, & Snekkenes, 2018). Qualitative risk analysis is a subjective assessment based on the experience and decisions of board members. It is challenging to conduct a quantitative ERM procedure without a subjective review.

In addition, qualitative risk analysis does not provide an objective measure of these vulnerabilities (Braumann, 2018). Thus, the constraints of both approaches might raise the probability of unintended and uninterrupted losses for a company. Information security is the collection of procedures, processes, people, and technology tasked with protecting a company’s data assets (Wangen et al., 2018).


The process starts with all the senior executives examining external conditions and organizational structure to produce the business strategy. The executives work collectively and in synergy with operational directors to make policies for various departments. The head of information operations reacts to its mandate by producing information security policies that dictate the implementation of their organization’s data systems and the guidelines of every section.

The information security policy includes comprehensive plans and processes for risk analysis and security resource allocation (Wangen et al., 2018). These actions include end-user development, operations, task management, threat assessment, and policy analysis. End-user instruction and development are enforced by the data security section to reduce the number of security attacks caused by end-user error (King et al., 2018).

Enterprise operations deal with all the daily maintenance of data security infrastructure and service tasks (Wangen et al., 2018). Project management addresses the development and execution of new safety structures. Risk management is the practice of identifying vulnerabilities within the IT enterprise and controlling those flaws. When systems are attacked, the organization modifies the business and data security policy to include contingency strategies, incident response, disaster recovery, and business continuity plans (Wangen et al., 2018). This research concentrates on risk analysis as a subset of enterprise risk management, represented in Table 1.

Information Security Enterprise Process
Process                  Description
-----------------------  -------------------------------------------------
End-user development     Threat awareness and sensitivity
Operations               Sustaining and changing security infrastructure
Task management          Creating new IT security designs
Threat assessment        Evaluating and assessing security vulnerabilities
Policy analysis          Policy evaluation, change, and approval

Table 1.

Risk Analysis

Braumann (2018) defined risk analysis as a procedure to inspect the threats confronting an organization’s IT assets along with the vulnerabilities of its security infrastructure. King et al. (2018) suggested that risk analysis consists of classifying resources, identifying risks to these resources, and discovering the vulnerability of assets to these dangers, along with ERM methodologies. These methodologies must be acceptable, detailed enough to evaluate all vulnerabilities, sound, effective enough to provide the ideal protection, and easy to understand through documentation of the risk assessment procedure (King et al., 2018).

Data security professionals use ERM as a resource tool to justify the cost of installing security infrastructure (King et al., 2018). Security professionals also attribute the efficiency of enterprise risk management to its use as the connection between security and IT experts who take decisions regarding IT security operations (Radanliev et al., 2018). Corporations have reported doubt regarding the thoroughness of their training because of the uncertainty of data security vulnerability (Radanliev et al., 2018). To achieve the aim of reducing the risk of data assets, many ERM methodologies have been suggested.

Risk Management

Risk is the likelihood that an event will unfavorably or beneficially influence a company’s capacity to accomplish its goals (Radanliev et al., 2018). Risk management is an ongoing procedure created to control the probability of adverse events and can be characterized as a pattern of recognizing data security threats and finding ways to mitigate them to an acceptable limit. Enterprise risk management describes the processes used to deal with the issues presented by system attacks. Many strategies, procedures, and program tools enhance risk management (Radanliev et al., 2018).


Each component of a complex system has its properties and risk assessment. As a result, each threat analysis is matched with specific actions to mitigate the risk (Tweneboah-Koduah & Buchanan, 2018). The most common process for enterprise risk management is summarized below.

  1. Distinguish the threat
  2. Evaluate the threat
  3. Create controls and settle on threat choices
  4. Execute controls
  5. Manage and assess the outcome

The above process is reflected in various works in the literature on risk management analysis. However, some risk experts have proposed a different set of steps, as summarized below.

  1. Collect threat information
  2. Create solutions and alternatives
  3. Decide and approve a plan of action
  4. Implement the decision
  5. Evaluate the implementation process

System Classification

In evaluating the risk for an IT enterprise, the main undertaking is to characterize the procedure, application, framework, or resources in order to proffer solutions. The threats to IT frameworks are then tested against the company’s security policy and program. This helps the manager classify the system assets that define the threat (Tweneboah-Koduah & Buchanan, 2018).

Risk Identification

An IT risk is the likelihood that a specific threat source will cause damage. Vulnerabilities are exposures that can be unintentionally triggered or deliberately abused (Tweneboah-Koduah & Buchanan, 2018). The purpose of this step is to recognize the sources of risk and classify them in a threat report. The threat expert must list all areas of exposure to avoid uncertainties. The threat expert must also assess the implementation process or the approved control measures.

Significance of IT Security Policy

Security policies guarantee an effective control architecture, describe employee responsibilities in risk management, and display the significance of securing the firm’s complex systems. An IT security policy prevents the threats associated with unsuitable utilization of data resources (Lykou, Anagnostopoulou, & Gritzalis, 2018; Tweneboah-Koduah & Buchanan, 2018; Sidi et al., 2017). Having a security strategy enhances the company’s endeavors to secure its data assets and reduces the danger of human-factor errors. Building a security framework empowers the classification, definition, and certification of the firm’s infrastructure. It provides an incorporated record of all data security systems (Tweneboah-Koduah & Buchanan, 2018).

Alternative Approaches to Enterprise Risk Analysis

Lykou et al. (2018) categorized several IT risk analysis methods into quantitative and qualitative classes. These methods allow the company to identify vulnerable resources, develop contingency strategies to isolate the assets, and examine these strategies to show how vital these resources would be to the business. However, the inaccuracy of outcomes and the cost are the limitations of these methodologies. Assessing the probability of assets being attacked through these risks is an imprecise effort. Besides being imprecise, the procedure can be costly in human resources, time, and funding (Sidi et al., 2017). Based on this limitation, the authors recommended the use of qualitative methods as alternative methodologies (Sidi et al., 2017). Qualitative methods include hierarchical evaluation and surveys.

Research Methodology

This study combines qualitative and quantitative interviewing methods to assess the impact of ERM on security resources. The quantitative interview investigates the number of employees in each category and the features of each group. The research is characterized by closed-ended questions that collect numerical data about the system infrastructure. Researchers can combine qualitative and quantitative methods in a single study (Aspers & Corte, 2019).

Instrument Creation

The researchers created a research instrument to investigate the administrative decisions taken in an IT enterprise. To achieve the study objective, the researcher and other IT-certified professionals created the study instrument. The study panel reviewed the survey questions and recommended adjustments based on the ERM process. Proposals were made and changes executed in different phases of the investigation.


Data Collection Technique

The researcher sent emails to over 350 certified participants asking for their consent to take part in the study. Thirty-five people responded to the emails agreeing to participate. Based on the research objective, inclusion criteria were used to collect specific details about the participants. Participants had to possess a CISSP certification and head the IT security unit. The inclusion variables were number of employees, industry, job position, IT experience, and data security experience.

Data Analysis

The quantitative study involves evaluating the information through the arrangement and organization of data converted into codes and themes. Based on these research assumptions, the frequency statistical tool was used to test the reliability of the observed outcome. The sample data values were coded and recorded according to the sampling procedure. Percentage analysis was used to evaluate the values of InfoSec certification, characteristics of respondents, and threat significance.


The results showed that respondents had at least one IT certification. All the participants had the CISSP certification.

Certification Status of Respondents
Certifications   Percentage
--------------   ----------
CISSP            100%
SSCP             22%
Others           9%

Table 2.

The results showed that the study adhered to its inclusion criteria of choosing employees with CISSP certification.

Characteristics of Respondents

The research collected information based on the number of employees, industry, job position, IT experience, and InfoSec training. Table 3 shows the responses regarding these variables.

Characteristics of Respondents
Variable             Category                  Percentage
-------------------  ------------------------  ----------
Employees            200-300                   11%
                     500-1000                  23%
                     2000-10000                49%
                     Above 10,000              17%
InfoSec Experience   5 years’ experience       43%
                     7-10 years’ experience    22%
                     13-15 years’ experience   14%
                     Over 15 years             21%
Job Position         IT technical unit         56%
                     MIS team coordinator      11%
                     Security personnel        21%
                     Manager/Consultant        12%
Industry             IT communication          44%
                     Banking institutions      33%
                     Manufacturing             12%
                     Real estate               6%
                     Government institutions   5%
IT Experience        5 years’ experience       43%
                     7-10 years’ experience    22%
                     13-15 years’ experience   14%
                     Over 15 years             21%

Table 3.

Participants who work in organizations with 2,000 to 10,000 employees accounted for 49% of the sample population. Participants who work in organizations with 200 to 300 employees accounted for 11% of the sample population. Respondents with 5 years of experience in InfoSec accounted for 43% of the population, while participants with over 15 years of experience in InfoSec accounted for 21%. Most respondents (44%) worked in the IT communication industry, while the others worked in the manufacturing sector, banking institutions, real estate, and government institutions.

Threat Significance

The study investigated the pattern of asset allocation based on threat significance. The threat significance was coded at the researcher’s discretion. Based on the research objective, the threat significance was coded from level 1 to level 5 in ascending order of priority.

Threat Significance
Variable                          Priority Level   Percentage
--------------------------------  --------------   ----------
Human error                       3                43%
Security trespass or espionage    5                92%
Deliberate attacks                5                89%
Cyber attacks                     5                98%
Data extortion                    5                78%
Hardware and software failures    2                34%
Internal sabotage                 5                90%
Technical obsolescence            1                16%

Table 4.

The results show that IT experts prioritize the level of security based on threat significance. By implication, when the vulnerability is assessed, the threat significance is calculated by the value assigned to the vulnerability. Vulnerabilities with a higher priority level receive the most asset deployment. However, the threat assessment is based on the personnel’s years of experience. Respondents agreed that the threat level influences the decision-making process. When the threat level is high, the management is forced to begin the policy implementation design. IT experts use different techniques to test the level of exposures and damage.

The test methodologies include vulnerability testing, firewall configuration, antivirus analysis, internal and external security review, access control evaluation, war dialing, IT policy review, and password authorization checks. A detailed analysis is conducted using surveys, questionnaires, cost-benefit analysis, single loss expectancy, scenario analysis, fuzzy metrics, and the OCTAVE method. The methods of risk analysis used to allocate security resources are directly proportional to the perceptions of enterprise risk effectiveness and threat significance. Respondents agreed that IT experience influences the choice of threat policy. Thus, IT experts deploy solutions based on the effectiveness of the security policy.
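As an added illustration that is not part of the original study, the following Python script applies the single loss expectancy and cost-benefit analysis named above to the threats of Table 4, funding controls from a fixed budget either priority-first (as the respondents reported) or by net benefit alone. The threat names and priority levels are the paper’s; every loss figure, occurrence rate, control name, cost, effectiveness value, and the budget are constructed assumptions.

```python
"""Quantitative risk analysis for allocating a fixed security budget.
Added example, not code from the paper: threat names and priority levels
follow Table 4; all money, rate, control and effectiveness figures are
constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    priority: int   # 1 (low) .. 5 (high), as coded in Table 4
    sle: float      # single loss expectancy = asset value x exposure factor
    aro: float      # annualised rate of occurrence

@dataclass(frozen=True)
class Control:
    name: str
    threat: str           # name of the Threat it mitigates
    annual_cost: int
    effectiveness: float  # fraction of the threat's expected loss removed

def ale(threat):
    """Annualised loss expectancy: SLE x ARO."""
    return threat.sle * threat.aro

def net_benefit(control, threats_by_name):
    """Expected annual loss avoided by the control minus its annual cost."""
    return ale(threats_by_name[control.threat]) * control.effectiveness - control.annual_cost

def allocate(threats, controls, budget, priority_first=True):
    """Greedy allocation of the budget; returns (funded control names, unspent budget).
    priority_first=True mirrors the paper's finding that higher-priority threats
    are resourced first (rank by priority level, then net benefit); False ranks by
    net benefit alone (pure cost-benefit analysis). Controls whose net benefit is
    not positive are never funded."""
    by_name = {t.name: t for t in threats}

    def rank(c):
        nb = net_benefit(c, by_name)
        return (by_name[c.threat].priority, nb) if priority_first else (nb,)

    funded, remaining = [], budget
    for c in sorted(controls, key=rank, reverse=True):
        if net_benefit(c, by_name) > 0 and c.annual_cost <= remaining:
            funded.append(c.name)
            remaining -= c.annual_cost
    return funded, remaining

# Constructed sample data: priority levels come from Table 4, the figures do not.
THREATS = [
    Threat("Cyber attacks", 5, sle=200_000, aro=0.5),                  # ALE 100,000
    Threat("Internal sabotage", 5, sle=150_000, aro=0.2),              # ALE  30,000
    Threat("Human error", 3, sle=20_000, aro=2.0),                     # ALE  40,000
    Threat("Hardware and software failures", 2, sle=50_000, aro=0.5),  # ALE  25,000
    Threat("Technical obsolescence", 1, sle=10_000, aro=1.0),          # ALE  10,000
]
CONTROLS = [
    Control("Intrusion detection", "Cyber attacks", 30_000, 0.6),
    Control("Privileged access review", "Internal sabotage", 12_000, 0.5),
    Control("Security awareness training", "Human error", 8_000, 0.5),
    Control("Spare hardware pool", "Hardware and software failures", 20_000, 0.8),
    Control("Legacy system replacement", "Technical obsolescence", 15_000, 0.9),
]

if __name__ == "__main__":
    for mode in (True, False):
        label = "priority first" if mode else "net benefit only"
        print(label, allocate(THREATS, CONTROLS, 45_000, priority_first=mode))
```

With the constructed figures, priority-first allocation funds the internal sabotage control ahead of awareness training even though training has the larger net benefit, which is the trade-off a purely cost-benefit ranking reverses.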


This study lays the basis for additional explorations in enterprise IT security. The percentage statistical tool was used to explore the risk analysis process and asset distribution. The findings are consistent with several works in the literature on the influence of policy effectiveness (Dawson & Thomson, 2018; Tweneboah-Koduah & Buchanan, 2018; Sidi et al., 2017). The results show that policy knowledge plays a significant role in asset deployment. Security infrastructures can be prioritized based on the threat assessment. Thus, the methods of risk analysis used to allocate security resources are directly proportional to the perceptions of enterprise risk effectiveness and threat significance.

Enterprise risk management (ERM) is a form of risk analysis conducted to reduce the effects of data security attacks. With the number of risks involved in IT security, companies must select which resources are critical to the business’s survival. Decisions to balance risk factors must be approved to secure the investment. Such choices include risk analysis and control, meeting legal requirements, or preventing lawsuits against clients. The information security policy includes comprehensive plans and processes for risk analysis and security resource allocation.

Limitations of the Study

This analysis investigated IT professionals who hold the CISSP certification. By focusing solely on those specialists, this research may have disregarded information security experts with relevant knowledge. Some organizations create IT security frameworks with no CISSP-certified employee. Some ministries may not require a certified employee, while others may design their own program for such investigation. Secondly, the study population was broad, which created issues in data collection. Future research might have to concentrate on a particular industry, since each organization has its own threat assessment. The sample size limited the broader investigation of the qualitative data (Aspers & Corte, 2019). Future analysis must create techniques to gather information from IT professionals in sufficient quantity to offer a broader perspective on the study area.

Implications for Research and Practice

Investigations into a company’s data security system are invasive. Researchers must find innovative approaches to boost the confidence of wary participants and encourage them to provide valid and confidential information. Managers who are interested in protecting their company’s data infrastructure must create a comprehensive enterprise risk analysis. With a collaborative effort, data security professionals can maintain procedures that identify vulnerabilities, protect the firm’s resources, and create a comprehensive security policy.

Guidelines for Future Research

This research contributes to the restricted information on enterprise IT security. The ERM procedure was researched across several businesses. This analysis gave insight into the ERM process by using various data collection procedures. This analysis investigated the process of risk analysis and asset distribution. Future studies will be required to ensure that investments use the most effective ERM. Future research might have to concentrate on a particular industry since each organization has its threat assessment.


Agrafiotis, I., Nurse, J. R. C., Goldsmith, M., Creese, S., & Upton, D. (2018). A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate. Journal of Cybersecurity, 4(1), 1-15. Web.

Amini, A., & Jamil, N. (2018). A comprehensive review of existing risk assessment models in cloud computing. Journal of Physics: Conference Series, 1018(1), 1-10. Web.

Aspers, P., & Corte, U. (2019). What is qualitative in qualitative research. Qualitative Sociology, 42(2), 139-160. Web.

Braumann, E. (2018). Analyzing the role of risk awareness in enterprise risk management. Journal of Management Accounting Research, 30(2), 241-268. Web.

Dawson, J., & Thomson, R. (2018). The future cybersecurity workforce: Going beyond technical skills for successful cyber performance. Frontiers in Psychology, 9(1), 1-12. Web.

King, Z. M., Henshel, D. S., Flora, L., Cains, M. G., Hoffman, B., & Sample, C. (2018). Characterizing and measuring maliciousness for cybersecurity risk assessment. Frontiers in Psychology, 9(1), 1-19. Web.

Lykou, G., Anagnostopoulou, A., & Gritzalis, D. (2018). Smart airport cybersecurity: Threat mitigation and cyber resilience controls. Sensors, 19(1), 19. Web.

Radanliev, P., De Roure, D. C., Nicolescu, R., Huth, M., Montalvo, R. M., Cannady, S., & Burnap, P. (2018). Future developments in cyber risk assessment for the internet of things. Computers in Industry, 102(1), 14-22. Web.

Ryutov, T., Sintov, N., Zhao, M., & John, R. S. (2017). Predicting information security policy compliance intentions and behavior for six employee-based risks. Journal of Information Privacy and Security, 13(4), 260–281. Web.

Sidi, F., Daud, M., Ahmad, S., Zainuddin, N., Anneisa Abdullah, S., Jabar, M. A., … Ramadzan Hairani, S. (2017). Towards an enhancement of organizational information security through threat factor profiling (TFP) model. Journal of Physics: Conference Series, 892(1), 1-9. Web.

Tweneboah-Koduah, S., & Buchanan, W. J. (2018). Security risk assessment of critical infrastructure systems: A comparative study. The Computer Journal, 61(9), 1389-1406. Web.

Wangen, G., Hallstensen, C., & Snekkenes, E. (2018). A framework for estimating information security risk assessment method completeness: Core unified risk framework, CURF. International Journal of Information Security, 17(6), 681-699. Web.

StudyCorgi. (2021, August 13). IT Enterprise Risk Management. Retrieved from