CHAPTER 14 IT Risk Analysis and Risk Management


This chapter integrates most of the concepts discussed in previous chapters into an overall framework to deal with information security. The previous chapters have taken a bottom-up approach to security, discussing individual concepts in detail. This chapter takes a top-down approach, beginning with the concerns of society and top management as they relate to information security. These constituencies are less concerned with the technology and more interested in minimizing the economic impacts of information security. The phrase “IT risk management” organizes all issues associated with information security, utilizing inputs from both management and technology experts.

Issues important to top management typically receive a lot of attention from many quarters. Since top management cares about risk management,1 a number of popular IT risk-management frameworks have emerged. We provide a quick tour of these frameworks. We then distill ideas from them to create a risk-management framework that is consistent with the standard frameworks we have used for other related concepts in earlier chapters. At the end of this chapter, you should know:

  • The relevance of risk management to top management
  • IT risk-management frameworks
  • Risk analysis – identification and assessment
  • Risk management – mitigation, preparation, and response


Risk is a quantitative measure of the potential damage caused by a specified threat ...
