What is the role of risk management in information security?


A potential role of Risk Management in Information Security may be as Stewart and Tittel’s CISSP study guide says on the topic of Auditing:

“Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Secure IT environments rely heavily on auditing. Overall, auditing is the primary type of detective control used in a secure environment.” (Stewart, James M., Tittel, Ed 2011-01-14, p. 464).

While auditing may be considered a sub-topic within risk analysis and management, this quote is very much to the point. The detection of unwarranted and unwanted conditions that could allow a threat to turn into a compromise is a major component of risk management.

The role of Risk Management would appear to be to detect, analyze, and come up with recommended solutions to discovered risks. These solutions could take the form of mitigation, acceptance, or transference, and I would even put forth an additional option: sharing the risk with a partner.

Darril Gibson’s guide to the Security+ certification puts forth the following definition of Risk:

“Risk Assessment: A risk assessment, or risk analysis, is an important task in risk management. It quantifies or qualifies risks based on different values or judgments.” (Gibson, Darril, 2011, Kindle Locations 9767-9769)


How can effective risk management strategies help to strengthen information security? Provide an example to explain your answer.

I believe that a hybrid mixture of Risk Management, one which includes risk quantification and qualification systems, integrated staff training, the inclusion and nurturing of stakeholder relationships, and an arm always connected to the academic research community, can make a huge difference in an organization’s risk profile.

One thing I have started to think about, on reflection of my readings regarding FRAAP and FAIR, is the idea that a Risk Management System itself needs auditing to see what’s working and what’s not working.

What’s exciting, and a challenge at the same time, I believe, is how new all these technologies are. Being 49 this month, I remember the days of no Internet, no computers, no cell phones, and no beepers. When we advance at such an incredibly rapid pace as a society, our ability to understand how to use the technology and manage the associated risk can sometimes be a challenge.

I am excited to be part of Excelsior Security Group, of which I am a founding member, because I believe it’s out of environments like this one that the future Cyber Security leaders will come. I was at a talk by CERT’s Christopher May recently, and he discussed how important every one of us is in the daily battle of cybersecurity.

Here’s to working together, and to great things coming out of our shared Internet experiences.


Ali, Shakeel; Heriyanto, Tedi (2011). BackTrack 4: Assuring Security by Penetration Testing.

Stewart, James M.; Tittel, Ed (2011-01-14). CISSP: Certified Information Systems Security Professional Study Guide (p. 464). Wiley. Kindle Edition.

Gibson, Darril (2011-11-10). CompTIA Security+: Get Certified Get Ahead: SY0-301 Study