IT Risk
Most IT risk discussions focus narrowly on IT security, yet modern business processes depend heavily on IT, and risk management is a critical corporate governance concern that extends well beyond security.
Definitions
- ISO/IEC 13335-1:2005: The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of an event and its consequence.
- NIST: The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur.
- FAIR: Risk is the probable frequency and probable magnitude of future loss.
Practical Example
Consider system patches or upgrades that cause employee productivity loss: a self-inflicted denial of service that is often more likely than an external hacker attack.
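The definitions above all reduce risk to a combination of event frequency and loss magnitude. The following added example (not part of the original page) puts constructed figures on the patch-outage scenario and on an external attack, computes the FAIR-style expected annual loss for each, and runs a small Monte Carlo simulation to show the loss distribution; the event rates, loss figures and lognormal magnitude spread are assumptions chosen for illustration.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """A FAIR-style loss scenario: how often a loss event occurs and what it costs."""
    name: str
    events_per_year: float   # probable loss event frequency (LEF)
    loss_per_event: float    # probable loss magnitude per event (mean, currency units)
    magnitude_spread: float  # sigma of a lognormal magnitude distribution (assumption)


def expected_annual_loss(s: Scenario) -> float:
    """Point estimate: frequency x magnitude, the 'combination' in the ISO/NIST definitions."""
    return s.events_per_year * s.loss_per_event


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(s: Scenario, years: int = 10000, seed: int = 1) -> list:
    """Monte Carlo: sample each year's event count and per-event losses, `years` times."""
    rng = random.Random(seed)
    # Parametrise the lognormal so its mean equals loss_per_event: mu = ln(mean) - sigma^2/2
    mu = math.log(s.loss_per_event) - s.magnitude_spread ** 2 / 2
    return [sum(rng.lognormvariate(mu, s.magnitude_spread)
                for _ in range(_poisson(rng, s.events_per_year)))
            for _ in range(years)]


def percentile(samples: list, q: float) -> float:
    """Empirical q-quantile (0 <= q < 1) of the simulated annual losses."""
    ordered = sorted(samples)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


# Constructed figures, not from the page: a monthly patch window costing two hours of
# staff productivity versus a rare but expensive external compromise.
PATCH_OUTAGE = Scenario("self-inflicted patch outage", 12.0, 5_000.0, 0.5)
EXTERNAL_ATTACK = Scenario("external attack", 0.1, 400_000.0, 1.0)

if __name__ == "__main__":
    for s in (PATCH_OUTAGE, EXTERNAL_ATTACK):
        losses = simulate_annual_loss(s)
        print(f"{s.name:28s} EAL={expected_annual_loss(s):>9,.0f}  "
              f"mean={sum(losses) / len(losses):>9,.0f}  p95={percentile(losses, 0.95):>9,.0f}")
```

With these assumed figures the frequent, low-magnitude patch outage carries the larger expected annual loss, while the attack scenario has a median annual loss of zero but a far heavier tail, which is why both the expected value and a high percentile belong in the assessment.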
Risk Landscape
Organizations classify IT risks by the assets exposed (project goals, service continuity, reputation) or by the nature of the threat (external, internal, deliberate, unintentional). Human error typically causes more IT business interruptions than malicious attacks, yet risk assessments still devote a disproportionate share of attention to security risks.
Risk Perception
Based on Bruce Schneier's analysis, common cognitive biases in risk assessment include:
- Over-reaction to intentional actions; under-reaction to accidents
- Moral offense reactions versus business value assessment
- Immediate threat focus over long-term threats
- Under-reaction to gradual changes (drifting into failure)