Statistics Based Information Security Risk Management Methodology

On the one hand organizations are confronted with increasing sophistication, severity and number of threats and on the other hand organizations are getting even more dependent on IT which is rapidly changing with introduction of new technologies such as outsourcing, cloud, mobility and social media. Traditional risk management methodologies are proving ineffective in addressing these risks and in keeping pace with the complexity and dynamically changing IT environment. In such a situation, there is a need for an effective Risk Management methodology that can address diverse kinds of risks and leverage data from within the organization to analyze risks scientifically rather than through primitive and subjective methods based on rudimentary calculations. This paper presents a methodology which addresses these issues. Adapting from Medical and Finance fields, this methodology has generated information security risk indicators for the IT environment. These Risk Indicators are observed over a period of time leading to data driven factual process that inspires greater confidence among stakeholders. Drawing inspiration once again from the fields of medicine and finance, this methodology has conducted risk analysis statistically using second generation statistical technique Structured Equation Modeling ( SEM). The methodology provides a prediction model that predicts future risks scientifically. The Relative Risk Benchmark that this methodology has developed improves decision making when organizations need to prioritize risks, by providing a scientifically generated contribution of each risk towards the negative impact that organization faces. The path breaking information security risk management methodology cuts costs by enabling organizations to focus efforts and resources only on the risks that matter. This methodology inspires greater confidence in the results of the risk assessment since risks are assessed scientifically thus removing assessor bias while reducing the dependence of risk assessments on expert judgment.