The scientific study of risk, the potential realization of undesirable consequences from hazards arising from a possible event, the assessment of the acceptability of the risks, and the management of unacceptable risks. For example, the probability of contracting lung cancer (unwanted consequence) is a risk caused by carcinogens (hazards) contained in second-hand tobacco smoke (event). The risk is estimated using scientific methods and then the acceptability of that risk is assessed by public health officials. Risk management is the term for the systematic analysis and control of risk, such as prohibiting smoking in public places. Risks are caused by exposure to hazards. Sudden hazards are referred to as acute (for example, a flash flood caused by heavy rains); prolonged hazards are referred to as chronic (for example, carcinogens in second-hand tobacco smoke and polluted air).
The definition of risk contains two components: the probability of an undesirable consequence of an event and the seriousness of that consequence. In the example of a flash flood, risk can be defined as the probability of having a flood of a given magnitude. Sometimes the probability is expressed as a return period, which means, for instance, that a flood of a specified magnitude is expected to occur once every 100 years. The scope of a flood can be expressed as the level or stage of a river, or the dollar amount of property damage.
Most human activities involve risk. The risk of driving, for example, can be subdivided according to property damage, human injuries, fatalities, and harm to the environment. Even the stress and lack of exercise due to driving create health risks. Although risk pervades modern society and is widely acknowledged, it continues to cause unending controversy and debate.
Risk estimates are seldom accurate to even two orders of magnitude, and widely varying perceptions of risk by different interest groups can add confusion and conflict to the risk management process. Environmental risk assessment is laden with uncertainty, particularly with respect to the quantification of chemical emissions; the nature of contaminant transport (such as the region over which a chemical may spread and the velocity of movement) in the water, air, and soil; the type of exposure pathway (such as inhalation, ingestion, and dermal contact); the effects on people based on dose-response studies (which are extrapolated from animals); ecological impacts; and so forth.
Thousands of natural and other hazards are subjected to the statistical analysis of mortality and morbidity data. Society selects a small number of risks to manage, but often some high risks (such as radon in houses) may not be managed, while some low risks (such as movement of dangerous goods) may be selected for management. Management alternatives include banning of the hazard (drugs), regulating the hazard (drivers' tests and licensing), controlling the release and exposure of hazardous materials, treatment after exposure, and penalties for damages. Each management alternative may be analyzed to estimate the impact on risk.
Risk estimates are uncertain, are described in technical language, and are outside the general understanding or experience of most people. Perception plays a crucial role, tending to exaggerate the significance, for example, of risks that are involuntary, catastrophic, or newsworthy. Effective risk management therefore requires effective risk communication.
Risk assessment is the evaluation of the relative importance of an estimated risk with respect to other risks faced by the population, the benefits of the activity that is the source of the risk, and the costs of managing the risk. For risks due to long-term exposure to chemicals, the risk assessment activity generally incorporates the estimation of the response of people to the exposure (that is, risk analysis is a part of risk assessment). The methods used include studies on animals, exposure of tissues, and epidemiology.
Risk With Respect To Information Systems?
Risk is the potential harm that may arise from some current process or from some future event. Risk is present in every aspect of our lives, and many different disciplines focus on risk as it applies to them. From the IT security perspective, risk management is the process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity or availability of an information system. IT security risk is the harm to a process or the related information resulting from some purposeful or accidental event that negatively impacts the process or the related information.
Why Is It Important to Manage Risk? The principal reason for managing risk in an organization is to protect the mission and assets of the organization. Therefore, risk management must be a management function rather than a technical function. It is vital to manage risks to systems. Understanding risk, and in particular understanding the specific risks to a system, allows the system owner to protect the information system commensurate with its value to the organization. The fact is that all organizations have limited resources, and risk can never be reduced to zero. So, understanding risk, especially the magnitude of the risk, allows organizations to prioritize scarce resources.
How Is Risk Assessed? Risk is assessed by identifying threats and vulnerabilities, then determining the likelihood and impact for each risk. It’s easy, right? Unfortunately, risk assessment is a complex undertaking, usually based on imperfect information. There are many methodologies aimed at allowing risk assessment to be repeatable and give consistent results.
How Is Risk Managed? Recall that the purpose of assessing risk is to assist management in determining where to direct resources. There are four basic strategies for managing risk: mitigation, transference, acceptance and avoidance. Each will be discussed below. For each risk in the risk assessment report, a risk management strategy must be devised that reduces the risk to an acceptable level for an acceptable cost. For each risk management strategy, the cost associated with the strategy and the basic steps for achieving the strategy (known as the Plan Of Action & Milestones or POAM) must also be determined.
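The assessment and management steps just described (score each threat/vulnerability pair by likelihood and impact, rank the results, then pick for each risk the strategy that reaches an acceptable level at an acceptable cost within a limited budget) can be worked through in a small risk register. The following is an added illustration, not code from the original text; the 1-to-5 scales, the acceptable-risk threshold, the sample risks, the candidate strategies and their costs are all constructed.

```python
from dataclasses import dataclass

ACCEPTABLE_RISK = 6  # constructed threshold on the 1..25 likelihood*impact scale

@dataclass
class Risk:
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed ordinal scale
    impact: int      # 1 (negligible) .. 5 (severe); assumed ordinal scale

    def score(self):
        return self.likelihood * self.impact

@dataclass
class Strategy:
    kind: str    # mitigation | transference | acceptance | avoidance
    cost: float  # constructed cost of carrying the strategy out
    residual_likelihood: int
    residual_impact: int

    def residual(self):
        return self.residual_likelihood * self.residual_impact

def build_plan(register, options, budget):
    """Rank risks by likelihood*impact, highest first; for each one above the
    acceptable level take the cheapest option that reaches that level within the
    remaining budget, else record acceptance (residual unchanged, cost 0)."""
    plan = []
    for risk in sorted(register, key=lambda r: r.score(), reverse=True):
        feasible = [s for s in options.get(risk.threat, [])
                    if s.residual() <= ACCEPTABLE_RISK and s.cost <= budget]
        if risk.score() <= ACCEPTABLE_RISK or not feasible:
            chosen = Strategy("acceptance", 0.0, risk.likelihood, risk.impact)
        else:
            chosen = min(feasible, key=lambda s: s.cost)
        budget -= chosen.cost
        plan.append({"threat": risk.threat, "strategy": chosen.kind, "cost": chosen.cost,
                     "residual": chosen.residual(), "acceptable": chosen.residual() <= ACCEPTABLE_RISK})
    return plan

# Constructed sample register and candidate strategies (not from the original text).
REGISTER = [Risk("ransomware", "unpatched file server", 4, 5),
            Risk("laptop theft", "unencrypted disk", 3, 4),
            Risk("website defacement", "outdated CMS plugin", 2, 2)]
OPTIONS = {"ransomware": [Strategy("mitigation", 20000, 2, 2),    # patching + tested backups
                          Strategy("transference", 15000, 4, 2),  # insurance: residual 8, too high
                          Strategy("avoidance", 50000, 1, 1)],    # retire the server
           "laptop theft": [Strategy("mitigation", 2000, 3, 1),   # full-disk encryption
                            Strategy("transference", 4000, 3, 2)]}  # device insurance
```

An entry whose `acceptable` flag is false is a risk the budget could not bring to the acceptable level; it is recorded as accepted only so that the plan of action and milestones shows it explicitly rather than silently dropping it.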
Successful and effective risk management is the basis of successful and effective IT security. Due to the reality of limited resources and nearly unlimited threats, a reasonable decision must be made concerning the allocation of resources to protect systems. Risk management practices allow the organization to protect information and business processes commensurate with their value. To ensure the maximum value of risk management, it must be consistent and repeatable, while focusing on measurable reductions in risk. Establishing and utilizing an effective, high-quality risk management process and basing the information security activities of the organization on this process will lead to an effective information security program in the organization.