The risk of everyday life, from crossing the street against the light to getting on an airplane, is well understood. But when it comes to assessing risk at the corporate level, ignorance is often bliss.
In the post-9/11 world, the concept of risk assessment was a top priority. But to some extent, corporate complacency has resurfaced.
“I think 9/11 had its impact, but being Canadians, I think we still think we are somewhat immune to those issues,” said Bryce Mitchell, executive vice-president of sales with Securac Inc. in Toronto.
The economic slowdown in 2002 didn’t help, Mitchell added. But on the plus side, Mitchell said he is hearing corporate rumblings about the security portion of Canadian IT budgets making a comeback. Risk- and security-related budgets are up three to five times in large corporate Canada, and “2003 seems like a better year,” Mitchell said.
IT risk assessment traditionally looks at all possible scenarios involving the loss, damage, inaccessibility (for example, due to a server being down) or theft of information. The risk is expressed as a dollar value, calculated by multiplying the value of the data by the likelihood of its loss or destruction. Though the process can sometimes be done in a matter of days, it usually takes weeks.
Today almost all companies are behind the proverbial eight ball. “I would say that we are further along than we were but we are nowhere near where we need to be,” said Michael Rasmussen, director of research, information security with Giga Information Group Inc. in Chicago.
Certain industries are more mature in their approach to risk assessment. The insurance and financial industries are at the top of the list, Rasmussen said.
But “they are the most paranoid,” said Dan McLean, research analyst with IDC Canada Ltd. in Toronto. Nevertheless, McLean agreed that the vast majority of Canadian companies are doing little in the way of implementing a corporate-wide risk management and assessment system.
Part of the problem lies in the process of accurately assessing risk for a specific company. Most risk assessment is not as tangible as the risk of flying in a plane.
Software exists to help with the risk assessment process, and industry data is available on certain types of cybercrime. But how well that data fits a given company is still up for debate.
“I think those kinds of products are designed to give companies a sense of what is at stake,” McLean said. “But…if I were a large company, a large bank, I wouldn’t necessarily base what I do around risk by a software solution where I plug in a bunch of numbers.”
The key to properly assessing risk and vulnerability is to define behaviour within a company, he said. “To me…it is much more a behaviour question than it is a technical question.”
Another problem, McLean pointed out, is that far too often discussions about security become discussions about technology. “It kind of misses the point; the real vulnerability is around how people behave.”