Information Security and Risk Management Project - [University Name]

Added on  2020/03/04

AI Summary
This project delves into the critical aspects of information security and risk management, examining the necessity of balancing qualitative and quantitative risk assessments to comprehensively address potential threats. The project highlights the importance of these assessments in identifying, evaluating, and mitigating risks, especially for small and medium enterprises (SMEs). It emphasizes the vulnerability of SMEs to cyber-attacks and the need for proactive strategies, including risk identification, analysis, and mitigation plans. The project underscores the significance of employee education, software updates, and implementing backup systems to ensure effective information security. Furthermore, it provides a detailed analysis of effective information security and risk management strategies, offering practical solutions to minimize risks and achieve organizational objectives. The project also explores the benefits of integrating both assessment techniques to cover a wide range of potential disasters and providing comprehensive reports that cover the possible sources of risk at all levels. The project concludes by advocating for increased investment in information security to improve business operations, emphasizing the importance of a strong defense mechanism and effective risk management for SMEs.
Information Security & Risk Management 1
Information Security and Risk Management Project By
Student’s Name
Name of the Professor
Institutional Affiliation
City/State
Year/Month/Day
Q.1 The Need to Balance the Qualitative and Quantitative Assessments in Risk Management
In the current world, projects of all kinds are developing rapidly, which has increased the concern of every organization to put in place measures that minimize risk and hence achieve the desired objectives. The best strategy for handling this is to balance qualitative and quantitative risk assessments. Whereas qualitative assessment aims at assessing the priority and the impact of the risks that may affect project objectives, the quantitative approach focuses mainly on numerically analyzing the effect of identified risks on the overall objectives (Coleman and Marks, 1999).
There is a great need to balance the two approaches to risk assessment in an investment project so as to comprehensively cover the associated risks. By balancing both assessments, one is able to identify several risks under normal conditions.
Balancing the qualitative and quantitative assessments is also important because it predetermines possible disaster situations with a lot of insight (Han and Weng, 2010). This assists the concerned organization in taking the necessary steps of a recovery plan in advance. When both assessment techniques are used together, listing the possible disasters is usually an easy task, because the team is able to come up with a comprehensive report that covers almost all the possible sources of risk at all levels. Additionally, the qualitative and quantitative assessments together help to cover all kinds of disasters while working on a project.
Integrating qualitative and quantitative assessments greatly helps when a disaster does happen, as it assists in evaluating the extent of the damage caused (Finch, 2004). In such a scenario, it is easier to plan the recovery process and to put in place measures to curb such events in future.
These assessments may also give insurance companies a comprehensive basis for compensation cases.
Besides, putting much focus on qualitative assessment alongside quantitative assessment is beneficial when it comes to eliminating barriers that would otherwise prevent an organization from running effectively towards its goals (Steinbach et al., 2009). This is ensured by making sure everything is in its rightful place before commencing the operational phase of a project or organization. When such barriers are eliminated, productivity improves and the quality of work output is higher as well. In cases where qualitative and quantitative assessments were not properly done together, time and resource wastage are usually more frequent. For instance, when employees have to deal with defective tools and equipment as a result of a failure in planning, they waste a lot of time fixing them (Smit and Watkins, 2012). As such, the company will lose resources and time and will not achieve optimal productivity.
Moreover, the workers in a company or organization are usually entitled to a safe working environment. This is normally achieved by foreseeing future events that may deny the workers this right. Therefore, the best way to handle such events is to incorporate not only qualitative risk assessment but also quantitative. In such a safe environment, workers will remain committed and happier (Nilsson, 2008), which will result in a boost in the company's production.
There is also a great need to integrate both qualitative and quantitative risk assessments, especially when it comes to identifying high-risk areas in an organization. Such areas are usually difficult to identify when only one risk assessment is used. Hence, integrating the two not only helps in highlighting the highest-risk areas in the organization's project but also increases confidence among the team in the overall project execution plan. Typically, this
assists the project management team in focusing and concentrating some of the resources where the most attention is required.
Generally, both risk assessment techniques pay great attention to the mitigation of future disasters. Once the list of risky areas has been identified with the two techniques, the project team collectively reviews the risks and arrives at a rational decision on the best-suited mitigation plan. Moreover, the model provides a platform which the project planner can use to analyze the impact of the mitigation plans and therefore provide ongoing monitoring plans to analyze future changes.
By balancing the two risk assessments, it is usually possible to come up with concrete data by combining figures, comparing data and examining the rate of change, among other methods. In addition, it is also possible to process the relevant information in a systematic way so as to produce trend extrapolations and other forecasts (Yonas and Pindzola, 1998). Further, the balancing allows for comparison across various scales of development under different circumstances, for instance estimating the number of people in different areas who stand a risk of getting a disease or are susceptible to a given risk. Such comparison can be very important during the decision-making process for mitigation.
Conclusion
Whereas qualitative assessment involves careful analysis of each risk to determine its probability and consequences, quantitative assessment focuses on the filtered risks that are high in impact or probability, analyzes them for proper risk analysis and deals mostly with numerical values (Love and Burn, 2005). However, the two assessments need to be implemented hand in hand so as to achieve the desired outcome.
References
Coleman, M.E. and Marks, H.M., 1999. Qualitative and quantitative risk assessment. Food
Control, 10(4), pp.289-297.
Han, Z.Y. and Weng, W.G., 2010. An integrated quantitative risk analysis method for natural gas
pipeline network. Journal of Loss Prevention in the Process Industries, 23(3),
pp.428-436.
Love, P.E., Irani, Z., Standing, C., Lin, C. and Burn, J.M., 2005. The enigma of evaluation:
benefits, costs and risks of IT in Australian small–medium-sized enterprises. Information
& Management, 42(7), pp.947-964.
Nilsson, R., 2008. A qualitative and quantitative risk assessment of snuff dipping. Regulatory
Toxicology and Pharmacology, 28(1), pp.1-16.
Smit, Y. and Watkins, J.A., 2012. A literature review of small and medium enterprises (SME)
risk management practices in South Africa. African Journal of Business
Management, 6(21), p.6324.
Steinbach, S., Hummel, T., Böhner, C., Berktold, S., Hundt, W., Kriner, M., Heinrich, P.,
Sommer, H., Hanusch, C., Prechtl, A. and Schmidt, B., 2009. Qualitative and
quantitative assessment of taste and smell changes in patients undergoing
chemotherapy for breast cancer or gynecologic malignancies. Journal of Clinical
Oncology, 27(11), pp.1899-1905.
Yonas, H., Pindzola, R.R., Meltzer, C.C., Meltzer, C.C. and Sasser, H., 1998. Qualitative
versus quantitative assessment of cerebrovascular reserves. Neurosurgery, 42(5),
pp.1005-1010.
Q.2 Effective Information Security & Risk Management Strategy for Small & Medium Enterprises
Uncertainty and risks are continuously growing due to the increasingly dynamic, complex and interrelated economy, alongside increased threats to information security and risk management. Over the recent past this situation has been seen to affect both small and medium businesses. However, small-scale businesses do not usually give as high a priority to information security as big and established businesses do.
One of the greatest information security risks that small and medium enterprises face is being prone to cyber-attacks. Small businesses are usually unaware of the risk presented by poor information security. Social media, for instance, is normally vulnerable to viruses and malware (Nilsson, 2008), because it depends solely on user-generated content. By just clicking on content on social media, small-scale business people are subjected to the risk of being infected with malware. Besides the cookies that are attached to websites, there are also add-ons which may be prone to malware infection. However, small business enterprises mostly do not formalize their security policies since they do not normally accept the risk posed. Therefore, they need to understand the importance of information security, as it helps a lot in running the business without incurring much cost (Haimes, 2015).
Today, different small-scale organizations are continuously working on plans to handle information security and effective risk management procedures within their business. Cyber-attacks have increased, and hence the task of securing information has become the center of attention for most small and medium businesses. Yet the importance of developing an information security strategy is in most cases ignored. An information security strategy serves as a
guideline for establishing security practices that can be implemented to solve future challenges affecting small enterprises. The strategy assists organizations in achieving both short- and long-term objectives. As the threat becomes worse, the small enterprises that depend mainly on the internet continue to incur losses, and this therefore becomes their focus. Small and medium enterprises are usually at risk when it comes to information security simply because they often lack the personnel and financial resources that would help them implement website security protection measures (Klipper, 2011). Therefore, for effective and efficient information security to prevail, small and medium enterprise owners need to be proactive and invest in security so as to build a strong defense mechanism.
On the other hand, risk management is necessary for small and medium enterprises as it assists in identifying, assessing and controlling the risks imposed by information insecurity. These risks may originate from diverse sources, including financial uncertainty, accidents, disasters and IT-related threats (Zhang and Zhang, 2010). However, modern, digitized companies have continued to devise methods to eliminate the majority of these threats, including cyber-attacks and data-related risks. This has been achieved by identifying and controlling threats to digital assets such as proprietary data, customer identifiable information and intellectual property. Moreover, several companies have come up with strategies to help solve the issue of information insecurity for small and medium enterprises.
At first, there should be risk identification techniques (Peltier, 2005). Here, the potential risks that have a negative impact on the enterprise's operation are noted. This is followed by a thorough risk analysis once the specific risks have been identified: the odds of each risk, as well as its consequences, are determined so as to know the extent to which it would affect the small and medium enterprise's objectives. Thereafter, the risk is assessed and evaluated to determine the
general likelihood of future occurrence, and a decision on whether the risk is acceptable is derived (Catteddu, 2010). Then, the possible measures for mitigation are formulated. The threat is eliminated and a subsequent follow-up and monitoring plan is implemented. With this strategy in place, all small and medium-sized enterprises will have leeway towards the solution of information security. Also, small-scale business people should always consider installing backups, which are essential for effective information security (Anderson, 2001). Any mismanagement or mishandling of these backups may leave them exposed or susceptible to attacks, which could negatively affect operations. Moreover, small and medium business people should consider educating their employees on matters pertaining to cyber security; by doing this, they are able to achieve maximum protection and effective information security (Von, 2005). In addition, they should develop a habit of continuously updating their software so as to counteract changing malware.
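As an added example that is not part of the original essay, the following Python risk register puts the identification, analysis, evaluation, mitigation and monitoring steps described above into practice while applying both assessment techniques from Q.1: each risk gets a qualitative score (likelihood band times impact band) and a quantitative expected annual loss, is flagged as unacceptable if either view exceeds its threshold, is ranked for mitigation, and can be re-evaluated as residual risk after a control. The register entries, bands, thresholds and monetary figures are constructed for illustration, not measured values.

```python
"""Risk register scored both qualitatively (likelihood x impact bands) and
quantitatively (expected annual loss), then ranked and checked for acceptability."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int            # qualitative band 1 (rare) .. 5 (almost certain)
    impact: int                # qualitative band 1 (negligible) .. 5 (severe)
    annual_probability: float  # quantitative: expected occurrences per year
    loss_per_event: float      # quantitative: cost per occurrence (currency units)

    def qualitative_score(self) -> int:
        return self.likelihood * self.impact

    def expected_annual_loss(self) -> float:
        return self.annual_probability * self.loss_per_event

# Constructed register for a hypothetical SME; all figures are illustrative.
REGISTER = [
    Risk("Malware via social media content", 4, 4, 1.5, 8000.0),
    Risk("Mishandled backup media exposed", 2, 5, 0.2, 40000.0),
    Risk("Unpatched software exploited", 3, 3, 0.5, 3000.0),
    Risk("Malicious browser add-on", 3, 2, 1.0, 2000.0),
]

def evaluate(risks, qual_threshold=12, loss_threshold=5000.0):
    """Rank risks; a risk is unacceptable if EITHER view exceeds its threshold,
    so each technique can catch what the other under-rates."""
    rows = []
    for r in risks:
        flags = []
        if r.qualitative_score() >= qual_threshold:
            flags.append("qualitative")
        if r.expected_annual_loss() >= loss_threshold:
            flags.append("quantitative")
        rows.append({"name": r.name, "score": r.qualitative_score(),
                     "eal": r.expected_annual_loss(), "flagged_by": flags,
                     "acceptable": not flags})
    # Unacceptable risks first, then by expected annual loss, so effort goes where needed.
    rows.sort(key=lambda row: (row["acceptable"], -row["eal"]))
    return rows

def with_control(risk, probability_factor):
    """Residual risk after a mitigation that scales occurrence probability and
    lowers the qualitative likelihood band by one (never below 1), for re-evaluation."""
    return replace(risk, likelihood=max(1, risk.likelihood - 1),
                   annual_probability=risk.annual_probability * probability_factor)

if __name__ == "__main__":
    for row in evaluate(REGISTER):
        verdict = "ACCEPT" if row["acceptable"] else "MITIGATE " + "+".join(row["flagged_by"])
        print(f"{row['name']:<36} score={row['score']:>2} eal={row['eal']:>8.0f} {verdict}")
```

The backup-media risk scores below the qualitative threshold yet is flagged by its expected annual loss, which is the case for using the two assessments together; after a control that quarters its probability it drops to acceptable.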
Conclusion
The majority of small and medium enterprises ignore the risks associated with information security. This, however, has been one of the drawbacks to achieving their objectives in one way or another. Therefore, they need to invest in the sector if they want an improvement. With the above-stipulated strategies, small and medium enterprises stand a better chance of effective information security and assured risk management for their operations.
References
Finch, P., 2004. Supply chain risk management. Supply Chain Management: An International
Journal, 9(2), pp.183-196.
Anderson, R., 2001. Why information security is hard: an economic perspective for small business. In: Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual (pp. 358-365). IEEE.
Catteddu, D., 2010. Cloud computing: benefits, risks and recommendations for information security. In: Web Application Security (p. 17). Springer, Berlin, Heidelberg.
Haimes, Y.Y., 2015. Risk modeling, assessment, and management. John Wiley & Sons.
Klipper, S., 2011. Information Security Risk Management. Vieweg+Teubner Verlag, Wiesbaden.
Peltier, T.R., 2005. Information security risk analysis. CRC Press.
Von Solms, B. and Von Solms, R., 2005. From information security to business security? Computers and Security, 24(4), pp.271-273.
Zhang, X., Wuwong, N., Li, H. and Zhang, X., 2010, June. Information security risk management framework for the cloud computing environments. In: Computer and Information Technology (CIT), 2010 IEEE 10th International Conference on (pp. 1328-1334). IEEE.