Risk Management

Risk is manageable

A phrase often used to describe information security is "risk can't be measured". Although some risk measurements are subjective, it is unreasonable to assume that measurement cannot be achieved. Risk is not a single number; it is something you measure through indicators.

You can, for example, measure:

* The percentage of vendors meeting an organization’s standards,

* A percentage level of compliance to regulations, and

* The number of vulnerabilities present in an environment.

Credit unions must be able to recognize, prioritize and manage risk. Technical staff and management must agree on criteria to measure information security performance, and these measures should be aligned with business goals.

Avoid technical, legal and subject-matter jargon when developing measurement criteria. Measure the services actually rendered. Define goals, strategies and measurements. This facilitates open communication, prudent planning and financial accountability.

These are some common excuses for avoiding risk measurement:

* "Management doesn't understand." Information security covers both technical and physical security concerns. To ensure confidentiality, integrity and availability, you need a solid understanding of technology, law, regulations, risk modeling and physical security. Complex technicalities often make communication between managers and IT staff difficult. The IT staff's challenge is to communicate complex information clearly and simply; management's obligation is to be open to change.

* "Security measurement is for large credit unions only." Incorporating information security risk measurement into an organization's processes requires persistence, time, and sometimes a cultural shift. People can feel threatened, dislike change, and have other social motivations that may slow the process down. Credit unions of any size can benefit from risk measurement. Although it may take some time, persistence pays off when measurements support budget requests or provide valuable return-on-investment data.

* "Security moves too fast." Technology changes at an alarming rate, and many people believe that information security measurement cannot keep up. The problem usually lies in poorly designed measurements. Measurement exists to align corporate strategy with IT, so clearly define the organization's objectives and goals, then measure information security relative to those goals.

Measurements using SMART

Prudent decisions depend on information that is simple, measurable, attainable, repeatable and timely (SMART). Keep information security risk measurements:

* Simple. All parties must understand the objective of each measurement. Create a short list of key performance indicators, avoid legal, technical and other jargon, avoid data overload, and keep your eyes on the specific performance measurements.

* Measurable. Many aspects of security or risk are difficult to quantify. Focus instead on what is easily quantifiable, such as the number and severity of vulnerabilities, or the number and severity of incidents.

* Attainable. Some measurements are direct outputs of existing systems or reports; others require analysis to obtain a value. Make sure your measurement goals can be achieved over time and can be continuously evaluated and maintained at minimal cost.

* Repeatable. To generate useful data you will want to show trends, so make sure the measurements are simple to take over time and easily repeatable.

* Timely. Out-of-date information distorts analysis and directly affects decisions; timeliness often determines the value of data. Measurements must be easy to deliver when required, so aim for maximum automation with minimum manual work. At the outset, communicate clearly and set access rights.
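The three indicators listed earlier (vendors meeting standards, compliance with regulations, vulnerabilities present) and the SMART properties above can be turned into a small, repeatable calculation. The following is an added example written for this page, not code from the article or from any credit union's reporting system; all vendor, control and scan records in it are constructed sample data, and the control and host names are placeholders. It produces a KPI snapshot for two reporting periods and the trend between them, so the same numbers can be regenerated each period without manual work.

```python
"""Repeatable information-security KPIs computed from constructed sample records.

Indicators (from the article): percentage of vendors meeting the organization's
standards, percentage compliance with regulatory controls, and open vulnerabilities
by severity.  Comparing two periods gives the trend the SMART criteria ask for.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability-scanner finding (constructed; fields are assumptions)."""
    host: str
    severity: str   # "critical", "high", "medium" or "low"
    is_open: bool   # False once remediation has been verified


# --- Constructed sample data; vendor, control and host names are placeholders ---
VENDORS = {"VendorA": True, "VendorB": False, "VendorC": True, "VendorD": True}

CONTROLS_Q1 = {"mfa-for-admins": True, "backup-restore-tested": False,
               "annual-vendor-review": True, "critical-patch-within-30d": False}
CONTROLS_Q2 = {"mfa-for-admins": True, "backup-restore-tested": True,
               "annual-vendor-review": True, "critical-patch-within-30d": False}

FINDINGS_Q1 = [
    Finding("web01", "critical", True),
    Finding("web01", "high", True),
    Finding("db01", "high", False),      # already closed in Q1
    Finding("mail01", "medium", True),
    Finding("mail01", "low", True),
]
FINDINGS_Q2 = [
    Finding("web01", "critical", False),  # remediated during Q2
    Finding("web01", "high", True),
    Finding("db01", "high", False),
    Finding("mail01", "medium", True),
    Finding("mail01", "low", True),
    Finding("vpn01", "medium", True),     # new finding in Q2
]


def percent_meeting(records):
    """Percentage of True values in a name->bool mapping, rounded to 0.1."""
    if not records:
        return 0.0
    return round(100.0 * sum(1 for ok in records.values() if ok) / len(records), 1)


def open_vulns_by_severity(findings):
    """Count open findings per severity (missing severities count as 0)."""
    return Counter(f.severity for f in findings if f.is_open)


def kpi_snapshot(vendors, controls, findings):
    """The three article indicators as one plain-language-friendly dict."""
    counts = open_vulns_by_severity(findings)
    return {
        "vendor_compliance_pct": percent_meeting(vendors),
        "regulatory_compliance_pct": percent_meeting(controls),
        "open_vulns_total": sum(counts.values()),
        "open_vulns_critical_high": counts["critical"] + counts["high"],
    }


def trend(previous, current):
    """Per-indicator change from the previous period (positive = increase)."""
    return {k: round(current[k] - previous[k], 1) for k in current}


def report_lines(current, delta):
    """Jargon-free lines suitable for a management summary."""
    return [
        f"Vendors meeting our standards: {current['vendor_compliance_pct']}% "
        f"({delta['vendor_compliance_pct']:+})",
        f"Regulatory controls in place: {current['regulatory_compliance_pct']}% "
        f"({delta['regulatory_compliance_pct']:+})",
        f"Open vulnerabilities: {current['open_vulns_total']} "
        f"({delta['open_vulns_total']:+}), of which critical/high: "
        f"{current['open_vulns_critical_high']} ({delta['open_vulns_critical_high']:+})",
    ]


if __name__ == "__main__":
    q1 = kpi_snapshot(VENDORS, CONTROLS_Q1, FINDINGS_Q1)
    q2 = kpi_snapshot(VENDORS, CONTROLS_Q2, FINDINGS_Q2)
    for line in report_lines(q2, trend(q1, q2)):
        print(line)
```

In practice the dictionaries and finding lists would be exported from the vendor register, the compliance tracker and the scanner on a schedule, which is what makes the indicator attainable and timely; the calculation itself stays the same every period, which is what makes it repeatable.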

Your credit union can assess its own information security performance. Financial metrics, risk models, key performance indicators and other measures all help align information security with your organizational goals and strategies.


We are a team of professionals with each having two decades of experience in start-ups, sales, marketing, finance, HR, large scale project and profit centre management and running mature cross functional operations. At Molw.net we are big believers that knowledge transfer is critical to our industry’s evolution. We love to share our experiences and learnings through our online resources.
