How to do risk analysis in IS


Here are some of my study reports on system risk analysis; I hope they will help you.

Background:

As network technology develops, the role that information systems play in organizations becomes more and more important. At the same time, the problems of information systems are gradually surfacing: their security, integrity, availability and other properties face serious threats, so the managers of an organization have to be more sensitive to the risk management of their information systems and spend more effort on it. For this purpose we need a technique that helps managers deal with these problems, and that is what risk analysis does.


Introduction:

What is risk analysis? It is a step the risk control manager takes during information system planning to find the uncertainties in the plan that could directly or potentially lead to damage or loss. Then, after enough data about the risks has been collected, the next task is to choose the correct approaches to manage them and prevent or reduce the potential damage. So we can divide risk analysis into two parts: one part is risk evaluation, and the other is *risk management.*

Risk:

Before we talk about risk evaluation, we should define what risk is. Risk is an uncertainty or weakness in the organization's projects that may threaten the information system, cause economic loss, or even shut the whole project down. There are many kinds of risk. Here we divide them by their source into natural, human, financial, political and project risks.

  • Natural: a natural risk event is caused by natural forces rather than by people. It may be a natural disaster such as a flood or a heavy storm, or it may be indirect loss caused by the weather.
  • Human: human risk events fall into two groups. One is deliberate, such as a hacker attack, industrial espionage, or other data theft carried out on purpose by a competitor. The other is accidental loss, such as a staff shortage because employees fall ill, or mistakes made during the work.
  • Financial: financial risk shows up as lower income or higher cost than expected. The causes can be many, for instance a rise in the price of raw materials, changes in market supply and demand, errors in economic or trade terms, or the emergence of a serious competitor on the market.
  • Political: when the government changes its policy, it creates political risk; for example, an increased tax means less profit for the organization. Another example is that the supply of important goods may be suspended because of war or civil strife in the importing country, or because the importing country imposes import or foreign exchange controls.
  • Project: caused by changes to the project itself, such as changing its key objectives or stopping it. The project's cost may have exceeded the maximum the organization can afford, or the project may no longer yield enough benefit for the resources spent on it.

Risk evaluation:

Risk evaluation is the part in which we find the risks, determine their level, and find out what causes them. Here are the steps in risk evaluation:

First, we prepare for the evaluation: we discuss the main points of the mission and make the assessment plan. At the same time, every member should understand and define their own responsibilities so that the plan can be implemented smoothly, communication between the different positions should be free of obstacles, and all resources should be allocated to where they are needed.

Next, it is time to research the organization to find the risks. Division managers conduct a risk assessment survey, a questionnaire that helps identify gaps and potential risks. It is developed from experience and from the project type and is sent to the employees; it is the best way to get risk reports from ordinary employees.

  • Checklist analysis:
    Analyse the survey we made before and draw out its key points; in this way we can find the problems in the system that people worry about most.
  • Expert judgement:
    With the data from the survey, the next step is a meeting between the different managers. Apart from the feedback from ordinary employees, risk identification is also done by brainstorming with, or interviewing, experienced project participants, stakeholders and subject matter experts. From this we can find out whether the internal security management is working well and whether anything in it can be improved.
  • Status reports:
    The status reports include project status meeting reports, system status reports, progress reports and quality reports. They give the current project progress, the issues faced and any threshold violations, and so provide insight into the status of the project and potential new risks.
  • Risk database:
    The risk database holds the historical data: the list of risks identified for completed projects. The risk repository can be used to arrive at a list of potential risks for the current project, and it can also be filtered by risk source, category and project.

With the research done, we should have enough data pointing to the risks and the potential risks; all the risks in the information system and the organization have been surfaced, and what we do next is the evaluation proper.

According to the actual situation and the expectations for the information system, we analyse the research results and turn them into numbers according to the importance of each risk, showing how much it can affect the information system: an important risk gets a high number. To do this, we put the results of the various assessments made so far into a matrix, measure the risks and sort them into levels. At the same time we look at the importance of the different parts of the system and decide which parts should be ranked higher. After that we determine the possibility of each risk and how it may affect the information system. The common model for calculating the risk is V = P * I. Here V is the value of the risk, a score that measures it; P is the probability that the risk event happens in the information system; and I is the risk impact, or risk weight, the level of effect the risk would have on the information system. There are many methods for doing the risk evaluation; here we are going to talk about Fault Tree Analysis (FTA).

FTA is a top-down evaluation method. It analyses the human, natural and other causes of a risk, then uses a tree diagram to present the result, linking the security risk of the system with the risks of the other components connected to the information system. The key in this approach is to find the logical relationship between the information system risk and the factors that cause it, in the form of a tree diagram, using the symbols in the diagram to express the abstract logical relationship. First we define the most unwanted event, meaning the worst result the risk can lead to. This event is placed at the root of the tree. Its immediate causes are combined with logic gates: an AND gate when all of the causes must occur together, an OR gate when any one of them is enough. After selecting the root event, all of its causes and their probabilities are analysed. Starting from the root, every time we consider a new cause we add a node to the tree and record the probability of each branch. The probability of the root event is then calculated from the probabilities of the other nodes: for independent causes, an AND gate gives the product of the input probabilities, and an OR gate gives one minus the product of their complements. After the evaluation is done, we need to check whether each risk event lies within the scope that can be accepted.
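As an added example (not part of the original report), here is a small Python implementation of the two ideas above: a fault tree with AND and OR gates whose root probability is computed from the leaf probabilities, assuming the basic events are independent, and the V = P * I score with level thresholds and an acceptance limit. The tree, the probabilities, the impact weights and the thresholds are all constructed for illustration; an organization would calibrate them itself.

```python
"""Fault tree evaluation and V = P * I risk scoring.

Added example; the tree, probabilities, impact weights and thresholds
below are constructed for illustration, not taken from a real assessment.
"""
from dataclasses import dataclass, field
from math import prod


@dataclass
class BasicEvent:
    """Leaf of the fault tree: a cause with an estimated probability
    of occurring during the assessment period (e.g. one year)."""
    name: str
    p: float


@dataclass
class Gate:
    """Intermediate or root event. AND: all inputs must occur;
    OR: any one input is enough."""
    name: str
    kind: str                      # "AND" or "OR"
    inputs: list = field(default_factory=list)


def probability(node) -> float:
    """Probability of a node, assuming the basic events are independent.

    AND gate: product of the input probabilities.
    OR gate:  1 - product of (1 - p) over the inputs.
    """
    if isinstance(node, BasicEvent):
        if not 0.0 <= node.p <= 1.0:
            raise ValueError(f"{node.name}: probability {node.p} out of range")
        return node.p
    if not node.inputs:
        raise ValueError(f"{node.name}: gate has no inputs")
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"{node.name}: unknown gate kind {node.kind!r}")


# Assumed impact weights (I) and level bands on V.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LEVELS = ((0.10, "low"), (0.50, "medium"), (1.00, "high"))   # above 1.00: critical


def risk_value(p: float, impact: int) -> float:
    """V = P * I as in the report: probability times impact weight."""
    if not 0.0 <= p <= 1.0 or impact not in IMPACT.values():
        raise ValueError("p must be in [0, 1] and impact one of the IMPACT weights")
    return p * impact


def risk_level(v: float) -> str:
    """Map a risk value onto the assumed level bands."""
    for upper, label in LEVELS:
        if v < upper:
            return label
    return "critical"


def contributions(gate: Gate) -> list:
    """Probability of each direct input of a gate, highest first, so the
    analyst can see which branch dominates the root event."""
    return sorted(((c.name, probability(c)) for c in gate.inputs),
                  key=lambda pair: pair[1], reverse=True)


def build_example_tree() -> Gate:
    """Constructed root event: the customer database is unavailable for more
    than a day. Two branches need two failures together (AND); one does not."""
    storage = Gate("Primary storage lost and restore fails", "AND", [
        BasicEvent("Disk array failure", 0.05),
        BasicEvent("Backup restore fails", 0.20),
    ])
    site = Gate("Data centre flooded and no failover", "AND", [
        BasicEvent("Flood at data centre", 0.02),
        BasicEvent("Failover site not ready", 0.50),
    ])
    return Gate("Customer database unavailable > 24h", "OR", [
        storage,
        BasicEvent("Ransomware encrypts the database server", 0.04),
        site,
    ])


def assess(top: Gate, impact: int, acceptable: float) -> dict:
    """Full evaluation of a root event: P from the tree, V = P * I,
    the level band, and whether V lies within the accepted limit."""
    p = probability(top)
    v = risk_value(p, impact)
    return {
        "p": p,
        "v": v,
        "level": risk_level(v),
        "accepted": v <= acceptable,
        "branches": contributions(top),
    }


if __name__ == "__main__":
    result = assess(build_example_tree(), IMPACT["severe"], acceptable=0.10)
    print(f"P(root) = {result['p']:.4f}  V = {result['v']:.3f}  "
          f"level = {result['level']}  accepted = {result['accepted']}")
    for name, p in result["branches"]:
        print(f"  {p:.4f}  {name}")
```

The independence assumption is the weak point of this calculation: if two inputs of an AND gate share a cause (the disk array and the backup both depend on the same faulty controller, say), the product understates the branch probability. In practice such a shared cause is modelled as its own basic event that feeds both branches, so the tree does not hide it.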

Risk management

Risk management is the process after risk evaluation: controlling the risks by using the correct methods to reduce the probability of the risk events. It can be divided into three parts: risk avoidance, risk sharing and risk control. To avoid a risk, we simply do not do the things that bring it; once you avoid all the events that bring risk, you avoid the risk. However, when the risk goes, the benefit goes too: by preventing the risk event you also give up whatever you would have gained from it, and in general it is impossible to avoid all risk events. When a risk cannot be avoided, we can try to reduce it, or to reduce the loss if the risk event happens and affects the information system. Risk sharing is another good method: we can share the risk with an insurance company by buying its product, so that when a loss occurs we get some of it back from the insurer and the damage is reduced. The risk can also be shared between different members of the organization. Risk control means choosing the appropriate methods to minimize each kind of risk and the effect it brings, for example by optimizing the management model.


Conclusion

This article introduces the whole process of risk analysis by dividing it into two parts, and discusses for each part the methods for completing risk evaluation and risk management and how they work. Risk is the uncertainty held within the organization; once a risk event happens, it seriously affects the information system. Risk analysis is the right process for evaluating the risk, assessing the scope of the risk event's effect, and finding the right method to reduce the threat to the information system.