As a regional US grocery chain based in a major metropolitan area, FamilyGrocer (name changed) had experienced rapid growth through new store openings and acquisitions. With a focus on supply-chain efficiencies, FamilyGrocer distributes most products to its stores through a warehouse facility that also houses key offices and IT resources. In light of the risk associated with such a consolidated operation, the IT organization received a mandate from its board of directors to formally manage IT-related risk. The mandate specifically called for an initial high-level assessment of IT organizational risk, drawing largely from internal expertise. The board also requested that the IT organization demonstrate an ongoing program to manage risk.
Information risk and security practitioners face a significant problem: a lack of meaningful metrics.
Wouldn’t it be nice to be able to tell senior managers, “The risk that a significant information security incident will happen this month is 9 percent.” Meteorologists have been doing this for many years; however, they are often wrong and the majority of people receiving this information don’t actually understand what it means.
Information risk should be thought of as an uncertainty. Risk can be, and is, quantified using heat maps or risk matrices with green, yellow and red boxes, but these are, at best, informed guesses. Worse, such maps and matrices do not properly reflect the situation of an unthinkable, extremely low-probability event that, if it happened, would have a huge impact.
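The two points above (a probability statement such as "9 percent this month", and a heat map hiding a low-probability, high-impact event) can be shown side by side with a small quantitative model. The following is an added example written for this page, not code from the article or from any organization it describes; the risk register, the probabilities, the loss figures and the band boundaries of the 3x3 heat map are all constructed assumptions, and the monthly figure assumes independent risks with a constant annual rate.

```python
import math

# Constructed risk register for a hypothetical grocery chain. Every figure
# (annual probability, loss if it occurs) is an assumption for this example.
RISKS = [
    # (name, annual probability of occurrence, loss in USD if it occurs)
    ("Ransomware halts the central warehouse", 0.02, 20_000_000),
    ("Store network outage during peak hours", 0.40, 200_000),
    ("Payment terminal skimmer found in a store", 0.20, 300_000),
    ("Phishing leads to a compromised account", 0.50, 50_000),
]

# Assumed band boundaries for a qualitative 3x3 heat map.
LIKELIHOOD_EDGES = (0.05, 0.30)      # < 0.05 low, < 0.30 medium, else high
IMPACT_EDGES = (100_000, 1_000_000)  # < 100k low, < 1M medium, else high
COLOUR_ORDER = {"red": 0, "yellow": 1, "green": 2}


def band(value, edges):
    """Map a value to band index 0 (low), 1 (medium) or 2 (high)."""
    return sum(value >= edge for edge in edges)


def heat_map_colour(prob, loss):
    """Qualitative score = (likelihood band + 1) * (impact band + 1), 1..9,
    coloured the way a typical risk matrix does it."""
    score = (band(prob, LIKELIHOOD_EDGES) + 1) * (band(loss, IMPACT_EDGES) + 1)
    if score <= 2:
        return "green"
    if score <= 4:
        return "yellow"
    return "red"


def annual_loss_expectancy(prob, loss):
    """Quantitative view: expected loss per year from this risk."""
    return prob * loss


def rank_by_heat_map(risks):
    """Names ordered red -> yellow -> green (ties keep register order)."""
    ordered = sorted(risks, key=lambda r: COLOUR_ORDER[heat_map_colour(r[1], r[2])])
    return [name for name, _, _ in ordered]


def rank_by_ale(risks):
    """Names ordered by descending annual loss expectancy."""
    ordered = sorted(risks, key=lambda r: annual_loss_expectancy(r[1], r[2]), reverse=True)
    return [name for name, _, _ in ordered]


def monthly_probability_any(risks):
    """Probability that at least one registered risk materialises in a given
    month. Assumes independent risks, each with a constant rate over the year,
    so P(none in a month) = product((1 - p_i) ** (1/12))."""
    none_this_month = math.prod((1.0 - p) ** (1.0 / 12.0) for _, p, _ in risks)
    return 1.0 - none_this_month


if __name__ == "__main__":
    print(f"{'risk':45} {'heat map':9} {'ALE (USD)':>12}")
    for name, p, loss in RISKS:
        colour = heat_map_colour(p, loss)
        print(f"{name:45} {colour:9} {annual_loss_expectancy(p, loss):>12,.0f}")
    print("\nTop risk by heat map :", rank_by_heat_map(RISKS)[0])
    print("Top risk by ALE      :", rank_by_ale(RISKS)[0])
    print(f"P(at least one incident this month) = {monthly_probability_any(RISKS):.1%}")
```

Run as a script, the table shows the warehouse ransomware scenario landing in a yellow cell (likelihood "low", impact "high") below the red network-outage cell, while its expected annual loss is five times larger than any other entry; the heat map's ordering and the quantitative ordering disagree exactly on the extreme-tail event the text is concerned with. The last line turns the same register into the kind of monthly probability statement the article mentions, which is only as good as the assumed rates and the independence assumption behind it.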