Canadian Companies Reassess Risk Management

The risk of everyday life, from crossing the street against the light to getting on an airplane, is well understood. But when it comes to assessing risk at the corporate level, ignorance is often bliss.

In the post 9/11 world, the concept of risk assessment was a top priority. But to some extent, corporate complacency has re-surfaced.

"I think 9/11 had its impact, but being Canadians, I think we still think we are some what immune to those issues," said Bryce Mitchell, executive vice-president of sales with Securac in Toronto.

The economic slowdown in 2002 didn’t help, Mitchell added. But on the plus side, Mitchell said he is hearing corporate rumblings about the security portion of Canadian IT budgets making a comeback. Risk- and security-related budgets are up three to five times in large corporate Canada, and "2003 seems like a better year," Mitchell said.

IT risk assessment traditionally looks at all possible scenarios involving the loss, damage, inaccessibility (due to a server being down) or theft of information. It is calculated as a dollar value. This is done by multiplying the value of the data times the likelihood of its loss or destruction. Though the process can sometimes be done in a matter of days, it usually takes weeks.

Today almost all companies are behind the proverbial eight ball. "I would say that we are further along than we were but we are nowhere near where we need to be," said Michael Rasmussen, director of research, information security with Giga Information Group in Chicago.

Certain industries are more mature in their approach to risk assessment. The insurance and the financial industries are at the top of the list, Rassmussen said.

But "they are the most paranoid," said Dan McLean, research analyst with IDC Canada in Toronto. Nevertheless, McLean agrees that the vast majority of Canadian companies are doing little in the way of implementing a corporate-wide risk management and assessment system.

Part of the problem lies in the process of accurately assessing risk for a specific company. Most risk assessment is not a corporeal as flying in a plane.

Software exists to help with the risk assessment process, and industry data is available on certain types of cybercrimes. But how well it moulds to a given company is still up for debate.

"I think those kinds of products are designed to give companies a sense of what is at stake," McLean said. "But…if I were a large company, a large bank, I wouldn’t necessarily base what I do around risk by a software solution where I plug in a bunch of numbers."

The key to properly assessing risk and vulnerability is to define behaviour within a company, he said. "To me…it is much more a behaviour question than it is a technical question."

Another problem, McLean points out, is that far too often discussions about security become discussions about technology. "It kind of misses the point, the real vulnerability is around how people behave."

Starting with policy

Getting a grasp on this requires sound (and followed and implemented) corporate policy. But if it is perceived as too "Big Brother," it will fail.

One very large Canadian IT company required all employees to physically sign out their own laptops when they left the building with them. There were line-ups at the exit as the laptops were manually documented. The result? Thousands of off-the-clock work hours were lost as employees refused to take the laptops home at night.

But if a policy is sound, and there are dozens of consulting firms to help companies formulate one, then technology does have a place in quantifying corporate risk.

Marc Dabros is an IT security officer with the National Research Council of Canada in Ottawa. As a federal agency it adheres the security policy for the federal government, which requires risk assessments. So the NRC uses software to help. Dabros admits that, in his department, empirical data carries more weight than it might carry in another department, so using a quantitative tool is not really frowned upon.

"It just makes more sense to do it this way," he said.

His department uses technology from RiskWatch. The software asks users to essentially fill out a long series of detailed questions, and gives risk assessments in dollar values. For instance, a server valued at $150,000 with a probability of loss to fire at one per cent (RiskWatch gives users the probabilities) has an annual loss evaluation of $1500.

Though Dabros admits the tool is useful, he is a little uncertain how RiskWatch comes up with its probabilities. RiskWatch told ComputerWorld Canada that the data comes from it own research coupled with government data.

There are "areas where you are not sure it is really helpful to be able to default to the industry standards," he said. But he likes the tool and, as McLean suggests, does not rely on it as the sole source of assessing risk. The NRC also checks their vulnerability using such techniques as password cracking, network scans and war dialling.

"It is a piece of the solution, a tool," McLean said.