Management of risk in the information age

Linked together, organisations can exchange information and engage in transactions in ways unanticipated before, the emphasis being on information, which became core to most business activities and without which business will fail to operate [Owens S. Information security management :an introduction. London: British Standards Institution; 1998. pp. 1–2]. Consequently, to contribute to ensuring business continuity, the protection of information resources had to be pursued. Risk analysis was traditionally used to analyse risks posing a threat to mostly IT assets [Jung C, Han I, Suh B. Risk analysis for electronic commerce using case-based reasoning. International Journal of Intelligent Systems in Accounting, Finance & Management 1999;8:61–73. John Wiley & Sons, Ltd., p. 62]. Resulting in recommendations for the implementation of appropriate security measures, to reduce those identified high priority risks to an acceptable level. However, Bandyopadhyay et al. [Bandyopadhyay K, Mykytyn PP, Mykytyn K. A framework for integrated risk management in information technology. Management Decision 1999;37(5):437–44. MCB Press, p. 440] state that the evaluation of risk related to IT alone is unrealistic. A holistic view of assessing risks should instead be adopted, moving away from the isolated and partial view of today's “closed world assumption” of searching only within a specific domain to evaluate the risks associated to IT, to consider the entire spectrum related to the IT environment. Thus an alternative approach to risk analysis might have to be developed, to assist in analysing risks to information-specific resources.