Risk Mitigation Techniques In Information Security
Information security is a subset of information assurance. It is based on the confidentiality, integrity and availability (CIA) triad. The purpose of this paper is to investigate how managers perceive the risks associated with sharing information with trading partners and how they attempt to mitigate them. The paper provides an overview of the role and feasibility of information security in the supply chain. Risk mitigation involves prioritizing, evaluating and applying the suitable risk-reducing controls recommended by the risk assessment process.
Introduction
Information is important for a company in order to make decisions and for its success. It can relate to products, technological know-how, services, available resources and business associates, which are the factors determining the successful operation of the company. If any information is missing or incorrect, or if it is accessed by an unauthorized person, it may cause major damage to the company. This means that information must be secured. Security can be defined in terms of confidentiality (information must be available only to authorised persons), integrity (preventing data from being changed in an undesirable manner) and availability (authorised users may access data whenever needed). Information security is vital for companies that collate and process raw information and exchange data with other entities or persons (e.g. supply chain firms, logistics providers). In today's world, businesses depend heavily on the safe flow of information within the organisation. In an organisation where supply chain management has been implemented, a secured environment is very important, since the risk of information leakage is high when more than one entity or person is involved. Supply chain management means the set of procedures used to link suppliers, manufacturers, distributors, retailers and customers with the objective of minimizing system costs and maximizing customer satisfaction. According to Kaplan and Garrick (1981), risk is defined as a triplet consisting of what can go wrong, the likelihood of it happening, and the consequences if it happens. The risks associated with information sharing in a supply chain depend on the extent to which critical information is shared across the flow. Information and communication technology (ICT) risk means that a deterioration in the quality of information, or the public disclosure of private information, can cause a major loss for the company.
Hence, the automation of ICT-oriented security solutions is important in order to assure the confidentiality and privacy of shared information and its availability whenever needed by an authorised person. According to Cohen and Kunreuther (2007), Ghoshal (1987) and Tomlin (2006), the primary objective of managing supply chain risks must be the integration of risk management into each and every part of the supply chain flow. A common risk management process is divided into three steps: risk identification, risk assessment and risk mitigation. Risk mitigation involves prioritizing, evaluating and applying the suitable risk-reducing controls recommended by the risk assessment process.
Information sharing in supply chain
Basic data items such as stock levels, sales data and forecasts, customer order status, production and delivery scheduling, and capacity data must be provided in order to ensure a minimum level of operational activity. The participants in the supply chain flow must receive clear information and documentation regarding the company's internal information security requirements. At an advanced level of data integration, common and integrated information systems are introduced. This helps the members of the supply chain to freely access information regarding their products, customers and the market. According to surveys, the number of information technology incidents rises as more companies take part in the supply chain flow. In such cases, setting up a common information security management system is advisable. It is essential for the members of a supply chain to know about their suppliers, under what conditions and at what cost input arrives, and also what will happen to the output and through which suppliers it will reach the final consumer. Many companies now depend on information sharing for better co-ordination and integration in the supply chain process. For example, Dell depends on information exchange to help diverse members of a supply chain work together efficiently and effectively. Wal-Mart and Procter & Gamble (P&G) have been sharing point-of-sale and real-time inventory information for a long time. Other companies, such as Cisco, Dillard Department Stores, JC Penney and Lucent Technologies, have initiated similar information sharing strategies.
Risks involved
Sources of risk are common across supply chains. According to Faisal et al. (2007), information risk can be defined as "the probability of loss arising because of incorrect, incomplete, or illegal access to information". Hence the information risk factors can be any condition or activity in information sharing that may adversely affect supply chain performance. Several factors relate to the security of information technology hardware. Common threats to information systems are viruses, Trojans and spyware; spyware is a program that connects to the internet and collects a person's private information. Employee fraud can also occur, whether through the unintentional public disclosure of private information or because of a personal grudge. Natural disasters should also be taken into consideration, as they have brought forth the importance of maintaining data backups and disaster recovery activities in order to ensure that critical data is secured [6]. Organisations that do not use information and communication technology simply refuse to share their confidential data, or share only selected information, with those they do not trust. One of the major risks that can hamper the process of information sharing is a lack of trust [4]. Data and information security threats are largely under the control of the organisation, although this is not the case in every situation. The following case studies examine some aspects of information security and how small and medium-sized entities tried to deal with the risks.
Case Studies
- Virus attacks. A large company had anti-virus software installed on a network server, and the virus database was updated daily. Incoming e-mails were automatically scanned for viruses. This appeared to be a well-managed setup; however, the e-mail scanner did not monitor the web servers. An attacker was easily able to place a Trojan on the web server, and this was not detected for a long period of time. This could have been avoided if the virus scanner had been integrated with the firewall so that all messages passing through the firewall were scanned.
- User accounts/passwords. A consultant working at a large company was given a user account on the company's network. However, the consultant was unable to access one of the folders on a network drive and called IT support for additional access rights. Without any verification, he was given access to the whole network, including financial data and board meeting records. This is a major threat to the company. As the above examples show, not many companies understand the extent to which their business depends on these systems. If there is no proper monitoring, control and security of these systems, the consequences can be dangerous. This concern should be taken seriously when companies are connected electronically. Therefore, companies must assess and manage such risks effectively.
Risk Mitigation Strategies
Risk management uses past data to address potential risks with the right set of actions. This includes classic mitigation strategies, meaning actions taken before the risk event, and emergency plans, which are carried out after the risk event. A suitable mitigation strategy needs to be developed and implemented for every relevant risk. Risk managers must prioritize and understand their tasks so that prompt action can be taken. Risk mitigation activities help to enhance the supply chain flow.
Different teams in the firm are involved in preparing risk mitigation strategies. Senior executives of the firm also need to provide their input, which helps in making informed decisions and in implementing them quickly. In short, risk mitigation activities aim to reduce the likelihood of a risk occurring and to lessen the adverse impact of a risk that has occurred. Risk identification and risk assessment support the development of an ideal risk mitigation strategy and thus help to enhance risk performance. A continuous monitoring and improvement process is part of any iterative risk management process. Real-time monitoring is required to mitigate the risk, analyse the effectiveness of the strategy and alter the measures if necessary. This helps to focus on potential areas for improvement and to recognize the contribution of effective identification measures. Mostly, the strategies an organisation applies depend on knowing which risks it can handle with its own capabilities. Variables that can help in mitigating risks in a supply chain are information sharing, agility, trust, information security, strategic risk planning and continuous risk analysis. Generally, six risk management strategies exist:
- Postponement (delaying the commitment of resources to maintain flexibility)
- Speculation (planning everything in advance, in anticipation of future demand)
- Control/share/transfer of risks (in the form of vertical integration, or as per agreements)
- Supply chain security (including information system security, freight breaches, vandalism and crime)
- Avoidance
- Hedging (applied only if the supply chain faces high supply risks such as currency fluctuation or a natural disaster)
Conclusion
Based on relevant journals and conference papers, we have learnt that risk mitigation strategies change as technology advances and as new threat vectors are identified. Organisations must ensure that the risk mitigation plan evolves as the threats evolve. This helps to ensure that the organisation is capable of handling any new risk that emerges in its environment. These reviews also show the importance of implementing continuous risk assessments and of considering the need for business continuity planning in a supply chain flow where multiple associates are involved. This study focuses on the social aspects and thereby demonstrates that the majority of the information sharing issues that arise are due to a basic lack of trust between trading partners. It also shows how company managers attempt to maintain close and personal collaborative relationships with key trading partners. The study also offers a range of strategic initiatives undertaken to carry out operational duties smoothly. Hence, analysts can now make decisions regarding risk mitigation strategies that address these challenges effectively.