System thinking on Risk Analysis

• The word risk originates from the Italian word risicare which means to dare and from this point of view, risk is more of a choice than a fate. Risk is about the actions that we dare to take and these in turn depend on the freedom we have to make choices (Bernstein, 1998). It can also be defined as the possibility of harm or loss to any resource within an information system, which accentuate the importance of identifying the organisation's assets (Ramachandran, 2002).The obvious fact that information is one of the most important asset within a company, results in that it is necessary to try to predict the risks that exists against these and consequently also against the organisation's goals and visions. It is impossible to identify all potential risks but a very good tool for identifying as many as possible and then assigning them appropriate protective measures, is the risk analysis.Since many significant security processes are built upon risk analysis and also security planning, it is necessary that the analysis is accomplished in an accurate way. This meaning that factors in the inner and outer surrounding environment that could affect the final result also must be taken into consideration, e.g. different communication channels. Thus, a holistic perspective is necessary when performing a risk analysis but also when working with security issues in general.Today, security solutions are often focused on technology and not on the system as a whole (Schneier, 2000) and considering that development and use of technology has lead us to think in terms of systems, we mean that this should hold for the information security area as well. Also the fact that the concept of wholeness is very important in information security and that general system theory is a general science of wholeness (v. Bertalanffy, 1969), makes us wonder: what could be more suitable to apply on security issues?For that reason, we present some ideas for a modified risk analysis method in this paper, based upon an existing risk analysis used by the case study object The Corporation of Swedish Pharmacies, Apoteket AB. They has recently added two customer care centres to its organisation and as a result of this, also a number of communication channels that are integrated with different information sources that contains classified information, e.g. personal particulars. The ideas of a modified risk analysis could be used by customer care centre organisations using several communication channels. These ideas are influenced by general systems theory that has been combined with a method used to analyse information flows in organisations. We have studied the company's existing risk analysis method and in combination with qualitative data, e.g. interviews, we have some suggestions of a risk analysis that emphasises the holistic perspective and the relations between the different entities in the overall information system.The suggested ideas will be reviewed together with the department of IT-security at Apoteket AB and after that tested within the organisation. It is noticeable that like all work with information security, the suggested method is a cyclic process that constantly develops and undergoes changes in relation to its dynamic context. Results and feedback from this implementation will be presented in forthcoming papers during 2004.

Subject headings

SAMHÄLLSVETENSKAP  -- Medie- och kommunikationsvetenskap -- Systemvetenskap, informationssystem och informatik med samhällsvetenskaplig inriktning (hsv//swe)

SOCIAL SCIENCES  -- Media and Communications -- Information Systems, Social aspects (hsv//eng)

Keyword

risk analysis

information security

customer care centre

system theory

Apoteket AB

Informatik

Information Systems

Publication and Content Type

ref (subject category)

kon (subject category)