Information security is a compound profession: its practitioners must keep a constant hunger for new knowledge, technologies and procedures. At management level it is a responsibility of the entire organizational workforce, not something to be handled by a single person. Every company wants its sensitive information and business activities protected (Suby, 2013). Competing firms such as Ferrari and Lamborghini secure their car manufacturing processes against industrial espionage, which would otherwise lead to imitation of their designs and technology.
The first challenge to implementing sound security policies is the insider: employees who resist the controls, or who deliberately violate them and leak information to competitors.
Cybercrime is a second setback: attackers breach firewalls and other perimeter defences to reach private information. The problem is hard to solve because the attacker needs to find only one gap, whereas the IT department must defend everything, and the people attacking are often more specialised, and better resourced, than the IT staff of many companies.
Risk assessment can be qualitative, quantitative or a hybrid of the two. Quantitative assessment uses formulae: the exposure factor (EF, the fraction of an asset's value lost in one incident), the probability or annualised rate of occurrence (ARO) of a threat, and the resulting loss expectancies (single loss expectancy SLE = asset value x EF; annualised loss expectancy ALE = SLE x ARO). Qualitatively, a manager applies experience, judgment and intuition, gathering input through interviews, questionnaires and group discussions, and ranks risks in relative terms rather than in dollar figures. Lastly, the two can be mixed (the hybrid approach).
Asset evaluation is where quantitative analysis works best. Suppose a firm has $3 million in assets and the exposure factor for a given threat is 2%. The single loss expectancy is 0.02 x $3,000,000 = $60,000, which is a lot; treating it as the annual loss assumes the incident is expected once a year (ARO = 1). The manager may undertake counter-loss measures to lower the expected annual loss to $20,000. If those measures cost $13,000 a year, the firm comes out ahead: $60,000 - ($20,000 + $13,000) = $27,000 saved per annum, money that can be channelled into constructive expenses instead (Vanderburg, 2010). Had the measures cost more than $40,000 a year, the control would have cost more than the loss it avoided and would not have been worth buying.
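The arithmetic above, carried through in code so it can be reused for other assets and controls. This is an added example, not code from the essay or from the cited sources; the SLE/ALE/ARO terminology is the standard quantitative-risk vocabulary, and the way the $20,000 residual is reached (cutting the incident rate to one every three years) and the second, overpriced control are assumptions made for illustration.

```python
"""Quantitative risk assessment, worked with the essay's figures.

Added example (not from the essay or its sources).  Standard terms:
  AV  asset value                    SLE = AV * EF
  EF  exposure factor (0..1)         ALE = SLE * ARO
  ARO annualised rate of occurrence
The essay's $60,000 is a yearly loss only because ARO = 1 is implied.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, before or after a countermeasure."""
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost in one incident
    aro: float = 1.0        # ARO, expected incidents per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: the loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: the expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A countermeasure, its yearly cost, and the risk left after it."""
    name: str
    annual_cost: float
    residual: Scenario


def control_value(before: Scenario, control: Control) -> float:
    """Net yearly benefit of a control: ALE avoided minus its cost.

    Positive means the control pays for itself; negative means the
    organisation would spend more on the control than it saves.
    """
    return before.ale() - control.residual.ale() - control.annual_cost


def rank_controls(before: Scenario, controls):
    """Candidate controls worth buying, best net value first."""
    scored = [(c.name, control_value(before, c)) for c in controls]
    return sorted((s for s in scored if s[1] > 0),
                  key=lambda s: s[1], reverse=True)


# The essay's figures: $3M of assets, 2% exposure, implied ARO of 1/year.
ESSAY_RISK = Scenario(asset_value=3_000_000, exposure_factor=0.02)

# Constructed controls (assumptions, not from the essay).  The $20,000
# residual is modelled as cutting the incident rate to one every three
# years; the second control reaches the same residual but costs more
# than the $40,000 it saves, so its net value is negative.
CONTROLS = [
    Control("essay countermeasure", 13_000, Scenario(3_000_000, 0.02, aro=1 / 3)),
    Control("gold-plated option", 45_000, Scenario(3_000_000, 0.02, aro=1 / 3)),
]

if __name__ == "__main__":
    print(f"SLE = ALE (ARO = 1) = ${ESSAY_RISK.ale():,.0f}")
    for c in CONTROLS:
        print(f"{c.name}: net value ${control_value(ESSAY_RISK, c):,.0f}/yr")
    print("worth buying:", rank_controls(ESSAY_RISK, CONTROLS))
```

Separating EF from ARO is the point of the model: a control that makes incidents rarer (lower ARO) and one that makes each incident less damaging (lower EF) are compared on the same ALE scale, and `control_value` rejects any control whose yearly cost exceeds the loss it avoids.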
Suby, M. (2013). The 2013 (ISC)² Global Information Security Workforce Study. Retrieved October 8, 2013.
Vanderburg, E. (2010, December 10). Criteria for Selecting an Information Security Risk Assessment. Retrieved October 8, 2013.