The likelihood that the firm's information systems are insufficiently protected against certain kinds of damage or loss is known as "systems risk." Risk can be managed or reduced when managers are aware of the full range of controls available and implement the most effective controls. Unfortunately, they often lack this knowledge, and their subsequent actions to cope with systems risk are less effective than they might otherwise be. This is one viable explanation for why losses from computer abuse and computer disasters today are uncomfortably large and still so potentially devastating after many years of attempting to deal with the problem. Results of comparative qualitative studies in two information services Fortune 500 firms identify an approach that can effectively deal with the problem. This theory-based security program includes (1) use of a security risk planning model, (2) education/training in security awareness, and (3) Countermeasure Matrix analysis.