Building resilience through risk management: methodology and strategy
DOI: https://doi.org/10.46299/j.isjea.20240304.08

Keywords: resilience, information security, risk management, nonlinear dissipative system, risk appetite, adaptation mechanisms, stochastic risks

Abstract
This article presents a risk management methodology designed to enhance the resilience of organisations treated as complex nonlinear dissipative socio-technical systems. Such systems are characterised by intricate interrelationships, information exchange, self-organisation, and adaptability to changes in their external environment. A central tenet of the methodology is a quantitative analysis of the likelihood that specific risks lead to the complete dysfunction of critical processes, with potentially catastrophic outcomes for the organisation. The methodology further combines qualitative and quantitative evaluation of critical risk mitigation scenarios, acknowledging the stochastic or sporadic nature of these threats. Risk prioritisation is driven by the expected utility of each mitigation, which allows resources to be allocated strategically within the organisation's risk appetite as expressed by its budget. In line with the modern resilience paradigm, the methodology prioritises continuity of critical operations, rapid recovery from disruptions, and strengthening the system's capacity to adapt to unforeseen changes. It can be integrated into existing information security management systems, providing a framework for sustainable organisational resilience.
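The abstract describes prioritising mitigations by their expected utility and allocating a budget accordingly, but gives no formulas. The following is an added example, not code from the article or its author, that shows one concrete reading of that procedure: each risk is scored by the probability that it fully disables a critical process times the loss that would follow, a mitigation's utility is the expected loss it removes, and mitigations are selected greedily by utility per unit cost until the budget is exhausted. The scoring model, the greedy selection rule, and all risks, probabilities, costs and the budget are assumptions constructed for illustration.

```python
"""Added example, not from the article: expected-utility-driven selection of
risk mitigations under a fixed budget (the organisation's risk appetite, as
the abstract frames it). The article gives no formulas on this page, so the
model below is an assumption for illustration: a risk is scored by the
probability that it causes complete dysfunction of a critical process times
the loss that would follow, a mitigation's utility is the expected loss it
removes, and mitigations are chosen greedily by utility per unit cost.
All risks, probabilities, costs and the budget are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    p_critical: float  # assumed probability (per year) the risk fully disables a critical process
    impact: float      # assumed loss if that happens, in monetary units


@dataclass(frozen=True)
class Mitigation:
    name: str
    risk: str          # name of the Risk it addresses
    cost: float        # one-off cost charged against the budget
    residual_p: float  # assumed p_critical after the mitigation is in place


def expected_loss(p_critical: float, impact: float) -> float:
    """Expected loss from critical-process dysfunction: probability times impact."""
    return p_critical * impact


def mitigation_utility(risk: Risk, m: Mitigation) -> float:
    """Expected loss removed by m: loss before minus loss at the residual probability."""
    return expected_loss(risk.p_critical, risk.impact) - expected_loss(m.residual_p, risk.impact)


def prioritise(risks: list[Risk], mitigations: list[Mitigation], budget: float):
    """Greedy knapsack: take mitigations in order of utility per unit cost while
    they fit the budget, at most one per risk, skipping any with no utility.
    Returns (chosen mitigations, total spend)."""
    by_name = {r.name: r for r in risks}
    ranked = sorted(
        mitigations,
        key=lambda m: mitigation_utility(by_name[m.risk], m) / m.cost,
        reverse=True,
    )
    chosen, spent, covered = [], 0.0, set()
    for m in ranked:
        if m.risk in covered or mitigation_utility(by_name[m.risk], m) <= 0:
            continue
        if spent + m.cost <= budget:
            chosen.append(m)
            spent += m.cost
            covered.add(m.risk)
    return chosen, spent


def residual_expected_loss(risks: list[Risk], chosen: list[Mitigation]) -> float:
    """Total expected loss across all risks after the chosen mitigations are applied."""
    residual = {m.risk: m.residual_p for m in chosen}
    return sum(expected_loss(residual.get(r.name, r.p_critical), r.impact) for r in risks)


# Constructed sample data (not from the article).
SAMPLE_RISKS = [
    Risk("ransomware", 0.10, 2_000_000),
    Risk("dc_power_loss", 0.05, 500_000),
    Risk("key_supplier_failure", 0.02, 3_000_000),
]
SAMPLE_MITIGATIONS = [
    Mitigation("offline_backups", "ransomware", 40_000, 0.02),
    Mitigation("edr_rollout", "ransomware", 120_000, 0.01),
    Mitigation("awareness_poster", "ransomware", 1_000, 0.10),  # leaves p_critical unchanged
    Mitigation("ups_and_generator", "dc_power_loss", 30_000, 0.005),
    Mitigation("second_supplier", "key_supplier_failure", 50_000, 0.005),
]
SAMPLE_BUDGET = 100_000

if __name__ == "__main__":
    chosen, spent = prioritise(SAMPLE_RISKS, SAMPLE_MITIGATIONS, SAMPLE_BUDGET)
    before = residual_expected_loss(SAMPLE_RISKS, [])
    after = residual_expected_loss(SAMPLE_RISKS, chosen)
    for m in chosen:
        print(f"{m.name:20s} cost {m.cost:>9,.0f}")
    print(f"spent {spent:,.0f} of {SAMPLE_BUDGET:,}; expected loss {before:,.0f} -> {after:,.0f}")
```

On the sample data the greedy pass takes offline_backups and second_supplier (90,000 of the 100,000 budget), skips edr_rollout because ransomware is already covered, skips awareness_poster because it removes no expected loss, and leaves ups_and_generator unfunded. Two caveats a practitioner should keep in mind: greedy selection by utility per cost is a heuristic that can miss the best affordable set (edr_rollout alone removes more expected loss than offline_backups but at a worse ratio), and the expected-loss score says nothing about variance, so sporadic high-impact threats may warrant a separate worst-case criterion in addition to this ranking.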
License
Copyright (c) 2024 Fedir Korobeynikov
This work is licensed under a Creative Commons Attribution 4.0 International License.