
Chapter 2: Literature Review

2.5 Evolving Perspectives on IS/IT Security

2.5.2 IS/IT and Business Risk

If the board and senior management understand the vulnerabilities of, and threats to, the IS/IT in their organisation, they are better placed to identify, assess and mitigate the resulting risks effectively.

It is important that IS/IT risks, such as vulnerabilities and threats, are identified at governance level alongside the other risks the corporation faces. This helps the board and senior management to deal with the potential effects on the organisation and with the consequent impacts that might flow through to shareholders, the share price and competitive position (Institute, 2004).

Control Objectives for Information and Related Technologies (COBIT) is an IT governance standard which is used primarily as an educational resource for CIOs, senior management, IT management and control professionals (ITGI, 2005). The IT Governance Institute (ITGI), established in 1998, publishes COBIT (version 4.0 at the time of writing). The standard aims to ensure that the following goals are achieved: IT is aligned with business objectives, IT enables the business and maximises benefits, IT resources are used responsibly, and IT risks are managed appropriately.

COBIT is a standard framework intended exclusively for supporting IT governance (COBIT, 2000). It is organised into four domains: Planning and Organisation; Acquisition and Implementation; Delivery and Support; and Monitoring and Evaluation. Across these domains there are 34 high-level control objectives and 318 detailed control objectives against which IT governance-related initiatives can be identified.

Even though it is not aimed exclusively at IT security, COBIT addresses the broad spectrum of IS/IT security governance within a wider IT governance framework (Solms, 2005). As the preceding sections show, IS/IT security governance is an integral part of corporate governance: it covers both the management and the governance issues that relate to IS/IT security.

As reported in the publication of IT Governance Institute (2005), COBIT provides a range of benefits as follows:

• better alignment, based on business focus;
• a view, understandable to management, of what IT does;
• clear ownership and responsibilities, based on process orientation;
• general acceptability with third parties and regulators;
• shared understanding amongst all stakeholders, based on a common language; and
• fulfilment of the COSO requirements for the IT control environment.

Hardy (2006) conducted a case study at Unisys, a large US-based IT services corporation which does business in more than 100 countries and has 36,400 employees. Unisys adopted COBIT in 2003 in order to achieve a standardised IT strategy across its global operations. After implementing COBIT, Unisys reported improvements in several key attributes, including communication, quality, consistency, credibility and maturity (Hardy, 2006). Hardy's study presents this as evidence of COBIT's success. The main gain for Unisys was the improvement of its IT processes: the board and senior management had successfully aligned the IT infrastructure with the company's business goals. The informal component, namely commitment from all levels of management including the board and senior management, was identified as one of the critical success factors; Hardy found that these managers took responsibility and were held accountable for the IT processes.

Furthermore, COBIT covers every role in the organisational structure, from the board down to data operators (Hardy, 2006). Even though COBIT does not specifically address IS/IT security, it has given IS security researchers and professionals ways to improve the effectiveness of IT implementation in organisations. The COBIT framework has therefore become a necessary reference for IS/IT security governance.

The COBIT standard also has limitations. The COBIT publications describe what must be done rather than how it must be done; the complexity of the tasks themselves is not shown (Solms, 2005). More detailed guidance on that complexity is needed, because it would help IT staff to understand the technical orientation of COBIT.

Having IT standards in place offers many benefits, but the outcome still depends on the IS/IT direction set by the board and senior management: whether the goal is to manage the IT processes effectively and efficiently, or merely to comply. COBIT is just one example and can be used as a reference for establishing IT processes at all layers of management.

Risk is the probability that an undesirable loss may result from the actions (or inactions) of the firm (Blakley, 2002); equivalently, it is the potential for an event which, were it to occur, would reduce the value of the business.

IS/IT risk is no different from any other business risk and needs to be taken seriously, since the consequences of failure can involve substantial loss (Straub, 1998; Blakley, 2002; Radianti, 2007). The risk arising from security vulnerabilities in IS/IT should be addressed in a pragmatic and effective fashion, because a vulnerability opens the door to threats and attacks on the IS/IT.

The variety of incidents and threats that have occurred in the past indicates that the protection of IS/IT needs to be prioritised by corporate boards, since a risk such as a system vulnerability would, if realised, reduce the value of the business (Blakley, 2002).

IS/IT risk exists when IS/IT assets are vulnerable to threats (Icove et al., 1999; Yeh et al., 2007). Yeh et al. identify two categories of assets: IT-led assets (software, hardware, data and networks) and non-IT-led assets (personnel, physical assets, and security regulations and policies). Both categories play a significant role in IS/IT security.

Vulnerabilities are typically exposed when attacks, such as denial-of-service attacks, strike critical parts of the IS/IT, including fundamental operating units, coordinating functions and controlling functions (Bhagwan et al., 2004). A recent study found that critical IS/IT assets such as networks and personnel have received inadequate protection in some corporations in developing countries in Asia (Yeh et al., 2007). Yeh et al. selected Asia because it is the region with the largest number of developing nations.