CONTEXTUALIZING THE PARADIGM SHIFT IN SECURITY RISK MANAGEMENT (SRM)

Over time there has been a shift in how organizations handle security risk management, driven by evolving security challenges and by emerging and changing categories of crime. For instance, the risk of cybercrime is growing rapidly as organisations adopt modern, digitalized applications and software to run their business operations. Similarly, crimes associated with terrorism have evolved over time as organised crime groups reinvent themselves. This has called for a shift in the way organizations conduct business: security is now perceived as an important component of doing business successfully and ought to be embedded in every business function rather than run in isolation. This shift is termed the paradigm shift.

Over time, experts have differed on where to start. Some infer that, in order to protect a company and its assets, the very first step is to perform a threat and vulnerability analysis; the outcome of that analysis then leads to the implementation of physical protection systems by the security team.

This approach is also referred to as the security approach. The security approach has a specific, narrow focus on threats and vulnerabilities. It has been an exclusive approach in which activities have usually been confined to security professionals.

Other experts have taken a contemporary approach, which holds that security planning starts with a detailed analysis of potential areas of loss, their probability, and the scale of their impact on business goals and assets should a loss occur. This approach is referred to as the risk approach. The risk approach takes into account the organizational context and objectives, the assets and how they are used, and the threats to those assets and to the success of the mission. It quantifies the potential impact of those threats, identifies and addresses vulnerabilities, and establishes a framework to manage risks to a level that is as low as reasonably practicable. It is an inclusive approach designed to involve the business in risk management decision making, with specialist advice provided by the security professionals who lead or own the process.

The risk approach has proved well suited to security management and has been adopted by many organizations aiming to integrate the mitigation of security risks and vulnerabilities into their organizational culture, ensuring that they achieve the desired business gains.

The risk approach is also advocated and adopted by the ISO 31000 standard guidelines, in which protection of the organization is characterized by the risk source. ISO 31000 aims to establish which risks have the potential to impact the organization’s goals and what can be done about them.
