INFORMATION SECURITY RISK MANAGEMENT - Ensuring the continuity of it in SMEs

Abstract

This thesis studies information security risk management from small and medium-sized organizations' point of view. The purpose was to discover ways to improve the continuity of the implemented information security risk management practices.

The thesis was a practice-based thesis commissioned by the Union of Professional Engineers in Finland, where information security risk management was implemented recently. Very soon, it became obvious that the continuity of the risk management process is at risk of being ignored. This is also the observation of experts involved in information security risk management.

In the theoretical part of the thesis, the risk management process and ISO 31000 standard focused on the benefits they offer for information security management. Also, in one of the chapters, four experts in the field were interviewed, and their answers, observations, and opinions about information security risk management and the importance of continuity were analyzed. The continuity perspective was also studied in the empirical part, where the implementation of information security risk management for the Union of Professional Engineers in Finland, was introduced.

The importance of the role of top management in information security was emphasized by many sources. Because of this, the thesis includes a theoretical chapter focused on the engagement of top management.

In conclusion, there seem to be many ways to improve the continuity of the information security risk management from the top management to the employees. Awareness of the benefits of risk management is the key to improve the process and its outcome.