Security risk management refers to the programs and processes an organization sets up to protect itself against potential security threats. Managing security risks may be part of an overall plan to protect a business's livelihood that also includes employee training, quality assurance, and safety programs. Security risk management usually involves the analysis of security risks, the creation and implementation of security measures, and an ongoing review process that can expose holes in the system or allow new security measures to be integrated.
Risk analysis is an important part of any security risk management plan. Analysis may include not only an understanding of the vulnerabilities of the business, but also what the potential impact of security breaches may be. For instance, in a small gift store, hiring a 24-hour armed guard to protect against shoplifting may be impractical if the salary of the guard exceeds the likely loss of income due to shoplifting. Similarly, a posted sign asking people not to steal is probably not enough of a deterrent or safety measure to protect a high-risk location such as a bank from robbery attempts.
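As an added illustration of the cost-versus-loss comparison above (example code written for this page, not from the original article), the following Python makes the gift-store and bank decisions explicit using annualized loss expectancy (ALE): a control is worth adopting only if it pays for itself and brings the remaining risk under a tolerance the business has set. The ALE model, the currency figures, the reduction percentages and the tolerance thresholds are all constructed assumptions, not values from the article.

```python
# Added example: cost-benefit screening of security controls with
# annualized loss expectancy (ALE). The ALE model and every figure below
# are assumptions layered onto the article's informal "guard salary versus
# likely shoplifting loss" comparison; none of the numbers come from the page.

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    single_loss: float          # expected cost of one incident (currency units)
    incidents_per_year: float   # annualized rate of occurrence


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # what the control costs per year
    reduction: float            # fraction of the yearly loss it removes, 0.0..1.0


def ale(risk: Risk) -> float:
    """Annualized loss expectancy: single-loss cost times yearly frequency."""
    return risk.single_loss * risk.incidents_per_year


def _check_reduction(control: Control) -> None:
    if not 0.0 <= control.reduction <= 1.0:
        raise ValueError(f"{control.name}: reduction must be between 0 and 1")


def residual_ale(risk: Risk, control: Control) -> float:
    """Loss still expected each year after the control is in place."""
    _check_reduction(control)
    return ale(risk) * (1.0 - control.reduction)


def net_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus the control's cost; negative means it does not pay for itself."""
    _check_reduction(control)
    return ale(risk) * control.reduction - control.annual_cost


def acceptable(risk: Risk, control: Control, tolerance: float) -> bool:
    """A control is acceptable only if it pays for itself AND leaves residual risk within tolerance."""
    return net_benefit(risk, control) > 0 and residual_ale(risk, control) <= tolerance


def best_control(risk: Risk, controls: List[Control], tolerance: float) -> Optional[Control]:
    """Highest net benefit among acceptable controls; None means no candidate is justified."""
    candidates = [c for c in controls if acceptable(risk, c, tolerance)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: net_benefit(risk, c))


# Constructed sample figures mirroring the article's two scenarios.
GIFT_STORE_SHOPLIFTING = Risk("shoplifting", single_loss=40.0, incidents_per_year=50)  # ALE 2,000
GIFT_STORE_TOLERANCE = 5_000.0   # the store can absorb this much loss per year
GIFT_STORE_CONTROLS = [
    Control("24-hour armed guard", annual_cost=60_000.0, reduction=0.75),
    Control("mirrors and camera signage", annual_cost=500.0, reduction=0.50),
]

BANK_ROBBERY = Risk("armed robbery", single_loss=250_000.0, incidents_per_year=0.25)  # ALE 62,500
BANK_TOLERANCE = 20_000.0        # residual yearly loss the bank will tolerate
BANK_CONTROLS = [
    Control("posted 'please do not steal' sign", annual_cost=20.0, reduction=0.01),
    Control("guard, time-lock safe and alarm", annual_cost=35_000.0, reduction=0.75),
]

if __name__ == "__main__":
    scenarios = [
        (GIFT_STORE_SHOPLIFTING, GIFT_STORE_CONTROLS, GIFT_STORE_TOLERANCE),
        (BANK_ROBBERY, BANK_CONTROLS, BANK_TOLERANCE),
    ]
    for risk, controls, tolerance in scenarios:
        choice = best_control(risk, controls, tolerance)
        verdict = choice.name if choice else "accept the risk (no control is justified)"
        print(f"{risk.name}: ALE {ale(risk):,.0f} -> {verdict}")
```

The sign at the bank shows why "does it pay for itself" is not the whole test: it costs almost nothing, so its net benefit is positive, but the residual loss it leaves is far above what the bank tolerates, so `acceptable` rejects it. The guard at the gift store fails the other way: it removes most of the risk but costs many times the loss it prevents.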
Security risk management may be handled internally, by a group of trained employees, or may be passed on to third-party risk analysis and solution companies. Some people prefer to hire an internal security team, since its members will have valuable insight into the internal workings of the company and may feel more loyal to the business. On the other hand, outside security teams may have more advanced training and be better equipped to understand the technology and methodology of security risk management.
The goal of most security risk management teams is to provide adequate protection from risk without costing the business more money than exposure to the risk might. This is not simply a matter of business profits versus security concerns, however, as it is important to consider what a high-profile robbery or break-in could do to company reputation and future profitability. Security risk management may also be more important to a business that has already suffered a security breach, since a lack of visible changes to its security systems may inspire copycat thieves or fraudsters to try to repeat the breach.
Though measures such as camera systems, guards, response teams, employee background checks, and staff training for security problems are important to the risk management of physical businesses, the world of digital commerce requires an entirely different system. In information technology (IT) security risk management, analysis and response are far less concerned with physical break-ins or thefts and more concerned with the use of viruses and the potential for hacking and identity theft. For IT security at the highest level, businesses frequently rely on outside contractors or create a security team made up of IT professionals.