IT Risk Management is a very complex process that primarily requires heavy human intervention. It also requires the use of different types of specialized knowledge about the threat domain and the vulnerability/threat matrix. Furthermore, addressing it takes many different steps in which we combine different types of knowledge into a single solution. This paper intends to evaluate and highlight the absence of risk management strategies or a risk management phase in AI-based systems.
In computer science, artificial intelligence, sometimes called machine intelligence, is the intelligence demonstrated by machines, in contrast to the natural intelligence displayed by humans. IT Risk Management is a knowledge-intensive activity, requiring extensive knowledge of the threat and vulnerability domains, and of the target systems. Lack of adequate consensus on the overall IT Risk Management Process and the resulting lack of features in the software products can be attributed to the ineffectiveness of current techniques for managing this knowledge, and artificial intelligence techniques can help alleviate this situation.
Risk management for IT systems needs to be better researched, tested and verified. This will help ensure that the features which use AI-ML techniques pose a reduced risk to systems and that programs work as intended without disrupting overall business operations.
The Risk Management process is a method of identifying risks in advance and establishing methods of avoiding those risks and/or reducing the impact of those risks, should they occur.
The process of risk management begins during the analysis phase of the overall IT project lifecycle, irrespective of whether it is related to infrastructure, software or system development. The IT Risk Management process is also associated with overall Audit and Compliance Management activities, and together they make up the core of the IT Governance, Risk & Compliance (IT-GRC) Program. However, the actual process of managing risks continues throughout the IT systems lifecycle, from project planning to decommissioning and post-decommissioning reports.
The given figure displays the steps of the risk management process. Formally articulated, the risk management process consists of four steps:
AI-based systems generally don’t integrate risk management well into their overall scheme of things because they have a flexible approach built into the system and software. AI is combined with another automation feature, machine learning, which concerns how computer systems learn from the specifications supplied through the knowledge base of “Known Occurrences” and how to deal with those “Known Situations”. This factors in a finite number of iterations that are processed by the AI built into the automation aspects through the machine learning feature. This calls for “certainty of occurrences” for the AI to succeed.
However, when we evaluate the features of an IT Risk Management program, this very aspect of certainty is missing, and the finite iterations of the threat and vulnerability combination do not really cover 100% of the cases for risk assessment. Here, to a certain extent, vulnerability remediation can be addressed by using AI to drive self-healing of systems. But that may not be the same for all business systems, as in certain cases this self-healing may break business processes, causing disruption. This will then require manual intervention to reverse the process.
There are similar instances in overall risk management processes where the AI would always need human intervention. This ensures that the AI-ML combination is researched well in the risk management program for a certain finite set of cases and is deployed only for those cases. This will help to ensure that the risk management cycle has reduced timelines, since certain risks that need intensive human intervention and skills to resolve are addressed and reported well in advance.
To conclude, we can safely say that risk management for IT systems needs to be better researched, tested and verified. This will help ensure that the features which use AI-ML techniques pose a reduced risk to systems and that programs work as intended without disrupting overall business operations. The technique of using AI-ML will continue to evolve before it can be of 100% use to IT risk management professionals.