I am familiar with several private firms wherein IT security is handled by Risk Management. These tech firms (the examples I know are e-businesses) are taking the lead in this area. They tend to divide risk management into operational risk management (IT security functions), financial risk management (treasury controls), and traditional risk management (insurance, self-insurance, loss control, and safety) within an enterprise risk management scheme. For these firms, the operational risk involves IT security.
IT security is grounded in trust and technology. As such, the primary operational risks result from breakdowns in trust or technology. Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. Operational risk can involve breakdowns in internal controls and corporate governance. Such breakdowns can lead to financial losses through error, fraud, or failure to perform in a timely manner or cause the interests of the corporation to be compromised in some other way, for example, by its staff exceeding their authority or conducting business in an unethical or risky manner. Other aspects of operational risk include major failure of information technology systems or events such as fires, earthquakes, or other disasters.
Risks consist of the risk of erroneous results, no results, untimely results, or high costs due to bugs, information security breaches, intrusion detection failures, DoS attacks, other intruders, usability issues, development delays, and/or misunderstood community requirements. Analysis of risks involves statistical and quantitative methods including predictive modeling and performance measurement based on sampling.
Methods of addressing and optimizing value include review and consideration of avoidance, control, transfer, and retention tools including, but not limited to, contractual risk transfer, insurance, captives, and financial derivative products. Techniques that might apply include evaluations and reviews of the following:
1. Business continuity planning
2. System access control
3. System development and maintenance
4. Physical environment
5. Regulatory environment and compliance
6. Personnel security protocols and compliance
7. Organizational structure and composition
8. Computer/network design and integration
9. Asset classification and appraisal
10. Security policy and performance
Needless to say, design of an effective IT security risk management program would involve talking with many people and reviewing many documents and procedures. And, design of an "optimal" program would be a moving target that evolves as IT grows and changes and as externalities change.