Situation 1 – Online Banking System

| Information Affected | Potential Harm (Risk) | Likely Finding in Risk Analysis Report |
|---|---|---|
| Bank account numbers | Can be used to steal the user’s funds. | Low/medium risk, high probability |
| | Can be used by terrorist organizations for money laundering. | Very high risk, medium probability |
| | Loss of brand reputation to the bank as being less secure. | Medium risk, medium probability |
| Account numbers of bills stored in Bill Pay | Used to access and change bill information as a personal attack on the individual. | Low/medium risk, medium probability |
| | Used to access additional information about the user through the user’s profile for that particular bill. | Medium risk, medium/high probability |
| | Account closed without the user’s approval or awareness as a personal attack against them. | Medium/high risk, high probability |
| Stock/investment information | Investments can be transferred to someone else’s name without the user’s knowledge or approval. | High risk, low probability |
| | Additional investments can be made in the user’s name that are likely to fail, or to illegally support the investment company. | High risk, low probability |
| | Investments can be donated to charity without the user’s consent or knowledge, leaving the user with $0 left. | High risk, low probability |
Situation 2 – Facebook Page (organization or personal – specify which)

| Information Affected | Potential Harm (Risk) | Likely Finding in Risk Analysis Report |
|---|---|---|
| Access to friends list | Can allow undesired persons to gain knowledge about someone who does not want their information seen by anyone but the people they specify. | Medium risk, low/medium probability |
| | List can be emptied, severely affecting marketing for the organization. | Very high risk, medium/high probability |
| Unapproved, negative, or undesired posts sent to large parts of the target audience | False information provided to the organization’s target audience. | High risk, medium/high probability |
| | Loss of brand reputation to the organization. | Medium risk, medium probability |
| Inappropriate or unauthorized photographs uploaded to the organization’s profile, viewable to the public | Loss of trust with the customer base, negatively affecting business for the organization. | High risk, medium probability |
| | Potential copyright infringement if the images are legally protected. | Very high risk, medium probability |
| | Negative media coverage broadcasting the intrusion to larger audiences, negatively affecting business for the organization. | Very high risk, high probability |
Situation 3 – Picture Phones in the Workplace

| Information Affected | Potential Harm (Risk) | Likely Finding in Risk Analysis Report |
|---|---|---|
| Pictures taken of proprietary designs and leaked to the public | Loss of competitive advantage. | Very high risk, low probability |
| | Loss of revenue due to competition having a similar design. | Very high risk, low probability |
| | Loss of trust of internal employees. | High risk, medium probability |
| Pictures of customer information taken and stolen | Loss of customer trust and, as a result, their business. | Medium impact, medium probability |
| | Legal ramifications from victimized customers. | High impact, medium probability |
| | Loss of trust of internal employees. | High risk, medium probability |
| Images of classified documents taken and released to the public | Loss of customer support and business. | Medium/high impact, medium probability |
| | Depending on what information was released, could lead to political controversy and legal ramifications. | Very high risk, medium probability |
| | Loss of contracts, and thus revenue, from existing clients. | Very high risk, medium probability |
Situation 4 – E-Commerce Shopping Site

| Information Affected | Potential Harm (Risk) | Likely Finding in Risk Analysis Report |
|---|---|---|
| Credit card information | Can be used to steal the customer’s funds. | Low/medium risk, high probability |
| | Can be used to fund terrorist organizations. | Very high risk, medium probability |
| | Loss of reputation for the business as being not secure. | Medium risk, medium probability |
| Product database | Prices can be altered without authorization, causing loss of revenue and unhappy customers. | High risk, low probability |
| | All product information can be deleted, causing major problems for the company. | Very high risk, medium probability |
| | Product details can be altered or deleted to misinform customers or discourage them from purchasing products. | Medium risk, medium probability |
| Personal customer information (SSNs, addresses, email addresses, etc.) | Customers’ identities can be stolen. | High risk, high probability |
| | Can provide stalkers with additional information about their “prey”. | High risk, medium probability |
| | Information can be deleted, severely impacting marketing for the organization. | Medium/high risk, medium probability |
Situation 5 – Real-World Application (such as CRM, ERP, other internal or external organizational systems – pick one and specify): Internal Payroll System

| Information Affected | Potential Harm (Risk) | Likely Finding in Risk Analysis Report |
|---|---|---|
| Employee checking account numbers | Can be changed so employee paychecks are sent to the wrong account, where the money can be stolen. | High risk, medium probability |
| | Can be deleted so employees do not get paid. | Medium risk, low probability |
| | Can be stolen, so money in the employee’s checking account is stolen. | High risk, medium probability |
| Employee pay scales | Can be changed so an employee gets paid less than they are supposed to. | Low risk, low probability |
| | Can be changed so an employee gets paid more than they are supposed to, costing the company more than budgeted. | Low risk, low probability |
| | Can be accessed and released to the rest of the company’s employees, causing internal turmoil. | Medium risk, low probability |
| Company payroll account information | All funds in the account can be stolen. | Very high risk, low probability |
| | Account number can be deleted from the system so none of the company’s employees get paid on time. | High risk, low probability |
| | Account information can be given to terrorist organizations, who can use the account to launder money, or | Very high risk, medium probability |
1. What is the most effective way to identify risks like those you noted in the tables?
The most effective way to identify risks like those noted in the tables above is to perform a risk assessment on the system or website and to hire a top-notch security manager and team of developers.
2. What are some important factors when weighing the depth of a formal risk analysis? How would you balance the interruption needed for depth and the need to continue ongoing organizational activity?
While there are many factors that come into play when weighing the depth of a formal risk analysis, some of the most important of those factors are the impact to the business, the probability of attack, and the difficulty and cost of repair. To balance the interruption needed for depth and the need to continue ongoing organizational activity, I would weigh each of the factors independently, and then rank them by the level of risk they present.
3. What should an organization’s risk management specialist do with the information once a potential risk has been identified? What information would be needed for senior management to know the danger of each risk and the proper way to handle the risk?
Once an organization’s risk management specialist identifies a potential risk, the next step is to analyze the risk and evaluate both the impact it would have on the company and the probability that the threat will occur (Dr. Wm. Arthur Conklin, Dr. Gregory White, Dwayne Williams, Roger L. Davis, and Chuck Cothren, 2012). Next, a plan must be put in place that specifies what actions are to be taken to mitigate the identified risk. Going forward, systems need to be monitored closely to identify trends that lead to occurrences of the risk, and the progress of the mitigation should be measured periodically.
When dealing with senior management, it is important to remember that they are not likely to be as technical as the risk management specialist. With this in mind, the information provided to senior management should be an understandable but thorough overview of the risk, together with a recommendation of how to “fix” the problem.
4. How would this specialist properly prioritize these risks to make sure the most important ones were mitigated first?
There are two methods this specialist could use to prioritize these risks so that the most important ones are mitigated first: qualitative risk assessment and quantitative risk assessment, and both can (and should) be used in conjunction as much as possible. By using both methods, the severity of each risk can be objectively “ranked” so that the most important risks are handled first.
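As an added example (not part of the original assignment), the two prioritization methods from the answer above applied to the Situation 5 payroll findings in Python: the qualitative ratings written in the tables are parsed into a risk-matrix score, and a quantitative annualized loss expectancy (ALE = SLE x ARO) is computed from constructed, hypothetical dollar and frequency figures. The two orderings disagree on the top item, which is exactly why the answer recommends using both methods together.

```python
# Added example (not from the original assignment): rank the tables'
# "Likely Finding" ratings qualitatively, then quantitatively by ALE.
import re

# Ordinal scales for the wording used in the tables; split ratings such as
# "low/medium" sit between their neighbours.
IMPACT = {"low": 1, "low/medium": 1.5, "medium": 2, "medium/high": 2.5,
          "high": 3, "very high": 4}
LIKELIHOOD = {"low": 1, "low/medium": 1.5, "medium": 2, "medium/high": 2.5,
              "high": 3}

# Matches e.g. "Very high risk, medium probability" (also "impact"/"possibility").
FINDING_RE = re.compile(
    r"(?P<impact>[\w/ ]+?)\s+(?:risk|impact),\s*"
    r"(?P<prob>[\w/ ]+?)\s+(?:probability|possibility)", re.IGNORECASE)

def qualitative_score(finding):
    """Risk-matrix score (impact x likelihood) for one finding string."""
    m = FINDING_RE.fullmatch(finding.strip().rstrip("."))
    if m is None:
        raise ValueError(f"unparseable finding: {finding!r}")
    return IMPACT[m["impact"].lower()] * LIKELIHOOD[m["prob"].lower()]

def annualized_loss(sle, aro):
    """Quantitative view: single loss expectancy x annual rate of occurrence."""
    return sle * aro

def prioritize(risks, by="qualitative"):
    """Return harms highest-priority first. 'qualitative' orders by matrix
    score with ALE breaking ties; 'ale' orders by ALE alone."""
    def key(risk):
        _harm, finding, sle, aro = risk
        ale = annualized_loss(sle, aro)
        return (qualitative_score(finding), ale) if by == "qualitative" else (ale,)
    return [risk[0] for risk in sorted(risks, key=key, reverse=True)]

# Constructed sample: Situation 5 findings with hypothetical SLE ($) and ARO
# (events/year) estimates, which are assumptions and not from the page.
PAYROLL_RISKS = [
    ("Paychecks redirected to wrong account", "High risk, medium probability", 50_000, 0.5),
    ("Employees not paid (account numbers deleted)", "Medium risk, low probability", 20_000, 0.1),
    ("All payroll funds stolen", "Very high risk, low probability", 2_000_000, 0.05),
    ("Pay scales leaked internally", "Medium risk, low probability", 5_000, 0.2),
]

if __name__ == "__main__":
    print("qualitative:", prioritize(PAYROLL_RISKS))
    print("by ALE:     ", prioritize(PAYROLL_RISKS, by="ale"))
```

The qualitative ranking puts the redirected-paycheck scenario first, while the ALE ranking puts the theft of all payroll funds first; a specialist presenting to senior management would show both and explain the gap.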
5. Who is responsible for ensuring that an identified risk is addressed by the organization? What role does the analyst play? What role does senior management play? What roles do the analyst and senior management each play in addressing organizational risks?
Responsibility falls to Senior IT management to make sure that identified risks are addressed by the organization. The analyst’s role is to assess the risk on the systems for the organization.