Cyber Crime: Risk Assessment

Cyber Crime: A Clear and Present Danger

The Excel file used for this post: Risk-Registry.xlsx

Information systems give us great ways to communicate and learn, but they also give nefarious actors a way to exploit the power of the Internet for terrorist and/or criminal purposes. Criminal warfare has moved to the virtual world, where more damage can be done in less time with a better chance of getting away with it. Criminals who use the Internet as their method for committing crimes are known as cyber criminals. Moore’s Law describes how the number of transistors that can be placed on inexpensive integrated circuitry doubles every two years. Since a new generation of faster computers can be produced every two years, criminals can also afford faster, more complex computers to leverage against your organization.

Analyzing and avoiding risk should be part of any organization’s practice, especially if transactions are made on the Net, including email, web browsing, online stores, etc.

The rest of this article is an example of what may be used to start your own risk register.

Qualitative Risk Assessment

Threats, identified by the risk they pose to the organization, have been qualified in the attached risk register spreadsheet. Download the actual Excel file: Risk-Registry.xlsx

[Figure: Risk Register]

While all risks pose some level of threat, certain ones can be identified as low, medium or high risk based on their severity in cost and time lost to our organization. Damage to reputation from faulty security is actually a side effect of not being able to protect our customers’ assets and personal information. A side-by-side comparison of the risk register with the risk matrix will give a better forecast of how risk impacts our organization.

Quantitative Risk Matrix

Qualitative

On average, credit scams account for $260 per customer per year, and we can mitigate that cost through the use of heuristic programs that detect unusual purchases as they happen instead of reading reports after the fact.

While the financial risk from cyber attacks can be measured after the fact, the most damaging effect of cyber attacks is the lack of trust from our customers. Irreversible damage could be imposed upon our organization as customers retreat to companies that they believe can manage their finances better. The contingency budget set forth below would save us from going completely under in the future. The budget needed is minimally estimated to be around 1% of what we risk losing. We must be ready to budget at least 30% of our organization’s earned income after taxes and deductions.

Contingency Budget

[Figure: Contingency Budget]

Colors reflect the same qualitative selection as the risk matrix and should be considered top priority when considering budgeting amounts. The contingency cost has been lowered based on the probability of each risk’s occurrence and is 65% of the total budget needed to address all risks.

 

Recommendations

When money is used, it is gone; data is more valuable than money. Our data and systems are worth more than can be quantified in any report. Data can be reused over and over again. To protect our data, we need to spend our budget on mitigating the highest-ranked risks. We should also target unknown risks by monitoring assets as they are accessed and by keeping corrective action times short, to save the organization from unknown intrusions. All internal and external metrics that can help target cyber activities should be used with the utmost efficiency to be as effective as possible. Continual vigilance in our security reaction time, as we move towards future technologies to communicate and process information on the Internet, is imperative to our survival.

Additional Resources

Martin H. Bosworth. (2008). Losses From Cybercrime Nearly $240 Million in 2007. Consumer Affairs. Retrieved from: http://www.consumeraffairs.com/news04/2008/04/cybercrime.html

Tom Mochal. (2006, May). Creating a risk contingency budget using expected monetary value (EMV). TechRepublic. Retrieved July 24, 2011, from http://www.techrepublic.com/article/create-a-risk-contingency-budget-using-expected-monetary-value-emv/6069576

United States Department of Justice. Computer Crime & Intellectual Property Section. Cyberethics. Retrieved from: http://www.cybercrime.gov/cyberethics.htm

Risk Management Planning

Risk Management Planning

Risk management typically follows four stages in an iterative process: identification, assessment, planning and monitoring. They should be followed at project start-up and then revisited in response to change or the completion of project stages. One of the main reasons why risk-management activities fail to deliver as well as they should is that they get treated as a one-time exercise. Once the full heat of the project battle is underway, plans and contingencies get left to gather dust on the shelf. This is a sad waste; the initial assessment will have helped identify where the project is most at risk and will have helped focus attention on how to mitigate these risks (or accept them). However, the lack of monitoring allows new risks to emerge, or old ones to grow more serious, without anyone actually noticing. It then comes as a surprise that the roof has fallen in on the project.

[Figure: identify risk]

The above picture shows the dimensions where risk comes into play and must be dealt with in project risk management.

Identification of Risk

Identification is the first step. Ideally, it involves asking anyone and everyone (within reason) to identify any risks they consider might apply to the project. A checklist like the one below may be used.

Question/comment (answer yes/no):

- Has a complete risk identification/assessment/planning exercise been conducted?
- Is there an ‘owner’ for this process?
- If not, have all the areas of risk been considered? As below:
  - Commercial?
  - Technical?
  - People?
  - Politics?
  - Process?
  - Change?
- For all the risks identified, is there a realistic assessment of impact and probability?
- Have these risks been ranked (prioritized) according to impact and probability?

[Figure: Identifying and classifying risk, by probability of occurrence]

Risk Analysis

Once risks have been identified, they can be rated according to severity and probability. Normally, this is done on the basis of low, medium or high for both categories, as seen in the above diagram.

We try to rank the risks according to combined impact and probability. The first filter employed would be to eliminate all the very low risks. These need only be considered if their ranking changes in the future; it is not a good thing to simply file and forget risks. The ranking process can then be applied to give increasingly higher profiles to high-impact/probability risks. During this assessment process, we could associate/review ranking numbers with the impact on budget and time. This can then be used to keep track of how risks evolve with time as a result of project progress, risk reduction and contingency plans, plus events in the outside world.
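The ranking steps described above, combined with the probability-weighted contingency budget from the earlier post, as an added Python example that is not from the original page or its spreadsheet. The register entries, numeric probabilities, dollar costs and band thresholds are constructed assumptions.

```python
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}   # the post's low/medium/high scale

@dataclass(frozen=True)
class Risk:
    name: str
    probability: str    # qualitative rating
    impact: str         # qualitative rating
    p_estimate: float   # assumed numeric probability, used only for EMV
    cost: float         # assumed loss in dollars if the risk occurs

    @property
    def score(self) -> int:
        """Combined ranking number: probability level x impact level (1..9)."""
        return LEVEL[self.probability] * LEVEL[self.impact]

    @property
    def emv(self) -> float:
        """Expected monetary value: cost lowered by probability of occurrence."""
        return self.p_estimate * self.cost

def band(score: int) -> str:
    """Map a score to a matrix colour band (thresholds are an assumption)."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def triage(register):
    """Split into (ranked, watch): low/low risks go to a watch list that is
    re-scored at every review instead of being filed and forgotten."""
    watch = [r for r in register if r.score == 1]
    ranked = sorted((r for r in register if r.score > 1),
                    key=lambda r: (r.score, r.emv), reverse=True)
    return ranked, watch

def contingency(ranked) -> float:
    """Contingency budget as the sum of the ranked risks' EMVs."""
    return sum(r.emv for r in ranked)

# Constructed sample register (not the contents of Risk-Registry.xlsx).
REGISTER = [
    Risk("Card fraud", "high", "medium", 0.6, 50_000),
    Risk("Customer data breach", "medium", "high", 0.3, 200_000),
    Risk("Phishing of staff", "high", "low", 0.7, 10_000),
    Risk("Website defacement", "low", "low", 0.05, 8_000),
    Risk("Denial of service", "low", "medium", 0.1, 40_000),
]

if __name__ == "__main__":
    ranked, watch = triage(REGISTER)
    for r in ranked:
        print(f"{band(r.score):6} {r.score} {r.name:22} EMV ${r.emv:,.0f}")
    print("watch list:", [r.name for r in watch])
    print(f"contingency ${contingency(ranked):,.0f}")
```

Re-running `triage` at each review with updated ratings moves a watch-list entry into the ranked set as soon as either of its ratings rises above low.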

Risk Response

Following on logically, once the nature of the risk has been fully assessed, the next step is to develop a plan for dealing with each risk. These typically include: ignore it, take mitigating action to reduce the chance of it happening or minimize the impact, and have a contingency plan in case it actually comes to pass.

These are the four main responses to risks that can potentially occur:

1. Avoidance

Includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the liability that comes with it. Another would be not flying in order to not take the risk that the airplane might be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.

2. Reduction

Involves methods that reduce the severity of the loss or the likelihood of the loss occurring. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy.

3. Retention

Involves accepting the loss when it occurs. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. This may also be acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great it would hinder the goals of the organization too much.

4. Transfer

Means causing another party to accept the risk, typically by contract or by hedging. Insurance is one type of risk transfer that uses contracts. Other times it may involve contract language that transfers a risk to another party without the payment of an insurance premium. Liability among construction or other contractors is very often transferred this way. On the other hand, taking offsetting positions in derivatives is typically how firms use hedging to financially manage risk.

The risk identification, assessment and planning stages need to be re-evaluated when things change. This can be done by having regularly timed reviews (with the overhead that you might have reviews when you don’t need them). Alternatively, risk reviews can be implemented whenever there is a request for a change, however trivial, or by setting criteria that determine the extent of the reviews according to the extent of the change.

Risk Monitoring and Control

The monitoring process systematically tracks and evaluates the effectiveness of risk handling actions against established metrics. Monitoring results may also provide a basis for developing additional risk handling options and approaches, updating existing risk handling approaches, and reanalyzing known risks. In some cases monitoring results may also be used to identify new risks and revise some aspects of risk planning. The key to the risk monitoring process is to establish a cost, performance, and schedule management indicator system over the program that the program manager and other key personnel use to evaluate the status of the program. The indicator system should be designed to provide early warning of potential problems to allow management actions. Risk monitoring is not a problem-solving technique, but rather a proactive technique to obtain objective information on the progress to date in reducing risks to acceptable levels.

“Best practices” acknowledges that all of the traps have not been identified for each risk issue. The traps are intended to be suggestive, and other potential issues should be examined as they arise. It is also important to recognize that sources and types of risk evolve over time. Risks may take a long time to mature into problems. Attention must be properly focused to examine risks and lessons learned.

Lessons learned should be documented so that future project managers can learn from past mistakes.

From past companies and education, I have developed risk management plans. These included risk management planning, identification of risk, risk analysis, risk response (including avoidance, reduction, transfer and retention), and risk monitoring and control.

As I find time, I will post more information.

WORKS CITED

Andersen, Erling S.; Grude, Kristoffer V.; Haug, Tor; Katagiri, Mike; Turner, J. Rodney. Goal Directed Project Management: Effective Techniques and Strategies. 3rd ed., edited by Mike Katagiri, Rodney Turner. London; Sterling, VA: Kogan Page, 2004.

Ben-David and T. Raz. An Integrated Approach for Risk Response Development in Project Planning. The Journal of the Operational Research Society, Vol. 52, No. 1 (Jan. 2001), pp. 14-25.

Kerzner, Harold. Project Management: A Systems Approach to Planning, Scheduling, and Controlling. New York: John Wiley & Sons, Inc. (US), 2001.

Nickson, David; Siddons, Suzy. Project Disasters & How to Survive Them. London; Sterling, VA: Kogan Page, 2005.

Smith, Nigel J. Managing Risk in Construction Projects. Oxford; Malden, Mass.: Blackwell Science, 1999.
