Hackers and Other Hazards

New risks demand new risk-management techniques.

Risk management has always concerned itself with critical enterprise infrastructures -- processes and assets essential to basic business operations. In the past, such critical enterprise infrastructure represented physical plant, equipment and inventory. But in a technology-based environment, an enterprise's core operations depend on electronic information and computer networks. Everything a business knows and has besides its creative people resides on its databases and systems. Although an intangible asset, electronic information, notably knowledge databases and intellectual property, is a key driver of revenue and worth. Key processes and connections to customers and partners will be web-based -- whether they involve value chain integration, procurement, bill presentment, fulfillment, benefits management or legal services. What particularly troubles those entrusted with risk management is the lack of definition and quantification of these risks -- in particular because there's little historic data available for calibrating them.

Thus, information technology risk management now should involve the identification, assessment, control, mitigation and financing of probable risks commensurate with the enterprise's brand, reputation, assets and operations. Consider the risk of electronic data destruction, corruption or disclosure by internal or external computer attackers. This cyber peril is critical -- especially to the financial services and health care industries. Remember the youth of the technologies and the uncertain direction of Internet-related litigation and regulations. And businesses are reluctant to reveal information about cyber crime or cyber attacks, as the public relations and investor fallout could damage brand and reputation. Then, too, businesses are less likely to notify law enforcement about known cyber crime and its perpetrators. And it's difficult to catch and convict such attackers, as it's relatively easy to hide under false addresses, electronically mask the route of the attack and escape from limited federal resources. However, conviction under the Computer Fraud and Abuse Act can entail prison sentences of up to five years per incident (10 years for second-time offenders) and a $250,000 fine. Still, prosecutions and convictions won't approach the soaring number of computer attacks, which more than doubled to 8,268 incidents last year, according to reports filed with the Computer Emergency Response Team at Carnegie Mellon University. And these incidents -- reported voluntarily -- are the tip of the iceberg.

An important first risk-management step is to identify and understand cyber perils (see pages 32 and 48). Although they're labeled as direct risks and liability risks, one security breach may result in both a direct loss and a liability loss. Some of these perils existed pre-Internet, but their likelihood and magnitude have changed. If we focus on the three critical concerns of risk management -- the frequency of claims, severity of loss and cost of resolution -- we can identify at least five ways Internet technologies affect the management of liability risks and exposures:

* Rise in the number of claims. New portals and falling PC prices have increased Internet access globally. Studies say the number of Internet users doubles every 100 days.
* Upsurge in the severity of claims. The growing dependence of global business on Internet applications multiplies the risk of severe claims in relation to the potential revenue stream of critical business systems.
* Increases in the number of defendants. Internet technologies support the economies of outsourcing critical business functions and product components. Plaintiffs can pursue more defendants with significant or peripheral involvement in the alleged torts.
* Increases in the complexity of "traditional claims" and procedural issues. Claims become more complex because the parties may assert aspects of Internet technology that make the case more difficult factually or legally. Venue also is hard to resolve: should the case be tried where the server is located, where the customer is located, etc.? Internet technology cases are expensive to litigate and create uncertainty regarding potential resolution by judges and juries.
* New claims and remedies. Internet technologies create new categories of potential defendants (such as online access providers) and beg new questions of duty and proximate cause. New remedies issues also will arise pertaining to the recovery of consequential damages and punitive damages.
Audit Vulnerability

A vulnerability analysis involves finding and documenting the exposure to identified perils or threats. Some perils require experts in network business continuity or security to evaluate policies, procedures, monitoring and enforcement. Security itself involves policies, people and technology working together. Security audits also involve electronic scanning and full-blown systems penetration testing (also called ethical hacking). The latter finds "open windows" and vulnerabilities and recommends ways to address them. One tendency is to hire outside consultants to advise on this or that issue -- firewalls, use of public key infrastructure and others. These studies should be part of an enterprise-wide assessment of the use of and dependence on Internet technologies. Organizations should be able to lower overall vulnerabilities, institutionalize replicable best practices and audit their approaches. New applications, business models and acquisitions are part of the territory; external testing provides only a snapshot of a moment in Internet time.

Risk Management Analysis

One consulting service many businesses want is risk identification and mapping by frequency and severity. Threats with the most potential impact on profitability and reputation need to be tracked. These initiatives must weigh Internet or network activities and associated critical information assets, such as a trade secret, source code for a software product or strategic marketing or customer information. The results will yield a more efficient use of resources for adopting risk control and risk mitigation strategies. We need best practices in legal approaches to prevent or allay the risks of intellectual property infringement or to enforce the company's intellectual property rights. Dealing with complex Internet technology risks often calls for a cross-enterprise risk committee with representatives from legal, IT/IS, marketing, the e-commerce director's office and risk management. The barriers are the silos between treasury/finance and technology in many organizations and the misperception that technology alone will fix problems.

These risks need to be managed as business risks, as they'll appear as risk factors on financial statements and will be the center of legal or regulatory action. Attacks, crimes and loss-of-web disruptions increasingly cause fallout with customers and investors. Other challenges relate to outsourcing. In analyzing the perils of web disruptions, the critical point of failure may be communications or hosts. Outsourcing doesn't transfer liabilities, as companies have learned on reading customer service agreements and vendor contracts. Users of Internet technology also may have deeper financial pockets than the creators and enablers.

Decision-making

Decision-making is an ongoing process that involves best risk-management practices. Analysis will change with new technologies, new forms of attacks on a company or industry, new applications, regulatory and legal modifications and changes in corporate structure and direction. The key is to continue the process given these changes -- and, of course, continual testing and assessment. Certainly, one decision is whether to retain or transfer none, some or most of the risks associated with Internet technologies. New insurance products address some of these areas. For large enterprises, manuscripted catastrophic coverage for operational risk may be an attractive alternative. Also consider whether to staff the infrastructure to manage security internally or to outsource all or part of this function. Development of a robust audit program may require a decision on whether and how to use internal staff or external consultants. New customer-directed web sites may require a more extensive risk review process, the specifics of which need to be developed and approved.

Decision-making may also result in changes in legal strategies related to intellectual property or privacy. Most of these decisions will involve senior management or board signoff, as these issues may require significant expenditures or strategic business judgments.

Emily Q. Freeman is practice leader for e-business risk solutions at Marsh & McLennan. She can be reached at Emily.Freeman@marshmc.com.
Identification of Cyber Risks

Direct Risks: Threat to enterprise's own operations or assets.

* Computer fraud: Wrongful taking of tangible assets and intangible assets by employees or non-employees. Includes trade fraud, credit-card fraud, financial fraud.
* Theft of electronic information or information assets: Wrongful taking of software code, supplier information, confidential or proprietary information, including intellectual property, source code, customer data, electronic data as a result of unauthorized access or unauthorized use of computer networks.
* Theft of computer system resources: Using computing or telecommunications resources for other than official, approved business purposes.
* Threats/extortion: Threat to commit a computer crime or to use information gained from a computer crime for money, personal gain or to embarrass the company.
* Malicious acts (attacks): Modification or damage for nuisance, sabotage, revenge, political or social motivation, pranks or entertainment.
* Disclosure of electronic information and electronic information assets: Disclosure of proprietary or confidential information stored in an electronic form as a result of a computer crime, malicious act or mistake by authorized IT/IS personnel in the normal performance of their jobs.
* Electronic information and programs (human error): Damage to computer programs and electronic data by a mistake by authorized IT/IS personnel in the normal performance of their jobs.
* Mechanical breakdown: Electrical or mechanical breakdown that damages equipment, programs or data; possible network disruption.
* Physical loss: Damage to equipment, media and data due to physical peril (fire, water damage, vandalism, etc.). Catastrophes (earthquake, windstorm, flood).
* Harmful code: Implantation, introduction and spread of viruses, logic bombs, Trojan horses, other malicious code.
* Denial of service: Attack causes a degradation of performance or loss of service to a web site or network application.
* Loss of service: Outage, crash, degradation of performance from an error by authorized personnel in the normal performance of their jobs.
* Loss of connectivity (service interruption): Physical perils (such as hurricane, fire), attacks, accidents and malfunctioning of network communications infrastructure, including satellites, telephone lines, cable, electrical lines and fiber-optic cable.
* Dependent businesses: All of the perils above can occur to a critical supplier, vendor (e.g., web-hosting service) or customer, resulting in loss of connectivity, loss of revenue and extra expense.

Liability Risks: Third-party claims, lawsuits and regulatory action.

* Errors and omissions: Financial harm to third parties without bodily injury or tangible property damage. Exposure depends on role and level of involvement and scope and nature of the contractual relationship. Likely plaintiffs: consumers, business partners, customers, vendors, e-merchants, financial institutions. Likely exposures: service outages and interruptions; faulty technical support; insufficient security measures to protect third-party data or code.
* Intellectual property infringement (direct and contributory): Patent infringement (especially software and business process patents); copyright infringement (e.g., plagiarism and framing); trademark infringement, including trade dress (e.g., use of domain names, cyber squatting, meta tags); misappropriation of trade secrets (i.e., research and marketing studies, processes, customer lists, undisclosed new product or service offerings, etc.).
* Content and advertising-related offenses: Defamation, especially online commentary and discussion, including employee statements made over the Internet about third parties. Trade libel and product disparagement. Pornography, obscenity, hate sites. Testimonials or endorsements. Invasion of privacy; cyber stalking. Misappropriation of publicity rights or ideas under implied contract. Unfair competition (comparative claims, false or deceptive advertising, trademark dilution, etc.). Editorial errors and omissions (i.e., harmful imitation, reckless inducement).
* Privacy: Using information that identifies a person or entity for a purpose that wasn't intended and for which permission wasn't received. There are major differences in privacy regulations throughout the world (the most serious of which is the European Data Directive vs. U.S. privacy regulations) and specific state privacy protection laws (e.g., Virginia Privacy Protection Act). Also refer to the Child Online Privacy Protection Act of 1998. Inadequate privacy policy on web site. Failure to disclose what information is being collected or what use will be made of it; failure to allow the consumer a way to view and modify that information. Unauthorized release of confidential data (i.e., financial, medical, etc.) and failure to let the consumer opt out of the use of private information. Violation of a stated privacy policy may result in regulatory action or litigation.
* Other e-commerce-specific risks: Authentication (validity of a transmission, message, or originator). Non-repudiation (a cryptographic service that legally prevents the originator of a message or purchase from denying authorship or denying the transaction at a later date). A legitimate customer denies responsibility for a transaction. Merchandise misrepresentation and fulfillment. Regulatory violations (e.g., of the Uniform Commercial Code). Breach of/enforceability of click-wrap agreements. Enforceability of disclaimers. Product liability. Warranties and contractual guarantees.
* Corporate e-mail: Type of information and content contained in e-mails; will be discoverable in litigation from third parties and employees. Failure of security (e.g., passwords and encryption) may result in disclosure of proprietary information (possible industrial espionage) or public embarrassment. Unauthorized access to stored e-mail. E-mail harassment, pornography, threats to innocent Internet users.
Let's Play Jeopardy!

CATEGORY: Representative questions pursued in risk management analyses.

ANSWERS:

* How much would it cost to minimize the risk posed by the vulnerability? Are the costs commensurate with the activity's or asset's importance?
* What's the critical recovery window to restore connectivity after an outage or disruption? How does it vary by application, time of day or season? Can this window be correlated in financial terms to a time interval? You'll need an in-depth evaluation to define the most critical business processes, functions, applications, technologies and resources. That includes calculating the actual cost of an outage by the hour, day and week to determine the acceptable application recovery window for critical distributed applications. It also defines the maximum outage a business process can sustain before a company's well-being is affected; the financial and non-financial impacts of an extended IT outage; and recovery strategies and alternatives, balancing recovery cost with acceptable risks.
* How secure and how redundant are the services critical vendors provide?
* How effective is the incident planning and security response capability? How can contingency or emergency response be improved?
* What risk mitigation or risk recovery solutions should you use, given the recovery window and its financial consequences? How can business continuity costs be justified to senior management?
* How do current risk transfer strategies (principally insurance) address these risks? What gaps or limitations exist in the current insurance program? What's the best/worst/anticipated financial loss?