Risk =
probability * impact
Two conceptualizations of IT risk
- Risk as a probable negative impact
- Risk as both negative and positive impact
- Downside risk: probable negative outcome
- Upside risk: probable positive outcome
IT Risk definition
The potential for an unplanned event involving Information Technology (IT) to threaten an enterprise objective.
4 types of risk
4A Framework: IT Risk from Business Perspective
Availability
Access (confidentiality)
Accuracy (integrity)
Agility
Availability risk
Keeping systems (and their business processes) running. And recovering from interruptions.
Access (confidentiality) risk
Ensuring appropriate access to data and systems, so that the right people have the access they need, the wrong people don’t, and sensitive information is not misused.
Accuracy (integrity) risk
Providing correct, timely, and complete information that meets the requirements of management, staff, customers, suppliers, and regulators.
Agility risk
Being able to make necessary business changes with appropriate cost and speed.
Technical response to malicious codes
- Do nothing
- Shutdown and rebuild
- Build a mirror
Disclosure Strategy, 5 questions
- Disclosure to?
- Medium?
- Who contact them?
- When?
- What to say?
CIO’s Communication of IT Incident with? (IVK)
- CEO
Always tell the CEO the bad news as soon as the possibility is known - (external) Analysts
Don’t bring up the attack unless an analyst does so.
Managing risks 2 dimensions
- Cost of protection (high vs. low)
2. Downside risk (cost if happens) (tolerable vs. intolerable)
Managing risks 4 strategies
- Lowest priority (low/tolerable)
- Bear the risk (high/tolerable)
- Capitalize costs of risk mitigation (high/intolerable)
- Mitigate risk ASAP (low/intolerable)
Identity and Access Management (IAM)
Identifying, authenticating, and authorizing people to have access to applications, systems, or networks.
Identity and Access Management (IAM) - 2 types
- Category-based (everything in the same category is equally safe)
Some monitoring, but more trusting - Service & data-based (unique security for a data/service)
Monitor access to important data (some may not like that)
IT Risk Management: Three Core Disciplines
Create risk governance processes (identify & manage risk)
Create a risk-aware culture
Reduce IT complexity (e.g., spaghetti systems)
Customer Contact Strategies (what to say)
Defensive
Accommodative
Moderation
Image Renewal
Customer Contact Strategies: Defensive Strategy components
Denial (frame that no breach crisis exists)
Excuses (minimize organization’s responsibility)
Customer Contact Strategies: Accommodative Strategy components
Apology (explicitly apologizing)
Remedial action (take steps to repair and control the damage)
Customer Contact Strategies: Moderation Strategy components
Ingratiation (make stakeholders like the organization)
Justification (minimize perceived damage)
Customer Contact Strategies: Image Renewal Strategy components
Correction commitment (reassure stakeholders that firm takes whatever steps are necessary to avoid similar breach incidents in the future)
Stakeholder commitment (reassuring stakeholders that firm is committed to providing the best services and/or product)
Value commitment (reassuring stakeholders that the firm is committed to its core values)
Effect of crisis strategies on stock price change - Highly-reputable firms
None of the customer contact strategies has a significant influence on stock price
Effect of crisis strategies on stock price change - Normal firms
Defensive: Negative but non-significant influence
Accommodative: Negative but non-significant influence
Moderation: Positive influence
Image Renewal: Positive influence
