Identify three types of sensitive information involved with each situation. Then, describe three ways in which each information item could be misused or harmed. For each of these, note at least one likely finding that you would include in a risk analysis report of the organization. Finally, answer the questions at the end.
Situation 1 – Online Banking System

| Information Affected | Potential Harm (Risk) | Likely Finding in Risk Analysis Report |
|---|---|---|
| Bank Account Numbers | Can be used to steal the user’s funds. | Low/medium risk, high probability |
| | Can be used by terrorist organizations for money laundering. | Very high risk, medium possibility |
| | Loss of brand reputation to the bank as being less secure. | Medium risk, medium possibility |
| Account Numbers of Bills stored in Bill Pay | Used to access bill information and change information as personal attack on individual. | Low/medium risk, medium probability |
| | Used to access additional information about user through user’s profile through that particular bill. | Medium risk, medium/high probability |
| | Close account without user’s approval or them being aware as a personal attack against them. | Medium/high risk, high probability |
| Stock/investment information | Investments can be transferred to someone else’s name without users knowing or approval. | High risk/low probability |
| | Additional investments can be made in user’s name that are likely to fail, or to illegally support the investment company. | High risk/low probability |
| | Investments can be donated to charity without user’s consent or knowledge, leaving user with $0 left. | High risk/low probability |
Situation 2 – Facebook Page (organization or personal – specify which)

| Information Affected | Potential Harm (Risk) | Likely Finding in Risk Analysis Report |
|---|---|---|
| Access to friends list. | Can allow undesired persons to gain knowledge about someone that does not want their information seen by anyone but people they specify. | Medium risk, low/medium probability |
| | List can be emptied, severely affecting marketing for the organization. | Very high risk, medium/high probability |
| Unapproved, negative, or undesired posts can be sent to large amounts of the target audience. | False information being provided to organization’s target audience. | High risk, medium high probability |
| | Loss of brand reputation to the organization. | Medium risk, medium probability |
| Inappropriate or unauthorized photographs being uploaded to organization’s profile, viewable to the public. | Loss of trust with customer base, negatively affecting business for the organization. | High risk, medium probability |
| | Potential copyright infringement if images are legally protected. | Very high risk, medium probability |
| | Negative media coverage broadcasting the intrusion to larger audiences, negatively affecting business for the organization. | Very high risk, high probability |
Situation 3 – Picture Phones in the Workplace

| Information Affected | Potential Harm (Risk) | Likely Finding in Risk Analysis Report |
|---|---|---|
| Pictures taken of proprietary designs being taken and leaked to the public. | Loss of competitive advantage. | Very high, low probability |
| | Loss of revenue due to competition having similar design. | Very high, low probability |
| | Loss of trust of internal employees | High, medium probability |
| Pictures of customer information taken and stolen. | Loss of customer trust and as a result, their business. | Medium impact, medium probability |
| | Legal ramifications from victimized customers | High impact, medium probability |
| | Loss of trust of internal employees | High, medium probability |
| Images of classified documents being taken and released to the public. | Loss of customer support and business. | Medium/high impact, medium probability |
| | Depending on what information was released, could lead to political controversy and legal ramifications. | Very high risk, medium probability |
| | Loss of contracts, and thus revenue, from existing clients. | Very high risk, medium probability |
Situation 4 – E-Commerce Shopping Site

| Information Affected | Potential Harm (Risk) | Likely Finding in Risk Analysis Report |
|---|---|---|
| Credit card information | Can be used to steal the customer’s funds. | Low/medium risk, high probability |
| | Can be used to fund terrorist organizations. | Very high risk, medium possibility |
| | Loss of reputation for business as being not secure. | Medium risk, medium possibility |
| Product database | Prices can be altered without authorization, causing loss of revenue and unhappy customers. | High risk, low probability |
| | All product information can be deleted causing major problems for the company. | Very high risk, medium probability |
| | Product details can be altered or deleted to misinform customers or discourage them from purchasing products | Medium risk, medium probability |
| Personal customer information (SSNs, addresses, email addresses, etc.). | Customer’s identities can be stolen. | High risk, high probability |
| | Can provide stalkers with additional information about their “prey”. | High risk, medium probability |
| | Information can be deleted, severely impacting marketing of the organization. | Medium/high risk, medium probability |
Situation 5 – Real-World Application (such as CRM, ERP, other internal or external organizational systems – pick one and specify): Internal Payroll System

| Information Affected | Potential Harm (Risk) | Likely Finding in Risk Analysis Report |
|---|---|---|
| Employee Checking Account numbers | Can be changed so employee paychecks are sent to wrong account where money can be stolen. | High risk, medium probability |
| | Can be deleted so employees do not get paid. | Medium risk, low probability |
| | Can be stolen, so money in employee’s checking account is stolen. | High risk, medium probability |
| Employee pay scales | Can be changed so employee gets paid less than what they are supposed to. | Low risk, low probability |
| | Can be changed so employee gets paid more than they are supposed to, costing the company more than budgeted. | Low risk, low probability |
| | Can be accessed and information can be released to the rest of the employees of the company, causing internal turmoil. | Medium risk, low probability |
| Company payroll account information | All funds in account can be stolen. | Very high risk, low probability |
| | Account number can be deleted from system so all employees of the company do not get paid on time. | High risk, low probability |
| | Account information can be given to terrorist organizations where they can use the account to launder money, or | Very high risk, medium probability |
Questions
1. What is the most effective way to identify risks like those you noted in the tables?
The most effective way to identify risks like those noted in the tables above is to perform a risk assessment on the system or website and to hire a top-notch security manager and team of developers.
2. What are some important factors when weighing the depth of a formal risk analysis? How would you balance the interruption needed for depth and the need to continue ongoing organizational activity?
While there are many factors that come into play when weighing the depth of a formal risk analysis, some of the most important of those factors are the impact to the business, the probability of attack, and the difficulty and cost of repair. To balance the interruption needed for depth and the need to continue ongoing organizational activity, I would weigh each of the factors independently, and then rank them by the level of risk they present.
3. What should an organization’s risk management specialist do with the information once a potential risk has been identified? What information would be needed for senior management to know the danger of each risk and the proper way to handle the risk?
Once an organization’s risk management specialist identifies a potential risk, the next step would be to analyze the risk and evaluate the impact that risk would have on the company and the probability that the threat will occur (Dr. Wm. Arthur Conklin, Dr. Gregory White, Dwayne Williams, Roger L. Davis, and Chuck Cothren, 2012).
Next, a plan must be put into place that specifies what actions are to occur to mitigate the identified risk. Going forward, systems need to be monitored closely to identify trends that lead to occurrences of the risk, and the progress of this mitigation needs to be measured periodically.
When dealing with senior management, it is important to remember that it is not likely that they are as technical as the risk management specialist. With this in mind, the information provided to senior level management should be an understandable but thorough overview of the risk, along with a recommendation of how to “fix” the problem.
4. How would this specialist properly prioritize these risks to make sure the most important ones were mitigated first?
There are two methods that this specialist could use to properly prioritize these risks to make sure the most important ones are mitigated first. These methods are qualitatively assessing risk, and quantitatively assessing risk, and both can (and should) be used in conjunction as much as possible. By using both of these methods, the severity of each risk can be objectively “ranked” so that the most important risks can be handled first.
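A qualitative ranking of this kind can be automated over the ratings used in the tables above. The following is an added example, not part of the original essay: the 1 to 4 ordinal scale, the midpoint rule for ranges such as "Medium/high", and the severity times likelihood score are assumptions, and the harm descriptions are abbreviated from the tables.

```python
import re

# Assumed ordinal scale: the essay uses these labels but assigns them no numbers.
LEVELS = {"low": 1, "medium": 2, "high": 3, "very high": 4}

# Accepts the rating spellings found in the tables, e.g. "High risk, high
# probability", "Medium impact, medium probability", "Very high, low
# probability", "High risk/low probability", "medium risk, medium possibility".
RATING = re.compile(
    r"^\s*(?P<sev>[a-z /]+?)(?:\s+(?:risk|impact))?\s*[,/]\s*"
    r"(?P<like>[a-z /]+?)\s+(?:probability|possibility)\.?\s*$",
    re.IGNORECASE,
)

def level(label):
    """Score one label; a range such as 'Medium/high' scores as its midpoint."""
    parts = [p.strip().lower() for p in label.split("/")]
    try:
        return sum(LEVELS[p] for p in parts) / len(parts)
    except KeyError as exc:
        raise ValueError(f"unknown level {exc} in {label!r}") from None

def parse_rating(rating):
    """Return (severity, likelihood) as numbers for one table rating."""
    m = RATING.match(rating)
    if m is None:
        raise ValueError(f"unrecognised rating: {rating!r}")
    return level(m["sev"]), level(m["like"])

def prioritise(findings):
    """Sort (harm, rating) pairs by severity x likelihood, ties by severity."""
    scored = [(parse_rating(rating), harm) for harm, rating in findings]
    scored.sort(key=lambda s: (-(s[0][0] * s[0][1]), -s[0][0]))
    return [(harm, sev * like) for (sev, like), harm in scored]

# Ratings copied as written in the tables; harm text abbreviated.
FINDINGS = [
    ("Investments transferred without approval", "High risk/low probability"),
    ("Customer trust lost after photos of customer data", "Medium impact, medium probability"),
    ("Bank account numbers used to steal funds", "Low/medium risk, high probability"),
    ("Negative media coverage of the intrusion", "Very high risk, high probability."),
    ("Proprietary designs leaked", "Very high, low probability"),
    ("Customer identities stolen", "High risk, high probability"),
    ("Account closed without user's approval", "Medium/high risk, high probability."),
]

if __name__ == "__main__":
    for harm, score in prioritise(FINDINGS):
        print(f"{score:5.1f}  {harm}")
```

A rating the scale cannot interpret, such as "High risk, medium high probability" from the Situation 2 table, raises `ValueError` instead of being scored by guesswork.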
5. Who is responsible for ensuring that an identified risk is addressed by the organization? What role does the analyst play? What role does senior management play? What roles do the analyst and senior management each play in addressing organizational risks?
Responsibility falls to Senior IT management to make sure that identified risks are addressed by the organization. The analyst’s role is to assess the risk on the systems for the organization.