net/publication/361982989
Author: Velibor Božić
All content following this page was uploaded by Velibor Božić on 14 July 2022.
This example is based on a real situation, but it does not reproduce it entirely faithfully. Its aim is to show one approach to risk management, built on theoretical knowledge of the subject.
PEOPLE
Production company, 920 employees, computer centre with 8 employees.
Structure of the computer centre: system administrator, network administrator, two information systems designers (one of whom is also the database administrator), three programmers and the manager of the computer centre.
More than 50% of employees have secondary education, 35% elementary education, 10% college and 5% university.
APPLICATIONS
ERP is among the applications; its main server is off-site and not under the control of the computing centre (it is located at the Group's headquarters).
In addition to ERP there are applications that complement its functionality; these applications and their databases are located on "local" servers that are under the control of the computing centre.
There are applications on the old VAX/VMS system.
There are stand-alone applications and unstructured records (Word, Excel).
There is an intranet as a medium for information exchange.
There is a website.
There is an application for receiving orders from partners via e-mail.
DATA
Transactional business data is located on the off-site server at the Group's headquarters.
Part of the data is on the "local" servers (data on production, procurement, compensation...); this is the data "produced" by the applications that complement ERP.
Part of the data, relating to the comparison of planned and actual costs and to cash flow, is in a separate database, because it is extracted from the transaction database daily.
SECURITY POLICY
2. Risk identification
Risk identification consists of the following. On the basis of the facts established in the first step, of the error records (the company holds ISO 9001:2000 certification and is therefore obliged to keep records of non-compliance in the IT area as well) and of experience (previous outages of the system, for whatever reason), the sources of possible threats on the one hand, and on the other the system vulnerabilities that those threats can exploit, are identified. This can be done in different ways, but it is crucial that this step is done well so that the risks can be determined more accurately later.
There are four outputs in this step:
List of sources of threats to the IT system
List of threats to the IT system
List of IT system vulnerabilities
Threat source - threat - vulnerability mapping
This is not a complete list, but it is sufficient to implement an example and show the idea of risk management.
Insufficiently trained users - they can cope in a routine situation, but if something unplanned happens they get lost.
IT IS NECESSARY:
additionally train users
improve input validation in the applications
Unlimited Internet access - too many employees have Internet access without needing it for work.
IT IS NECESSARY:
deny access (through network settings) to those who do not need it for work
adopt formal rules of conduct (prohibition of access to inappropriate content and penalties for violating it)
acquire a software tool that will monitor who visits which pages
Failure of an industrial computer - since several of them are in operation, a failure can be compensated for if it does not last too long.
IT IS NECESSARY:
have spare parts
have a trained technician who can repair this type of machine
ideally, have a spare industrial computer
Insufficiently tested applications - there is often pressure from users to develop applications quickly, so errors occur.
IT IS NECESSARY:
consider defining the position of 'Application Tester', who would be responsible for testing applications in the working environment
Unprotected network - there is a great danger of hacker attacks, viruses, spam and data destruction.
IT IS NECESSARY:
Intention to destroy servers and network devices - it is possible that someone, for whatever reason, wants to destroy the servers or the main network devices.
IT IS NECESSARY:
Physical damage to the fibre optic cable or failure of the network device - this concerns only the link to the Group headquarters. Dangerous, because without the link the work would have to be done manually, which is almost impossible.
IT IS NECESSARY:
Through this or a similar analysis an inventory can be made of which controls are already in place and which should be installed, so that the threats to the system and its vulnerabilities are as unlikely as possible, i.e. so that they have as little impact on the system as possible.
Impact is rated on a three-point scale:
low impact = 1 (loss of some resources, disruption to work that is not essential for the business)
medium impact = 2 (failure to fulfil part of the obligations, monetary losses, loss of part of the reputation)
major impact = 3 (inability to function, irreversible loss of information, monetary losses)
Here, risks are formally defined as a function of the threats to the IT system and the vulnerabilities of the IT system. The risks in our example are therefore:
No.  RISK
R01  Incorrect data entry or lack of entry due to insufficient user training.
R02  Downloading content and browsing inappropriate content on the Internet. Getting viruses and destroying data. All this due to the absence of formal prohibitions and penalties.
R03  Absence of production data due to a failure of the industrial computer that cannot be rectified in time.
R04  Entering incorrect data and obtaining incorrect information due to poorly made applications.
R05  Inability to use online applications due to using the wrong operating system.
R06  Infection with viruses and spam due to lack of hardware and software protection.
R07  Physical destruction of the system room due to free access to it by persons who are not employees.
R08  Impossibility of using the ERP system due to the interruption of the optical connection with the Group's headquarters.
Each risk is a function of the probability of the threat occurring and the impact of the threat and vulnerability on
the system.
RISK = PROBABILITY * IMPACT
Ranking of the impact on the IT system of the realised threats and vulnerabilities (one entry per risk):
o R01 - impact 2
o R02 - impact 3
o R03 - impact 2
o R04 - impact 2
o R05 - impact 1
o R06 - impact 3
o R07 - impact 3
o R08 - impact 3
RISK RANK:
No.  RISK  RANK = PROBABILITY * IMPACT
R01  Incorrect data entry or lack of entry due to insufficient user training.  4
R02  Downloading content and browsing inappropriate content on the Internet. Getting viruses and destroying data. All this due to the absence of formal prohibitions and penalties.  9
R03  Absence of production data due to a failure of the industrial computer that cannot be rectified in time.  2
R04  Entering incorrect data and obtaining incorrect information due to poorly made applications.  2
R05  Inability to use online applications due to using the wrong operating system.  2
R06  Infection with viruses and spam due to lack of hardware and software protection.  9
R07  Physical destruction of the system room due to free access to it by persons who are not employees.  3
R08  Impossibility of using the ERP system due to the interruption of the optical connection with the Group's headquarters.  6
Risk level:
The risk is high if the risk rank is 6 or 9
The risk is medium if the risk rank is 3 or 4
The risk is low if the risk rank is 1 or 2.
Therefore, the very dangerous, high risks that require an immediate reaction are:
R02 Downloading content and browsing inappropriate content on the Internet. Getting viruses and
destroying data. All this due to the absence of formal prohibitions and penalties.
R08 Impossibility of using the ERP system due to the interruption of the optical connection with the
Group's headquarters
R06 Infection with viruses and spam due to lack of hardware-software protection.
Medium risks, which it would be good to address, but not necessarily immediately:
R01 Incorrect data entry or lack of entry due to insufficient user training.
R07 Physical destruction of the system room due to free access to it by persons who are not employees
Low risks, with which the company can function but which must be kept under control, are:
R03 Absence of production data due to a failure of the industrial computer that cannot be rectified in
time.
R04 Entering incorrect data and obtaining incorrect information due to poorly made applications
R05 Inability to use online applications due to using the wrong operating system.
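The scoring described above, as an added example (this is not code from the paper): the eight risks with their impact values from the impact ranking and their ranks from the RISK RANK table, the rank-to-level thresholds, and the grouping into high, medium and low. The page never lists the probability factor, so it is derived here as rank divided by impact; that derivation assumes the ranks really are products of two values on the 1..3 scale, and the code raises on any pair that is not. Within a level the risks are ordered by rank and then by id, so R06 precedes R08, unlike the order in the text.

```python
"""Risk register scoring for the example in the text.

Added example, not the paper's own code. Impact values come from the
impact ranking list and ranks from the RISK RANK table; probability is
not given on the page and is derived as rank / impact (assumption: the
ranks were computed as PROBABILITY * IMPACT on a 1..3 scale)."""

from dataclasses import dataclass

SCALE = (1, 2, 3)                               # both factors use a three-point scale
IMPACT_LABELS = {1: "low", 2: "medium", 3: "major"}


def level_for_rank(rank: int) -> str:
    """Thresholds as defined in the text: 6 or 9 high, 3 or 4 medium, 1 or 2 low."""
    if rank in (6, 9):
        return "high"
    if rank in (3, 4):
        return "medium"
    if rank in (1, 2):
        return "low"
    raise ValueError(f"rank {rank} is not a product of two values on the 1..3 scale")


def derive_probability(rank: int, impact: int) -> int:
    """Recover the probability factor from a published rank and impact.
    Raises if the pair cannot satisfy RISK = PROBABILITY * IMPACT on the scale."""
    if impact not in SCALE or rank % impact != 0 or rank // impact not in SCALE:
        raise ValueError(f"rank {rank} and impact {impact} are inconsistent")
    return rank // impact


@dataclass(frozen=True)
class Risk:
    rid: str
    description: str
    probability: int
    impact: int

    @property
    def rank(self) -> int:
        return self.probability * self.impact

    @property
    def level(self) -> str:
        return level_for_rank(self.rank)


# (id, short description, impact from the impact list, rank from the rank table)
PAGE_DATA = [
    ("R01", "incorrect or missing data entry, insufficient user training", 2, 4),
    ("R02", "inappropriate Internet use, virus infection, data destruction", 3, 9),
    ("R03", "missing production data after industrial computer failure", 2, 2),
    ("R04", "incorrect data and information from poorly made applications", 2, 2),
    ("R05", "online applications unusable due to the wrong operating system", 1, 2),
    ("R06", "virus and spam infection, no hardware/software protection", 3, 9),
    ("R07", "physical destruction of the system room by non-employees", 3, 3),
    ("R08", "ERP unusable after interruption of the optical link to HQ", 3, 6),
]


def build_register() -> list[Risk]:
    """Build the register, deriving each probability and validating it."""
    return [Risk(rid, desc, derive_probability(rank, impact), impact)
            for rid, desc, impact, rank in PAGE_DATA]


def group_by_level(register: list[Risk]) -> dict[str, list[str]]:
    """Risk ids per level, highest rank first within a level, then by id."""
    groups: dict[str, list[str]] = {"high": [], "medium": [], "low": []}
    for risk in sorted(register, key=lambda r: (-r.rank, r.rid)):
        groups[risk.level].append(risk.rid)
    return groups


def risk_matrix() -> dict[tuple[int, int], str]:
    """The full 3x3 probability x impact matrix implied by the thresholds."""
    return {(p, i): level_for_rank(p * i) for p in SCALE for i in SCALE}


if __name__ == "__main__":
    register = build_register()
    for r in register:
        print(f"{r.rid}  P={r.probability} I={r.impact} ({IMPACT_LABELS[r.impact]})"
              f"  rank={r.rank:<2} {r.level}")
    print(group_by_level(register))
```

The matrix function makes the thresholds' structure visible: with both factors on 1..3, a major impact (3) with probability 1 only reaches "medium", and every combination is either high, medium or low with no gaps.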
3. Recommendations for risk reduction
The input to this step is the risk ranking. Here it is assessed, for each risk, whether controls for reducing it exist, whether controls are needed and of what kind. In addition, a cost-benefit analysis must be done. It should state what is gained by the control and what is lost without it, expressed financially. The result of this step should help management decide whether or not to take the risk-reduction actions.
R02 Downloading content and browsing inappropriate content on the Internet. Getting viruses
and destroying data. All this due to the absence of formal prohibitions and penalties.
R08 Impossibility of using the ERP system due to the interruption of the optical connection
with the Group's headquarters
R06 Infection with viruses and spam due to lack of hardware-software protection.
Risk R02:
Recommended control: PHYSICAL PROHIBITION OF ACCESS TO THE INTERNET
o Cost: HRK 0, because the company has an employee who administers the network well and will block access through the network settings. A list of the people whose access should be blocked must be drawn up.
o Not implementing this control means the possibility of getting a virus and ultimately losing important data.
o Formal rules and penalties for non-compliance should be prescribed.
o A software tool is needed to check who is on the Internet, how much, and which addresses they visit (e.g. a so-called sniffer, which costs approximately 2,000.00 units).
Cost-Benefit:
o Cost of introducing the controls: about 2,000.00 units.
o The potential loss of information and downtime due to a virus attack is immeasurable. Looking only at the fact that 4 people cannot work for 8 hours (formatting the machine, reinstalling Windows, recovering data), plus 8 hours of work by two people from the computer centre, at an average hourly rate of 60 units, a single incident costs 6 people * 8 hours * 60 = 2,880.00 units. Compared with the cost of the controls, that is a saving of 880.00 units on one incident alone.
Risk R08:
Recommended control: ADDITIONAL LEASED LINE, ADDITIONAL ROUTER on each side, UPS
o By implementing this control we ensure the possibility of uninterrupted work and constant service to our customers.
o Not having the control means that, in the event of a loss of connection, we cannot do anything related to customers. We cannot ship products or invoice.
Cost-Benefit:
o Cost: one-time around 50,000.00 units plus 5,000.00 units a month for the line lease, i.e. 110,000.00 units in the first year and 60,000.00 units each subsequent year.
o If we do not work for just one day, we lose on average 540,000.00 units, so the entire cost is potentially recovered in a single day.
Risk R06:
Recommended control: PURCHASE OF A HARDWARE FIREWALL, A NETWORK ANTI-VIRUS PROGRAM AND AN ANTI-SPAM DEVICE
o Implementing the control avoids the risk of data destruction by viruses and enables the normal use of e-mail.
o Not implementing the control can mean the loss of business-critical information and the impossibility of operational use of the applications, which may call into question the fulfilment of organisational goals.
o The controls for this risk are also related to risk R02.
Cost-Benefit [1]:
o Implementation cost: 14,000.00 units one-time and 32,000.00 units every year for licences.
o Benefits: one type of saving is the same as for risk R02. The potential loss of information and downtime due to a virus attack is immeasurable; looking only at 4 people unable to work for 8 hours during "PC recovery", plus 8 hours of work by two people from the computer centre, at an average hourly rate of 60 units, one incident costs 6 people * 8 hours * 60 = 2,880.00 units, so the same 880.00 units per incident are saved as under R02.
o Every day all users waste a lot of time clearing spam: with about 200 users at an hourly rate of 60 units, the lost time comes to about 1,200 units a day (roughly six minutes per user), which over e.g. 200 working days is 240,000 units just for cleaning spam.
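The cost-benefit arithmetic for the three high risks, as an added example that is not the paper's own code. It uses the illustrative "units" from the text, annualises each control's one-time and recurring costs, and computes the break-even point in two forms the text only states informally: how many virus incidents a control must prevent to pay for itself, and how many days of ERP outage. One assumption is made here: the text gives the spam-clearing cost as about 1,200 units a day for roughly 200 users at 60 units an hour, which implies six minutes per user per day, and that six-minute figure is used to reproduce the text's numbers.

```python
"""Cost-benefit arithmetic for the high risks R02, R08 and R06.

Added example, not the paper's own code. Monetary figures are the
illustrative 'units' from the text. Assumption: 6 minutes of spam clearing
per user per day, the value that reproduces the text's 1,200 units a day."""

from dataclasses import dataclass

HOURLY_RATE = 60             # average hourly rate, from the text
WORKING_DAYS = 200           # working days per year, from the text
DAILY_LOSS_NO_ERP = 540_000  # average loss per day without ERP (risk R08)


@dataclass(frozen=True)
class Control:
    risk_id: str
    name: str
    one_time: float   # purchase / installation cost
    yearly: float     # recurring cost per year (licences, line lease)

    def cost_over(self, years: int) -> float:
        """Total cost of ownership over the given number of years."""
        return self.one_time + self.yearly * years


# The controls recommended in the text for the three high risks.
CONTROLS = {
    "R02": Control("R02", "block Internet access + monitoring tool", 2_000, 0),
    "R08": Control("R08", "second leased line, routers, UPS", 50_000, 5_000 * 12),
    "R06": Control("R06", "hardware firewall, network AV, anti-spam", 14_000, 32_000),
}


def virus_incident_cost(affected_users: int = 4, it_staff: int = 2,
                        hours: float = 8, rate: float = HOURLY_RATE) -> float:
    """Downtime cost of one virus incident as the text computes it:
    the affected users plus the IT staff who rebuild their machines."""
    return (affected_users + it_staff) * hours * rate


def spam_clearing_cost_per_year(users: int = 200, minutes_per_user_per_day: float = 6,
                                rate: float = HOURLY_RATE, days: int = WORKING_DAYS) -> float:
    """Yearly cost of users clearing spam by hand (6 min/user/day is the
    assumption that reproduces the text's 1,200 units per day)."""
    return users * minutes_per_user_per_day * rate * days / 60


def incidents_to_break_even(control: Control, years: int = 1) -> float:
    """Virus incidents per period the control must prevent to pay for itself,
    counting only the per-incident downtime saving."""
    return control.cost_over(years) / virus_incident_cost()


def outage_days_to_break_even(control: Control, years: int = 1,
                              daily_loss: float = DAILY_LOSS_NO_ERP) -> float:
    """Days of ERP outage the control must prevent to pay for itself."""
    return control.cost_over(years) / daily_loss


def net_annual_benefit_r06(years: int = 1) -> float:
    """Spam-clearing time saved per year minus the R06 controls' yearly cost,
    with the one-time cost spread evenly over the given number of years."""
    ctl = CONTROLS["R06"]
    return spam_clearing_cost_per_year() - ctl.cost_over(years) / years


if __name__ == "__main__":
    for ctl in CONTROLS.values():
        print(f"{ctl.risk_id} {ctl.name}: year 1 = {ctl.cost_over(1):,.0f}, "
              f"two years = {ctl.cost_over(2):,.0f}")
    print("one virus incident:", virus_incident_cost())
    print("R02 break-even incidents:", round(incidents_to_break_even(CONTROLS["R02"]), 2))
    print("R06 break-even incidents (virus saving only):",
          round(incidents_to_break_even(CONTROLS["R06"]), 1))
    print("R08 break-even outage days:", round(outage_days_to_break_even(CONTROLS["R08"]), 2))
    print("R06 net annual benefit from spam time alone:", net_annual_benefit_r06())
```

Running it shows why the text needs the spam figure for R06: judged on virus downtime alone, the R06 controls would have to prevent about sixteen incidents a year to pay back 46,000 units, whereas the time users spend clearing spam covers the first-year cost several times over. For R08 the break-even is a fraction of one outage day.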
A deadline should be set for the introduction of each control. Because of the high risks described above, the deadline for those controls should be as soon as possible.
Over time the medium risks should also be resolved, and the low ones should be continuously reassessed so that they do not turn into medium or high ones.
Finally, it should be said that the example described above is not entirely true to life, but it is illustrative in that it shows the application of theoretical knowledge in practice.
[1] The values shown here do not correspond to reality and serve only for the purposes of this example, but they allow the idea to be seen.