
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/361982989

An example of ICT risk management

Preprint · July 2022


1 author:

Velibor Božić


All content following this page was uploaded by Velibor Božić on 14 July 2022.



An example of ICT risk management

This example is based on a real situation, but it does not reproduce it entirely faithfully. The aim of the example is to show one approach to risk management (created on the basis of theoretical knowledge about risk management).

1. Characterization (description) of the system

PEOPLE
 Production company, 920 employees, computer centre with 8 employees
 Structure: system administrator, network administrator, two information systems designers (one is also the database administrator), 3 programmers and the manager of the computer centre
 More than 50% of employees have secondary school, 35% elementary school, 10% college and 5% university

Technologically well supported:

HARDWARE AND NETWORK

 254 personal computers
 two main servers (application and data), client-server architecture
 there are so-called thick clients (they are not only terminals; some processing is also done on them)
 developed LAN; the company's premises are spread over more than one location
 it is part of a larger Group and the company is networked with the centre of the Group
 over 50% of employees who have a PC also have access to the Internet
 over 75% of employees who have a PC use e-mail (there is a mail server and internal e-mail addresses through which communication is made)

APPLICATIONS

 among the applications there is an ERP; the main server for the ERP is located off-site and is not under the control of the computing centre (it is located in the centre of the Group)
 in addition to the ERP, there are additional applications that complement the functionality of the ERP; these applications and their databases are located on "local" servers (these servers are under the control of the computing centre)
 there are applications on the old VAX/VMS system
 there are independent applications and unformatted records (Word, Excel)
 there is an intranet as a medium for information exchange
 there is a website
 there is an application for receiving orders from partners via e-mail

DATA

 transactional business data is located on a remote server in the centre of the Group
 part of the data is on "local" servers (data on production, procurement, compensations...); these are the data "produced" by the applications that complement the ERP
 part of the data, related to the comparison of planned and actual costs and to cash flow, is in a separate database (because it is extracted from the transaction database daily)

SECURITY POLICY

 there is basic protection (antivirus programs on PCs).


Let's say that these are the main characteristics of the IT system. They were established empirically, i.e. by counting computers, from equipment lists, user questionnaires and conversations with users.

2. Risk identification

Risk identification consists of:

 Defining possible threats and system vulnerabilities
 Analysis of existing and necessary controls
 Determining the probability of threats and exploitation of vulnerabilities
 Determining the size of the impact of threats and vulnerabilities on system operation
 Formal definition of risks and determination of their rank

 Defining possible threats and system vulnerabilities

On the basis of the facts established in the first step, of the records of errors (the company has ISO 9001:2000, so it is obliged to keep records of non-compliance in the IT area as well) and of experience (previous non-functioning of the system for any reason), the sources of possible threats on the one hand and the system vulnerabilities that these threats can exploit on the other should be identified. This can be done in different ways, but it is crucial that this step is done well so that the risks can be determined more accurately later.

There are four outputs in this step:
 List of sources of threats to the IT system
 List of threats to the IT system
 List of IT system vulnerabilities
 Threat source list - threat - vulnerability

List of threat sources

People:
1. insufficiently trained users
2. unlimited Internet access
3. intent to destroy servers and network devices

Hardware and network:
1. Failure of the industrial computer
2. Unprotected network
3. Physical damage to the optical cable or failure of the network device

Applications:
1. Insufficiently tested application
2. Inadequate operating system

List of threats to the IT system

People:
1. wrong data entry or no entry; not using e-mail
2. downloading inappropriate content from the Internet
3. physical destruction of the system room

Hardware and network:
1. No production data input
2. Getting viruses and spam
3. Impossibility of using the ERP system (no link to the centre of the Group)

Applications:
1. The possibility of entering incorrect data and obtaining incorrect information
2. Impossibility of using the network application

List of IT system vulnerabilities

People:
1. lack of systematic user training
2. absence of formal prohibitions and penalties
3. free access to the system room for non-employees

Hardware and network:
1. the absence of a spare computer or of the part that broke
2. Absence of hardware-software protection
3. Absence of a "back up" connection

Applications:
1. insufficient input controls in applications and defective code
2. WinXP (10 access limit), not Windows Server

Threat source list - threat - vulnerability

The source of the threat | Threat | Vulnerability (the threat exploits it)
Insufficiently trained users | Incorrect data entry or no entry | Lack of systematic user training
Unlimited Internet access | Downloading and "surfing" inappropriate contents; getting viruses and destroying data | Absence of formal penalties and prohibitions
Failure of the industrial computer | No production data input | No spare industrial computer or spare for the part that broke
Insufficiently tested application | The possibility of entering incorrect data and obtaining incorrect information | Insufficient input controls in applications and faulty code
Inadequate operating system | Inability to use the network application | WinXP (10 access limit), not Windows Server 200x
An unprotected network | Getting viruses and spam | Absence of hardware-software protection
Intention to destroy servers and network devices | Physical destruction of the system room | Free access to the system room for non-employees
Physical damage to the fibre optic cable or failure of the network device | Impossibility of using the ERP system (no link to the centre of the Group) | Absence of a "back up" connection

This is not a complete list, but it is sufficient to implement an example and show the idea of risk management.

 Analysis of existing and necessary controls

The input to this activity is the "source threats-threats-vulnerability" table. For each record, we need to analyze
whether we have an answer, i.e. some control mechanism to prevent or reduce the threat or vulnerability of the
system. This is important in order to be able to determine as accurately as possible the probability of the threat
being realized.

Insufficiently trained users - they know how to cope in a regular situation; if something unplanned happens, they get lost.
IT IS NECESSARY:
 additionally train users
 improve applications in the input control part

Unlimited Internet access - too many employees have access to the Internet without needing it
IT IS NECESSARY:
 deny access (through network settings) to those who do not need it for work
 adopt formal rules of conduct (prohibition of access to inappropriate content and penalties for violating it)
 acquire a software tool that will monitor who visits which pages

Failure of an industrial computer - since several of them are in operation, a failure can be compensated for if it does not last too long
IT IS NECESSARY:
 have spare parts
 have a trained person to repair this type of machine
 ideally, have a spare industrial computer

Insufficiently tested application - there is often pressure from users to develop applications quickly, so errors occur
IT IS NECESSARY:
 consider defining the position of 'Application Tester', who would be involved in testing applications in the working environment

Inadequate operating system - the problem is access to network applications
IT IS NECESSARY:
 provide a server with a server operating system (Windows Server 200x) that allows multiple simultaneous accesses, and place the databases and network applications there

Unprotected network - there is a great danger of hacker attacks, viruses, spam and data destruction
IT IS NECESSARY:
 provide a hardware firewall
 get a network antivirus program
 get an anti-spam device

Intention to destroy servers and network devices - it is possible that someone, for whatever reason, wants to destroy the servers or the main network devices
IT IS NECESSARY:
 never leave the system room unattended
 lock it outside working hours
 provide video surveillance

Physical damage to the fibre optic cable or failure of the network device - this concerns only the connection to the Group headquarters. Dangerous, because if we have no connection the work has to be done manually, which is almost impossible.
IT IS NECESSARY:
 ensure a permanent connection by any means (e.g. by leasing an alternative line).

Through this or a similar analysis, a kind of inventory can be made of which controls we have and which should
be installed so that threats to the system and the vulnerability of the system are as unlikely as possible, i.e. so that
they have as little impact on the system as possible.

 Determining the probability of threats and exploitation of vulnerabilities

In this step, the probability of the occurrence of a threat and the vulnerability of the system is assessed. Here it is
very important to estimate the probability as realistically as possible. It takes into account the motivation and
capability of the threat source, the nature of the vulnerability and the controls in place. The output from this
phase should be a list of probabilities by rank for each threat-vulnerability pair.
Probability:
 1-33% - small
 34-66% - medium
 67-100% - large
Threat | Vulnerability (the threat exploits it) - what makes the threat possible | Probability | Description of probability | Numerical rank
Incorrect data entry or no entry | Lack of systematic user training | about 50% | MEDIUM | 2
Downloading and "surfing" inappropriate contents; getting viruses and destroying data | Absence of formal penalties and prohibitions | about 70% | LARGE | 3
No production data input | No spare industrial computer or spare for the part that broke | about 20% | SMALL | 1
The possibility of entering incorrect data and obtaining incorrect information | Insufficient input controls in applications and faulty code | about 30% | SMALL | 1
Inability to use the network application | WinXP (10 access limit), not Windows Server 200x | about 50% | MEDIUM | 2
Getting viruses and spam | Absence of hardware-software protection | about 80% | LARGE | 3
Physical destruction of the system room | Free access to the system room for non-employees | about 10% | SMALL | 1
Impossibility of using the ERP system (no link to the centre of the Group) | Absence of a "back up" connection | about 50% | MEDIUM | 2

 Determining the size of the impact of threats and vulnerabilities on system operation

Here, the impact of threats and vulnerabilities on the IT system is assessed. Again, a team of people should
assess monetary losses, loss of data, importance of lost data, ability to function with the resulting damage, loss of
user trust. Considering all these aspects, the size of the impact could look like this:

 low impact 1 (loss of some resources, disruption to work that is not essential for business)
 medium impact 2 (failure to fulfil part of obligations, monetary losses, loss of part of reputation)
 major impact 3 (impossibility of functioning, irreversible loss of information, monetary losses)

Threat | Vulnerability (the threat exploits it) | Impact
Incorrect data entry or no entry | Lack of systematic user training | 2
Downloading and "surfing" inappropriate contents; getting viruses and destroying data | Absence of formal penalties and prohibitions | 3
No production data input | No spare industrial computer or spare for the part that broke | 2
The possibility of entering incorrect data and obtaining incorrect information | Insufficient input controls in applications and faulty code | 2
Inability to use the network application | WinXP (10 access limit), not Windows Server 200x | 1
Getting viruses and spam | Absence of hardware-software protection | 3
Physical destruction of the system room | Free access to the system room for non-employees | 3
Impossibility of using the ERP system (no link to the centre of the Group) | Absence of a "back up" connection | 3

 Formal definition of risks and determination of their rank

Here, risks are formally defined as a function of threats to the IT system and vulnerabilities of the IT system. So
the risks in our example are:

No. | RISK
R01 | Incorrect data entry or lack of entry due to insufficient user training.
R02 | Downloading content and browsing inappropriate content on the Internet. Getting viruses and destroying data. All this due to the absence of formal prohibitions and penalties.
R03 | Absence of production data due to a failure of the industrial computer that cannot be rectified in time.
R04 | Entering incorrect data and obtaining incorrect information due to poorly made applications.
R05 | Inability to use network applications due to using the wrong operating system.
R06 | Infection with viruses and spam due to lack of hardware-software protection.
R07 | Physical destruction of the system room due to free access to it by non-employees.
R08 | Impossibility of using the ERP system due to the interruption of the optical connection with the Group's headquarters.

In this step, the so-called risk ranking is also carried out.

Each risk is a function of the probability of the threat occurring and the impact of the threat and vulnerability on
the system.
RISK = PROBABILITY * IMPACT

We use the ranking results:

 The rank of the probability of the realization of threats:
o THREAT 1. 2
o THREAT 2. 3
o THREAT 3. 1
o THREAT 4. 1
o THREAT 5. 2
o THREAT 6. 3
o THREAT 7. 1
o THREAT 8. 2

 The ranking of the effect on the IT system of realized threats and vulnerabilities

o IMPACT 1. 2
o IMPACT 2. 3
o IMPACT 3. 2
o IMPACT 4. 2
o IMPACT 5. 1
o IMPACT 6. 3
o IMPACT 7. 3
o IMPACT 8. 3
 RISK RANK:

No. | RISK | RANK = PROBABILITY * IMPACT
R01 | Incorrect data entry or lack of entry due to insufficient user training. | 4
R02 | Downloading content and browsing inappropriate content on the Internet. Getting viruses and destroying data. All this due to the absence of formal prohibitions and penalties. | 9
R03 | Absence of production data due to a failure of the industrial computer that cannot be rectified in time. | 2
R04 | Entering incorrect data and obtaining incorrect information due to poorly made applications. | 2
R05 | Inability to use network applications due to using the wrong operating system. | 2
R06 | Infection with viruses and spam due to lack of hardware-software protection. | 9
R07 | Physical destruction of the system room due to free access to it by non-employees. | 3
R08 | Impossibility of using the ERP system due to the interruption of the optical connection with the Group's headquarters. | 6

Risk level:
 The risk is high if the risk rank is 6 or 9
 The risk is medium if the risk rank is 3 or 4
 The risk is low if the risk rank is 1 or 2.

Therefore, the very dangerous, high risks that require an immediate reaction are:

R02 Downloading content and browsing inappropriate content on the Internet. Getting viruses and destroying data. All this due to the absence of formal prohibitions and penalties.
R08 Impossibility of using the ERP system due to the interruption of the optical connection with the Group's headquarters.
R06 Infection with viruses and spam due to lack of hardware-software protection.

Medium risks, which it would be good to address, but not necessarily immediately:

R01 Incorrect data entry or lack of entry due to insufficient user training.
R07 Physical destruction of the system room due to free access to it by non-employees.

Low risks, with which the system can function but which must be kept under control, are:

R03 Absence of production data due to a failure of the industrial computer that cannot be rectified in time.
R04 Entering incorrect data and obtaining incorrect information due to poorly made applications.
R05 Inability to use network applications due to using the wrong operating system.

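The ranking procedure of this section (probability band to numerical rank, impact rank, RISK = PROBABILITY * IMPACT, and the high/medium/low thresholds), written out as an added Python example that is not part of the paper. It encodes the paper's own bands and thresholds, re-derives the ranks of R01-R08 from the "about N%" probability estimates and impact values in the tables above, and rejects inputs the method cannot produce (a probability outside 0..100, an impact outside 1..3, or a rank that is not a product of two ranks); the `Risk` class, the function names and the shortened risk descriptions are this example's own.

```python
# Added example, not the paper's code: the paper's risk ranking steps as code.
# Bands, thresholds and the R01-R08 estimates are taken from the text above.
from dataclasses import dataclass


def probability_rank(percent: int) -> int:
    """Paper's bands: 1-33% small (1), 34-66% medium (2), 67-100% large (3).
    0% is folded into the small band; anything outside 0..100 is rejected."""
    if not 0 <= percent <= 100:
        raise ValueError(f"probability must be a percentage 0..100, got {percent}")
    if percent <= 33:
        return 1
    if percent <= 66:
        return 2
    return 3


def risk_level(rank: int) -> str:
    """Paper's thresholds: rank 6 or 9 high, 3 or 4 medium, 1 or 2 low.
    With ranks 1..3 on both axes only {1, 2, 3, 4, 6, 9} can occur, so any
    other value is a rank that was typed in rather than computed."""
    if rank in (6, 9):
        return "high"
    if rank in (3, 4):
        return "medium"
    if rank in (1, 2):
        return "low"
    raise ValueError(f"rank {rank} is not a product of two ranks in 1..3")


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    probability_pct: int   # the team's estimate, e.g. "about 50%"
    impact: int            # 1 low, 2 medium, 3 major

    def __post_init__(self):
        if self.impact not in (1, 2, 3):
            raise ValueError(f"impact must be 1, 2 or 3, got {self.impact}")

    @property
    def probability(self) -> int:
        return probability_rank(self.probability_pct)

    @property
    def rank(self) -> int:
        return self.probability * self.impact   # RISK = PROBABILITY * IMPACT

    @property
    def level(self) -> str:
        return risk_level(self.rank)


# The paper's register: ids, probability estimates and impact values as given
# in its tables; descriptions shortened for this example.
REGISTER = [
    Risk("R01", "Incorrect data entry or no entry (insufficient user training)", 50, 2),
    Risk("R02", "Inappropriate Internet content, viruses, data destruction (no formal prohibitions)", 70, 3),
    Risk("R03", "No production data (industrial computer failure, no spare)", 20, 2),
    Risk("R04", "Incorrect data and information (insufficient input controls, faulty code)", 30, 2),
    Risk("R05", "Network application unusable (WinXP instead of Windows Server)", 50, 1),
    Risk("R06", "Viruses and spam (no hardware-software protection)", 80, 3),
    Risk("R07", "Physical destruction of the system room (free access for non-employees)", 10, 3),
    Risk("R08", "ERP unusable (optical link to the Group headquarters interrupted)", 50, 3),
]


def rank_register(register):
    """(id, probability rank, impact, risk rank, level) tuples, highest rank first."""
    ordered = sorted(register, key=lambda r: (-r.rank, r.risk_id))
    return [(r.risk_id, r.probability, r.impact, r.rank, r.level) for r in ordered]


def by_level(register):
    """Group ids by level, keeping the highest-rank-first order inside each group."""
    groups = {"high": [], "medium": [], "low": []}
    for risk_id, _, _, _, level in rank_register(register):
        groups[level].append(risk_id)
    return groups


if __name__ == "__main__":
    print("No.  P  I  RANK  LEVEL")
    for risk_id, p, i, rank, level in rank_register(REGISTER):
        print(f"{risk_id}  {p}  {i}  {rank:>4}  {level}")
    print(by_level(REGISTER))
```

Running the block reproduces the paper's table: R02 and R06 at rank 9, R08 at 6, R01 at 4, R07 at 3 and R03, R04, R05 at 2, which is exactly the high/medium/low grouping listed above. The band boundaries are inclusive (33% is still small, 34% is medium), so an estimate recorded as a whole percentage always lands in one band.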
3. Recommendations for risk reduction
The input to this step is the risk ranking. Here, for each risk, it is assessed whether there are controls for
reduction, whether controls are needed and what kind. In addition, it is necessary to do a cost-benefit analysis.
The cost benefit analysis should contain data on what is obtained by control, what is not obtained by control, and
this should be presented financially. The result of this step should help management to make a decision on
whether or not to take actions related to risk reduction.

In the specific example, only high risks will be considered, so:

R02 Downloading content and browsing inappropriate content on the Internet. Getting viruses and destroying data. All this due to the absence of formal prohibitions and penalties.
R08 Impossibility of using the ERP system due to the interruption of the optical connection with the Group's headquarters.
R06 Infection with viruses and spam due to lack of hardware-software protection.

Risk R02:
 Recommended control: PHYSICAL PROHIBITION OF ACCESS TO THE INTERNET
o Cost: HRK 0, because the company has an employee who administers the network well and will prohibit access through the network settings. A list of the people whose access should be blocked should be made.
o Failure to implement this control means the possibility of getting a virus and ultimately losing important data.
o Formal rules and penalties for non-compliance should be prescribed.
o A software tool is needed to check who accesses which addresses on the Internet and how much (e.g. the so-called Sniffer, which costs approximately 2,000.00 units).
 Cost-Benefit:
o Cost of introducing the controls: about 2,000.00 units
o The potential loss of information and downtime due to a virus attack is immeasurable. If we look only at the fact that 4 people cannot work for 8 hours (formatting the machine, reinstalling Windows, saving data) and add to that 8 hours of work of two people from the computer centre, and we know that the average hourly rate is 60 units, the cost is: 6 people * 8 hours * 60 = 2,880.00 units. If the controls were introduced, we would save 880.00 units.

Risk R08:
 Recommended control: ADDITIONAL LEASED LINE, ADDITIONAL ROUTER on both sides, UPS
o By implementing this control, we ensure the possibility of uninterrupted work and constant service to our customers.
o Not having the control means that, in the event of a loss of connection, we cannot do anything related to customers. We cannot ship products or invoice.
 Cost-Benefit:
o Cost: one-time around 50,000.00 units and 5,000.00 units monthly for the line lease, i.e. 110,000.00 units for the first year and 60,000.00 units each subsequent year
o If we do not work for just one day, we lose an average of 540,000.00 units. So potentially the entire cost is paid off in just one day.

Risk R06:
 Recommended control: PURCHASE OF HARDWARE FIREWALL, NETWORK ANTI-VIRUS PROGRAM AND ANTI-SPAM DEVICE
o Implementing the control avoids the risk of data destruction by viruses and enables the normal use of e-mail.
o Failure to implement the control can mean the loss of business-critical information and the impossibility of operational use of applications, which may call into question the fulfilment of organizational goals.
o The controls for this risk are also related to risk R02.
 Cost-Benefit (1):
o Implementation cost: 14,000.00 units one time and 32,000.00 units every year for licences.
o Benefits: one type of saving is the same as for risk R02. So: the potential loss of information and downtime due to a virus attack is immeasurable. If we look only at the fact that 4 people cannot work for 8 hours due to "PC recovery" and add to that 8 hours of work of two people from the computer centre, and we know that the average hourly rate is 60 units, the cost is: 6 people * 8 hours * 60 = 2,880.00 units. If the controls were introduced, we would save 880.00 units.
o Every day all users waste a lot of time clearing spam (about 200 people * their hourly rate of 60 units = 1200 units * e.g. 200 working days = 240,000 units of money just for cleaning spam).

A deadline should be set for the introduction of each control. Because of the high risks described above, the deadline for introducing the controls should be as soon as possible.
Over time, the medium risks should also be resolved, and the low ones should be continuously reassessed so that they do not turn into medium or high ones.

Finally, it should be said that the example described above is not entirely true to life, but it is illustrative in the sense that it shows the application of theoretical knowledge in practice.

(1) The values shown here do not correspond to reality and serve only for the purposes of this example, but they allow the idea to be seen.

