Risk Management
15.1 Risk Management Strategies
Risk management consists of the four main risk strategies below.
| Activity | Category |
| Risk Mitigation | Implementing security controls to reduce the likelihood of the risk occurring and lower the magnitude of the impact. |
| Risk Avoidance | Changing business activities to completely eliminate the risk; eliminating the risk often comes with significant drawbacks. |
| Risk Transference | Transfering the risk and potential impact to another organization or third party. |
| Risk Acceptance | Deliberately choosing to continue business operations as normal despite the potential risk. |
15.2 Risk Identification and Assessment
In this section I will think of a business process critical to the operation of an organization and identify the risks associated to that process. Once risks are identified, I will select one and conduct a risk assessment.
Risk Identification
For this risk assessment, I will consider a university in the United States. A critical business process for any university is
achieving or exceeding enrollments. Here is a diagram brainstorming some risks associated with this.
Risk Assessment
The risk I will focus on is the damage to a university’s reputation. I will conduct a rough quantitative risk estimate here. I will select Yale University as a case study to narrow the scope of this exercise. How many times over the past 10 years has Yale experienced significant damage to their reputation? The more difficult question answer will be: have these events effected Yale’s enrolment?
Note: Obviously this is not an actual quantitative assessment as I do not have the data and resources required to properly conduct one. Rather, I see this as a rough-draft-sprint-pratice excercise for thinking about risk.
- 2021
- 2020
- 2019
- 2018
- 2016 -Basketball Captain Expelled for sexual assault
- 2015
- 2014
- 2013
- 2012
Quantitative Risk Assessment
- Determine the Asset Value (AV) of the asset affected by the risk. In 2021 Yale admitted 1322 students. The average yearly tuition is 55,500. This results in an AV of 73,371,000 annually.
- Determine the Annualized Rate of Occurrence (ARO), i.e. how likely the risk will occur over a given year. As per above, a damaging PR event occurred 12 (by my estimate after 30 minutes of googling) times over 10 years. Dividing these two numbers produces an ARO of 1.2.
- Determine the percent of damage which will occur to the asset if the risk happens. This referred to as the Exposure Factor (EF). Past scandals appear to have little effect on enrolment. I will set the EF at 0.001, although I imagine it could be set even lower.
- Determine the single loss expectancy (SLE), the amount of damage expected each time a risk materializes. The SLE is calculated by multiplying EF and AV, so 0.001 X 73,371,000 results in 73,371.
- Calculate the annualized loss expectancy (ALE), the amount of damage expected from a risk in a given year. This is calculated by multiplying the ARO and SLE, so 1.2 x 73,371 results in an Annual Loss Expectancy of 88,045.
15.3 Risk Management
Now that I have conducted a risk assessment, I will look at how the previously identified risk management strategies could be used to address this risk:
- Risk mitigation: Develop several PR strategies and playbooks for handling common reputation events to handle an actual event.
- Risk avoidance: Drastically reduce enrolment numbers and rely on other sources of cash flow to fund the university.
- Risk acceptance: Set aside the ALE amount in budget every year for handling damaging PR events.
- Risk transference: Outsource the management of admissions to a third party.
Glossary
A glossary of all the terms, acronyms and slang I run across for this chapter.
| ERM | Enterprise Risk Management |
| Threat | Possible event which may have an effect on Confidentiality, Integrity or Availability |
| Vulnerabilities | Weakenesses in systems which could be exploited by a threat |
| Risk | The combination of a threat and a vulnerability |
| Risk Identification | Identifying the risks and vulnerabilities which exist in your environment |
| Probability | The likelihood the risk will occur |
| Magnitude | The impact the risk will have on the organization if it does occur |
| Risk Formula | Risk Severity = Probability * Magnitude |
| BIA | Business Impact Analysis - Formalized approach to risk analysis. |
| Quantitative Risk Analysis | User numeric data to assess risk |
| Qualitative Risk Analysis | Use subjective judgements and categories to assess risk |
| ARO | Annualized Rate of Occurrence; The likelihood an event will occurr in a given year |
| EF | Exposure Factor - The amount of damage, percent of an assest to be damaged if a risk occurrs |
| SLE | Single Loss Expectancy - The amount of damage expected each time a risk happens |
| ALE | Annualized Loss Expectancy - Amount of damage expected from a risk every year. Multiply the SLE and ARO |
| Risk Management | Process of addressing risks that face an organization; Seeks to prioritize risks with high probability and magnited; Also determines if the potenital impact of the risk justifies a certain amount of spending |
| Risk Mitigation | The process of applying security controls to reduce the probability and magnitude of a risk - most commone approach towards risk management |
| Risk Avoidance | Risk management strategy where business practices are changed to eliminate a risk - may result in unrealistic sacrifices |
| Risk Transference | Shifts some of the risk impact from the organization to another entity |
| Risk Acceptance | Deliberately accepting a risk after thorough consideration. May be warranted if the cost of mitigation is higher than the risk itself. |
| Data Ownership | Policy where specific senior executives are designated as owners of different data types and must work with other experts to manage/protect the data |
| Information Classification | Top Secret > Secret > Confidential > Unclassified; Data classification allows organizations to clearly specify the security controls required to protect information |
| Data Minimization | Strategy where an organization collects the minimum amount of data to meet their business needs |
| Purpose Limitation | Data should only be used for the original purpose it was collected for and that was conseted to by the data subjects |
| Data retention | Adopt standards that guide the end of the of the lifecycle - data should only be kept for as long as remains necessarry to fulfill its original colletion purpose |
| Data Sovergeignty | data is subject to the legal restrictions of any jurisdiction where it is collected, stored or processed |
| Red Team | Attackers who attempt to gain access |
| Blue Team | Defenders who attempt to stop the attackers |
| White Team | Observers and judges of the exercise |
| NDA | Non-disclosure agreement |
| DLP | Data Loss Prevention; Systems which help organizations enforce inof handling policeis and procedure or prevent the loss or theft of data. |
| Host-based DLP | Uses agents on systems to detect sensitive info |
| Network-based DLP | Dedicated devices that sit on the network and monitor outbound traffic, checking for the exfiltration of data. |
| Watermarking | Applying electronic tags to sensitive data so it is recognized by DLP systems |
| Pattern Matching | DLP systems whtat watch for specific sinds of sensitive data |
| Deidentification | Removing the ability to lind data back to an individual |
| Data Obfucscation | Changing data into a format where the original cannot be retrieved |
| Data Obfucscation Methods | Hashing, Tokenization, Masking |
| Tokenization | Replacing sensitive values with a unique identifier using a lookup table |
| Masking | Partially redacting sensitive info |