Your organization has developed a website and is ready to conduct business
via the Internet. Your information technology department has taken the usual
security precautions, and everyone is excited about the new business opportunities.
But is your site really secure? What are the risks?
Internet commerce has put new demands on organizations' risk management departments
and created new loss exposures for organizations' business. If your company
plans to provide services or sell products via the Internet, system downtime
can result in significant losses in revenue.
Even if your company does not plan to offer products or services, unauthorized
access to your organization's internal data may prove to be a serious threat.
Corrupted data can have a profoundly negative effect on your business, and the
unauthorized release of confidential customer information can carry significant
liability. Information systems can add to the risk if they contain computerized
flaws that lead to the repetition of errors, illogical processing, and cascading
inaccuracies. What can be done?
How Can Companies Address E-Commerce Website Risks?
Since the Internet is here to stay, the best approach is to conduct a risk
analysis of your information systems, paying particular attention to those associated
with your website. The purpose of this risk analysis will be threefold:
- Identify the risks
- Quantify their impact, and
- Balance the economic impact with the cost of countermeasures.
Beyond the obvious benefit of identifying exposure to loss within the organization,
a risk analysis provides long range planning guidance to your company concerning
hardware configuration and procurement, software systems, and internal controls.
It can also make valuable contributions to the criteria for contingency and
security plans for the organization.
What Kinds of Analysis Can Be Done?
Two basic types of risk analysis to consider are Quantitative Risk Analysis
and Qualitative Risk Analysis. Quantitative Risk Analysis attempts to assign
independent, objective monetary values to the components of the risk assessment
and to the assessment of the potential loss. Conversely, a Qualitative Risk
Analysis is scenario-oriented.
To conduct a Quantitative Risk Analysis, you must first estimate the value
of the potential losses associated with delayed processing or the theft or destruction
of property or data. The next step is to determine the probability of the occurrence
and calculate the annual loss expectancy. Input sources for the analysis can
be gathered from interviews with users, system administrators, auditors, security
officers, and by reviewing facility and industry sources, such as Gartner Group.
By assembling the data, you may assign a monetary value to the risks and compare
the cost of countermeasures against the expected loss reductions.
Qualitative Risk Analysis does not attempt to assign numeric values to the
components. In this method, scenarios are created that outline the potential
threats to the business and rank these threats according to their seriousness.
The procedure includes writing scenarios for the major risks, estimating the
effects of the occurrences, and evaluating the use of countermeasures and safeguards.
As one of your scenarios, you may develop an electronic attack situation
that results in business interruption due to system request overload. This type
of attack was in the news recently after it was launched against several well-known
websites. With the help of your information technology staff, you can determine
how and when system penetration could occur, evaluate the potential effect on
target systems, determine your organization's ability to protect itself, and
decide what countermeasures are warranted. After development, you'll rank your
scenarios according to the seriousness of threats and the sensitivity or financial
losses associated with them.
How Do You Establish a Financial Value for Identified Risks?
In order to complete any risk analysis, it is necessary to develop a value
rationale for information worth. This is not always an easy task, but it is critical
in the analysis process. This information is used in cost benefit analyses for
countermeasures and as a basis for possible risk transfer through insurance.
Three bases for evaluating information worth include the following.
- The costs to acquire, develop, and maintain the information
- The value to its owners, custodians and users
- The current price the information commands in the marketplace
Current price refers to what others are willing to pay for the information,
such as mailing lists, and the value of intellectual property, such as trade
secrets, patents, and copyrights. Methods for collecting this data include developing
a questionnaire, conducting interviews, and reviewing accounting documents as
well as statistical information.
Be aware that the value of information is often influenced by its attributes.
Some of the questions you should consider while making your evaluation include
the following.
- Is the information exclusive to your organization?
- How useful is it to the organization?
- What is the cost of recreating the information?
- What is the liability to the organization if it is disclosed or made
available to the public?
- What is the impact to the organization if it is unavailable?
In addition, in the business interruption scenario cited above, it would
be necessary to determine the financial impact to your company of your website
being unavailable to customers for various timeframes. Would the financial losses
differ for different times of day? How long could your website be down before
it would seriously affect your organization?
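The quantitative steps above (estimate the loss, determine the probability, calculate the annual loss expectancy, and compare it against the cost of countermeasures) and the downtime question just raised, carried through as an added example that is not from the article; the revenue profile, outage durations, occurrence rates and safeguard costs are constructed assumptions.

```python
"""Annual loss expectancy (ALE) for the website-overload scenario.
Added example, not from the article; all figures are constructed assumptions."""
from dataclasses import dataclass

# Constructed revenue profile (dollars per hour of the day): the site earns far
# more during business hours, so the same outage costs more at noon than at 3 a.m.
HOURLY_REVENUE = {hour: (400.0 if 9 <= hour < 21 else 60.0) for hour in range(24)}


def outage_loss(start_hour, duration_hours, hourly_revenue=HOURLY_REVENUE):
    """Revenue lost while the site is unavailable, walking hour by hour
    (wrapping past midnight) so the time of day is reflected in the loss."""
    return sum(hourly_revenue[(start_hour + h) % 24] for h in range(duration_hours))


def annual_loss_expectancy(single_loss, annual_rate):
    """ALE = single loss expectancy (SLE) x annualized rate of occurrence (ARO)."""
    return single_loss * annual_rate


@dataclass
class Countermeasure:
    name: str
    annual_cost: float    # acquisition, placement, maintenance and testing per year
    residual_rate: float  # expected occurrences per year once the safeguard is in place


def rank_countermeasures(single_loss, current_rate, options):
    """Return (name, net annual benefit) pairs, best first. Net benefit is the
    ALE reduction minus the safeguard's annual cost; a negative value means the
    safeguard costs more than the loss it prevents."""
    ale_before = annual_loss_expectancy(single_loss, current_rate)
    ranked = []
    for cm in options:
        ale_after = annual_loss_expectancy(single_loss, cm.residual_rate)
        ranked.append((cm.name, ale_before - ale_after - cm.annual_cost))
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # Scenario: request overload takes the site down for 8 hours starting 10:00,
    # expected about twice a year (constructed numbers).
    sle = outage_loss(start_hour=10, duration_hours=8)  # 3200.0
    options = [
        Countermeasure("traffic filtering at the firewall", 1500.0, 0.5),
        Countermeasure("redundant hosting capacity", 6000.0, 0.2),
    ]
    print("SLE:", sle, "ALE:", annual_loss_expectancy(sle, 2.0))
    for name, benefit in rank_countermeasures(sle, 2.0, options):
        print(f"{name}: net annual benefit {benefit:+.0f}")
```

With these assumptions the filtering safeguard pays for itself while the redundant capacity does not, which is the comparison the article asks the analysis to make.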
Okay, now that you know how to conduct a risk analysis, exactly what types
of risk are you looking for? These can generally be defined as losses by people
or losses by acts. Losses by people refer to physical access as well as access
to capabilities. Losses by acts involve the concepts of modification, destruction,
disclosure, stealing assets, and denial of use.
Malicious code and viruses have recently cost companies large amounts of
revenue as they have shut down distribution channels for hours, resulting in
lost business. Viruses have been used to destroy valuable data as well. Customer
credit card information may be unlawfully obtained either by the monitoring
of unsecured transmissions or by the unauthorized access to computer databases.
Disgruntled employees may sabotage key systems or embezzle money or information
from their employers using Internet access. Natural disasters, equipment damage,
and failure of computer hardware may produce profound losses in revenue by making
Internet access unavailable to your customers.
How Do You Identify Effective Countermeasures?
In order to deal with these risks to your organization, an inventory of countermeasures
needs to be prepared. The most effective countermeasures consist of the following
elements.
- Cost effectiveness--a cost benefit analysis of the safeguards, including
selection, acquisition, placement, maintenance, testing, and repair
- Minimal human intervention--aids in the prevention of tampering since
manual functions are the weakest point in any safeguard
- Completeness and consistency--contribute to universal application imposing
uniform safeguards
- Sustainability--the ability to maintain the system
- Auditability--permits the system to be monitored and tested
- Accountability--allows for at least one person to be directly responsible
for performance
- Recoverability--designed to avoid asset destruction
What are some specific countermeasures that may be used to deal with the
risks? The most common security measure in place for dealing with Internet security
is to erect a barrier to your internal systems, called a "firewall." If your
organization already has Internet access, it most probably has a firewall. Firewalls
can be implemented either physically or by the use of software. Not all firewalls
are created equal, however, and it is important to determine if your organization
has adequate firewall protection in place. One way to judge is by working with
your internal information technology staff or by hiring an outside security
professional.
Additional security systems may also be used to augment your current computer
network. Security systems can be implemented in either hardware or software,
and provide access control either physically or by the use of passwords or tokens.
The decision to purchase additional security systems depends on the sensitivity
of data within your organization.
Most organizations can benefit from either the creation or augmentation
of security policies. Depending on the size of your organization, it may be
important to create a position--security officer--to be responsible for creating,
implementing, and maintaining a security plan. Risk analysis can pinpoint the
areas on which to concentrate in the security plan. A security officer provides
accountability for security policies and will regularly monitor the risks associated
with computer systems in your organization.
Contingency or disaster recovery plans are invaluable in providing a smooth
recovery in the case of system outages or failures that result in business interruption.
Plans should include the resources, actions, and personnel needed to minimize
the downtime and recover from business interruptions. Risk analyses can provide
the framework for designing your contingency plans by identifying the risk exposures.
An additional remedy that may be considered by your organization is risk
transfer through insurance. If your organization anticipates acute losses resulting
from extended downtime of your computer networks, it may be cost effective to
purchase additional insurance coverage for these business channels. As with
all countermeasures, this alternative needs to be evaluated for its cost effectiveness.
Conclusion
The key to determining how to approach your exposure to risk associated with
Internet websites ultimately lies with your risk analysis. If the monetary
or liability risk to your organization is small, it may not make sense to invest
in expensive countermeasures to additionally secure your systems. However, if
your risk analysis proves that certain threats to your websites can prove costly
to your business, it may make sense to take action to limit your exposure. A
thorough risk analysis holds the answers as to how to address your website
risk management needs.
Jean C. Miller is a consultant with Tillinghast-Towers Perrin in its Chicago
office. She is a member of the Insurance and Technology Practice, specializing
in insurance information technology consulting. She holds an Associate in Risk
Management (ARM) designation, a master's degree in computer science from DePaul
University, a bachelor of arts degree in education from the University of Illinois,
and a Webmaster certification from the Illinois Institute of Technology. Prior
to joining Tillinghast, Ms. Miller was a vice president of the risk management
information department of a major international insurance brokerage. She can
be reached by email at