The key to determining how to approach your exposure to risk associated with Internet websites ultimately lies with a thorough risk analysis. If your risk analysis proves that certain threats to your Web sites can prove costly to your business, it may make sense to take action to limit your exposure.
Your organization has developed a website and is ready to conduct business via the Internet. Your information technology department has taken the usual security precautions, and everyone is excited about the new business opportunities. But is your site really secure? What are the risks?
Internet commerce has put new demands on organizations' risk management departments and created new loss exposures for organizations' business. If your company plans to provide services or sell products via the Internet, system downtime can result in significant losses in revenue.
Even if your company does not plan to offer products or services, unauthorized access to your organization's internal data may prove to be a serious threat. Corrupted data can have a profoundly negative effect on your business, and the unauthorized release of confidential customer information can carry significant liability. Information systems can add to the risk if they contain computerized flaws that lead to the repetition of errors, illogical processing, and cascading inaccuracies. What can be done?
Since the Internet is here to stay, the best approach is to conduct a risk analysis of your information systems, paying particular attention to those associated with your website. The purpose of this risk analysis will be threefold:
Beyond the obvious benefit of identifying exposure to loss within the organization, a risk analysis provides long range planning guidance to your company concerning hardware configuration and procurement, software systems, and internal controls. It can also make valuable contributions to the criteria for contingency and security plans for the organization.
Two basic types of risk analysis to consider are Quantitative Risk Analysis and Qualitative Risk Analysis. Quantitative Risk Analysis attempts to assign independently objective monetary values to the components of the risk assessment and to the assessment of the potential loss. Conversely, a Qualitative Risk Analysis is scenario oriented.
To conduct a Quantitative Risk Analysis, you must first estimate the value of the potential losses associated with delayed processing or the theft or destruction of property or data. The next step is to determine the probability of the occurrence and calculate the annual loss expectancy. Input sources for the analysis can be gathered from interviews with users, system administrators, auditors, security officers, and by reviewing facility and industry sources, such as Gartner Group. By assembling the data, you may assign a monetary value to the risks and compare the cost of countermeasures against the expected loss reductions.
Qualitative Risk Analysis does not attempt to assign numeric values to the components. In this method, scenarios are created that outline the potential threats to the business and rank these threats according to their seriousness. The procedure includes writing scenarios for the major risks, estimating the effects of the occurrences, and evaluating the use of countermeasures and safeguards.
As one of your scenarios, you may develop an electronic attack situation that results in business interruption due to system request overload. This type of attack was in the news recently after it was launched against several well-known websites. With the help of your information technology staff, you can determine how and when system penetration could occur, evaluate the potential effect on target systems, determine your organization's ability to protect itself, and decide what countermeasure are warranted. After development, you'll rank your scenarios according to the seriousness of threats and the sensitivity or financial losses associated with them.
In order to complete any risk analysis, it is necessary to develop a value rational for information worth. This is not always an easy task but it is critical in the analysis process. This information is used in cost benefit analyses for countermeasures and as a basis for possible risk transfer through insurance. Three bases for evaluating information worth include the following.
Current price refers to what others are willing to pay for the information, such as mailing lists, and the value of intellectual property, such as trade secrets, patents, and copyrights. Methods for collecting this data include developing a questionnaire, conducting interviews, and reviewing accounting documents as well as statistical information.
Be aware that the value of information is often influenced by its attributes. Some of the questions you should consider while making your evaluation include the following.
In addition, in our business interruption scenario sited above, it would be necessary to determine the financial impact to your company of your website being unavailable to customers for various timeframes. Would the financial losses differ for different times of day? How long could your website be down before it would seriously affect your organization?
Okay, now that you know how to conduct a risk analysis, exactly what type of risks are you looking for? These can generally be defined as losses by people or losses by acts. Losses by people refer to physical access as well as access to capabilities. Losses by acts involve the concepts of modification, destruction, disclosure, stealing assets, and denial of use.
Malicious code and viruses have recently cost companies large amounts of revenue as they have shut down distribution channels for hours, resulting in lost business. Viruses have been used to destroy valuable data as well. Customer credit card information may be unlawfully obtained either by the monitoring of unsecured transmissions or by the unauthorized access to computer databases. Disgruntled employees may sabotage key systems or embezzle money or information from their employers using Internet accesses. Natural disasters, equipment damage, and failure of computer hardware may produce profound losses in revenue by making Internet access unavailable to your customers.
In order to deal with these risks to your organization, an inventory of countermeasures needs to be prepared. The most effective countermeasures consist of the following elements.
What are some specific countermeasures that may be used to deal with the risks? The most common security measure in place for dealing with Internet security is to erect a barrier to your internal systems, called a "firewall." If your organization already has Internet access, it most probably has a firewall. Firewalls can be implemented either physically or by the use of software. Not all firewalls are created equal, however, and it is important to determine if your organization has adequate firewall protection in place. One way to judge is by working with your internal information technology staff or by hiring an outside security professional.
Additional security systems may also be used to augment your current computer network. Security systems can be implemented in either hardware or software, and provide access control either physically or by the use of passwords or tokens. The decision to purchase additional security systems depends on the sensitivity of data within your organization.
Most organizations can benefit by the either the creation or augmentation of security policies. Depending on the size of your organization, it may be important to create a position--security officer--to be responsible for creating, implementing, and maintaining a security plan. Risk analysis can pinpoint the areas on which to concentrate in the security plan. A security officer provides accountability for security policies and will regularly monitor the risks associated with computer systems in your organization.
Contingency or disaster recovery plans are invaluable in providing a smooth recovery in the case of system outages or failures that result in business interruption. Plans should include the resources, actions, and personnel needed to minimize the downtime and recover from business interruptions. Risk analyses can provide the framework for designing your contingency plans by identifying the risk exposures.
An additional remedy that may be considered by your organization is risk transfer through insurance. If your organization anticipates acute losses resulting from extended downtime of your computer networks, it may be cost effective to purchase additional insurance coverage for these business channels. As with all countermeasures, this alternative needs to be evaluated for its cost effectiveness.
The key to determining how to approach your exposure to risk associated with Internet websites ultimately lies with your risk analysis. If the monetary or liability risk to your organization is small, it may not make sense to invest in expensive countermeasures to additionally secure your systems. However, if your risk analysis proves that certain threats to your websites can prove costly to your business, it may make sense to take action to limit your exposure. A thorough risk analysis holds the answers as to how to address your website risk management needs.
Jean C. Miller is a consultant with Tillinghast-Towers Perrin in its Chicago office. She is a member of the Insurance and Technology Practice, specializing in insurance information technology consulting. She holds an Associate in Risk Management (ARM) designation, a master's degree in computer science from DePaul University, a bachelor of arts degree in education from the University of Illinois, and a Webmaster certification from the Illinois Institute of Technology. Prior to joining Tillinghast, Ms. Miller was a vice president of the risk management information department of a major international insurance brokerage.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.