Chapter Extension 22
Managing Computer Security Risk
© 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke

Study Questions
• What is management’s role for computer security?
• What are the elements of security policy?
• What is the difference between risk and uncertainty?
• How do managers assess risk?
• Why are risk management decisions difficult?

What Is Management’s Role for Computer Security?
• Management plays a crucial role
  – Sets policies
  – Balances costs against risks
  – Responsible for information security
• Security should have a cost-benefit analysis
• Security responsibilities and accountabilities must be explicit
  – Problems can have far-reaching consequences
• No magic bullet or single safeguard
• Security is a continuing process
• Social factors may limit security programs

Elements of Computer Security
[Figure CE 22-1: Elements of Computer Security]

What Are the Elements of a Security Policy?
• Senior management must define policy and manage risk
• Security policy elements
  – General statement of security program
    • Foundation for more specific security measures
  – Issue-specific policies
    • Employees should know policies
  – System-specific policy
    • Addressed as part of standard systems development process

What Is the Difference Between Risk and Uncertainty?
• Risk is the likelihood of an adverse occurrence
  – Known threats and consequences
• Management must manage the likelihood of threats being successful
  – Limit consequences
  – Reducing risk comes at a cost
• Uncertainty is different from risk
  – Unknown threats and consequences

Security Privacy
• Gramm-Leach-Bliley (GLB) Act protects consumer financial data stored by financial institutions and financial service providers
• Privacy Act of 1974 protects individuals’ records maintained by government agencies
• Health Insurance Portability and Accountability Act (HIPAA) protects data stored by health care professionals and providers
• State laws protect student data
• Other countries have stronger laws
• Retailers are not covered by any of these laws
  – Do they have an ethical duty to protect customer information?

How Do Managers Assess Risk?
• Define assets
• Assess threats
  – Determine potential threats
  – Likelihood of occurrence
  – Consequences of occurrence
• Identify safeguards
  – Reduce vulnerability
  – Residual risks

How Do Managers Assess Risk?, continued
• Consider consequences
  – Tangible and intangible
• Likelihood
  – Probability that given assets will be compromised
• Probable loss
  – Bottom line of risk assessment
  – Likelihood multiplied by cost of consequences
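A worked version of the assessment these two slides describe, added here as an illustration and not taken from the textbook or the slide deck: probable loss as likelihood multiplied by cost of consequences, residual risk once a safeguard reduces vulnerability, and the cost-benefit comparison the chapter asks management to make. Every asset, threat, safeguard name and dollar figure below is constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    """One potential threat against one asset (hypothetical names)."""
    asset: str
    name: str
    likelihood: float        # assumed probability per year that the asset is compromised
    consequence_cost: float  # tangible plus intangible loss if it occurs, in dollars

    def __post_init__(self):
        # Risk needs a known likelihood; an unknown likelihood is uncertainty, not risk.
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must be a probability in [0, 1]")

@dataclass(frozen=True)
class Safeguard:
    """A control that reduces vulnerability to a threat (hypothetical names)."""
    name: str
    annual_cost: float
    likelihood_reduction: float  # fraction of the likelihood the safeguard removes

def probable_loss(t: Threat) -> float:
    """Bottom line of risk assessment: likelihood multiplied by cost of consequences."""
    return t.likelihood * t.consequence_cost

def residual_loss(t: Threat, s: Safeguard) -> float:
    """Residual risk: the probable loss left after the safeguard reduces vulnerability."""
    return t.likelihood * (1.0 - s.likelihood_reduction) * t.consequence_cost

def cost_benefit(t: Threat, s: Safeguard) -> dict:
    """Compare what the safeguard costs against the probable loss it avoids."""
    avoided = probable_loss(t) - residual_loss(t, s)
    return {"avoided_loss": avoided,
            "net_benefit": avoided - s.annual_cost,
            "justified": avoided > s.annual_cost}

def rank_by_probable_loss(threats):
    """Order threats so the largest expected loss is considered first."""
    return sorted(threats, key=probable_loss, reverse=True)

# Constructed sample data; every number is illustrative.
LAPTOP_THEFT = Threat("customer database", "stolen unencrypted laptop", 0.20, 50_000)
DATA_CENTER_FIRE = Threat("order servers", "data center fire", 0.01, 200_000)
DISK_ENCRYPTION = Safeguard("full-disk encryption", 2_000, 0.90)
FIRE_SUPPRESSION = Safeguard("fire-suppression upgrade", 15_000, 0.50)

if __name__ == "__main__":
    for t in rank_by_probable_loss([LAPTOP_THEFT, DATA_CENTER_FIRE]):
        print(f"{t.asset} / {t.name}: probable loss ${probable_loss(t):,.0f}")
    for t, s in [(LAPTOP_THEFT, DISK_ENCRYPTION), (DATA_CENTER_FIRE, FIRE_SUPPRESSION)]:
        print(s.name, cost_benefit(t, s))
```

The second pairing shows the difficulty the later slide raises: a safeguard can be sound yet not justified when its cost exceeds the loss it avoids.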

Risk Assessment
[Figure CE 22-2: Risk Assessment]

Why Are Risk Management Decisions Difficult?
• Some assets can be protected by inexpensive and easily implemented safeguards
• Some vulnerabilities are expensive to eliminate
• Effectiveness of a safeguard may be unknown
• Management has fiduciary responsibility
  – Must make prudent decisions

Active Review
• What is management’s role for computer security?
• What are the elements of security policy?
• What is the difference between risk and uncertainty?
• How do managers assess risk?
• Why are risk management decisions difficult?