Chapter 1: Risk Management




Ancient History: My, How Time Passes when You're Having Fun

There was a time when computers occupied entire buildings with their support units staffed by hundreds of workers. Instead of model numbers, these computers were given names like the Bombe, Colossus, and Eniac. In those primitive times, it was sufficient to have a risk management process with the objective of protecting an organization's assets after a natural disaster struck. Protective measures usually consisted merely of having extra business supplies stockpiled in a supply closet. Having malicious employees on staff was unthinkable. Formalized program assessments, testing, and revising were not part of those early processes; they were afterthoughts assigned as a lesser part of official responsibilities. It seems risk management processes were guided by the attitude of "hope for the best, and pray for the rest."

Recent Events

A few days after the September 11, 2001, attack on the World Trade Center, computer systems around the world felt the destructive and economically significant attack of the NIMDA computer virus. It propagated across the world with remarkable speed and attempted several different ways to infect computer systems until it achieved entry and began destroying files. NIMDA went from nonexistence to worldwide in less than a week. In the United States alone, it attacked 86,000 computers and caused significant problems in seemingly well-protected industries. It forced businesses and individuals offline and required some organizations to entirely rebuild their systems.

While the actual damage of NIMDA is unknown, industry sources estimate that the overall financial impact of system attacks resulting from malicious code reached $13 billion in 2001 alone. At Carnegie-Mellon University, the CERT (Computer Emergency Response Team) reported approximately 3700 computer attacks in 1998; in 2002, CERT reported more than 110,000 attacks.

In the span of less than 20 years, the world shifted control of essential business processes in manufacturing, utilities, finance, and communications to networked information systems. All sectors of the world economy are being affected: energy production, transportation, public health, emergency services, the defense industrial base, shipping, agriculture, food, and education. This shift lowered the cost of doing business and significantly raised productivity.

Attacks concentrating on information systems occur frequently and have serious consequences, causing loss of revenue, loss of life, and disruption of critical services. Effectively countering these attacks requires a concerted effort on the part of public and private organizations.

The following trends are emerging:

  • Computer systems are increasing in sophistication and becoming more integrated in our lives.

  • Computer-system-related incidents are increasing in number, sophistication, severity, and cost.

  • Critical incidents occur every day.

  • Risk management programs will significantly reduce risks and result in continuing profitable operations.

  • It is a mistake to assume that current levels of system damage caused by inside and outside attackers are indicators of the future. It is anticipated that significantly worse events will occur.

  • It is the responsibility of each organization to secure its systems.

Organizations must be aware that securing and protecting systems is a continuous process, because new vulnerabilities are created or discovered almost daily. CERT has noted that not only are cyber incidents and attacks occurring at an increasing rate, but the number of vulnerabilities that an attacker can exploit is also increasing. The number of organizations facing problems that allow unauthorized entry into, or damage to, a computer system more than doubled in recent years.

In 2000, there were 1090 separate system vulnerabilities, with 2437 reported in 2001. In a recent survey conducted by the Computer Security Institute (CSI), 90 percent of the respondents used antivirus software, yet more than 85 percent had experienced damage attributed to a virus. In this same survey, 89 percent of the survey respondents had installed network firewalls and 60 percent had installed intrusion detection systems, but 90 percent reported network security breaches and 40 percent had their systems accessed from outside the network. This CSI survey indicates that good security practices include not just installing security devices, but that policies and procedures must be observed in business operations as well.

Game Plan

As part of the critical incident management process, a risk management program must be developed, beginning with planning models, critical asset identification, risk assessment, disaster recovery, protective measures, and reporting. Building on this foundation, risk management is then integrated into policy formulation, auditing, critical incident response, critical incident team development, law enforcement relations, and privacy. Approaching this process requires some forward thinking about conventional risk management models while new topics are introduced along the way.

Too often organizations form asset protection strategies focused on perceived rather than actual weaknesses. They protect those things they perceive as important. At times the "critical" assets are the "pet" projects of the boss, or they appear important to the risk team, but when examined they are not as critical as they seem. Organizations often spend significant resources protecting "junk." They fail to compare the impact of a negative event with the need for continuing profitable operations.

Here is an example worth remembering: after the terrible destruction of September 11, 2001, the New York Stock Exchange was operational within five days. Many ask how the NYSE was able to recover and restore services in such a short time. The answer is simple. The NYSE had an effective and efficient plan, and the plan was executed.

In the successful implementation of a critical incident management program, assets, threats and their frequency, and vulnerabilities are considered along with their degree of impact. Simply stated, risk management is the process of proactively addressing risks before they occur, when they occur, and the process of resuming profitable operations after they occur. It is important to consider all relevant risks when planning for safeguards and disaster recovery.

Maginot Line

Early in the 20th century, France spent millions of francs constructing the Maginot Line defenses, anticipating an invasion similar to previous land invasions. At that time, these defensive fortifications were considered impregnable. During the 1940 German Army invasion, blitzing soldiers bypassed the Maginot Line, traveling through Holland and Belgium, thereby rendering these expensive fortifications useless.

Senior Management Responsibilities

As a senior manager, it is your task to know your organization, assets, threats and their frequency, vulnerabilities, and safeguards. Managers usually think of risks originating outside the company's walls. They tend to think of critical incidents as pesky attackers attempting to enter their networks or malicious persons targeting their businesses with denial-of-service (DoS) attacks. As damaging as these threats may be, they are small when compared with the internal threats that are more financially damaging. Too often businesses trust employees because they are co-workers, friends, and family members who would not damage their employer. Think again.



Critical Incident Management
ISBN: 084930010X
Year: 2004
Pages: 144