IS risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of information/technology solutions (applications, hardware, networks and people) within an organization. It consists of IS-related events that could impact the business. IS risk management is the management of uncertainty within the IS function so as to provide the organization with assurance that:
the possibility of a threat occurring is reduced or minimized, and
the impact, direct and consequential, is reduced or minimized.
To provide this assurance, threats must be identified and their impact on the organization evaluated so that appropriate control measures can be effected to reduce the possibility or frequency of a threat occurring and to reduce or minimize the impact on the business.
Information is a key business resource which, in order to be of value, must be correct, relevant and applicable to the business process and delivered in a timely, consistent and usable manner; it must be complete and accurate, provided through the best use of resources (planned or unplanned), and if sensitive it must have its confidentiality preserved. Information is the result of the combined application of data, application systems, technology, facilities and people. IS risk management ensures that the threats to these resources are identified and controlled so that the requirements for information are met.
Despite the fact that sound system design and installation methodologies have been well known for decades, the IT profession is still plagued by troubled or failed projects, colloquially called “an Ox in the ditch.” Studies like the Chaos Reports published by the Standish Group over the years have documented the extent of IT project successes and failures. For example, the latest publicly available report, "CHAOS Summary 2009," states:
"This year's results show a marked decrease in project success rates, with 32% of all projects succeeding which are delivered on time, on budget, with required features and functions" says Jim Johnson, chairman of The Standish Group, "44% were challenged which are late, over budget, and/or with less than the required features and functions and 24% failed which are cancelled prior to completion or delivered and never used."
"These numbers represent a downtick in the success rates from the previous study, as well as a significant increase in the number of failures", says Jim Crear, Standish Group CIO, "They are the low point in the last five study periods. This year's results represent the highest failure rate in over a decade" (Standish 2009). You should be aware of figures like these before you give the go-ahead for an IT project. Failed IT projects can be disastrous to an organization, even forcing it out of business.
Some of the reasons IT projects fail are:
An inadequate understanding of what functions and features (i.e. requirements) the organization needs in the new system. It would be like trying to build a building before its design has been completed.
Poor project planning, task identification, and task estimation. Usually this means that essential tasks have been overlooked or under-estimated, so that the project’s time and cost estimates are too optimistic.
Lack of proper skills on the project team. This would be like assigning carpentry tasks to an electrician. Some IT professionals think they can do anything and this is almost always not true.
Failure to address problems and/or no project champion. Just about every IT project has problems. If they are not dealt with on a timely basis they don’t go away by themselves, they just get worse. It is helpful in addressing problems if a highly-placed executive is a “champion” of the project and can step in and get problems solved if the project team is struggling.
Inadequate testing. All too often, a new system is put into operation before it has been adequately tested to be sure it handles all conditions it is likely to encounter. A system failure after conversion can cause normal business processes (like accepting customer orders, for example) to fail.
No fall-back plan. Before converting to a new system, the project team should have a tested fall-back plan they can revert to in order to keep business processes working while the new system is adjusted.
Executive champions should be aware that IT project risks are all too often known to the IT professionals but not always shared with others. Therefore, you should always ask that a formal project risk assessment be done at the beginning of a project and that plans are in place to keep risks to a minimum.
The biggest challenge companies face in tackling IS security risks is the growing sophistication of hackers and other cyber-criminals. Organizations must now contend with a range of hi-tech attacks orchestrated by well-organized, financially-motivated criminals. While large organizations often have independent IS security staffs, a start-up can likely focus on just a couple of basic items, such as:
Identifying the value of information stored on your computer(s) and making sure that access to such information is restricted to employees who need to use it for legitimate business purposes. For example, your customer database and customer profitability analyses should be protected, as you would not want such information to fall into the hands of a competitor as the result of actions taken by a disloyal employee.
Computers sometimes break down (“crash”). This is why it is important to have a procedure for backing up critical files on a daily basis, and to have written, tested procedures to recover needed information from backup files quickly. A backup that has never been restored is an untested assumption, not a control. Organizations have gone out of business as a result of failed computer systems that were not properly backed up.
If you have a website, you will need to be sure that it is adequately protected from both internal and external threats. We discuss Internet risks in the next section.
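The backup item above says that backups must be taken regularly and that the recovery procedure must be written down and tested. The following is an added example (not code from the original page) of what "tested" can mean in practice: it archives a directory, records a SHA-256 digest for every file in a manifest kept beside the archive, and then proves restorability by extracting into a scratch directory and comparing every restored file against the manifest. The sample "customer database" and "order log" contents are constructed for the demonstration, and the damaged-archive case simulates a copy that was cut short by a full disk or an interrupted transfer.

```python
"""Integrity-checked backup with a verified test restore (added example)."""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir: Path, backup_dir: Path, label: str = "daily"):
    """Archive source_dir into backup_dir and write a manifest of per-file digests.

    The manifest lives beside the archive, not inside it, so a damaged archive
    cannot also damage the record of what the archive is supposed to contain.
    Returns (archive_path, manifest_path)."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"{label}.tar.gz"
    manifest = backup_dir / f"{label}.manifest.json"
    digests = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            digests[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    manifest.write_text(json.dumps(
        {"archive_sha256": sha256_file(archive), "files": digests}, indent=2))
    return archive, manifest


def verify_restore(archive: Path, manifest: Path) -> list:
    """Restore into a scratch directory and check every file against the manifest.

    Returns a list of problems; an empty list means the backup is restorable
    and intact. A digest mismatch on the archive itself is reported first,
    because that is the cheapest check and the most common failure."""
    expected = json.loads(manifest.read_text())
    problems = []
    if sha256_file(archive) != expected["archive_sha256"]:
        problems.append("archive digest mismatch (archive altered or truncated)")
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The 'data' filter (Python 3.12+, backported to older patch
                # releases) refuses absolute paths, '..' traversal and devices.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            problems.append(f"extract failed: {exc}")
            return problems
        for rel, digest in expected["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"content mismatch: {rel}")
    return problems


def demo() -> dict:
    """Constructed end-to-end run: back up sample files, verify the restore,
    then truncate the archive and confirm the damage is detected."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        src = root / "live"
        (src / "customers").mkdir(parents=True)
        # Constructed sample business data, not real records.
        (src / "customers" / "db.csv").write_text(
            "id,name,revenue\n1,Acme,12000\n2,Globex,8000\n")
        (src / "orders.log").write_text("2024-01-01 order 17 accepted\n")

        archive, manifest = create_backup(src, root / "backups")
        clean = verify_restore(archive, manifest)

        # Simulate an interrupted copy: keep only the first half of the archive.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        damaged = verify_restore(archive, manifest)
        return {"clean_problems": clean, "damaged_problems": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `verify_restore` on a schedule against the newest backup, and alerting on any non-empty result, turns the "tested procedure" in the text into a daily check rather than a one-time exercise. The manifest should itself be copied to a second location, since an attacker or a disk fault that reaches both the archive and its manifest defeats the comparison.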
Companies considering a web site or Internet-based services need to be aware of the various risks and regulations that may apply to these services. Over the past few decades, the Internet has become critical to businesses, both as a tool for communicating with other businesses and employees and as a means for reaching customers. New Internet threats appear continually, ranging from attacks on networks to the simple passing of offensive materials sent or received via the Internet. The risks and particular regulations that apply may vary depending on the types of services offered. For example, institutions offering informational websites need to be aware of the various consumer compliance regulations that may apply to the products and services advertised online. Information needs to be accurate and complete to avoid potential liability. Security of the website is also an important consideration. Companies and individuals that traditionally relied on physical security such as locks and safes to protect their vital business information now face a more insidious virtual threat from cyber-criminals who use the Internet to carry out their attacks without ever setting foot in an establishment or someone’s home. More often than not, these crimes are conducted from outside the United States. Security measures should protect the site from defacement and malicious code.
It is clear that no single risk management strategy can completely eliminate the risks associated with Internet use and access. There is no one special technology that can make an enterprise completely secure. No matter how much money companies spend on cyber-security, they may not be able to prevent disruptions caused by organized attackers. Some businesses whose products or services directly or indirectly impact the economy or the health, welfare or safety of the public have begun to use cyber risk insurance programs as a means of transferring risk and providing for business continuity.
Managing IS risk is a daily decision-making process aimed at reducing the losses and threats a company is exposed to. It is a proactive approach to reducing one's exposure to data/information loss and ensuring the integrity of the applications used day-to-day. An IS security plan should include, at minimum, a description of the security processes for specified applications, the procedural and technical requirements, and the organizational structure that supports the security processes. A risk assessment should be performed first: identifying risks provides guidance on where to focus the security requirements. Security requirements and controls should reflect the business value of the information assets involved and the consequences of a failure of security. Security mechanisms should be cost-beneficial, i.e., the cost of a control should not exceed the cost of the risk it mitigates. The plan should also state what level of residual risk is acceptable within the overall IS security plan.
Objectives:
To become acquainted with high risk and special populations in disaster management
To raise awareness of diversity issues in disaster management
We learn why vulnerability matters in disaster management and gain an overview of the different schools of thought that have formed the field of disaster management. We consider the definition, scope, and measurement of hazards risk and pay particular attention to high risk and special populations, including displaced people (refugees), ethnic minorities, economically disadvantaged populations, children, and the elderly.
Description of Principle: “The patterns of everyday life put certain people at greater risk from disasters than others” (Gillespie, 2010, p. 3)
Justification: This principle is exceedingly important because only when we understand what puts individuals and groups at risk during a disaster can we begin to find ways to reduce the risk and prepare an appropriate disaster response. For example, “in disasters, low-income households are highly vulnerable because of less insurance protection, older housing, and fewer material resources for recovery” (Zakour & Harrel, 2003, p. 28). By having an understanding of the various risks, social workers and others involved in disaster management can focus their efforts on minimizing the risks and providing resources for those most directly affected by the disaster. Likewise, an understanding of vulnerability “increases the capacities of responders by delegating authority to the local level, avoiding overly stringent bureaucratic operating procedures, encouraging self-reliance among the affected population, improving decision making in crisis situations, and discouraging the creation of dependency through well-intentioned but sometimes counterproductive relief operations” (McEntire, 2004, p. 27).
Social Work Relevance: Part of the work of social workers is serving those who are most vulnerable within our community. This professional emphasis must extend to the area of disaster management. The social work profession is “committed to serving vulnerable populations at risk for social and economic disadvantage, including exposure to hazards in the social and physical environment” (Zakour & Harrel, 2003, p. 28). Discovering the patterns of vulnerability helps social workers be better prepared for their jobs, because “social workers who understand those patterns are better able to direct and manage scarce resources” (Gillespie, 2010, p. 3).
Related Definitions:
Vulnerability: the degree of internal risk in a society in relation to the level of resilience of those societies or communities in danger (Zakour, 2010, p. 16)
Distributive Justice: the condition in which all populations in a community, and all communities in a society, have equal access to the resources and capacity needed for overall well-being and resilience in the face of adversity (Zakour, 2010, p. 17)
Physical environment: the natural, built, or technological environment (Zakour, 2010, p. 17)
Social environment: the social organization of a community or society, with an emphasis on the psychological and cultural characteristics of a social organization (Zakour, 2010, p. 17)
Risk: the effects of environmental liabilities on the physical structures and assets of a community (Zakour, 2010, p. 18)
Resilience: the ability of a social system such as a society, community, group, or household to recover or bounce back after a disaster (Zakour, 2010, p. 18)
Illustrations:
This diagram shows how a vulnerable population, such as one with a low level of assets, can face increased risk when it is confronted with a disaster. Policies, institutions and processes, as well as long-term trends, can either increase or decrease a group’s vulnerability.
This model shows how a risk assessment and vulnerability analysis can be used to help mitigate and respond to a disaster.
Principle: Vulnerability is the product of many variables (McEntire, 2004, p. 24; Tenets of vulnerability: An assessment of a fundamental disaster concept, Journal of Emergency Management 2(2), pp. 23-29).
Justification: If we could pin vulnerability down to one thing, like location or government structure, we could fix it easily and therefore prevent many more disasters to vulnerable populations. However, each community, and each family in those communities, has its own unique set of vulnerabilities.
Social Work Relevance: This is important to social work for many reasons. First, we need to be sensitive to the fact that many families may have many conditions that make them vulnerable, and may not be aware of all of them. Because of this, we as social workers need to look at each situation and see the family in their environment with its hazards. We also need to be understanding and teach people about their hazards, as they may not know they are vulnerable, and educate them on how to be safer.
Definition: Vulnerability: the ratio of risk to susceptibility (Gillespie, 2010, p. 3; Vulnerability: The central concept of disaster curriculum, in Disaster Concepts and Issues).
These links will help you to explore different topics related to this module's contents.
- Epidemiological studies are "natural" experiments. But allowing naturally occurring harms to continue without abatement and withholding information from risk bearers creates serious ethical problems. Read the Tuskegee case as presented at the Western Michigan University Ethics Center to learn about a notorious case in which patient rights were egregiously violated for the sake of "continuing the experiment."
- Risk has meaning only in relation to the socio-technical system in which it operates. The STS analysis link explains how such an analysis can be used to anticipate problems.
- Informed consent is a fundamental right in the responsible management of risk. The Belmont Report explains this right and its historical importance.
- The Online Ethics Center's definition of informed consent includes the conditions necessary for fulfilling this right.
The company Windmar has purchased land adjacent to the Bosque Seco de Guanica in Puerto Rico. Its plan is to build a small windmill farm to generate electricity that can be sold to the public utility, the Autoridad de Energia Electrica. Windmill technology is considered desirable because wind is an abundant, clean, and renewable resource. But local opposition has stalled this effort. Concerned citizens object, first of all, to being excluded from the public hearings that were held to assess Windmar's windmill project. Opponents also claim that windmill technology can kill birds on the endangered species list and damage the fragile ecosystems protected in the Bosque Seco de Guanica, an important nature preserve in Puerto Rico. They also suspect that the windmill project has the ulterior motive of attracting industrial development into southern Puerto Rico. What risks accompany windmill technology, and how can they be dealt with ethically?
Recently, a series of microwave antennas have been built in Puerto Rico in the Atalaya hills between the western cities of Mayaguez and Moca. Different kinds of antennas serve different purposes; some provide citizens with cell phone service while others make it possible to track hurricanes and other weather developments. The problem is the impact on the people who live in the surrounding areas. Many antennas have been built within five hundred yards of private residences with some as close as one hundred yards. Local residents were not consulted when the decision was made to build them. They claim that they have suffered a disproportionate number of health problems caused by the EMFs (electro-magnetic fields) generated by the antennas. Construction and repair activities occur at all hours, day and night, disrupting sleep and other normal activities. How should the cell phone companies, government agencies, and other stakeholders respond to these health and safety concerns? How should the possible risks to health and safety associated with antennas be assessed and communicated?
Starting in the mid-1950s, several international mining companies have attempted to receive permission from the Puerto Rican government to construct mines for gold and copper. Orebodies located in the mountainous central region of the island have attracted several proposals for mining projects ranging from large to small scale. Concerns about water pollution (produced by tailings or mining waste products), air pollution (accompanying the proposed copper smelting plants), and disruption of the agrarian lifestyle still alive in central Puerto Rico became focused into considerable political and environmental opposition. Several mining proposals were defeated as citizens' interest groups formed and intensively lobbied the government not to permit mining. One mining site, located in the Cala Abajo region, has been reclassified as a nature preserve to block further attempts at mining. Mining could benefit the areas around the proposed mining sites by generating much-needed jobs and tax revenue. But these benefits come accompanied by increased risks to the environment as well as to public safety and health. How should these risks be assessed? Under what conditions, if any, could they be deemed acceptable? What processes should be set in place by the government to ensure adequate public participation in determining whether these risks are acceptable? How should risk information be communicated to a public which is isolated and still largely illiterate?
In the early to mid-1990s, a consortium of U.S. and Spanish power generation companies proposed an electricity-generating plant for the Mayaguez area that employed co-generation technology fueled by coal. Not only would this privately owned plant sell the electricity it produced to the Autoridad de Energia Electrica; it would also sell the steam by-product to the two local tuna canning plants that had been operating in the area since the 1960s. But local opposition arose to derail the project. Coal is a non-renewable resource that produces noxious by-products that contribute to acid rain and global warming. Geologists pointed out that the plant would be located dangerously close to an active earthquake fault. Environmental groups raised concerns about water pollution, especially further deterioration of the already endangered coral reef in Mayaguez Bay due to the discharge of the heated water used to cool the components of the proposed plant. In televised public hearings, company engineers testified on design modifications to keep endangered species such as manatees from being sucked into the plant through water intake pipes. On the other side of the debate, the Puerto Rico energy utility, the Autoridad de Energia Electrica, predicted energy shortages beginning around the year 2000. (These warnings have been vindicated by the frequent brown-outs and black-outs that residents currently suffer through.) It also argued that the western part of the island needed its own energy-generating facilities to hold onto crucial industries like the textile and tuna canning plants located in the area. Finally, it pointed to the use of coal to generate electricity as an effective substitute for petroleum, which is used to generate most of the electricity consumed by Puerto Ricans. Since the rejection of the project, the textile industry has all but disappeared and one of the two tuna canning plants has relocated to Taiwan.
Can government play the role of "honest broker" between private industry and a suspicious public? Should public utilities contract with private industry to meet energy and other infrastructure needs? What are the environmental risks of co-generating technology? How can these be responsibly communicated to the public? How should all stakeholders weigh environmental, safety, and health risks against infrastructure expansion and economic development?
Each of these cases raises risk issues that cannot be settled by process alone but require substantive debate focusing on the fragile ethical values embedded in the surrounding socio-technical system. The stakeholders have at times worked together but more often engage in conflict over seemingly incompatible yet essential interests. Private industry has designed these projects to respond to real, market-based needs. For example, Puerto Rico desperately needs clean, renewable and sustainable sources of energy to protect its fragile environment and reduce its dependency on foreign oil. Yet other stakeholders, especially a public with complex and vital interests, have banded together to oppose these and other initiatives. Local residents demand a right to a livable environment, raise health and safety concerns, and assert civil rights based on distributive justice, free and informed consent, and due process. Past experiences with ambitious but poorly designed and executed business and government projects have consumed social capital and undermined public trust. Continuing development under these conditions has proven difficult. The Puerto Rican government has consistently been in the middle, attempting to mediate between these contending parties. Can government play the role of "honest broker" and help lead conflicting stakeholders to political and social consensus? Can government lead the substantive ethical debate into applications of distributive justice, informed consent, and sustainable environmental value? Or should it step out of the way and let the public and private industry fight it out on their own? What role do free (or semi-controlled) markets have to play in mediating this conflict? This module will help you explore these proble