Chapter Extension 22 Managing Computer Security Risk © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

1 Chapter Extension 22: Managing Computer Security Risk

2 Study Questions
What is management's role for computer security?
What are the elements of security policy?
What is the difference between risk and uncertainty?
How do managers assess risk?
Why are risk management decisions difficult?

3 What Is Management's Role for Computer Security?
Management plays a crucial role
– Sets policies
– Balances costs against risks
– Is responsible for information security
Security spending should be justified by cost-benefit analysis
Security responsibilities and accountabilities must be explicit
– Problems can have far-reaching consequences
There is no magic bullet or single safeguard
Security is a continuing process, not a one-time project
Social factors may limit what a security program can achieve

4 Elements of Computer Security
Figure CE 22-1 (figure not reproduced in the transcript)

5 What Are the Elements of a Security Policy?
Senior management must define policy and manage risk
Security policy elements
– General statement of the security program
  – Foundation for more specific security measures
– Issue-specific policies
  – Employees should know these policies
– System-specific policy
  – Addressed as part of the standard systems development process

6 What Is the Difference Between Risk and Uncertainty?
Risk is the likelihood of an adverse occurrence
– Known threats and known consequences
Management must manage the likelihood of threats being successful
– Limit the consequences
– Reducing risk comes at a cost
Uncertainty is different from risk
– Unknown threats or consequences, which cannot be estimated the way risk can

7 Security Privacy
Gramm-Leach-Bliley (GLB) Act protects consumer financial data stored by financial institutions and financial service providers
Privacy Act of 1974 protects individuals' records maintained by government agencies
Health Insurance Portability and Accountability Act (HIPAA) protects data stored by health care professionals and providers
State laws protect student data

8 Security Privacy, continued
Other countries have stronger laws
Retailers are not covered by any of these laws
– Do they have an ethical duty to protect customer information?

9 How Do Managers Assess Risk?
Define assets
– Determine potential threats
– Likelihood of occurrence
– Consequences of occurrence
Assess threats
Identify safeguards
– Residual risks
Reduce vulnerability

10 How Do Managers Assess Risk?, continued
Consider consequences
– Tangible and intangible
Likelihood
– Probability that given assets will be compromised
Probable loss
– Bottom line of risk assessment
– Likelihood multiplied by cost of consequences

11 Risk Assessment
Figure CE 22-2 (figure not reproduced in the transcript)

12 Why Are Risk Management Decisions Difficult?
Some assets can be protected by inexpensive and easily implemented safeguards
Some vulnerabilities are expensive to eliminate
Effectiveness of a safeguard may be unknown
Management has fiduciary responsibility
– Must make prudent decisions
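The following is an added worked example, not part of the slide deck or of Kroenke's text. It walks through the assessment procedure of slides 9 and 10 (define assets, estimate each threat's likelihood and consequence, compute probable loss as likelihood multiplied by cost) and then the decision problem of slide 12: comparing a safeguard's cost against the risk it removes when its effectiveness is only known as a range. All asset names, probabilities and dollar figures are constructed sample data; the safeguard names and the (low, high) effectiveness model are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    """A known threat: likelihood and consequence are both estimated (risk, not uncertainty)."""
    name: str
    likelihood: float    # probability per year that the threat succeeds against the asset
    consequence: float   # dollar cost if it does, tangible and intangible combined

    def probable_loss(self) -> float:
        # The slides' bottom line: likelihood multiplied by cost of consequences.
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class Safeguard:
    """A candidate control with a yearly cost and an effectiveness estimate."""
    name: str
    threat: str            # name of the threat it reduces
    annual_cost: float
    effectiveness: tuple   # (low, high) share of the threat's likelihood removed; a range
                           # because, as slide 12 notes, effectiveness may be unknown


@dataclass
class Asset:
    name: str
    threats: list = field(default_factory=list)

    def total_probable_loss(self) -> float:
        return sum(t.probable_loss() for t in self.threats)


def residual_risk(asset: Asset, safeguard: Safeguard, effectiveness: float) -> float:
    """Probable loss that remains after the safeguard is applied at a given effectiveness."""
    total = 0.0
    for t in asset.threats:
        if t.name == safeguard.threat:
            total += t.likelihood * (1.0 - effectiveness) * t.consequence
        else:
            total += t.probable_loss()   # untouched threats keep their full probable loss
    return total


def net_benefit_range(asset: Asset, safeguard: Safeguard) -> tuple:
    """(worst-case, best-case) yearly net benefit: risk removed minus safeguard cost."""
    baseline = asset.total_probable_loss()
    low, high = safeguard.effectiveness
    worst = baseline - residual_risk(asset, safeguard, low) - safeguard.annual_cost
    best = baseline - residual_risk(asset, safeguard, high) - safeguard.annual_cost
    return worst, best


def recommend(asset: Asset, candidates: list) -> list:
    """Safeguards that pay for themselves even at the low end of their effectiveness
    estimate, ordered by worst-case net benefit. A prudent (fiduciary) decision does
    not rest on the optimistic end of an unknown."""
    scored = [(net_benefit_range(asset, s)[0], s.name) for s in candidates]
    return [name for worst, name in sorted(scored, reverse=True) if worst > 0]


def rank_assets(assets: list) -> list:
    """Assets ordered by total probable loss, highest first, to focus attention."""
    return [a.name for a in sorted(assets, key=lambda a: a.total_probable_loss(), reverse=True)]


# Constructed sample data (hypothetical; not taken from the textbook).
CUSTOMER_DB = Asset("customer database", [
    Threat("credential phishing", likelihood=0.30, consequence=200_000),
    Threat("disk failure", likelihood=0.10, consequence=50_000),
])
MARKETING_SITE = Asset("marketing website", [
    Threat("defacement", likelihood=0.20, consequence=15_000),
])

CANDIDATES = [
    Safeguard("multi-factor authentication", "credential phishing", 8_000, (0.5, 0.9)),
    Safeguard("nightly offsite backup", "disk failure", 3_000, (0.8, 0.95)),
    Safeguard("outsourced 24x7 monitoring", "credential phishing", 70_000, (0.6, 0.8)),
]

if __name__ == "__main__":
    print("assets by probable loss:", rank_assets([CUSTOMER_DB, MARKETING_SITE]))
    for s in CANDIDATES:
        worst, best = net_benefit_range(CUSTOMER_DB, s)
        print(f"{s.name}: net benefit {worst:,.0f} to {best:,.0f} per year")
    print("adopt:", recommend(CUSTOMER_DB, CANDIDATES))
```

With these constructed figures the customer database carries a probable loss of 65,000 per year, the cheap controls (MFA, backups) show a positive net benefit even at their worst-case effectiveness, and the expensive monitoring contract does not pay for itself at either end of its range, which is exactly the "some vulnerabilities are expensive to eliminate" situation of slide 12. Using the worst case for the go/no-go decision is the deliberate design choice here: it keeps the unknown effectiveness (uncertainty) from being silently treated as a known risk.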

13 Active Review
What is management's role for computer security?
What are the elements of security policy?
What is the difference between risk and uncertainty?
How do managers assess risk?
Why are risk management decisions difficult?

