Lesson 6

Question 1

Risk =

Answer 1

probability * impact

Question 2

Two conceptualizations of IT risk

Answer 2

1. Risk as a probable negative impact
2. Risk as both negative and positive impact
   - Downside risk: probable negative outcome
   - Upside risk: probable positive outcome

Question 3

IT Risk definition

Answer 3

The potential for an unplanned event involving Information Technology (IT) to threaten an enterprise objective.

Question 4

4 types of risk

4A Framework: IT Risk from Business Perspective

Answer 4

Availability
Access (confidentiality)
Accuracy (integrity)
Agility

Question 5

Availability risk

Answer 5

Keeping systems (and their business processes) running. And recovering from interruptions.

Question 6

Access (confidentiality) risk

Answer 6

Ensuring appropriate access to data and systems, so that the right people have the access they need, the wrong people don’t, and sensitive information is not misused.

Question 7

Accuracy (integrity) risk

Answer 7

Providing correct, timely, and complete information that meets the requirements of management, staff, customers, suppliers, and regulators.

Question 8

Agility risk

Answer 8

Being able to make necessary business changes with appropriate cost and speed.

Question 9

Technical response to malicious codes

Answer 9

1. Do nothing
2. Shutdown and rebuild
3. Build a mirror

Question 10

Disclosure Strategy, 5 questions

Answer 10

1. Disclosure to?
2. Medium?
3. Who contact them?
4. When?
5. What to say?

Question 11

CIO’s Communication of IT Incident with? (IVK)

Answer 11

• CEO
  Always tell the CEO the bad news as soon as the possibility is known
• (external) Analysts
  Don’t bring up the attack unless an analyst does so.

Question 12

Managing risks 2 dimensions

Answer 12

1. Cost of protection (high vs. low)

2. Downside risk (cost if happens) (tolerable vs. intolerable)

Question 13

Managing risks 4 strategies

Answer 13

1. Lowest priority (low/tolerable)
2. Bear the risk (high/tolerable)
3. Capitalize costs of risk mitigation (high/intolerable)
4. Mitigate risk ASAP (low/intolerable)

Question 14

Identity and Access Management (IAM)

Answer 14

Identifying, authenticating, and authorizing people to have access to applications, systems, or networks.

Question 15

Identity and Access Management (IAM) - 2 types

Answer 15

1. Category-based (everything in the same category is equally safe)
   Some monitoring, but more trusting
2. Service & data-based (unique security for a data/service)
   Monitor access to important data (some may not like that)

Question 16

IT Risk Management: Three Core Disciplines

Answer 16

Create risk governance processes (identify & manage risk)

Create a risk-aware culture

Reduce IT complexity (e.g., spaghetti systems)

Question 17

Customer Contact Strategies (what to say)

Answer 17

Defensive
Accommodative
Moderation
Image Renewal

Question 18

Customer Contact Strategies: Defensive Strategy components

Answer 18

Denial (frame that no breach crisis exists)

Excuses (minimize organization’s responsibility)

Question 19

Customer Contact Strategies: Accommodative Strategy components

Answer 19

Apology (explicitly apologizing)

Remedial action (take steps to repair and control the damage)

Question 20

Customer Contact Strategies: Moderation Strategy components

Answer 20

Ingratiation (make stakeholders like the organization)

Justification (minimize perceived damage)

Question 21

Customer Contact Strategies: Image Renewal Strategy components

Answer 21

Correction commitment (reassure stakeholders that firm takes whatever steps are necessary to avoid similar breach incidents in the future)

Stakeholder commitment (reassuring stakeholders that firm is committed to providing the best services and/or product)

Value commitment (reassuring stakeholders that the firm is committed to its core values)

Question 22

Effect of crisis strategies on stock price change - Highly-reputable firms

Answer 22

None of the customer contact strategies has a significant influence on stock price

Question 23

Effect of crisis strategies on stock price change - Normal firms

Answer 23

Defensive: Negative but non-significant influence
Accommodative: Negative but non-significant influence
Moderation: Positive influence
Image Renewal: Positive influence