Week 2A Flashcards

1
Q

Why risk management?

A
  • Of some things in life we never have enough: safety, security, …, but they come at a cost: investment in controls, opportunity costs, reduction of usability, reduction of flexibility, etc.
  • So there is always a trade-off. Risk management helps to make such trade-offs in a systematic way.
2
Q

Time-based model of Information Security

A

P > D + R

P = time it takes an attacker to break through the various controls that protect the organization’s information assets
D = time it takes for the organization to detect that an attack is in progress
R = time it takes to respond to and stop the attack

If the inequality holds (P > D + R is true), then the organization’s information security procedures are effective. Otherwise, security is ineffective.

3
Q

The main purposes of the monitoring and review process are:

A
  • Ensure that controls are effective and efficient
  • Obtain further information to improve risk assessment
  • Analyse and learn lessons from incidents, but also from changes, trends, successes, and failures
  • Detect changes
  • Identify emerging risks
4
Q

Criticism of COSO ERM

A

Michael Power:

In particular, he observes that risk management did little to prevent or slow down the financial crisis.
  • Nothing about systemic risks
  • Nothing about comparability of risk across departments
  • Tends to be based on risks that are easy to measure and record
  • Real risks are about human decision:

5
Q

Conclusions

A
  • Monitor risks (external), and monitor risk management (internal)
  • Detect: situation awareness
  • Qualitative versus quantitative risk analysis metrics
  • Continuous monitoring: research topics