AT THE HEART OF MOST TECHNOLOGY-BASED RISK
[Figure: series of charts with axes running from Less to More. Labels: "Crossover Point moves based on Security Needs, etc."; "Shift in Crossover Point"; "More Convenience Allowed"; "Buy Insurance / Transfer Risk"; "Add Security Controls"; "Increased"; "Shift".]
[Figure: chart with the labels "Information Security", "Strategic Security Risk Management" and "Critical Security Problems", grouping the problems listed below.]
Engineering Technology Problems: Firewalls; Intrusion Detection; Network Security; Viruses, Worms, Crimeware; System Hardening; Encryption
Business Problems: Business Continuity / Disaster Planning; Regional Interests (Including Cyber and Natural Disasters); Intellectual Property; Business / Financial Integrity; Regulatory Compliance; Professional Alliances; Industrial Espionage; Privacy; Politics
Chart Based on Forrester, April 2005, And Enhanced/Modified by Kirk Bailey and Ernie Hayden
UW Information Systems Security Risk Mapping
RISK AREAS
UW ERM program has identified four (4) general Risk Areas for defining, grouping and analyzing risks. They are:
Compliance
Financial
Operational
Strategic
RISK REGISTER (example)
Table columns: Rank, Description, Injuries, Financial Loss, Asset Loss, Interruption of Services, Reputation & Image, Performance Loss

Catastrophic
  Injuries: Multiple deaths or severe permanent disabilities
  Asset Loss: Complete loss of assets
  Interruption of Services: 1 month >
  Reputation & Image: Substantiated, public embarrassment, very high multiple impacts, high widespread news profile, third party actions
  Performance Loss: >50% variation to Key Performance Indicators (KPIs)

Disastrous
  Injuries: Death or extensive injuries
  Financial Loss: $3M - $10M or 6% of Operational Budget
  Asset Loss: Significant loss of assets
  Interruption of Services: 1 week - 1 month
  Reputation & Image: Substantiated, public embarrassment, high impact, high news profile, third party actions
  Performance Loss: 25 - 50% variation to KPI

Serious
  Injuries: Medical treatment
  Financial Loss: $250K - $3M or 2% of Operational Budget
  Asset Loss: Major damage to assets
  Reputation & Image: Substantiated, public embarrassment, moderate impact, moderate news profile
  Performance Loss: 10 - 25% variation to KPI

Minor
  Injuries: First aid treatment
  Financial Loss: $50K - $250K or 1% of Operational Budget
  Asset Loss: Minor loss or damage to assets
  Interruption of Services: 1/2 - 1 day
  Reputation & Image: Substantiated, low impact, low news profile
  Performance Loss: 5 - 10% variation to KPI

Insignificant
  Injuries: No injuries
  Asset Loss: Little or no impact on assets
  Reputation & Image: Unsubstantiated, low impact, low profile or no news items
  Performance Loss: Up to 5% variation to Key Performance Indicators (KPI)
LIKELIHOOD (rows) by IMPACT (columns)
IMPACT: Insignificant, Minor, Serious, Disastrous, Catastrophic
Almost Certain: 10, 15, 20, 25
Likely: 12, 16, 20
Possible: 12, 15
Unlikely: 10
Rare
[Figure: RISK MAP WITH CURRENT CONTROLS. Numbered risks plotted on the likelihood and impact map.]
[Figure: RISK MAP MITIGATION PLAN. Numbered risks plotted on the likelihood and impact map.]
Thanks!