COMP3357 Managing Cyber Risk
Richard Henson University of Worcester January 2017
Module learning outcomes
By the end of this module you should be able to:
- Identify the strategic, financial and operational benefits and issues of cyber risk management
- Review current and future trends in the technical and non-technical risks and aspects of information risk management and security, including laws, regulations and human factors
- Analyse how firms can mitigate cyber risk and differentiate themselves from the competition to increase market share
- Devise a risk assessment plan for an organisation, and use it to create a business continuity / disaster recovery plan
Week 1 – Management of Information & Cyber Risk
Objectives:
- Explain risk qualitatively, in basic (human survival) terms
- Explain risk to organisations, in terms of their survival
- Explain the areas of organisational risk historically (before digital processing)
- Explain why security of information was often left off the organisational risk list, and the consequences of that in the digital age
Risk and Survival
The human race has survived for millions of years: “survival of the fittest”. What does that mean? Threats to survival:
- predators
- lack of food and drink
- lack of shelter
Human Response to Threat?
Genetically based: a chemical trigger (e.g. adrenalin) producing “fight or flight”.
Also based on organised behaviour:
- find food and water sources
- build a home
Appropriateness of Adrenalin in 21st-century UK?
Survival is much less about fight and flight, food and shelter, unless you are living on the street. BUT human imagination (e.g. clever adverts) can make it seem that way!
In practice, survival is about keeping off the streets:
- parents with enough money/assets
- a reasonably well-paid job
Organisational Risk
- Losing customers
- Losing suppliers
- Faulty equipment
- Unreliable or departing employees
What about its data?
Valuing a Business
Based on what?
- Equipment? How is it assessed?
- Profit? How is it assessed?
- People?
- Systems?
Analysing Organisational Risk
Not all organisations are businesses, so it is not always about profit:
- Many not-for-profit (NfP) charities are based on fund-raising: the threats are to “giving”
- Public sector bodies are based on service, e.g. swimming, education: the threats are to providing a safe swimming pool, or a school offering good education and pupil safety
That’s another fine mess… (!)
Until recently, the value of a business was based on:
- assets
- number/quality of customers and partners
- profit (and projections)
Assets? Value = the market value of physical assets. Data is not a physical asset, so it was ignored!
Loss of Data? No value, no risk?
- As data was not perceived as having value, it was not even on the asset register (!)
- Business has always depended on data, yet it was somehow overlooked as an asset
- Digital data has been treated the same way (!!!)
Management of Information Security
(Senior) management are used to the spoken or written word, and often hold misconceptions about digital data, e.g. what is data, what is information, and the relationship between the two.
Security of data may therefore not be given sufficient prominence (!)
Result: digital data is often not properly managed.
The Threats to Organisations
Commonly divided into:
- “internal”: employees
- “external”: hackers
(The division is less neat in practice: insiders and partners can attack from outside, and outsiders often rely on insider mistakes.)
Types of Business Data (1)
- Administration: internal use; information supplied to government bodies
- Customer and supplier information: customer information is PERSONAL data, and some of it is SENSITIVE personal data; both are protected through the Data Protection Act
Types of Business Data (2)
- Transaction information: regarded as financial data, regulated by the Financial Services Authority (FSA)
- Management decision-making information: internal use only
- System data (configuration, logs, credentials)
Reasons to look after Data: 1. The Law
- UK organisations that process personal data must notify the Information Commissioner’s Office (ICO) unless exempt; failing to do so is a criminal offence
- Personal and sensitive personal data must be handled in accordance with the eight principles of the Data Protection Act 1998 (which replaced the 1984 Act)
- Breaches can result in enforcement action and monetary penalties (up to £500,000 under the 1998 Act); some offences, such as unlawfully obtaining personal data, are criminal
Reasons to look after Data: 1. The Law (continued)
Financial data is also covered, through the Financial Services Authority (FSA), replaced in 2013 by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA). Its penalties for poor data security have been much more severe than the ICO’s, e.g.:
- Nationwide, fined £980,000 in 2007
- HSBC (three group firms), fined a total of over £3 million in 2009
- Zurich Insurance, fined £2.275 million in 2010
2. Data losses do not look good for the business!
Depending on which data a business loses, it may not be able to trade efficiently, or even at all. A commonly quoted rule of thumb: a business that cannot recover its data within about ten days is unlikely to survive.
If business data is stolen, the business may ALSO lose trade secrets, customer goodwill, supplier information, market share…
1. The Law (continued)
- 2003: Privacy and Electronic Communications (EC Directive) Regulations (PECR), implementing EU Directive 2002/58/EC: restricts misuse of customer information for electronic marketing
- 1990: Computer Misuse Act: unauthorised access to “computer material” is a criminal offence
- By contrast, most enforcement under the DPA is civil (monetary penalties), not criminal
Data Losses & not-for-profit organisations
Personal data may not be regarded as so important, other than in legal terms; hence the catastrophic sequence of errors that led to HMRC losing 25 million child benefit records in 2007.
HOWEVER, customers do expect their personal data to be safeguarded:
- increasing concern about privacy in recent years
- a source of great embarrassment if data is lost
Internal Data Losses
- Well-meaning employees not following procedures, misusing data or allowing it to get into the wrong hands
- Employees or temps with bad intent
External (hacking…)
- Insiders or business partners accessing data from outside and misusing it, either accidentally or on purpose
- People hacking in from outside, usually via the Internet
Do “we” have a problem?
Perceptions “from the inside” are quite different from those “outside looking in”.
Fixing Data Security… Where to start?
- Identify risks, threats and vulnerabilities
- Put together a top-level information security policy
Risk, Threat, Vulnerability…?
Group exercise:
- What are the risks (to data)?
- What are the vulnerabilities (of the system)?
- What are the threats (internal/external influences)?
Start at the top: an Information Security Policy
Information is so important to organisations that security of information should be central to the organisation’s strategic plan, and therefore part of organisational policy.
Problem: organisations (especially small ones) are very reluctant to do this.
How can organisations be encouraged to have a policy?
Over to you again…
An Information Security Policy
Fortunately, a policy is now becoming a commercial imperative: any organisation taking card payments online must comply with PCI DSS, which requires a documented information security policy (Requirement 12). Other information assurance schemes (e.g. ISO 27001, COBIT, IASME) also require one, and the ICO now enforces the DPA’s security requirements more rigorously.
ONCE the organisation has finally accepted that it needs a policy, it should base the policy on existing organisational strategy. The policy can then be implemented tactically and operationally through the organisational structure.
Stakeholders
A number of jobs involve security of data in one way or another, e.g.:
- Data Controller (Data Protection Act)
- Head of Personnel/HR
- Department heads (especially Finance)
Who should bear the responsibility / carry the can?? Defined responsibility is also an ISO 27001 requirement… tion/iso-survey.htm
Who are the “stakeholders” in organisational Information Security?
Who should be responsible for what? (No responsibility means no accountability.)
Exercise again, in groups…
Differences between Public & Private Sectors?
Is there a difference regarding data?
If strategic business data is lost, with no backup:
- the business cannot do new business
- it cannot fulfil existing business
- the business will fold
If public-sector data is similarly lost:
- service level drops, or becomes zero
- people get angry and write to the media
- the public sector body gets lots of bad publicity
- the system gets patched up and limps on
- an enquiry suggests deficiencies and changes to be made…
Economics of Information Security
An academic research area that seeks to produce economic models organisations can use to attribute value to data.
Back to the basics of information security:
- Confidentiality: what is the relationship between confidentiality and intrinsic value?
- Integrity: very difficult to quantify
- Availability: if loss of particular data causes system failure and puts the business temporarily out of business, that data must have intrinsic value
Value of Business Data
More success to date with organisational data that affects business availability than with personal data. A monetary value can be put on the loss to the organisation of, e.g.:
- a day’s lost production
- a 10% fall in share price
If customer details are leaked, who cares??? Members of the public? The Information Commissioner? Would it affect:
- the business’s availability in the marketplace?
- the business’s share price?
Moving forward… or catching up (!)
The EU General Data Protection Regulation (GDPR) applies from May 2018. It requires organisations to take a risk-based approach to privacy a
Further Research
Business-oriented recent white papers:
What SHOULD have happened as the 1998 DPA was implemented:
The Information Commissioner’s current website (a huge collection of documents):