Presentation is loading. Please wait.

Presentation is loading. Please wait.

COMP3357 Managing Cyber Risk

Published by豌昌 和 Modified over 5 years ago

Similar presentations

Presentation on theme: "COMP3357 Managing Cyber Risk"— Presentation transcript:

1 COMP3357 Managing Cyber Risk
Richard Henson University of Worcester January 2019

2 By the end of this module you should be able to:
Identify strategic, financial and operational benefits and issues of Cyber Risk Management Review current and future trends of the technical and non-technical risks and aspects of Information Risk Management and security, including laws, regulations, and human factors Analyse how firms can mitigate cyber risk and differentiate from competition to increase market share Devise a risk assessment plan for an organisation, and use this to create a business continuity/disaster recovery plan

3 Week 1 – Management of Information & Cyber Risk
Objectives: Explain risk – qualitatively, in basic (human survival) terms Explain risk to organisations – re. survival… Explain the areas of organisational risk historically (pre digital processing) Explain why security of information was often left off the organisation risk list, and consequences in the digital age…

4 Risk and Survival Human race survived millions of years
“survival of the fittest” what does that mean? Threats… to survival! predators lack of food & drink lack of shelter

5 Human Response to Threat?
Genetically based on… trigger of chemicals (e.g. adrenalin) “Fight or Flight” (lol….) Also based on organised behaviour: find food & water sources build a home

6 Appropriateness of Adrenalin to humans in 21st century UK?
Survival much less about flight and fight, food and shelter unless living on the street… BUT human imagination (e.g. films/clever adverts) can make it seem that way! In practice for most of us… survival is about 21st century parameters enough money/assets a reasonably well paid job but still we produce adrenalin!

7 Adrenalin and 21st century Risk
Most of our adrenalin is produced as a result of watching a screen! May well not relate to “fight and flight” news? advertising? Insult by Facebook “friend”? Evolution takes a long time… Biochemically… we still in the stone age!

8 Organisations and Survival
Like living things, organisations have to keep functioning adequately to survive depends on inputs if insufficient… whether big or small… liquidation… Environment… affects activities… including inputs businesses need to react appropriately or die…

9 Risks to Organisations
Anything that could lose them: customers… suppliers! Typically: faulty equipment unreliable/departing employees slow payment by (other) customers increased overheads…

10 Response? Organisation doesn’t have adrenalin (!) Up to management…
need to: assess risk protect against a risky activity happening!

11 How much is a Business Worth?
Based on… profit? customers? equipment? people? systems? How Assessed?

12 Data losses do not look good for the business!
Depending on which data a business loses… it may not be able to trade efficiently, or even at all! worst case scenario: 10 days maximum to recover, or out of business! If business data is stolen, they may ALSO lose trade secrets, customer image, supplier information, market share…

13 NfP (Not-for-Profit) Organisations
Charities based on fund-raising! if inputs insufficient can still be liquidated… Public sector based on providing service e.g. swimming, education, healthcare input insufficient? Service reduced…(!)

14 Data Losses & not-for-profit organisations
Personal data may not be regarded as so important, other than in legal terms hence the catastrophic sequence of errors that led to 25 million records being lost by HMRC in 2007 HOWEVER… customers do expect their personal/sensitive data to be safeguarded increasing concern about privacy in recent years source of great embarrassment if data lost

15 Differences between Public & Private Sectors?
Is there a difference regarding data? if strategic business data is lost, with no back up cannot do new business cannot fulfil existing business the business will fold If public organisation data similarly lost service level drops or becomes zero people get angry, write to media public sector body gets lots of bad publicity system gets patched up and limps on enquiry suggests deficiencies & changes to be made…

16 Assets Valuation of assets… evidence “Physical” assets: market value
Systems: auditing records Human assets: cvs/achievements Customer base: database and sales records Profits: year-on-year accounts

17 Loss of Data? No value, no risk?
Business always dependent on data… but historically not perceived as of value… (!) unless “intellectual property” So traditionally ignored in assets!!! Why? evidence for valuation needed to keep systems working!

18 Management of Data Important function in any organisation
loss of data/inappropriate processing? systems failure breach of the law Loss of data threatens survival any handling of information need to be risk assessed, then managed may be a cost but doing nothing could be fatal!!!

19 Management of Risk Whether human (survival) or organisation survival…
threats are there because of weaknesses (vulnerabilities) identify the threats… & vulnerabilities that threat agents wish to exploit adopt a strategy to mitigate vulnerabilities

20 The Threats to organisational data…
Divides neatly into: “internal”… actors: employees accidentally/deliberately exploit vulnerabilities “external”… actors: hackers deliberately/accidentally exploit vulnerabilities

21 Internal Data Losses Well-meaning employees not following procedures and misusing data or allowing it to get into the wrong hands…. Employees or temps with bad intent…

22 External (hacking…) Inside people or business partners accessing data from outside, and either accidentally or on purpose, misusing it People hacking in from outside, usually via the Internet

23 Do “we” have a problem? Perceptions “from the inside” quite different from “outside looking in”

24 What is a Data Breach? Loss of organisational data to a 3rd party
Particular problem if: financial data (FCA: severe penalties) personal data (ICO: penalties) sensitive data (ICO: big penalties) intellectual property data (competitors could steal designs, etc.)

25 Reasons to look after Data: 1. The Law
All UK organisations that hold data on people must register with the Information Commissioner's Office (ICO) criminal offence not to do so... Personal and sensitive data must be kept in accordance with eight principles of the Data Protection Act (1984, updated 1998) not to do so can result in hefty fines or even imprisonment

26 Reasons to look after Data: 1. The Law - continued
Financial data also covered under the law, through the Financial Services Authority (FSA)… rebadged to become FCA in 2013 much more severe penalties than the ICO… e.g. Nationwide fined in 2007 approx £1million e.g. HSBC fined in 2009 £ several MILLION e.g. Zurich Insurance fined 2010 £ >1 million

27 1. The Law - continued 2003: EU Privacy & Electronic Communications Regulation (PECR) misuse of customer information for marketing purposes 1990: Computer Misuse Act unauthorised access to “computer material” is a criminal offence! most convictions under DPA civil

28 Moving forward… Or catching up (!)
EU legislation came into effect May 25th 2018 requires organisations to take a risk-based approach to privacy new applications need to be risk assessed!!

29 Further Research Business-oriented recent white papers:
What SHOULD have happened as the 1998 DPA was implemented…: Information Commissioner’s current website – huge collection of documents:

Download ppt "COMP3357 Managing Cyber Risk"

Similar presentations

Property Inventory Valuation Replacement Cost Value The amount it would take to replace property with like property of the same quality and construction.

Property Inventory Valuation Replacement Cost Value The amount it would take to replace property with like property of the same quality and construction.
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
Legislation & ICT By Savannah Inkster. By Savannah Computer Laws 1.Data Protection ActData Protection Act 2.Computer Misuse ActComputer Misuse Act 3.Copyright,

Legislation & ICT By Savannah Inkster. By Savannah Computer Laws 1.Data Protection ActData Protection Act 2.Computer Misuse ActComputer Misuse Act 3.Copyright,
Data Protection Act.

Data Protection Act.
Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.

Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
An overview of the Data Protection Act 1998. Legal framework The Data Protection Act 1998 came into force in March 2001, replacing the Data Protection.

An overview of the Data Protection Act Legal framework The Data Protection Act 1998 came into force in March 2001, replacing the Data Protection.
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
Data Protection for Church of Scotland Congregations

Data Protection for Church of Scotland Congregations
Finance and Governance Workshop Data Protection and Information Management 10 June 2014.

Finance and Governance Workshop Data Protection and Information Management 10 June 2014.
Elma Graham. To understand what data protection is To reflect on how data protection affects you To consider how you would safeguard the data of others.

Elma Graham. To understand what data protection is To reflect on how data protection affects you To consider how you would safeguard the data of others.
OCR Nationals Level 3 Unit 3.  To understand how the Data Protection Act 1998 relates to the data you will be collecting, storing and processing  To.

OCR Nationals Level 3 Unit 3.  To understand how the Data Protection Act 1998 relates to the data you will be collecting, storing and processing  To.
Data Protection Act AS Module 1 10.8 Heathcote Ch. 12.

Data Protection Act AS Module Heathcote Ch. 12.
Data Protection Corporate training 2012. Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.

Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
Local Government Reform and Compliance with the DPA Ken Macdonald Assistant Commissioner (Scotland & Northern Ireland) Information Commissioner’s Office.

Local Government Reform and Compliance with the DPA Ken Macdonald Assistant Commissioner (Scotland & Northern Ireland) Information Commissioner’s Office.
Data Protection Property Management Conference. What’s it got to do with me ? As a member of a management committee responsible for Guiding property you.

Data Protection Property Management Conference. What’s it got to do with me ? As a member of a management committee responsible for Guiding property you.
COMP3371 Cyber Security Richard Henson University of Worcester September 2015.

COMP3371 Cyber Security Richard Henson University of Worcester September 2015.
COMP3371 Cyber Security Richard Henson University of Worcester November 2015.

COMP3371 Cyber Security Richard Henson University of Worcester November 2015.
Www.ICT-Teacher.com. Objectives  Legislation:  Understand that implementation of legislation will impact on procedures within an organisation.  Describe.

Objectives  Legislation:  Understand that implementation of legislation will impact on procedures within an organisation.  Describe.

Similar presentations

Ads by Google