About Hilary Tuttle

Hilary Tuttle is the editor of the Risk Management Monitor and Risk Management magazine.

Examining U.S. Immigration’s Economic Impact

In last night’s third and final presidential debate of the 2016 election cycle, immigration again emerged as a defining topic in discussion of both regulatory reform and the economy. With an increasing amount of immigration by highly skilled laborers—and, of course, the potential reputation impact on companies seen as giving more jobs to non-citizens or moving out of the country in pursuit of labor—changes in such policy have clear implications for risk professionals.

Last month, the National Academies of Sciences, Engineering and Medicine released one of the most comprehensive studies to date on the economic impact of immigration in the United States. Overall, the researchers found that immigration over the past couple of decades has done more good than harm, creating positive impacts on the national economy and causing little lasting impact on the wages or employment levels of native-born Americans. “Immigration enlarges the economy while leaving the native population slightly better off on average,” the study said, also pointing out increases in innovation, entrepreneurship and technological change across the economy. “The prospects for long run economic growth in the United States would be considerably dimmed without the contributions of high-skilled immigrants,” the researchers reported.

Some of the study’s key findings and conclusions include:

  • When measured over a period of 10 years or more, the impact of immigration on the wages of native-born workers overall is very small. To the extent that negative impacts occur, they are most likely to be found for prior immigrants or native-born workers who have not completed high school—who are often the closest substitutes for immigrant workers with low skills.
  • There is little evidence that immigration significantly affects the overall employment levels of native-born workers. As with wage impacts, there is some evidence that recent immigrants reduce the employment rate of prior immigrants. In addition, recent research finds that immigration reduces the number of hours worked by native teens (but not their employment levels).
  • Some evidence on inflow of skilled immigrants suggests that there may be positive wage effects for some subgroups of native-born workers, and other benefits to the economy more broadly.
  • Immigration has an overall positive impact on long-run economic growth in the U.S.
  • In terms of fiscal impacts, first-generation immigrants are more costly to governments, mainly at the state and local levels, than are the native-born, in large part due to the costs of educating their children. However, as adults, the children of immigrants (the second generation) are among the strongest economic and fiscal contributors in the U.S. population, contributing more in taxes than either their parents or the rest of the native-born population.
  • Over the long term, the impacts of immigrants on government budgets are generally positive at the federal level but remain negative at the state and local level — but these generalizations are subject to a number of important assumptions. Immigration’s fiscal effects vary tremendously across states.

“The panel’s comprehensive examination revealed many important benefits of immigration—including on economic growth, innovation, and entrepreneurship—with little to no negative effects on the overall wages or employment of native-born workers in the long term,” said Francine D. Blau, Frances Perkins Professor of Industrial and Labor Relations and professor of economics at Cornell University, and chair of the panel that conducted the study and wrote the report. “Where negative wage impacts have been detected, native-born high school dropouts and prior immigrants are most likely to be affected.”

Check out the April cover story from Risk Management, “Welcome to America: Why Immigration Matters for Business,” for more on the risk management implications of immigration into the United States.

Defending Against the Cyberrisk of Malicious Insiders

An overwhelming number of businesses increasingly see their greatest cyber threats coming from within, but figuring out what to do about the risk poses a formidable gap, according to a recent study from Mimecast. The email and data security company found that 90% of organizations globally consider malicious insiders a major threat to security, yet 45% report they are ill-equipped to cope with the risk. Indeed, one in seven IT security decision-makers view malicious insiders as their number one threat.

Current measures to guard against this risk may still leave significant exposure, and IT managers appear to know it. Those who say they are very equipped on cybersecurity feel virtually just as vulnerable to insider threats as those who believe they are not equipped at all (16% vs. 17%), “indicating that the risk of malicious insiders trumps perceptions of security confidence,” Mimecast reported.

Mimecast recommends the following strategies to guard against the risk of malicious insiders:

  1. Assign role-based permissions to administrators to better control access to key systems and limit the ability of a malicious insider to act.
  2. Implement internal safeguards and data exfiltration control to detect and mitigate the risk of malicious insiders when they do strike, to cut off their ability to send confidential data outside the network.
  3. Offer creative employee security training programs that deter potential malicious insiders in the first place and help others to spot the signs so they can report inappropriate activity to their managers. Then, back that up with effective processes to police and act swiftly in the event of an attack.
  4. Nurture a culture of communication within teams to help employees watch out for each other and step in when someone seems like they’ve become disenchanted or are at risk of turning against the company.
  5. Train your organization’s leadership to communicate with employees to ensure open communication and awareness.

Check out more of the study’s findings in the infographic below:


Chipotle Provides Yet More Reminders of D&O and Food Safety Risks

chipotle food borne illness outbreaks

If the average food safety crisis or product recall forces companies to weather a storm, Chipotle has spent the past year trying to weather a category 4 hurricane. Now months into their recovery effort, it seems they are still seeing significant storm surges.
Last week, a group of Chipotle shareholders filed a federal lawsuit accusing executives of “failing to establish quality-control and emergency-response measures to prevent and then stop food-borne illnesses that sickened customers across the country and proved costly to the company,” the Denver Post reported. The suit accuses executives, the board of directors, and managers of unjust enrichment and seeks compensation from Chipotle’s co-CEOs, while also asking for corporate-governance reforms and changes to internal procedures to comply with laws and protect shareholders.

Sales remain significantly impacted by the series of six foodborne illness outbreaks last year. The company reported in July that same-store sales fell another 23.6% in Q2, marking the third straight quarter of declines for performance even lower than analysts had predicted. The company’s stock remains drastically impacted, currently trading at about $394 compared to a high of $749 before the outbreaks came to light a year ago.

In addition to the most recent shareholder lawsuit, the bad news for directors and officers specifically has also been further compounded recently. Shareholder lawsuits were filed earlier this year alleging the company had misled investors about its food safety measures, made “materially false and misleading statements,” and did not disclose that its “quality controls were not in compliance with applicable consumer and workplace safety regulations.” In June, a group of shareholders sued a number of top executives for allegedly violating their fiduciary responsibilities and engaging in insider trading. Relying on insider knowledge about insufficient food safety protocols, the suit alleges that the executives sold hundreds of thousands of shares in the first half of 2015 before the food poisoning scandal was made public.

Check out previous coverage of the Chipotle crisis in the Risk Management March cover story “Dia de la Crisis: The Chipotle Outbreaks Highlight Supply Chain Risks.”

A Risk-Based Approach to Rating and Correcting Individual Cyberrisk

LAS VEGAS—At this week’s Black Hat conference, some information security professionals turned to a key issue to control enterprise-wide cyberrisk: hacking humans. As phishing continues to be one of the top threats for businesses, hackers and security professionals here continue to try and make sense of why this threat vector is so successful and how to better defend against these attacks.

In a session called “Blunting the Phisher’s Spear: A risk-based approach for defining user training and awarding administrative privileges,” Professor Arun Vishwanath presented some of his research on the “people problem” of cybersecurity, proposing a new model for quantifying the cyberrisk posed by individuals within the enterprise and tailoring training to best mitigate the risk they pose. While many corporate training programs stage fake phishing emails and then lecture those who fail, he said, this model continues to be ineffective, as proven by the increase in these attacks and their efficacy across all industries. People are not the problem, Vishwanath asserted, rather it is in our understanding of people.

Vishwanath and his colleagues have come up with a model to explain how users think, the Suspicion, Cognition, Automaticity Model (SCAM). Faulty ideas about cybersecurity practices, popular myths and other irrational beliefs lead to illogical and unsafe practices. Automatic behaviors also play a significant role in risky behavior, particularly with mobile devices and the ritualistic checking of email – users open messages mindlessly and get so used to clicking links, downloading files or entering credentials that they do not really factor logic into these decisions.

Based on this model of why individuals act in risky ways, he recommends developing a Cyber Risk Index (CRI) based on a short, 40-question survey given to individual employees to evaluate the cyberrisk they specifically pose, which can also be aggregated across divisions, sectors and organizations. As the results highlight different areas of weakness that lead to the employee’s risky behaviors, the CRI can dictate the best ways to that individual and mitigate the risk.
phishing risk training What’s more, this quantitative score of individual cyber hygiene can be used to track changes in risk posture over time and to improve current decision processes regarding privileged access to the organization’s systems to better control data at risk.

Check out Dr. Vishwanath’s whitepaper for more on this approach.