The Risks of Social Media: The Evolution of Social Media Law

We’ve spent a lot of time — both on this blog and in our magazine — trying to better educate risk managers about the risks of social media. The long and the short of it is that, for most industries, social media opportunities far outweigh the potential downside. A policy must be in place, and there is always the possibility of self-inflicted reputational harm that never would have occurred otherwise. But in 2012, not having any social media presence, for most companies, is like not having a website in 2002.

But for all our long-winded efforts to show what legal risks there may be, it looks like we could have done it better with just a chart. Check out this amazing infographic from Morrison & Foerster’s Socially Aware Blog. (via Social Times)

Yup, there are still legal risks, among others, to manage.

But you’re a risk manager, right? So they should be no problem. Just use this as a guide.

Global Pirate Attacks Down Due to Naval Deterrence

The good news is that the number of pirate attacks on the high seas was slightly lower in 2011 than in 2010. The bad news is that there are still a ton of them occurring around Africa. The 439 attacks recorded last year were just 6 fewer than the amount in 2010, according to the latest report from the International Chamber of Commerce’s International Maritime Bureau (IMB).

And this isn’t a result that is just naturally trending (slightly) downward, says the IMB. The agency claims that the numbers would have been higher were it not for naval patrols near the coast of Somalia, the global hotbed of pirate attacks.

In the last quarter of 2011 alone, pre-emptive strikes by international navies disrupted at least 20 Pirate Action Groups (PAGs) before they could become a threat to commercial fleets. The last quarter of 2010 saw 90 incidents and 19 vessels hijacked; in 2011, those numbers fell to 31 and four, respectively.

“These pre-emptive naval strikes, the hardening of vessels in line with the Best Management Practices and the deterrent effect of Privately Contracted Armed Security Personnel, have all contributed to this decrease,” said Captain Pottengal Mukundan, Director of the IMB Piracy Reporting Centre (IMB PRC), which has been monitoring piracy worldwide since 1991. “The role of the navies is critical to the anti-piracy efforts in this area.”

There are more positive findings.

“Only” 802 crewmembers were taken hostage in 2011, down from more than 1,000 in both of the past two years and a high of 1,174 in 2010. And only 10 crewmembers were taken hostage/kidnapped, which was down from the 27 who suffered that fate last year and way below the combined 105 taken hostage in 2007 and 2008.

Here is a chart showing the attacks by the type of violence the criminals used on the crew in recent years.

As I noted in Risk Management magazine in November, the positive naval efforts to deter pirates around Somalia have led to somewhat of a whack-a-mole situation. As Somali pirates have been curtailed, a new threat has emerged in the Gulf of Guinea off Benin on the other side of Africa.

That is one of many reasons that these mildly positive numbers shouldn’t be celebrated. Piracy remains a major challenge, and it has taken a significant naval presence just to essentially stop the figures from increasing. The real goal, of course, is to start creating a real downward trend — not just a possible statistical blip of 6 fewer attacks.

Lastly, here are two graphs showing where the 439 recorded attacks in 2011 occurred and one that shows what types of ships are being attacked.

Pirate Attacks in 2011 by Location

Pirate Attacks in 2011 by Vessel Type

Measuring Risk: The AMIS Algorithm

(Joseph E. Henderson, CSP, is IT Specialist at the Office of Information Technology for the Department of Veterans Affairs.)

Everyone uses risk management daily. The measurement and use may be very obvious, such as the threat posed by a speeding train. The hazard posed outside the train, however, is naturally more profound. Those individuals inside the train have some vulnerability, but it is mitigated to an extent by the professional operators and mechanisms used to control the train. So your risk is less inside the train than outside it. This is an example of mitigating risk by professional regulation of systems or environment.

How do we measure the actual probability of exposure to real-world liabilities and threats, as balanced against presumed or assumed liabilities? Flying is actually a very low-risk scenario when logically examined. Some would say driving is a much more dangerous means of travel. So assumed or presumed threats are not always valid concerns.

Can we balance the actual risk of exposure? In some cases the equation would be forced into the highly probable range; some IT systems receive daily releases intended to defend systems and data.

On the other hand, examination of other platforms or software could show them to be much less likely to fall victim, and the equation is weighted in the opposite direction. Balanced against actual probability, the risk may not exist to be mitigated. Overkill or misdirection of resources could result from over-examination of security exposure where little or no exposure exists.

Below is the AMIS (Accurately Measure Information Security) Algorithm:

(X + Y) x Z = R

X = Risk of attack, developed from actual attack figures supplied by industry. Ranked 1 through 10, where 10 means an attack is very likely or attacks take place daily. A zero would indicate no attacks have ever taken place.

Y = Number of evasive maneuvers required to divert attack (i.e., firewalls and anti-malware). Ranked 1 through 10, where 10 is a heavy concentration of necessary defense measures. A zero would indicate none are required.

Z = Value of data to be protected. Is there personal or valuable information to be secured? We may say a value of 5 if the system holds personal or valuable information. On the other end of the spectrum, a value of zero would be given in the absence of personal or valuable information.

R = Result, or risk, where a maximum of 100 is high risk and zero would be no risk at all.

Example 1. Undefended personal computer risk exposure (10+10)x5 = 100

X = 10 (multiple daily attacks are likely)
Y = 10 (undefended systems are probed and attacked within seconds of internet connection)
Z = 5   (personal information stored on the device)

R = 100 “High Risk”

Example 2. Undefended LAN switch risk exposure (1+2)x0 = 3

X = 1 (little to no exposure to attack)
Y = 2 (little, if any, ability to attack a LAN switch device except perhaps to corrupt a configuration)
Z = 0 (no capability to capture or store personal/valuable information)
R = 3 (extremely low risk)

A higher number means more security is required.

•    100 <- The risk is high so extra measures are warranted.
•    90
•    80
•    70
•    60
•    50
•    40
•    30
•    20
•    10 <- The risk is slight so we may refocus our efforts to other, more vulnerable areas.

An attempt to protect everything, even that which requires little or no protection, is not cost effective.
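The scoring rule and the two worked examples above, implemented as a small added example (this is not Henderson’s code; the Asset class, the risk_label thresholds for the middle of the ladder, and the sample inventory are assumptions made here). The code enforces the stated input ranges so R stays within 0 to 100, and ranks a constructed list of assets so effort can be metered by score. One point the code makes visible: because Z multiplies the sum, any asset with Z = 0 scores 0 whatever X and Y are, so Example 2 evaluates to 0 under the formula as written rather than the 3 shown above.

```python
"""Worked implementation of the AMIS rule (X + Y) * Z = R. Added example, not the author's code."""
from dataclasses import dataclass


def _check_range(name: str, value: int, low: int, high: int) -> None:
    """Reject out-of-range or non-integer inputs so R cannot leave the 0..100 scale."""
    if not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{name} must be an integer in [{low}, {high}], got {value!r}")


def amis_score(x: int, y: int, z: int) -> int:
    """Return R = (X + Y) * Z.

    X: likelihood of attack, 0..10 (10 = attacked daily)
    Y: defensive measures required, 0..10 (10 = heavy concentration)
    Z: value of the data held, 0..5 (5 = personal/valuable data present)
    With these bounds R is always between 0 and (10 + 10) * 5 = 100.
    """
    _check_range("X", x, 0, 10)
    _check_range("Y", y, 0, 10)
    _check_range("Z", z, 0, 5)
    return (x + y) * z


def risk_label(r: int) -> str:
    """Map R onto the page's ladder. The 70/30 cut-offs for the middle band are an assumption;
    the page only names the ends (100 = extra measures warranted, 10 = refocus elsewhere)."""
    if r >= 70:
        return "high: extra measures warranted"
    if r >= 30:
        return "moderate: review defenses"
    return "slight: refocus effort on more vulnerable areas"


@dataclass
class Asset:
    """Hypothetical asset record: name plus the three AMIS inputs."""
    name: str
    x: int
    y: int
    z: int

    @property
    def score(self) -> int:
        return amis_score(self.x, self.y, self.z)


def rank_assets(assets):
    """Return (name, R, label) tuples, highest risk first, so effort is metered by score."""
    return sorted(((a.name, a.score, risk_label(a.score)) for a in assets),
                  key=lambda t: t[1], reverse=True)


# Constructed sample inventory. The first two entries reproduce the page's Example 1 and
# Example 2; the remaining two are hypothetical assets added to show the ranking.
SAMPLE_ASSETS = [
    Asset("undefended personal computer", 10, 10, 5),
    Asset("undefended LAN switch", 1, 2, 0),
    Asset("internet-facing web server holding customer records", 8, 7, 5),
    Asset("internal build server, no personal data", 3, 4, 2),
]

if __name__ == "__main__":
    for name, r, label in rank_assets(SAMPLE_ASSETS):
        print(f"{r:3d}  {name}: {label}")
```

Running the block lists the personal computer at 100, the web server at 75, the build server at 14 and the switch at 0. The zero for the switch is worth noticing when applying the formula: an asset that holds no valuable data but that attackers could still tamper with (the page itself mentions corrupting a configuration) drops off the bottom of the ladder entirely, so Z = 0 should be assigned only when that is genuinely acceptable.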

Data center security of the core operating systems could be increased by several orders of magnitude, making them individually and collectively equal to a virtual data Fort Knox. This would be possible by enabling the entire security suite available under most C2, or higher, certified operating systems. We could have a net deficit risk, where intrusion could be extremely unlikely.

AMIS says measure the risk and meter the effort.


What We Talk About When We Talk About Risk Culture

In our little risk management fiefdom, there is a seemingly never-ending abyss of buzzwords and jargon used to explain simple concepts. Lately, one of everybody’s favorites is “risk culture.” This, of course, isn’t so much a real thing as it is a wishy-washy word to describe the general mentality that an organization’s employees have towards risk. Do the people in the company care about risk? Do they even know what it is? Those are really the only questions the concept of “risk culture” is trying to answer. It just sounds a lot more official.

Of course, since it is a qualitative term that has its foundations in “processes” and “methodologies” and “tone from the top” and all sorts of other barely-real-things, there is never any actual answer to the question “what is the company’s risk culture?” It’s just kind of a general, nebulous idea that people like to throw around. “We should be more proactive in the optimization of our risk culture,” is something I wouldn’t be shocked to hear an executive say.

This isn’t to marginalize the use of the phrase.

It’s not useless by any means, and what it actually stands for is very valuable to ensuring that the organization is paying attention to risk. If talking about “risk culture” is what you need to do in meetings to get people to listen, then that’s fine. But if you’re the one who is actually trying to better embed risk management into an organization’s decision making, you should have a good idea of what you actually mean. Because unless you realize what actually drives risk culture, you may as well just be trying to improve “corporate happiness” or “employee satisfaction levels.”

Over at the blog Operational Risk Management, Ed provides a good breakdown of what we’re actually talking about when we talk about risk culture. Namely, it is about honest communication and employing workers who don’t fear reprisal for telling the truth.


A risk culture begins and ends with a human ability to communicate effectively with other humans. The human behaviors associated with communicating risk have all to do with the ability of one person to know the truth and to effectively tell the other accurately and effectively what the risk is and how it could impact the business. The trouble is, most organizations fail to spend enough time doing exactly that and doing it without fear.

What kind of fear? The fear that by telling your supervisor you might offend them. The fear that by questioning the co-worker about their decision you will alienate them. The fear that by uncovering a fellow worker’s risky behaviors to the rest of the team you will jeopardize the overall mission.


Guess what, people: the ability or lack of ability by a human to communicate risk factors to each other with the truth and without the fear of judgement or retribution is why you either live or die. This is the reason why your organization continues to flourish or rots from the inside out. You see, the risk management environment in your team, unit, office location or FOB has all to do with communicating the truth in an effective way.

This is a good way to think about your “risk culture.” Do your employees talk truthfully, and often, about risk?

As the concept of risk management increasingly becomes less isolated from the concept of simply running a business, the need for terms like risk culture will diminish. Eventually, we will realize that saying something like “that company has a poor risk culture” is synonymous with saying “that company is dysfunctional.” And if nobody is talking to one another honestly about potential problems — or missed opportunities — then that’s exactly what the company is.