**Understanding Components of IT Risks and Enterprise Risk Management**

Abdul Rahman Ahlan and Yusri Arshad

*Department of Information Systems, Kulliyyah of Information and Communication Technology, International Islamic University Malaysia, Malaysia*

### **1. Introduction**

There is no doubt that information technology (IT) or information systems (IS) improve the efficiency and efficacy of our daily lives. IT derives much of its usefulness from the ability to link systems together to improve functionality and communications (Ahlan, 2005). Inherent in these links are interdependence, interoperability and interconnectedness (O'Brien, 1996). Traditionally, IT was perceived to play the role of a back-end support system for an organisation and thus to have little strategic value. Nowadays, this perception has changed, primarily because of the potential that pervasive IT offers to improve the efficiency and efficacy of every aspect of how organisations, communities and individuals operate, and ultimately to help them achieve their strategies and objectives. IT innovations facilitate all of this for an ever more sophisticated population of IT users (Ahlan, 2005).

Nonetheless, the rapid adoption of IT exposes organisations to increasingly complex and sophisticated risks, whether inherent or external. IT security, or risk, has been a concern of every organisation since the inception of computer systems. Different organisations bear different sensitivity to data and information risks in particular, and different exposures to technical, organisational, project and human risks (Wei *et al*., 2010; Ahlan *et al.,* 2011). A manufacturing environment, for example, is less sensitive to information risk than the healthcare and education sectors, which in turn are less sensitive than the banking and finance sector. University data and information are highly sensitive, and the risks are correspondingly high. The more IT-laden an organisation is, the more IT risks it is subject to. Moreover, IT hardware, software and systems are becoming more sophisticated and expensive. Likewise, hackers or computer intruders and fraudsters are also becoming more sophisticated and are constantly one step ahead of technology (Gerace and Cavusoglu, 2009). Hence, this puts pressure on manufacturers and service providers, as well as IT managers, to continuously increase the quality and security of their products and services.

Hence, this study aims to synthesise the risk factors associated with IT/IS and categorise or classify them into a few main themes to guide IT management in their risk management exercises. This chapter is organised into five main sections. First, the chapter begins with an introduction to IT and risk in general. Second is the description of the methodological approach, a review of the literature on, and a description of, IT risk, risk factors and enterprise risk management. Third is the result and discussion of the IT risk classification identified from the reviewed articles. Finally, the chapter ends with a brief description of future work.

### **2. Literature review**

Extant literature shows that IT/IS has improved significantly compared to twenty years ago. As technology and systems become more complex and sophisticated, the risks associated with them are also growing and are sometimes more difficult to detect. Different organisations bear different sensitivity to data and information risks, and different exposures to technical, organisational, project and human risks (Wei *et al*., 2010; Ahlan *et al.,* 2011).

To ensure a systematic review of the state-of-the-art literature, we follow the approach suggested by Webster and Watson (2002). In a first step, we searched the online databases ProQuest (ABI/INFORM), ScienceDirect, Emerald and the ACM Digital Library using the search terms "IT risk", "IT security" and "IT risk management" in the abstract, title and keywords. We had to limit the search to "information technology" in order to reduce the number of articles found that are not relevant to "IT". The articles selected were published from 2001 to 2011. However, a review of the articles revealed that not many focused specifically on IT risk factors and enterprise risk management. In a second step we filtered the identified articles according to the Association for Information Systems (AIS) journal rankings and book publications. In addition, we also included a few important relevant articles published earlier than 2001 and some from other fields, such as business, management and operations research journals and conference proceedings. Hence, we reviewed in total 46 relevant articles directly related to IT risks, which are tabulated in Table 2 in the Appendix. The summary of IT risk categories is tabulated in Table 1. The next sections briefly present a review of IT/IS risks and their management from the literature. The sections are organised according to topics found in the literature.

#### **2.1 Information system and technology roles and risk exposures**

Information systems play an important role in any modern organisation, supporting its strategic, tactical and operational activities. These systems are at the core of the organisation's information management and allow it to operate efficiently and maintain its competitive advantage. Three vital roles of IS, though not the only ones, are (i) support of business operations; (ii) support of managerial decision making; and (iii) support of strategic competitive advantage. According to O'Brien (1996, p.7), "if IS do not properly support the strategic objectives, business operations or management needs of an enterprise, they can seriously damage its prospects for survival and success".

Recently, advances in IT have exposed IT departments, infrastructures, functions and services to more threats from internal and external risks. These threats can be detrimental not only to technical aspects but also to the data and information in organisations, which can be costly and can even cause terminal loss or bankruptcy. Hence, recognising IT as the technology with the fastest rate of development and application in all branches of business requires adequate protection to provide highly secure, high-quality products and services. The aim of the safety analysis applied to an IS is to identify and evaluate threats, vulnerabilities and safety characteristics. Moreover, IT assets are exposed to the risk of damage or loss. In addition, IT/IS security also involves protecting information stored electronically. That protection implies data integrity, availability and confidentiality.

For example, numerous government reports published in the United States over the last few years indicate that federal automated operations and electronic data are inadequately protected against information risks. These reports show that poor security program management is one of the major underlying problems (GAO, 1999). A principal challenge many agencies face is identifying and ranking the information security risks to their operations, which is the first step in developing and managing an effective security program. Taking this step helps ensure that organisations identify the most significant risks and determine what actions are appropriate to mitigate them (Ahlan *et al.*, 2011).

In addition to information risks, most security incidents today are caused by flaws in software, called vulnerabilities. It is estimated that there are as many as 20 flaws per thousand lines of software code. Statistics from the Computer Emergency Response Team/Coordination Center (CERT/CC) in the United States reveal that the number of vulnerabilities reported has increased dramatically over the years, from only 171 in 1995 to 8,064 in 2006. Along with vulnerabilities, the sophistication of attack tools has also advanced over time. Using the interconnected nature of the Internet and automated attack tools, attackers exploit software vulnerabilities at an alarming rate to cause serious damage to organisations (Gerace and Cavusoglu, 2009).

Nowadays, there are many types of computer crimes reported in the United States, such as money theft (44%), damage of software (16%), theft of information (16%), alteration of data (12%), theft of services (10%) and trespass (2%) (Boran, 2003). This is also happening in other countries. Hence, in order to minimise losses, it is necessary to introduce risk management and risk assessment in the areas of IT and operational risks. The objective of IT/IS risk management is to protect IT/IS assets such as data, hardware, software, personnel and facilities from all external (e.g. natural disasters) and internal (e.g. technical failures, sabotage and unauthorised access) threats, so that the cost of losses resulting from the realisation of such threats is minimised (Gottfried, 1989).

There are myriad dimensions to the complexity of protecting our interconnected IS, from the technical, managerial, organisational, institutional, cultural and international political perspectives. This reality makes it difficult to understand the complex interconnectedness of these IS (Longstaff *et al.*, 2000). Modelling, and subsequently assessing and managing, the risks that face these infrastructures is thus a formidable task. Each dimension is important and must be addressed. However, only when we analyse all the important aspects and perspectives in a complete vision can we make appreciable progress towards the infrastructures' protection and sustained operation. According to Longstaff *et al.* (2000), we can broadly categorise the complexity of interconnected infrastructures as structure-based, which includes hardware, structures and facilities, and human-based, which includes institutions, organisations, culture and language. There is a dangerous disconnect among the professionals from the multiple disciplines that conceive, plan, design, construct, operate, maintain and manage these complex infrastructures.

#### **2.2 IT risk and management**

IT risk management (RM) and risk assessment (RA) are the most important parts of Information Security Management (ISM). An important step in the risk management cycle is risk identification, which is to be done comprehensively and iteratively. This chapter, therefore, aims to synthesise the risk factors associated with IT and categorise or classify them into a few main themes to guide IT management in their risk management exercises.

#### **2.2.1 IT risk definitions**

Various fields such as IT, engineering, banking, insurance, economics, management, medicine and operations research have studied risk and risk management in their own domains. Nonetheless, each field addresses risk in a fashion relevant to its object of analysis and, hence, adopts a particular viewpoint. Therefore, the authors present here some of the risk definitions used in the different fields and relate them to the notion of IT risk used in this study.

Generally, risk occurs in a situation where decisions are made knowing the probability of a risk event, which shows that the decision maker has more information available than if he did not (Frame, 2003).

Furthermore, risk, as a measure of the probability and severity of adverse effects, is a quantitative entity, and in order to manage it we must be able to quantify it. However, quantifying the efficacy of risk assessment and management for software and information assurance in a well-defined metric (one that others can apply, duplicate and compare) has proven difficult. We have made great progress in quantifying all kinds of risk, but not in quantifying the true value of risk to information integrity or to infrastructure protection (Longstaff *et al.*, 2000). In other words, risk is also taken to be a negative outcome or event that has a known or estimated probability of occurrence, based on experience or some theory (see, for example, Charette, 1991; Willcocks and Margetts, 1994).

For example, medicine often focuses solely on the probability of a disease's occurrence (e.g., heart attack), since the negative consequence is death in many cases. It would be useless to focus on the consequence itself since it is irreversible. Odds of occurrence are the key element. Data is used to determine which factors can influence those probabilities (heredity, smoking habits, cholesterol level and others). In its definition of sentinel events (occurrences involving death or serious injury), the Joint Commission on the Accreditation of Healthcare Organisations uses "risk" as "the chance of serious adverse outcome" (Kobs, 1998, as cited by Longstaff *et al.*, 2000). Life insurance adopts this approach and uses mortality tables to estimate probabilities. In this context, a "good risk" will be a person with a low probability of dying within a given period (and hence, for the insurance company, a low probability of having to pay compensation) and a "bad risk" would be a person with a high probability of dying within the period. Levin and Schneider (1997, as cited by Aubert *et al.*, 2005) define risks as "… events that, if they occur, represent a material threat to an entity's fortune" (p.38). Using this definition, risks are the multiple undesirable events that may occur. Applied in a management context, the "entity" would be the organisation. Given this perspective, risks can be managed using insurance, therefore compensating the entity if the event occurs. They can also be managed using contingency planning, thus providing a path to follow if an undesirable event occurs. This definition of risk is analogous to the concept of risk as a possible reduction of utility discussed by Arrow (1983).

On the other hand, the field of finance adopts a different perspective on risk. It views risk as equated to the variance of the distribution of outcomes. The extent of the variability in results (whether positive or negative) is the measure of risk (Aubert *et al.*, 2005). Risk is defined here as the volatility of a portfolio's value (Levine, 2000). Risk management means arbitrating between risk and returns. For a given rate of return, managers will prefer lower volatility, but would be likely to tolerate higher volatility if the expected return were thought to be superior. Portfolio managers therefore aim to build a portfolio that is on the efficient frontier, meaning it has the highest expected return for a given level of risk, and the lowest level of risk for a given expected return (Schirripa and Tecotzky, 2000).

Other fields, such as casualty insurance, adopt a perspective of risk as expected loss. They define risk as the product of two functions: a loss function and a probability function (Aubert *et al.*, 2005). Car insurance is a good example. In the eventuality of an accident, there is a loss function that represents the extent of the damage to the car, which can range from very little damage to the total loss of the car. There is also a probability function that represents the odds that an incident will occur. The expected loss (risk) is the product of these two functions (Bowers *et al.*, 1986).

Another important distinction in risk analysis is the notion of endogenous versus exogenous risk. Exogenous (or external) risks are risks over which we have no control and which are not affected by our actions. Earthquakes or hurricanes are good examples of exogenous risks. Although we have some control over the extent of damage by selecting construction standards, we have no control over the occurrence of such natural events. Endogenous (internal) risks, on the other hand, are risks that depend on our actions. A car accident is an example of a risk with a strong endogenous portion. While a driver has no control over other drivers (the exogenous portion), the probability of an accident is strongly influenced by the driver's behaviour and ability (endogenous). The driver also controls part of the loss function, by deciding to drive an expensive car or a cheap car. This could explain why there is always a deductible amount with car insurance: to ensure that the driver will behave in a way that minimises the endogenous portion of the risk. By being made responsible for a portion of the damages, the driver is enticed to act with caution (Aubert *et al.*, 2005).

In IT/IS studies, risk has been heavily researched in the areas of software development (see, for example, Boehm 1991; Charette, 1991; Griffiths and Newman, 1996; Lyytinen *et al.*, 1998; Ropponen, 1999) and project management (as examples only see Keil, 1995; Morris, 1996; Willcocks and Griffiths, 1996).
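
The following worked example, added here and not taken from the chapter or from any of the authors it cites, applies the three definitions surveyed above to one constructed register of four IT risk scenarios drawn from the threat examples in section 2.1: it scores each scenario by probability of occurrence alone (the medical and life-insurance view), by expected loss as probability times loss (the casualty-insurance view) and by the variance of its outcomes (the finance view), and shows that the three lenses rank the same four scenarios in three different orders. The split of each probability into an exogenous and an endogenous part, with mitigation acting only on the endogenous part, is this example's own modelling assumption, and every number in it is an illustrative value.

```python
"""Three definitions of risk applied to one constructed IT risk register.

Added example: not code from the chapter or from any author it cites.
Each scenario is scored under the probability-only lens (medicine, life
insurance), the expected-loss lens (casualty insurance: probability
function times loss function) and the variance-of-outcomes lens (finance).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    p_exogenous: float                     # yearly probability from causes outside our control
    p_endogenous: float                    # yearly probability from causes our own actions influence
    loss_distribution: dict[float, float]  # loss amount -> probability of that loss, given occurrence
    mitigation_effect: float = 0.0         # share of the endogenous part that a control removes

    def __post_init__(self) -> None:
        total = sum(self.loss_distribution.values())
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{self.name}: conditional loss probabilities sum to {total}, not 1")
        for value in (self.p_exogenous, self.p_endogenous, self.mitigation_effect):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: {value} is outside [0, 1]")

    def probability(self, mitigated: bool = False) -> float:
        """Probability-only lens: the chance that the scenario occurs at all.
        Modelling assumption of this example: exogenous and endogenous triggers
        are independent, and mitigation acts only on the endogenous trigger."""
        p_endo = self.p_endogenous * ((1.0 - self.mitigation_effect) if mitigated else 1.0)
        return 1.0 - (1.0 - self.p_exogenous) * (1.0 - p_endo)

    def expected_loss(self, mitigated: bool = False) -> float:
        """Casualty-insurance lens: probability function times loss function."""
        severity = sum(loss * p for loss, p in self.loss_distribution.items())
        return self.probability(mitigated) * severity

    def outcome_variance(self, mitigated: bool = False) -> float:
        """Finance lens: variance of the whole outcome distribution, with the
        'no incident, zero loss' outcome included."""
        p = self.probability(mitigated)
        outcomes = {0.0: 1.0 - p}
        for loss, cond_p in self.loss_distribution.items():
            outcomes[loss] = outcomes.get(loss, 0.0) + p * cond_p
        mean = sum(x * w for x, w in outcomes.items())
        return sum(w * (x - mean) ** 2 for x, w in outcomes.items())


LENSES = ("probability", "expected_loss", "outcome_variance")


def rank(register: list[Scenario], lens: str, mitigated: bool = False) -> list[str]:
    """Scenario names from highest to lowest risk under one lens."""
    ordered = sorted(register, key=lambda s: getattr(s, lens)(mitigated), reverse=True)
    return [s.name for s in ordered]


def compare_lenses(register: list[Scenario], mitigated: bool = False) -> dict[str, list[str]]:
    """Ranking under each lens; the same register can come out in three different orders."""
    return {lens: rank(register, lens, mitigated) for lens in LENSES}


# Constructed register built from the threat examples given in section 2.1
# (natural disasters, technical failures, sabotage, unauthorised access).
# All numbers are illustrative values invented for this example.
REGISTER = [
    # Purely exogenous: construction standards limit the damage, not the occurrence.
    Scenario("natural disaster", 0.05, 0.00, {200_000.0: 0.9, 2_000_000.0: 0.1}, 0.0),
    Scenario("technical failure", 0.10, 0.30, {10_000.0: 0.8, 100_000.0: 0.2}, 0.5),
    Scenario("sabotage", 0.01, 0.09, {500_000.0: 1.0}, 0.6),
    Scenario("unauthorised access", 0.05, 0.25, {50_000.0: 0.6, 300_000.0: 0.4}, 0.7),
]

if __name__ == "__main__":
    for lens, order in compare_lenses(REGISTER).items():
        print(f"{lens:>17}: " + " > ".join(order))
    for s in REGISTER:
        print(f"{s.name:>20}: expected loss {s.expected_loss():>10,.0f}"
              f" -> {s.expected_loss(mitigated=True):>10,.0f} with mitigation")
```

Running the block prints the three rankings and each scenario's expected loss before and after mitigation; the natural disaster entry is unchanged by mitigation because its probability is purely exogenous.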

302 Risk Management for the Future – Theory and Cases

Bahli and Rivard (2003) propose a scenario-based conceptualisation of IT outsourcing (ITO) risk, wherein risk is defined as a quadruplet comprising a scenario, the likelihood of that scenario, its consequences and the risk mitigation mechanisms that can attenuate or help avoid the occurrence of the scenario. This definition draws on and extends a risk assessment framework that is widely used in engineering. The proposed conceptualisation of risk is then applied to the specific context of ITO, using previous research on ITO as well as transaction cost and agency theory as a point of departure. Agency theory and transaction cost theory suggest four main risk scenarios that can be associated with outsourcing: (1) lock-in, (2) contractual amendments, (3) unexpected transition and management costs and (4) disputes and litigation. Resource-based view theory identifies risks in the competences and capabilities of stakeholders, while social exchange theory looks at the service receiver-provider relationship exchange during ITO project arrangements (Arshad, 2011).

IT risks are perceived to arise from the potential of any undesirable event to bring losses, and threats to the privacy and security of data and information and to the life of organisations and individuals. Raftery (1994) suggests that risk is quantifiable, and proposes that risk is the actual outcome of an activity deviating from its estimated or forecast value. Risk may, therefore, be expressed as an exposure to economic loss and gain. As can be seen, the difference between risk and uncertainty events lies in the (in)ability to know their probability and to quantify their attributes.

In other words, IS have long been at some risk from malicious actions or inadvertent user errors and from natural and man-made disasters. In recent years, systems have become more susceptible to these threats because computers have become more interconnected and, thus, more interdependent and accessible to a larger number of individuals. In addition, the number of individuals with computer skills is increasing, and intrusion, or "hacking," techniques are becoming more widely known via the Internet and other media (GAO, 1999).

Let us consider a technology selection scenario. In a study, Cochran (2006) suggests that when consumers are confronted with technology decisions, the technology attributes noted earlier (interdependence, interoperability and interconnectedness) must be considered. As the numbers and types of information technologies continue to multiply every year, selecting the "right" product is getting more difficult. Thus, for academics trying to understand the factors motivating particular technology selection decisions, for instance, this becomes a significant yet complex issue.

Cochran (2006) asserts that there are three high-level assessment areas in making technology decisions: "standalone" product assessment, technical compatibility assessment and technology survivability assessment. This is shown in Figure 1. This is because practitioners making technology selection decisions cannot afford to base their decisions on the product alone. They must be concerned with whether the product will be compatible with, or disrupt, existing technologies already in place in the organisation. For example, the "best" technology according to its features and functionality may be extremely expensive to implement if it has incompatibilities. Decision makers must also worry about the survivability of the technology in the marketplace in order to avoid being "stranded" without support. An implemented technology could lose much of its value if the vendor folds or is acquired by another company. Furthermore, there are switching costs inherent in these technology decisions that must be considered. The model, however, does not focus on IT risk criteria or risk theories.

Furthermore, Cochran (2006) differentiates between technical and social compatibility. Technical compatibility refers to the capability of multiple products to work together. For example, "will this software package operate on the computer systems we have?" Social compatibility refers to "the degree to which an innovation is perceived as consistent with the existing values, past experiences, and needs of potential adopters." For example, "will this software alter the way that the organisation orders supplies?" or "will this software be compatible with the existing knowledge of the end user?"

Fig. 1. Technology Evaluation Axis

Based on open-ended interviews with six Chief Information Officers (CIOs), project managers and people in similar positions, the informants indicated the complexities that these decisions entail, as well as the areas that are most difficult to assess. Notably, they stressed the difficulty of assessing the full impact of the compatibility issue, as well as the difficulty of predicting the future of technologies. Furthermore, they discussed the consequential effects that previous infrastructure decisions can have on current and future decisions.

Thus, without a thorough understanding of the factors that must be considered, the outcomes of selection decisions are more uncertain. Once the factors are understood, strategies for better assessment and for mitigating risk can be developed. The following section describes the application of risk management in the IT decision-making process.

#### **2.2.2 IT risk management decision making**

Decision-making takes place in an environment which has three components: certainty, uncertainty and risk (Flanagan and Norman, 1993). While certainty can be thought of as a situation in which all the factors causing a possible event can be exactly specified and known by a decision-maker, uncertainty entails the exact opposite, making an uncertain situation impossible to describe in terms of its probability of occurrence.

Risk management tools take into account whether risk is endogenous or exogenous. In finance, for example, risk is considered exogenous. The methods used to manage risk are concerned with diversification, insurance and allocation of assets. There is no direct action that managers can take to reduce the probability of a given event. In engineering or medicine, a portion of the risk is always endogenous. Risk management takes this into account. Patients are informed of the portion they control and are proposed healthier diets and lifestyles; employees are provided with security guidelines and actions are taken to

Cochran (2006) asserts that there are three high level assessment areas in making technology decisions: "standalone" product assessment, technical compatibility assessment, and technology survivability assessment. This is shown in Figure 1. This is because practitioners making technology selection decisions cannot afford to make selection decisions based on the product alone. They must be concerned with whether the product will be compatible with or disrupt existing technologies already in place in the organisation. For example, the "best" technology according to its features and functionality may be extremely expensive to implement if it has incompatibilities. Decision makers must also worry about the survivability of the technology in the marketplace in order to avoid being "stranded" without support. An implemented technology could lose much of its value if the vendor folds or is acquired by another company. Furthermore, there are switching costs inherent in these technology decisions that must be considered. The model, however, does not focus on

Furthermore, (Cochran 2006) differentiates between technical- and social compatibility. Technical compatibility refers to the capability of multiple products to work together. For example, "will this software package operate on the computer systems we have?" Social compatibility refers to "the degree which an innovation is perceived as consistent with the existing values, past experiences, and needs of potential adopters." For example, "will this

2011).

their probability and to quantify their attributes.

significant yet complex issue.

IT risk criteria or risk theories.

In open-ended interviews with six Chief Information Officers (CIOs), project managers and holders of similar positions, the informants indicated the complexities that these decisions entail, as well as the areas that are most difficult to assess. Notably, they stressed the difficulty of assessing the full impact of the compatibility issue and the difficulty of predicting the future of technologies. They also discussed the consequential effects that previous infrastructure decisions can have on current and future decisions.

Thus, without a thorough understanding of the factors that must be considered, the outcomes of selection decisions are more uncertain. Once the factors are understood, strategies for better assessment and for mitigating risk can be developed. The following section describes the application of risk management to the decision-making process in the IT field.

#### **2.2.2 IT Risk management decision making**

Decision-making takes place in an environment which has three components – certainty, uncertainty and risk (Flanagan and Norman, 1993). While certainty can be thought of as a situation in which all the factors causing a possible event can be exactly specified and known by a decision-maker, uncertainty entails the exact opposite, making an uncertain situation impossible to describe in terms of its probability of occurrence.

Risk management tools take into account whether risk is endogenous or exogenous. In finance, for example, risk is considered exogenous: the methods used to manage it are concerned with diversification, insurance and the allocation of assets, and there is no direct action that managers can take to reduce the probability of a given event. In engineering or medicine, a portion of the risk is always endogenous, and risk management takes this into account: patients are informed of the portion they control and are offered healthier diets and lifestyles; employees are given security guidelines, and actions are taken to reduce directly the probability of undesirable consequences. In the IT field, risk management generally involves risk identification and analysis, planning, implementation, and the control and monitoring of the measures implemented. Risk assessment, as part of risk management, consists of several processes: (1) risk identification; (2) analysis of the relevant risks; and (3) risk evaluation. In addition, Rosman (2008) asserts that the four important aspects of the risk management process are: (1) understanding risk and risk management; (2) risk identification; (3) risk analysis and assessment; and (4) risk monitoring.

Risk management recognises risk, assesses risk and takes measures to reduce risk, as well as measures to maintain risk at an acceptable level. The main aim of risk assessment, however, is to decide whether a system is acceptable and which measures would make it acceptable. For every organisation using IT in its business processes, it is important to conduct the risk assessment exercise. Numerous threats and vulnerabilities are present, and their identification, analysis and evaluation make it possible to evaluate the impact of risk and to propose suitable measures and controls for mitigating it to an acceptable level (Nikolić and Ružić-Dimitrijević, 2009).

In the process of risk identification, sources of risk are distinguished by the events or incidents they can give rise to. In that process, knowledge about the organisation, both internal and external, has an important role. Besides that, past experience of risk issues in this or a similar organisation is also very useful. Many techniques for identifying risks are available, such as checklists, experienced judgement, flowcharts, brainstorming, Hazard and Operability (HAZOP) studies, scenario analysis and others (Nikolić and Ružić-Dimitrijević, 2009). To assess the level of a risk, the likelihood and the impact of incidental occurrences are estimated. This estimation can be based on experience, standards, experiments, expert advice and other sources. Since every event may have various, and probably multiple, consequences, the level of risk is calculated as a combination of likelihood and impact. Risk analysis or assessment can follow a quantitative, semi-quantitative or qualitative approach, or a mix of them (Macdonald, 2004).

There are numerous methods applied in risk assessment. Different countries use different methods; even within the same area there are various methods, and which one applies depends on the particular occasion. However, the methodology is similar: system characterisation and description, threat and vulnerability identification, risk assessment, recommended measures and so on. The differences between methods lie in how far each methodology item is developed. All methods should present common descriptions of threats, vulnerabilities and asset groups and, finally, a classification of risks. In that way they can be compared and, in order to achieve the best results, it is useful to apply a combination and optimisation of methods. The ISO standards for IT security (13335, 17799 and 27001) are general guidelines for implementing the IT security management process, but they provide no solutions on how to conduct it specifically (Nikolić and Ružić-Dimitrijević, 2009); note that ISO/IEC 17799 was later renumbered as ISO/IEC 27002. In addition, the Sarbanes-Oxley Act (SOX) requires the companies within its scope to assess the IT controls that support their financial reporting. COSO and COBIT are commonly used IT control assessment guidelines in organisations nowadays. Solms (2005) suggests that the COBIT (2000) and ISO 17799 (ISO/IEC 17799, 2000) frameworks are complementary and are therefore very good choices as reference frameworks for information security governance. Used together, they provide a synergy which can be very beneficial to organisations.

Thus, implementing a proper risk management approach or technique to manage risks is necessary in today's organisations. The process of risk management is usually divided into risk identification, risk analysis, risk response planning, and risk monitoring and control (Hillson, 2002). These steps are sometimes iterative and not always taken in sequence. Generally, it is necessary to express these steps in terms of the activities and methods undertaken in the organisation. Once these activities are identified, it is then possible to assess the risk management practices implemented.

The effective management of risk lies in understanding the probability of a risk occurring and, if it does occur, how severe its adverse effect is likely to be. Within these two dimensions, a risk may be mitigated, accepted, avoided or transferred. In the context of construction, risks may affect cost, quality, safety, environment and time, among others.

External, or global, risk is risk that falls outside an organisation's control because it arises outside the realm of the organisation's operations (Frame, 2003). Although external risks arise from sources that differ from those of internal risks, the same risk management principles can be applied to manage them. The management decision pertaining to a risk depends on the severity and probability of each particular case: some risks may be extremely severe if they occur while the probability of their occurrence is very remote. Consequently, risks may be mitigated, accepted, avoided or transferred as the case may be. In some instances all aspects of a risk management framework apply; in others, only selected principles within a framework suffice. For this reason, it is not possible to tabulate responses to risk management, because the spectrum of risks encountered in real life is too diverse and wide-ranging for any tabulation to be meaningful and succinct. Risk management decisions should therefore be determined on the facts and circumstances of each particular case.

The Project Risk Analysis and Management (PRAM) Guide compiled by the members of the APM Special Interest Group on Risk Management (APM, 2007) states that implementing a risk management system helps in formulating more realistic plans in terms of both cost and time estimates. It also brings an increased understanding of the risks that might occur and of their possible impact, which can lead to the minimisation of such risks and/or their allocation to the party best able to handle them. In addition, it provides an independent view of the risks, which helps to justify decisions and enables the more efficient and effective management of risk. Finally, it contributes to the build-up of statistical data on historical risks that will assist future operations, and it facilitates greater but more rational risk taking, thereby increasing the benefits that can be gained from doing so. Sadgrove (1996) adds that risk management helps a company avoid additional costs and disruptions to its operations and identify the risks that are worth pursuing and those that should be shunned. External risk management is especially important also because the firm's operations are now exposed to a dynamic environment influenced by macroeconomic, political and social factors.

In any organisation nowadays, IT risk management is enforced at different levels of criticality. In medium to large organisations, enterprise risk management is normally practised in order to mitigate the organisational exposures related to IT risks. This is further explained in the following section.
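The two calculations the preceding paragraphs describe, the level of risk as a combination of likelihood and impact and the choice between mitigating, accepting, avoiding or transferring a risk according to its severity and probability, are shown below as an added worked example; it is not code from the chapter or from any of the works it cites. The script scores a small risk register both qualitatively (ordinal 1 to 5 scales, a 5 by 5 matrix) and quantitatively (annualised loss expectancy, SLE multiplied by ARO, a standard quantitative method the chapter does not name), and adds a cost-benefit test for a proposed control. The scales, rating bands, decision rules, asset values and the sample register are assumptions made for the illustration; the category labels I, II and III are the chapter's own.

```python
"""Risk register scoring and response selection (added example, not the chapter's code)."""
from dataclasses import dataclass

# Assumed ordinal scales for the qualitative (matrix) method.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str            # key of LIKELIHOOD
    impact: str                # key of IMPACT
    category: str              # chapter's categories: I technical, II data security, III organisation/people
    sle: float = 0.0           # single loss expectancy per occurrence (assumed currency units)
    aro: float = 0.0           # annual rate of occurrence (expected occurrences per year)
    transferable: bool = False  # can be insured or contractually assigned to another party


def qualitative_score(r: Risk) -> int:
    """Level of risk = likelihood x impact on the ordinal scales (1..25)."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def rating(score: int) -> str:
    """Band the 1..25 product; the cut-offs are an assumed organisational policy."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def ale(r: Risk) -> float:
    """Annualised loss expectancy = SLE x ARO (quantitative method)."""
    return r.sle * r.aro


def choose_response(r: Risk) -> str:
    """Map the severity/probability position to mitigate, accept, avoid or transfer.

    Assumed decision rules:
    - severe impact that is also likely: avoid (stop or redesign the activity);
    - severe-but-remote risk that can be insured or assigned: transfer;
    - low score: accept and monitor;
    - anything else: mitigate with controls.
    Transfer is tested before accept on purpose: a remote but catastrophic event
    scores 'low' on the matrix yet should not simply be accepted.
    """
    l, i = LIKELIHOOD[r.likelihood], IMPACT[r.impact]
    if i == 5 and l >= 4:
        return "avoid"
    if i >= 4 and l <= 2 and r.transferable:
        return "transfer"
    if rating(l * i) == "low":
        return "accept"
    return "mitigate"


def control_worthwhile(r: Risk, residual_aro: float, annual_control_cost: float) -> bool:
    """Adopt a mitigation only if the ALE it removes exceeds what the control costs per year."""
    return r.sle * (r.aro - residual_aro) > annual_control_cost


def assess(register: list) -> list:
    """Score every risk and return the register ordered by matrix score, then by ALE."""
    rows = []
    for r in register:
        score = qualitative_score(r)
        rows.append({
            "name": r.name, "category": r.category, "score": score,
            "rating": rating(score), "ale": ale(r), "response": choose_response(r),
        })
    rows.sort(key=lambda row: (-row["score"], -row["ale"]))
    return rows


# Constructed sample register; the figures are illustrative, not real data.
SAMPLE_REGISTER = [
    Risk("Ransomware on departmental file servers", "possible", "major", "I, II", 250_000, 0.2, True),
    Risk("Flooding of the data centre", "rare", "severe", "I", 2_000_000, 0.02, True),
    Risk("Internet-exposed legacy ERP without patches", "likely", "severe", "I, II, III", 1_000_000, 0.5),
    Risk("Leavers' accounts not disabled", "almost certain", "minor", "II, III", 5_000, 3.0),
    Risk("Vendor drops support for reporting tool", "unlikely", "moderate", "I, III", 40_000, 0.1),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f'{row["score"]:>2} {row["rating"]:<6} ALE={row["ale"]:>10,.0f} {row["response"]:<8} {row["name"]}')
    # Offline backups are assumed to cut the ransomware ARO from 0.2 to 0.05 at 30,000 a year.
    print("offline backups worthwhile:", control_worthwhile(SAMPLE_REGISTER[0], 0.05, 30_000))
    # Relocating the data centre would cut the flood ARO to 0.002 at 100,000 a year: not worth it, hence transfer.
    print("relocation worthwhile:", control_worthwhile(SAMPLE_REGISTER[1], 0.002, 100_000))
```

The point the sample makes is the one the text raises about severe-but-remote events: the flood scores lowest on the matrix, so a purely qualitative ranking would put it last and a naive policy would accept it, while the quantitative view shows its annual expected loss is close to the ransomware case and that the only affordable response is to transfer it. Any real register would replace the assumed scales and thresholds with the organisation's own, and would record the residual score after each control so that monitoring can track whether the response worked.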

#### **2.3 Enterprise risk management**

The earlier sections elaborated on the importance and steps of IT risk assessment and management in organisations. IT risks may be avoidable or unavoidable and, either way, must be managed so as to minimise them. In organisations this is known as enterprise risk management (ERM). According to COSO (2004), it is:

- A process, on-going and flowing through an entity;
- Effected by people at every level of an organisation;
- Applied in strategy setting;
- Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk;
- Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite;
- Able to provide reasonable assurance to an entity's management and board of directors; and
- Geared towards achievement of objectives in one or more separate but overlapping categories.

The underlying premise of ERM is that every entity exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. ERM enables management to deal effectively with uncertainty and the associated risk and opportunity, thereby enhancing the capacity to build value (COSO, 2004).

Furthermore, according to COSO (2004, p.1), ERM encompasses:

- Aligning risk appetite and strategy – Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
- Enhancing risk response decisions – Enterprise risk management provides the rigour to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance.
- Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
- Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organisation, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.
- Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realise opportunities.
- Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

ERM deals with risks and opportunities affecting value creation or preservation. It is defined as a process, effected by an entity's board of directors, management and other personnel and applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and to manage risk to be within its risk appetite, so as to provide reasonable assurance regarding the achievement of entity objectives. Value is then maximised when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives.

These capabilities inherent in ERM help management achieve the entity's performance and profitability targets and prevent loss of resources. ERM helps ensure effective reporting and compliance with laws and regulations and helps avoid damage to the entity's reputation and the associated consequences. In summary, ERM helps an entity get to where it wants to go and avoid pitfalls and surprises along the way (COSO, 2004).

For example, risk management is performed at three levels within the Department of Education and Training (DET) (NSW DEC, 2011). These include:

1. Strategic – this relates to risks associated with DET carrying out its business objectives as articulated in the DET Corporate Plan. These risks are identified, documented and managed in the organisation's business plans down to the business unit level (Regions and Directorates). Existing reporting systems are used to report achievement of objectives and management of identified risks.
2. Operational – this relates to the management of risks associated with the DET business units (Regions and Directorates) meeting their specific objectives. These risks are identified, documented and managed in the unit's operational plans. Existing reporting systems are used to report achievement of objectives and management of identified risks.
3. Specialist Areas – to support both strategic and operational risk management, DET has established specific policies, procedures and guidelines to ensure effective management of risks relating to: occupational health and safety; environmental management; child protection; serious incidents; safety and security; corruption prevention; and business continuity.

Section 3 presents the results of the IT risk categorisation and elaborates on each risk category with examples of situations in which the risks might occur.

#### **3. Results and discussion**

From the literature analysis, we attempt to group comprehensive IT risk factors into major IT risk categories. The findings suggest that IT risks generally originate from (I) the technical or operational side (hardware, software and systems); (II) data and information security; and (III) the organisational, project, legal and human or people side. This is further elaborated under each category in the following sections. Because a large number of relevant publications is available, we provide only a non-exhaustive list of selected literature for the categorical risk examples, shown in Table 1 below.

Understanding Components of IT Risks and Enterprise Risk Management 309

| Author(s) | Journal/Book (Year) | Risk types/issues | Categories |
|---|---|---|---|
| Farahmand, F., Navathe, S. B., Sharp, G. P. and Enslow, P. H. | Information Technology & Management (2005) | Network system threats: (1) threat agent: environmental factors, authorised users and unauthorised users; (2) penetration technique: physical, personnel, hardware, software and procedural | |
| Aubert, B. A., Patry, M. and Rivard, S. | The DATA BASE for Advances in Information Systems (2005) | Principal, agent and transaction categories | II, III |
| Barki, H., Rivard, S. and Talbot, J. | Journal of Management Information Systems (1993) | Technological newness (need for new hardware, software), application size (project scope, number of users, team diversity), expertise (lack of development expertise, lack of application-specific expertise, lack of user experience), application complexity (technical complexity, links to existing legacy systems), organisational environment (task complexity, extent of changes, resource insufficiency, and magnitude of potential loss) | |
| Boehm, B. W. | IEEE Software (1991) | Software risk factors, including personnel shortfalls, unrealistic schedules and budgets, developing the wrong functions, developing the wrong user interface, "gold-plating", a continuing stream of changes in requirements, shortfalls in externally furnished components, shortfalls in externally performed tasks, performance shortfalls, and strained technical capabilities | |
| McFarlan, F. W. | Harvard Business Review (1981) | Dimensions of project risk based upon project size, experience with the technology, and project structure | |
| Keil, M., Cule, P. E., Lyytinen, K. and Schmidt, R. C. | Communications of the ACM (1998) | Four quadrants of risk: customer mandate, scope and requirements, execution, and environment | |
| Longstaff, T. A., Chittister, C., Pethia, R. and Haimes, Y. Y. | IEEE Computer (2000) | Risk in systems integration: software development, temporal, leadership, environment, acquisition, quality and technology | |
| Willcocks, L. P., Lacity, M. C. and Kern, T. | Journal of Strategic Information Systems (1999) | Type and scope of outsourcing, vendor selection criteria and process, the role of the contract, retained capabilities and management processes, and partnering and relationship dimensions | |
| Adeleye, B. C., Annansingh, F. and Nunes, M. B. | International Journal of Information Management (2004) | Strategic and operational risks which may have considerable financial and reputation costs | I, III |
| Ward and Griffiths | Book (2001) | Not achieving the planned benefits, not meeting agreed deadlines, using more resources than initially foreseen, change in functional and procedural requirements, budget overrun and deficient change-over of systems, and problems associated with the operation and maintenance of these systems | |
| Osei-Bryson, K.-M. and Ngwenyama, O. K. | European Journal of Operational Research (2006) | IS outsourcing contracts | I, II, III |
| Tafti, M. | Industrial Management & Data Systems (2005) | Contracts, privacy and security, technical returns, loss of IT expertise, hidden costs and outsourcing decision process | |
| Ramanujan, S. and Jane, S. | Journal of American Academy of Business (2006) | … and legal/political issues | II, III |
| Bahli, B. and Rivard, S. | Omega (2005) | Transaction, client and supplier sources | II, III |
| Bandyopadhyay, K., Mykytyn, P. P. and Mykytyn, K. | Management Decision (1999) | Application level, organisational level and interorganisational level | I, III |
| Cline, M., Guynes, C. S. and Nyanoga, A. | Journal of Business and Economic Research (2010) | Environmental conditions and changes, organisational conditions and changes, managerial cognition, managerial actions, changes in the content of strategy and organisational outcomes | |
| Kroenke, D. | Book (2009) | Incorrect data modification, data disclosure and technological security | I, II, III |
| Rao, M. | EDPACS (2004) | Technological security and legal/political issues | I, III |

Table 1. Risk types/factors (includes IT/IS outsourcing, investment, project management)¹. Categories: I = technical or operational; II = data and information security; III = organisation, project, legal and human or people.

¹ Note: For a summary of risk factors in information systems projects (1983-1997), see Mary Sumner (2000), 'Risk Factors in Enterprise Wide Information Management Systems Projects', Association for Computing Machinery (ACM).


#### **3.1 Technical and operational risks**

Large IT risks originate from technical or operational risks in hardware, software and systems. In hardware, this can take the form of faulty or defective products that affect other hardware and systems in the same or a networked environment. Even though manufacturers' warranties cover product defects after purchase, an electrical short circuit in one device, for instance, can threaten other hardware, software and systems as well as data and information.

Furthermore, the complexity of our technological organisations and society has forced us to deal with coupled and interconnected systems of systems whose likelihood of failure is ever increasing. The dominance of IT in business and commerce has also created an almost critical-path dependency across our interconnected IS and critical infrastructures. For example, banking and finance institutions depend on the information infrastructure to operate their systems, reliable telecommunications depend on electricity, and the electric utilities depend on a reliable source of energy. These networked systems and environments apply to most organisations nowadays, even to small businesses with peer-to-peer or client-server networks and shared computers and peripherals.

Therefore, computer security has become an important issue in this networked environment. The proliferation of personal computers, local area networks and distributed processing has drastically changed the way we manage and control information resources. Internal controls that were effective in the centralised, batch-oriented mainframe environment of yesteryear are inadequate in the distributed computing environment of today. Attacks on computer systems and networks are on the rise, and their sophistication continues to escalate to alarming levels. As more organisations share information electronically and autonomous computer networks work their way into our everyday lives, a common understanding of what is needed and expected in securing information technology resources is required. The world of computers has changed dramatically over the decades. Twenty years ago, most computers were centralised and managed by data centres; they were kept in locked rooms, and staff made sure they were carefully managed and physically secured. In the computing world of today, autonomous network communications set the standards for how we interact with one another in a global environment. An effective security plan can provide adequate safeguards to protect an organisation's vital resources and assets. An ineffective security plan increases the economic costs associated with software vulnerabilities, decreases the efficiency of the organisation and fails to protect its resources and assets. Inadequate protection of system resources compromises information obtained through e-mail, research data and configuration data, services obtained via IS and applications, and equipment such as computers and networking components. In addition, properties vital to an organisation such as confidentiality, integrity, authenticity and availability are compromised. Hence, an effective computer security plan protects an organisation's valuable resources, such as information, hardware and software, and strengthens these vital properties. Through the selection and application of appropriate safeguards, a security plan supports the organisation's mission by protecting its physical and financial resources, reputation, legal position, employees and other tangible and intangible assets. An effective security procedure reduces the economic costs associated with software vulnerabilities.

For instance, the common threats to IS and computer networks can be classified into accidental, intentional, passive and active categories. Accidental threats are losses due to malfunctions or errors. Examples are power failures, hardware faults in network switches, routers and other hardware components, software failures and natural threats such as fires and flooding.

Intentional threats cause damage or corruption to computer assets. Sabotage is a type of intentional threat that uses small virus programs, often propagated by unsuspecting users. Denial of service (DoS) is another form of intentional threat that causes loss of availability of a service. Examples of DoS include e-mail spamming and network packet attacks aimed at host vulnerabilities.

Passive threats do not change the state of the system. They may involve loss of confidentiality but not loss of integrity or availability. An example of a passive threat is traffic analysis, a form of eavesdropping in which an analysis of traffic patterns is used to infer information that is not explicit. Another instance often listed here is replay, the repetition of valid messages in order to gain unauthorised access and masquerade as another entity. Note, however, that replay is more commonly classified as an active threat, since the replayed message changes the state of the receiving system, and it is countered with freshness checks (nonces and timestamps) rather than with confidentiality controls.

Unlike passive threats, active threats change the state of the system, including changes to data and software. Examples are Trojan horses and trapdoor software, both of which alter parts of the system to allow unauthorised access. The security threats common today differ from those of earlier times. With worldwide Internet connections, anyone can gain access to an organisation's computer system from anywhere in the world and steal passwords even though the building may be physically secured. Thus, even though physical security accomplishes its objective in this scenario, the network is still not secure. Viruses and worms can be passed from machine to machine. Global autonomous networks give "electronic thieves" an opportunity to open windows and doors in a computer system's architecture. Such a "virtual thief" can detect and then exploit vulnerabilities in hundreds of machines in a matter of hours.
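The passive and active threats above, replay and masquerade in particular, are exactly what a message-authentication check on the receiving side is meant to catch. The block below is an added example, not code from the original chapter: a receiver authenticates each request with an HMAC over its body and rejects three things in turn, a forged or tampered message (wrong key or altered body), a stale message, and a replay of an earlier valid message whose nonce it has already seen. A single pre-shared key stands in for the digital certificates and signatures the chapter mentions so that the example runs stand-alone; the key, the message fields, the 300-second freshness window and the account names are assumptions for the example.

```python
import hashlib
import hmac
import json
import os
import time

# Assumption for the example: one pre-shared key stands in for the
# per-client certificates/signatures the chapter mentions.
SECRET = b"demo-shared-key-not-for-production"


def canonical(body):
    """Serialise the message body deterministically so that sender and
    receiver compute the HMAC over exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_request(key, client_id, action, nonce=None, ts=None):
    """Build an authenticated request: body plus HMAC-SHA256 tag over the body.
    The fresh random nonce and the timestamp are what make a replay detectable."""
    body = {
        "client": client_id,
        "action": action,
        "nonce": nonce if nonce is not None else os.urandom(16).hex(),
        "ts": ts if ts is not None else int(time.time()),
    }
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Verifier:
    """Receiver side: checks authenticity, freshness and uniqueness of each request."""

    def __init__(self, key, window=300):
        self.key = key
        self.window = window      # seconds for which a message counts as fresh
        self.seen = {}            # nonce -> message timestamp, for replay detection

    def check(self, req, now=None):
        now = now if now is not None else int(time.time())
        body, tag = req["body"], req["tag"]

        # 1. Authenticity: a forged (wrong key) or tampered (altered body) message fails here.
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):     # constant-time comparison
            return "reject: bad tag"

        # 2. Freshness: messages outside the window are dropped, which also bounds
        #    how long nonces have to be remembered.
        if abs(now - body["ts"]) > self.window:
            return "reject: stale timestamp"

        # 3. Uniqueness: a valid message seen before is a replay, even though its
        #    tag still verifies. Forget nonces that fell out of the window first.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if body["nonce"] in self.seen:
            return "reject: replay"
        self.seen[body["nonce"]] = body["ts"]
        return "accept"


def demo():
    """The threat cases from the text, run against one verifier; returns each verdict."""
    now = 1_700_000_000
    v = Verifier(SECRET, window=300)
    genuine = make_request(SECRET, "alice", "read", ts=now)
    # eavesdropper alters the captured body but cannot recompute the tag
    tampered = {"body": dict(genuine["body"], action="delete"), "tag": genuine["tag"]}
    # masquerade attempt by someone who does not hold the key
    forged = make_request(b"attacker-has-no-key", "alice", "read", ts=now)
    # a genuine message held back and delivered too late
    stale = make_request(SECRET, "alice", "read", ts=now - 600)
    return {
        "genuine": v.check(genuine, now=now),
        "replayed": v.check(genuine, now=now + 5),   # same captured message resent unchanged
        "tampered": v.check(tampered, now=now + 5),
        "forged": v.check(forged, now=now + 5),
        "stale": v.check(stale, now=now + 5),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

The order of the checks matters: the tag is verified before anything else so that an attacker without the key cannot make the receiver spend memory on nonces, and the freshness window is checked before the nonce cache so that the cache only ever has to hold nonces from the last `window` seconds. The replayed case is the one to notice: its tag is perfectly valid, which is why a signature alone, without a nonce or timestamp, does not stop this threat.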


#### **3.2 Data and information security risks**

In this information and knowledge era, organisational and individual data and information exist in digital form and, in many instances, on networked environments. They are therefore susceptible to theft, misuse, abuse, modification, improper disclosure, fraud and other harms, and it is important that this risk is minimised in any organisation. One important method to curb this risk is digital certificates and signatures, whereby only certified, authorised identities are allowed to access particular privileged data and information. Moreover, most organisations nowadays also impose access-level security controls on their networks and on enterprise resource planning or other systems such as accounting, operations, human resource, marketing and management. Data administrator privileges are likewise tiered between higher, middle and lower level staff. Nevertheless, sophisticated hackers, spyware and other sniffing tools are always on the lookout for data and information intrusions. Thus, IT managers must be constantly alert to any unusual logging activity in their organisations' systems and servers. Any irregularities must be reported and acted on immediately to avoid foreseeable losses from data and information theft and intrusions, whether from inside or outside the organisation.

Hence, organisations must follow acceptable international standards and compliance regulations on IT risks and security controls such as ISO standards (for example ISO/IEC 27001 for information security management), COBIT, COSO and SOX. The purpose of any IT standard is, for example, to provide steps that employees must take to avoid the inappropriate release of private and confidential organisational information. The focus of such a standard is on sensitive information that exists in digital form, whether stored in a database, used in an application, transmitted over a network, or used in a report. Organisational and individual information must be protected from any inappropriate sharing, release or use. When the information exists in a digital or electronic format, additional steps must be taken to ensure the protection of the information from loss, corruption or inappropriate disclosure.

Understanding the risks involved in handling information in digital form includes an appreciation of the greatly increased vulnerability made possible by technological conveniences that offer portability, easy copying and wide, potentially global, distribution. The lack of reliable and current data often precludes a precise determination of which information security risks are the most significant and a comparison of which controls are the most cost-effective. Because of these limitations, it is important that organisations identify and employ methods that efficiently achieve the benefits of risk assessment while avoiding costly attempts to develop seemingly precise results that are of questionable reliability.

Thus, all organisational and individual information must be handled with appropriate security and access controls, and with attention to safeguarding confidentiality. No information should be exposed inappropriately. Many data elements and other types of information are protected by each country's current statutes or regulations; in the Malaysian case, for example, by Malaysian legal acts, the Malaysian Communications and Multimedia Commission (MCMC), university acts and others. Information that is not protected by law or regulation should nonetheless be protected against inappropriate exposure.

#### **3.3 Organisation, project and human or people risks**

These types of risks originate from or within organisations, projects and people. In an organisational environment, the policies, procedures, regulations, cultures and so on, if not carefully designed, can pose risks to the IT environment. Building security, access controls and electrical fittings, for example, can become sources of threats to IT hardware and software. Organisational type (vertical or hierarchical), size, structure and the implementation of building occupational health and safety can result in different levels of risk. In many organisations that create a proper IT division or department, the risks are minimised by professionally trained staff, and it is important for all staff to adhere to the IT security and control policies and guidelines imposed by management. Many small organisations lack such a function and are therefore at risk of having their computer systems, hardware and software misused, abused, subjected to fraud, improperly installed and so on.

On project risk, the sources of risk can originate anywhere in the project cycle or processes. The project panel and stakeholders must carry out due diligence on the feasibility of projects to reduce risks. IT project management consists of several stages as set out in the Project Management Body of Knowledge (PMBOK® Guide), the standard put forward by the Project Management Institute (PMI): Initiation, Planning, Execution/Managing and Closing (the guide itself also separates Monitoring and Controlling as a fifth process group). The guide lists nine knowledge areas of project management: Project Integration Management, Scope Management, Time Management, Cost Management, Quality Management, Human Resources Management, Communications Management, Risk Management and Procurement Management. These stages and processes also apply to any ITO project. While ITO is associated with significant benefits, it can also be a risky endeavour. Researchers and practitioners recognise that, in some circumstances, ITO entails risk and sometimes leads to undesirable consequences that are the opposite of the expected benefits. In ITO projects, whether onshore or offshore, further risks are posed depending on the nature of the projects themselves. Among the major risks are selecting the right providers, negotiating win-win terms and conditions in contractual documents, access to organisational buildings and information privileges, and project management and service delivery. In much of the ITO literature, projects failed because of poor project management, contract clauses and, in the case of offshoring, cultural differences. The relationship between service receiver and provider is also crucial for ITO success; ITO failure is attributed less to technology than to human competence, capabilities and relationships. Moreover, risk in systems integration, including software development, temporal, leadership, environment, acquisition, quality and technology risks, can become a major source of risk in IT and ITO projects (Arshad, 2011).

Furthermore, since ITO projects involve stakeholders within and outside the organisation, these human or people risks add to the inherent IT risks of the projects. Lack of commitment, understanding, competence, capability and communication, for example, can increase ITO project risk. In addition, staff within an organisation can be involved in stealing private and confidential information, hardware and software, in improper usage, mistreatment, carelessness and other damage to IT hardware, software, systems and information. (See Sumner (2000) for further reading on IS project risk factors.)

Finally, IT risks originating from humans or people can be attributed to human error and misbehaviour. Competence and capabilities distinguish staff in their professionalism. As in ITO projects, the human relationship between service provider and receiver is crucial for ITO project success, as the ITO literature repeatedly shows. Human attitudes such as greed, carelessness and selfishness can increase IT risks in any organisation.
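Sections 3.2 and 3.3 both come back to the same operational control: watch for unusual logging activity on the organisation's systems and servers, whether it originates outside or with staff, and act on irregularities at once. The block below is an added example, not the chapter's own material, of what "watching" looks like in practice: three detection rules run in one pass over constructed sshd-style authentication log lines, flagging a burst of failed logins from one source, a successful login immediately after such a burst (a likely guessed password), and a privileged account logging in outside working hours. The hostname, addresses, account names, thresholds and business-hours window are assumptions for the example, and the log lines are constructed, not captured.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in OpenSSH's syslog format; host, addresses and accounts are invented.
SAMPLE_LOG = """\
Mar  3 01:02:11 erp01 sshd[2201]: Failed password for admin from 203.0.113.7 port 50110 ssh2
Mar  3 01:02:13 erp01 sshd[2201]: Failed password for admin from 203.0.113.7 port 50111 ssh2
Mar  3 01:02:15 erp01 sshd[2201]: Failed password for admin from 203.0.113.7 port 50112 ssh2
Mar  3 01:02:16 erp01 sshd[2201]: Failed password for admin from 203.0.113.7 port 50113 ssh2
Mar  3 01:02:18 erp01 sshd[2201]: Failed password for admin from 203.0.113.7 port 50114 ssh2
Mar  3 01:02:20 erp01 sshd[2203]: Accepted password for admin from 203.0.113.7 port 50115 ssh2
Mar  3 09:15:02 erp01 sshd[2310]: Accepted publickey for alice from 192.0.2.10 port 41022 ssh2
Mar  3 23:40:45 erp01 sshd[2502]: Accepted publickey for dbadmin from 192.0.2.44 port 41500 ssh2
Mar  3 23:41:03 erp01 sshd[2503]: Failed password for bob from 192.0.2.44 port 41501 ssh2
"""

# Assumptions for the example: which accounts count as privileged, what working
# hours are, and how many failures inside what window are worth an alert.
PRIVILEGED = {"root", "admin", "dbadmin"}
BUSINESS_HOURS = range(8, 18)            # 08:00 to 17:59
FAIL_WINDOW = 60                         # seconds
BRUTE_FORCE_THRESHOLD = 5
PRIOR_FAILURES_BEFORE_SUCCESS = 3

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return the fields of one sshd authentication line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; the sample is assumed to span a single day
    ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def analyse(lines):
    """Apply the three detection rules in a single pass and return the alerts raised."""
    recent_failures = defaultdict(deque)   # source address -> timestamps of failed logins
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                       # not an auth event; a real pipeline would route it elsewhere
        t, src, user = ev["time"], ev["src"], ev["user"]
        window = recent_failures[src]
        while window and (t - window[0]).total_seconds() > FAIL_WINDOW:
            window.popleft()               # forget failures older than FAIL_WINDOW
        if ev["result"] == "Failed":
            window.append(t)
            if len(window) == BRUTE_FORCE_THRESHOLD:       # fire once per burst, not per attempt
                alerts.append({"rule": "brute_force", "user": user, "src": src, "at": ev["ts"]})
        else:
            # success right after a burst of failures is the signature of a guessed password
            if len(window) >= PRIOR_FAILURES_BEFORE_SUCCESS:
                alerts.append({"rule": "success_after_failures", "user": user, "src": src, "at": ev["ts"]})
            # privileged access at an unusual hour is worth a look even when it authenticates cleanly
            if user in PRIVILEGED and t.hour not in BUSINESS_HOURS:
                alerts.append({"rule": "off_hours_privileged", "user": user, "src": src, "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG.splitlines()):
        print(f'{a["at"]}  {a["rule"]:24s} user={a["user"]} src={a["src"]}')
```

On the sample the first five failures raise one brute-force alert, the sixth line raises two alerts at once (success after failures, and a privileged login at 01:02), and the `dbadmin` login at 23:40 raises an off-hours alert although nothing about it failed. That last case is the point of the third rule: the "irregularity" the text asks managers to watch for is not always a failed login, so a rule set that only counts failures misses the insider and the attacker who already holds a valid credential.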


The previous sections divide IT/IS risks into three types: 1) technical and operational risks; 2) data and information security risks; and 3) organisation, project and human or people risks. The nature of IT risk depends largely on the type of asset or project: each item of IT hardware, software, system or project has its own inherent and incidental risk. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Therefore, any organisation must undertake a risk assessment and management initiative to minimise the risks that could result in large potential losses. Enterprise risk management enables management to deal effectively with uncertainty and its associated risk and opportunity, enhancing the capacity to build value.

### **4. Future work and closure**

Risk is a common term in every field, including IT/IS. While many definitions are offered from different perspectives, this study adopts the definition of IT risk as the uncertainty that a foreseeable loss or damage can result from uncertain probabilistic events.

The nature of IT risk depends largely on the type of asset or project. Each item of IT hardware, software, system or project has its own inherent and incidental risk. This chapter classifies IT risk into three types, namely: 1) technical and operational risk; 2) data and information security risk; and 3) organisation, project and human risk.

Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Therefore, any organisation must undertake a risk assessment and management initiative to minimise the risks that could result in large potential losses. Enterprise risk management enables management to deal effectively with uncertainty and its associated risk and opportunity, enhancing the capacity to build value.

In short, aligning organisational strategy with IT strategy can help manage IT risks in the organisation. Organisational strategy must acknowledge the potential IT risks associated with all organisational assets that can increase its liabilities. A continuous IT risk assessment and management exercise not only identifies and minimises IT risks at an early stage but also helps achieve the organisation's overall short-, medium- and long-term goals and strategies.

Finally, organisations may opt to undertake an ERM exercise for better control of IT risks and security. The earlier, more continuous and more consistent the application of ERM, the more it can minimise calculated risks and increase the profitability of the organisation, which in turn is ploughed back into the organisation, its staff, communities and stakeholders.

This study provides the theoretical foundation for IT risk components. While IT risk studies have been carried out based on researchers' theoretical frameworks, our next initiative is to perform multiple case studies using mixed and multi-method research in the Malaysian organisational context to explore IT risks in practice. Another possible study is a comparison of practices between organisational contexts in the developing and developed world.

#### **5. Acknowledgment**

This study is funded by the Malaysian Ministry of Higher Education (MOHE) under the Fundamental Research Grant Scheme, FRGS 10-029-0148. We thank the International Islamic University Malaysia Research Management Centre (RMC) for its kind assistance. Finally, our sincere gratitude goes to the organisations and respondents who contributed to the study directly or indirectly.

### **6. Appendix**

Table 2 below lists the relevant articles reviewed in this study. While most are articles found in the AIS journals, the authors also include relevant articles from books and conference proceedings in order to enrich the sources for the literature review. The articles were published from 1991 to 2011.

| Journal / Book / Proceedings | Year |
|---|---|
| Book - Course Technology, Cengage Learning | 2011 |
| Wireless Network | 2011 |
| ACM Computing Surveys | 2011 |
| Information Privacy & Security | 2010 |
| Business & Economics Research | 2010 |
| Proceeding of ACM New Security Paradigms Workshop (NSPW) | 2010 |
| IEEE Security and Privacy | 2009 |
| Consortium for Computing Sciences in Colleges | 2009 |
| Proceeding of IEEE/WIC/ACM International Conference on Web Intelligence and Intelligent Agent Technology - Workshops | 2009 |
| Systems and Software | 2008 |
| Communications of the ACM | 2008 |
| Information Security Technical Report | 2008 |
| The VLDB | 2008 |
| Consortium for Computing Sciences in Colleges | 2008 |
| Association of Computing Machinery | 2006 |
| Consortium for Computing Sciences in Colleges | 2006 |
| Proceeding of ACM International Conference on Privacy, Security and Trust | 2006 |
| ACM Special Interest Group on Management Information Systems | 2006 |
| Proceeding of InfoSecCD Conference | 2006 |
| European Journal of Operational Research | 2006 |
| Strategic Information Systems | 2005 |
| Computers & Security | 2005 |
| Omega | 2005 |
| Information Technology and Management | 2005 |
| Information Security Curriculum Development (InfoSecCD) Conference | 2005 |
| Proceeding of 7th International Conference on Electronic Commerce, ICEC | 2005 |
| The DATA BASE for Advances in Information Systems | 2005 |
| Computers & Security | 2004 |
| International Journal of Information Management | 2004 |
| Sixth International Conference on Electronic Commerce, ICEC | 2004 |
| International Journal of Information Management | 2004 |
| Information Management & Computer Security | 2003 |
| Personal and Ubiquitous Computing | 2003 |
| Consortium for Computing Sciences in Colleges | 2003 |
| Information Technology | 2000 |
| IEEE Computer | 2000 |
| ACM SIGCPR Computer Personnel | 2000 |
| Supply Chain Management: An International Journal | 2000 |
| Information Management & Computer Security | 1999 |
| Management Decision | 1999 |
| Strategic Information Systems | 1999 |
| Supply Chain Management: An International Journal | 1999 |
| MIS Quarterly | 1998 |
| ACM Computing Surveys | 1993 |
| Management Information Systems | 1991 |
| IEEE Software | 1991 |

Table 2. Related articles under review

#### **7. References**

Adeleye, B. C., Annansingh, F. & Nunes, M. B. (2004). Risk … Nigeria. International Journal of Information Management, 24, pp.167–180.

Ahlan, A. R. (2005). Information technology implementations: Managing IT innovation in … University of Cardiff, United Kingdom.

Ahlan, A. R., Arshad, Y. & Lubis, M. (2011). Implication of Human Attitude Factors Toward … Malaysia.

APM (2007). Project Risk Analysis and Management Guide, second edition. Association for Project Management.

Arshad, Y. (2011). IT Outsourcing decisions and implementations in Malaysia public … Lumpur, Malaysia.

Aubert, B. A., Patry, M. & Rivard, S. (2005). A Framework for Information Technology … The DATA BASE for Advances in Information Systems.

Bahli, B. & Rivard, S. (2003). The information technology outsourcing risk: a transaction cost …

Bahli, B. & Rivard, S. (2005). Validating measures of information technology outsourcing … Omega.

Bandyopadhyay, K., Mykytyn, P. P. & Mykytyn, K. (1999). A framework for integrated risk management in information technology. Management Decision, 37(5), pp.437-444.

Barki, H., Rivard, S. & Talbot, J. (1993). Toward an assessment of software development risk. Journal of Management Information Systems, 10(2), pp.203-225.

Boehm, B. W. (1991). Software Risk Management: Principles and Practices. IEEE Software, 8(1), pp.32-41.

Cline, M., Guynes, C. S. & Nyanoga, A. (2010). The impact of organisational change on information systems security. Journal of Business and Economic Research, 8(1), pp.59-64.

Cochran, J. (2006). A Comprehensive Model for Understanding Technology Selection …

COSO (2004). Enterprise Risk Management — Integrated Framework: Executive Summary. Committee of Sponsoring Organizations of the Treadway Commission.

Farahmand, F., Navathe, S. B., Sharp, G. P. & Enslow, P. H. (2005). A … Information Technology & Management.

Flanagan, R. & Norman, G. (1993). Risk management and construction. Blackwell Scientific.

Frame, J. D. (2003). Managing risk in organizations: A guide for managers. Jossey-Bass, NY, US.

GAO/AIMD-00-33 (1999). Information Security Risk Assessment: Practices of Leading Organizations. A Supplement to GAO's May 1998 Executive Guide on Information Security Management. United States General Accounting Office [ai00033.pdf].

Gerace, T. & Cavusoglu, H. (2009). The Critical Elements of the Patch Management Process. Communications of the ACM, 52(8).

Gottfried, I. S. (1989). When disaster strikes. Journal of Information Systems Management, pp.86-89.

Hillson, D. (2002). Extending the risk process to manage opportunities. International Journal of Project Management, 20, pp.235–240.

Keil, M., Cule, P. E., Lyytinen, K. & Schmidt, R. C. (1998). A framework for identifying software project risks. Communications of the ACM, 41(11), pp.76–83.

Kroenke, D. (2009). Using MIS. Upper Saddle River: Pearson Prentice Hall.

Longstaff, T. A., Chittister, C., Pethia, R. & Haimes, Y. Y. (2000). Are We Forgetting the Risks of Information Technology? IEEE Computer.

Macdonald, D. (2004). Practical machinery safety. Pondicherry, India: Integra Software Services.

McFarlan, F. W. (1981). Portfolio approach to information systems. Harvard Business Review, 59(5), pp.142–150.

Nikolić, B. & Ružić-Dimitrijević, L. (2009). Risk Assessment of Information Technology Systems. Issues in Informing Science and Information Technology, 6, pp.595-615.

NSW DEC (2011). Enterprise Risk Management in the Department of Education and Communities. https://www.det.nsw.edu.au/policies/general_man/erm/PD20040036.shtml, accessed on 31st October 2011.

O'Brien, J. A. (1996). Management information systems: Managing information technology in the networked enterprise. Boston: McGraw-Hill.

Osei-Bryson, K.-M. & Ngwenyama, O. K. (2006). Managing risks in information systems outsourcing: An approach to analyzing outsourcing risks and structuring incentive contracts. European Journal of Operational Research, 174, pp.245–264.

Raftery, J. (1994). Risk analysis in project management. E & FN Spon, London.

Ramanujan, S. & Jane, S. (2006). A legal perspective on outsourcing and offshoring. Journal of American Academy of Business, 8(2).

Rao, M. (2004). Key issues for global IT sourcing: country and individual factors. EDPACS, 32(4), pp.1-12.

Wei, J., O'Connell, J. & Loho-Noya, M. (2010). Information Technology Offshore Outsourcing Security Risks and Safeguards. Journal of Information Privacy & Security, 6(3), pp.29-46.

Systems, 36,4.

pp.211–221.

pp.32–41.

Publications, London.

project management (APM).

risk factors. Omega, 33, pp.175 – 187

Information Systems, 36(4), pp.9-28.

Boran, S., (2003). IT security cookbook. Boran Consulting.

outsourcing risk factors. Omega, 33, pp.175 – 187.

CPR'06, April 13–15, 2006, Claremont, California, USA.

Information Technology and Management, 6, pp.203–225.

the Malaysian commercial banking industry. Unpublished doctoral dissertation,

Information Security Awareness in Malaysia Public University. Proceedings in International Conference on Innovation and Management (IAM2011), Kuala

healthcare sector agencies: Grounding an ITO relationship model using qualitative approach. Unpublished doctoral dissertation. International Islamic University

Outsourcing Risk Management. The DATA BASE for Advances in Information

and agency theory-based perspective. Journal of Information Technology, 18,

Technology Outsourcing Risk Management. The DATA BASE for Advances in

management practices in IS outsourcing:an investigation into commercial banks in

Decisions of Interconnected Information Technologies, Proceedings of SIGMIS-

Management Perspective on Risk of Security Threats to Information Systems.

**7. References** 


https://www.det.nsw.edu.au/policies/general\_man/erm/PD20040036.shtml accessed on 31st October 2011.


**14** 

## **Enterprise Cyber Risk Management**

Patrick L. Brockett, Linda L. Golden and Whitley Wolman *University of Texas at Austin USA* 

#### **1. Introduction**

318 Risk Management for the Future – Theory and Cases


Cyber risk represents an ever-growing threat to public and private institutions alike due to its potentially disastrous effects on organizational information systems, reputational risk, and potential loss of consumer and stakeholder confidence. With the advent of the Internet and the corresponding proliferation of information technology, firms, non-profits, and governmental entities were generally unprepared for identifying and addressing this risk, but the threat has increased in both frequency and severity over time, and the nature of attacks has also changed. In many early cases, the perpetrators of cyber attacks and information disruption campaigns interrupted business operations simply for their own amusement, or viewed breaking into the corporate information technology (IT) infrastructure as a challenge. They would deface websites or take down servers in order to aggravate, or simply to challenge other cyber professionals and prove they could do it, not to profit (Hallam-Baker, 2008). However, as the Internet has grown and e-commerce has blossomed, employee access to company data has increased, and remote access to internal computer systems has become commonplace, cyber attackers have evolved, becoming more sophisticated and their effects more devastating (Rhemann, 2011). Current cyber threats and attackers are increasingly focused on profiting from the consequences of their attack actions, and either exploit the data they illicitly obtain for private gain or require payments from the victimized enterprise to restore service, access, or websites back to operational functionality (Maillart & Sornette, 2010).

The focus of this chapter will be on enterprise cyber risk management and risk mitigation (as opposed to individual consumer cyber risk, an extensive connected topic which is of interest in its own right but not addressed here). In this chapter we will investigate cyber risk of importance to enterprises, including information theft, compromise of consumer information, and the interruption of e-commerce. This chapter will focus on several important aspects of cyber risk and how these affect the economics and security of organizations. Cyber risk is unique among other operational enterprise risks due to its mobile location, scope of threat, and high-profile impact. With the proliferation of business services, systems, and data accessible via the Internet, cyber threats to enterprises (public and private) have grown immensely. Furthermore, companies have now realized that they run the risk of creating liabilities from any cyber event that could affect related services and products (e.g., the theft of email addresses from Epsilon in April 2011 also affected customers of numerous other businesses, such as Hilton Hotels, Citibank, etc., and has cast reputational risk not only on the original company but also on its clients, and has created increased potential legal liability as well).


The ripple effect that cyber attacks can engender can influence suppliers, end users, and the organization itself, and could even have the potential to destabilize large swaths of the economy if the target of the cyber attacks were systemically important (such as a systemically important financial institution, a utility operator, a water treatment facility, a transportation network, etc.). Additionally, cyber espionage techniques are developing rapidly, making enterprise trade secrets also vulnerable to competitor theft.

As with many other hazards faced by businesses, insurance companies who specialize in risk assumption and risk pooling saw a potential financial opportunity in filling the cyber risk hazard management needs of enterprises by providing insurance policies designed to protect or indemnify against the financial consequences of these Internet-related threats. Several insurance companies have started to offer connectivity-related policies that cover cyber information and security breaches. Early on, as the insurers tentatively waded into this new market, it was difficult to generate data on electronic losses. Although Internet-related insurance coverage is still in its infancy (as compared to other insurance classes), insurance companies over the past few years have now improved their ability to more accurately price policies and predict potential losses. These companies, including AIG, Chubb, Fidelity, Marsh, and Lloyds of London, have written policies that can hedge or transfer varying aspects of cyberspace risk (Gordon *et al.*, 2003). Further aspects of cyber-related insurance will be discussed in detail later in this chapter.

The chapter starts with a general discussion of cyber risk threats to organizations including trends and costs. These threats will be dichotomized into those cyber risk threats that arise internal to the organization (e.g., employee cyber-based financial theft, employee data theft, identity theft using internal company data, etc.), and those risks that arise external to the organization (e.g., hackers stealing data, money or trade secrets, or adversaries shutting down or disabling internal information technology, vulnerability of IT systems to external power surges, blackouts, etc.). Next in the chapter we shall discuss emerging cyber risk threats and trends, with particular attention to the risk consequences of the emerging trend of organizations and individuals to use wireless mobile technology (smart phones, iPads, etc.) to conduct business to business transactions, access enterprise networks, do banking, and accomplish retail consumer purchases.

Having identified these major cyber risks, in this chapter we subsequently investigate the underlying economic considerations (and theory) related to cyber risk, including the extent to which these threat costs are internalized in stock prices and who bears the costs for such risks. One of the most important risk financing mechanisms utilized by enterprises for all the risks they face is insurance risk transfer. This is true, to a more limited degree, of cyber risks as well. Consequently, after discussing the economic aspects of cyber threats, we next discuss cyber risk insurance, its availability, coverage and the economic issues related to cyber risk insurance such as moral hazard/adverse selection and issues concerning systemic risk causing correlation in the insurer's portfolio, such as the dominant use of particular software by multiple users (e.g., Microsoft Windows, Adobe Reader) so that hackers exploiting vulnerabilities in a single software product can cause losses for numerous insured clients. This reduces the risk pooling and diversification benefits that insurers depend upon when pricing their products (i.e., their estimates of aggregate loss probabilities based on independent loss occurrences may differ substantially from those actually experienced when risks are highly correlated). The chapter concludes with comments about future trends and research.

#### **2. Cyber risk threats**


The cyber risk threat to enterprises is large and growing (Hallam-Baker, 2008; Rhemann, 2011). The Federal Bureau of Investigation (FBI) in the USA, universities, and other research organizations have delved deeply into the issues surrounding cyber security as a threat to public governments as well as private corporations. A 2002 Computer Security Institute/FBI joint study on cyber risk found that 90 percent of respondents had detected computer breaches within the past year, with an average loss of over \$2M per organization (Power, 2002). In the then relatively new age of information technology and the Internet, most companies were not adequately prepared to face these types of costly losses. By 2008, however, the Computer Security Institute/FBI study found that the average loss had decreased to approximately \$300,000, suggesting that companies and the security software they use have become more sophisticated in an effort to deal with the increasing threat of criminal cyber activity (Computer Security Institute, 2008). The 2008 CSI/FBI survey also found that companies significantly boosted their internal budgets associated with cyber security, which further implies that companies are spending more money, time, and manpower to mitigate these risks (Computer Security Institute, 2008). Cyber threats can shut down power grids, steal information and intellectual property, uncover competitors' bids, and disable web sites needed for business activity, causing substantial financial harm to unprepared enterprises. Accordingly, it is likely that companies will need to continue to focus on these cyber risk security issues as hackers continue to get more sophisticated, causing more losses to business, on-line services, and operations, and especially as companies become more dependent on the Internet for e-commerce, mobile (or m-) commerce, or simply for daily operations, administration, and field contact with employees.

As the proliferation of information technology, the increasing facilitation of remote access to enterprise computers, and the corresponding risk of cyber threats have increased, so too has the attention paid to these issues. When focusing on these threat issues, for this chapter it is useful to broadly dichotomize cyber risk into 1) cyber risks that arise internal to the organization and 2) those that arise external to the organization. While certain risk mitigation techniques are common to both sources of cyber risk threats (e.g., securing and password protection of sensitive information or technology, segmentation of information and its access within an organization, etc.), other techniques are more appropriate for one risk source rather than the other. The threats that each source of risk poses can be different and may often require different approaches. Moreover, as developing nations fight for parity with the more developed countries in terms of electronic Internet access and technological and industrial development, firms, non-profits and governmental entities and institutions are likely to see an increase in cyber threats from these sources outside the control or jurisdiction of the enterprise's host country. We shall discuss each risk source in turn.

#### **2.1 Internal cyber risk threats**

Ironically, a very high risk of cyber crimes comes from within rather than outside the organization. While an employee can be a company's greatest asset, employees are constantly exposed to vast amounts of confidential information and are, by necessity, trusted with proprietary company information, inventory and property. Sometimes the temptation for individual gain can be too great. Or, an employee who spent time developing the important proprietary company information can feel they have a right to this company

Enterprise Cyber Risk Management 323

Another fanciful name for a different, serious cyber theft risk is "pod-slurping". This involves using an iPod or MP3 type player to rapidly steal gigabytes of information from an enterprise's computer system (Giannoulis 2011). iPods are widely used by employees and often played (with approval) while attached to enterprise or office computers. However, they also can be used to download massive amounts of confidential company information. According to Mello (2005), a 2004 research report on security risks (conducted by Gartner technology research and advisory company) stated that portable devices posed serious threats for companies, and this report inspired a security engineer named Abe Usher to write a "proof of concept" program called "slurp.exe" that allows an iPod or other removable device to be used to "suck" 100 MB worth of data from the Windows "Documents and Settings" directory in a matter of minutes (Giannoulis 2011). Mello (2005) reports that Usher wrote in his blog (www.sharp-ideas.net) "Using slurp.exe on my iPod, it took me 65 seconds to copy all document files (\*.doc, \*.xls, \*.htm, \*.url, \*.xml, \*.txt, etc.) off of my computer as a logged in user. Without a username and password, I was able to use a boot CD-ROM to bypass the login password and copy the document files from my hard drive to my iPod in about 3 minutes, 15 seconds." While this "proof of concept" program illustrates the potential for data theft using these devices (virtually the entire set of business records of a small to medium sized company could be downloaded in minutes), there is also empirical evidence of its actual use. In 2005 a Chinese spy sought asylum from the Australian security forces saying that over a period of several months he had stolen confidential data using his MP3 player (Hughes & Allard 2005). Also, there have been

several court cases involving using such devices to steal confidential company data.

Identification theft (ID-theft) is another well publicized cyber risk vulnerability of enterprises, from both internal and external sources. Employees (and successful external hackers) can obtain access to customer records such as names, phone numbers, addresses, usernames, passwords and PINs, credit card and other account numbers, as well as Social Security numbers (Miller 2008). This information can then be sold on the Internet or used by the intruder him/herself to commit identity fraud (or for blackmail or extortion purposes to the enterprise via threatening data exposure). For example, when an employee, in the normal course of business, gains access to credit card numbers they may be tempted to use this information to make purchases or obtain other lines of credit for their own benefit (Stroup 2011). The risk is not small. According to the identity theft research center (ITRC 2011), in 2011 there have been a total of 112 breaches and 5,460,925 records exposed, as of April 5, 2011. Moreover, using data from various sources such as social media sites (Facebook, etc.) the identity thief can gather sufficient information to match data records allowing them to break password cryptology security, obtain credit card numbers and make purchases using another's identity or credit cards. As a concrete illustration of the above mentioned internal cyber risk threat, we relate that in January 2009, Johns Hopkins University began receiving reports of identity theft activities in the Baltimore area surrounding their University (McMillan 2009). Ultimately, Johns Hopkins Hospital ended up having to warn over 10,000 patients about a woman that worked for the hospital who had access to Social Security numbers, names, addresses, dates of birth, telephone numbers, parents' names, and medical insurance information and who had used this information to commit fraud. 
Yet another example of this internal source of cyber risk is a Wells Fargo Bank employee (Roberta Dunsworth) convicted in federal court for identity fraud. She was charged on December 1, 2010 with ten counts of bank fraud, two counts of aggravated

intelligence as a result of their time spent in research and development, product development, or technology transfer activities. Consequently, a company can be exposed to data or intellectual property theft from within rather than without.

Data theft is the term used when information is illegally copied or taken from a business or other individual. Employee theft of data, formulae, and process information can compromise the enterprise as readily as an external data theft attack, however because of their privileged position, the employee has more ability to act as the perpetrator since they already have trusted permission or password admittance into the cyber system of the enterprise for legitimate reasons, a permission that they may then turn against their employer. In fact, the FBI reports that employee theft is the fastest growing crime in America. The US Chamber of Commerce estimates about 75 percent of employees steal from their employer, with approximately 30 percent of corporate bankruptcies being the direct result of employee theft. The majority of involved individuals are higher level employees, and, on average, the time until discovery is approximately 18 months, giving substantial time for financial damage (Burke & Cooper 2010 p.433). Enterprises must be as vigilant against internal cyber threats as they are to external threats.

Removable media devices are the number one internal cyber security threat vehicle. Research conducted by Centennial Software in May 2007 found IT managers believe removable media devices now pose a larger security threat than either malware or viruses. In this 2007 survey quoted in Feig (2007), 38.4 percent of more than 370 respondents listed portable devices as their number one risk, up from the 25.7 percent in 2006. Due to this reality, in "IT Acceptability Policies" manuals, more organizations are now including security considerations of removable media devices in their risk management endeavors. Eighty percent of respondents reported that their organizations now dictate protocols for unauthorized use of removable media devices, with some prohibiting their use entirely. Other enterprises have modified their IT systems to either disable the USB ports or have installed software to prohibit downloading or uploading data without authorization via USB ports. The survey also found that 67 percent of IT staff use some form of removable media device on a daily basis and that the most popular type of device (65 percent) is the USB flash drive (Feig 2007). Nevertheless, despite the low cost, ease of use, ready availability to employees, and small size of USB devices, these devices were only used in 9 percent of data theft cases (Patel & Mischon De Reya 2011). Other larger, more sophisticated or faster devices are now also being used, such as iPods and MP-3 players.

Colorful names are often given by security professionals to the ingenious use of removable media drives for data theft. "Thumbsucking", for example, is the name given to data theft using a USB mass storage device, such as a USB flash (or thumb) drive, to download confidential network information, literally "sucking" the data out of the network and onto the USB drive (Walsh 2011). This type of internal data theft threat has increased over the years. Whereas a previous limitation to the use of USB flash (or thumb) drives was one of memory space on the USB drive, this has been largely removed with modern USB drives. Price constraints have also been significantly alleviated on USB flash drives. Moreover, flash drives are highly portable, compact, easily concealed, and installation does not require the user to restart the computer system, making them a cheap and convenient tool for cyber theft (Walsh 2011).


Another fanciful name for a different, serious cyber theft risk is "pod-slurping". This involves using an iPod or MP3 type player to rapidly steal gigabytes of information from an enterprise's computer system (Giannoulis 2011). iPods are widely used by employees and often played (with approval) while attached to enterprise or office computers. However, they also can be used to download massive amounts of confidential company information. According to Mello (2005), a 2004 research report on security risks (conducted by Gartner technology research and advisory company) stated that portable devices posed serious threats for companies, and this report inspired a security engineer named Abe Usher to write a "proof of concept" program called "slurp.exe" that allows an iPod or other removable device to be used to "suck" 100 MB worth of data from the Windows "Documents and Settings" directory in a matter of minutes (Giannoulis 2011). 
Mello (2005) reports that Usher wrote in his blog (www.sharp-ideas.net) "Using slurp.exe on my iPod, it took me 65 seconds to copy all document files (\*.doc, \*.xls, \*.htm, \*.url, \*.xml, \*.txt, etc.) off of my computer as a logged in user. Without a username and password, I was able to use a boot CD-ROM to bypass the login password and copy the document files from my hard drive to my iPod in about 3 minutes, 15 seconds." While this "proof of concept" program illustrates the potential for data theft using these devices (virtually the entire set of business records of a small to medium sized company could be downloaded in minutes), there is also empirical evidence of its actual use. In 2005 a Chinese spy sought asylum from the Australian security forces saying that over a period of several months he had stolen confidential data using his MP3 player (Hughes & Allard 2005). Also, there have been several court cases involving using such devices to steal confidential company data.
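The removable-media exposure described in the preceding paragraphs (a whole document tree copied to a thumb drive or music player in minutes) is something an enterprise can watch for on the endpoint rather than only forbid in a policy manual. The Python script below is an added example for this chapter, not code from the authors or from any product or report the chapter cites. It assumes a simple key=value endpoint audit log format, a corporate allow-list of drive serial numbers, and a "100 MB within two minutes" threshold; all of these, and the sample log lines, are constructed for illustration. It raises one alert when a drive that is not on the allow-list is mounted, and another when writes to a removable volume exceed the volume or file-count threshold within a sliding time window.

```python
"""Detect bulk copying to removable media ("thumbsucking" / "pod-slurping")
in endpoint audit logs. Added illustrative example; log format is assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines for this example; the key=value format is an
# assumption made here, not the output of any particular product.
SAMPLE_LOG = """\
2011-04-05T09:12:01 host=ws-17 user=jdoe event=usb_mount serial=SN-APPROVED-01 mount=E:
2011-04-05T09:12:40 host=ws-17 user=jdoe event=file_write dest=E: path=budget.xls bytes=120000
2011-04-05T09:13:02 host=ws-17 user=jdoe event=file_write dest=E: path=notes.txt bytes=2000
2011-04-05T10:30:00 host=ws-22 user=asmith event=usb_mount serial=SN-UNKNOWN-77 mount=F:
2011-04-05T10:30:05 host=ws-22 user=asmith event=file_write dest=F: path=q1.doc bytes=4000000
2011-04-05T10:30:09 host=ws-22 user=asmith event=file_write dest=F: path=q2.doc bytes=5000000
2011-04-05T10:30:14 host=ws-22 user=asmith event=file_write dest=F: path=customers.xls bytes=90000000
2011-04-05T10:30:20 host=ws-22 user=asmith event=file_write dest=F: path=plans.xml bytes=8000000
2011-04-05T10:31:00 host=ws-22 user=asmith event=file_write dest=F: path=misc.txt bytes=1000
2011-04-05T11:00:00 host=ws-05 user=bwong event=file_write dest=C: path=local.iso bytes=500000000
"""

APPROVED_SERIALS = {"SN-APPROVED-01"}   # corporate-issued drives (constructed value)
WINDOW = timedelta(minutes=2)            # sliding window for the volume check
BYTES_THRESHOLD = 100_000_000            # 100 MB to removable media within WINDOW
FILES_THRESHOLD = 50                     # or this many files within WINDOW


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed datetime."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(log_text, approved=APPROVED_SERIALS, window=WINDOW,
           bytes_threshold=BYTES_THRESHOLD, files_threshold=FILES_THRESHOLD):
    """Return a list of (alert_type, user, host, detail) tuples in log order."""
    alerts = []
    removable = defaultdict(set)   # (host, user) -> drive letters mounted from USB
    writes = defaultdict(deque)    # (host, user) -> recent (ts, bytes) writes to those drives
    bulk_alerted = set()           # alert once per (host, user) per run
    for line in log_text.splitlines():
        rec = parse_line(line)
        key = (rec["host"], rec["user"])
        if rec["event"] == "usb_mount":
            removable[key].add(rec["mount"])
            if rec["serial"] not in approved:
                alerts.append(("unapproved_device", rec["user"], rec["host"], rec["serial"]))
        elif rec["event"] == "file_write" and rec["dest"] in removable[key]:
            recent = writes[key]
            recent.append((rec["ts"], int(rec["bytes"])))
            # Drop writes that fell out of the sliding window.
            while recent and rec["ts"] - recent[0][0] > window:
                recent.popleft()
            total = sum(size for _, size in recent)
            if key not in bulk_alerted and (total >= bytes_threshold
                                            or len(recent) >= files_threshold):
                bulk_alerted.add(key)
                alerts.append(("bulk_copy", rec["user"], rec["host"], total))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run stand-alone, the script reports two alerts for the constructed log: the unapproved device mounted on ws-22 and the 107 MB copied to it within twenty seconds. The 500 MB written to the local disk on ws-05 is ignored because C: was never mounted as a removable volume. In practice the allow-list and thresholds would come from the acceptable-use policy the survey respondents describe, and the alerts would be written to the user-access log that the chapter later recommends every enterprise maintain.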

Identity theft (ID theft) is another well-publicized cyber risk vulnerability of enterprises, from both internal and external sources. Employees (and successful external hackers) can obtain access to customer records such as names, phone numbers, addresses, usernames, passwords and PINs, credit card and other account numbers, as well as Social Security numbers (Miller 2008). This information can then be sold on the Internet or used by the intruder to commit identity fraud (or to blackmail or extort the enterprise by threatening data exposure). For example, when an employee, in the normal course of business, gains access to credit card numbers, they may be tempted to use this information to make purchases or obtain other lines of credit for their own benefit (Stroup 2011). The risk is not small. According to the identity theft research center (ITRC 2011), in 2011 there have been a total of 112 breaches and 5,460,925 records exposed, as of April 5, 2011. Moreover, using data from various sources such as social media sites (Facebook, etc.), the identity thief can gather sufficient information to match data records, allowing them to defeat password security, obtain credit card numbers and make purchases using another's identity or credit cards. As a concrete illustration of the above-mentioned internal cyber risk threat, we relate that in January 2009, Johns Hopkins University began receiving reports of identity theft activities in the Baltimore area surrounding the University (McMillan 2009). Ultimately, Johns Hopkins Hospital ended up having to warn over 10,000 patients about a woman who worked for the hospital, who had access to Social Security numbers, names, addresses, dates of birth, telephone numbers, parents' names, and medical insurance information, and who had used this information to commit fraud. 
Yet another example of this internal source of cyber risk is a Wells Fargo Bank employee (Roberta Dunsworth) convicted in federal court for identity fraud. She was charged on December 1, 2010 with ten counts of bank fraud, two counts of aggravated identity theft, and two counts of fraudulent use of unauthorized access devices. Her fraudulent activities occurred while employed at the Wells Fargo Bank, where she used the identity of a bank customer to obtain a credit card and a debit card and to open bank accounts (Admin 2011). Such employee-related cyber risks can pose great financial as well as legal problems for employers if not adequately addressed preemptively.

An important internal covariate of internally perpetrated cyber risk is having disgruntled employees. These individuals may be motivated by revenge and will attempt to sabotage or destroy enterprise software or databases, thus depriving the enterprise of its property or costing the enterprise money. This more malevolent form of cyber risk should be addressed proactively by implementing a well-designed corporate security initiative that includes policies such as changing passwords prior to the termination of employees with Internet access to enterprise computers and enforcing robust password strength requirements. Maintaining a log of user access to all corporate systems can be a preventative measure against cyber crime as well.
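The three controls named in the paragraph above (credential changes tied to termination, password strength requirements, and a log of user access) are only useful if someone checks them. The Python script below is an added example, not code from the chapter's authors; it assumes a constructed HR roster, a constructed table of shared service accounts with their last password-rotation date, and a constructed access log in a key=value format. It reports logins (successful or not) by accounts whose employment has ended, shared credentials that a departed employee knew and that were not rotated on or after their last day, and candidate passwords that fail a minimum strength policy. The roster, account names, dates and policy parameters are all illustrative assumptions.

```python
"""Audit access logs and credential state against an HR roster (offboarding
controls). Added illustrative example; data format and policy are assumed."""
from datetime import datetime
import re

# Constructed data for this example (not from any real enterprise).
# "terminated" is the employee's last day; None means still employed.
ROSTER = {
    "jdoe":   {"terminated": None,         "shared_accounts": ["svc-backup"]},
    "asmith": {"terminated": "2011-03-31", "shared_accounts": ["svc-backup", "svc-reports"]},
    "bwong":  {"terminated": "2011-02-15", "shared_accounts": []},
}
SHARED_ACCOUNTS = {
    "svc-backup":  {"last_rotated": "2011-03-15"},  # rotated before asmith left: stale
    "svc-reports": {"last_rotated": "2011-04-01"},  # rotated after asmith left: fine
}
ACCESS_LOG = """\
2011-04-02T08:00:00 user=asmith system=erp result=success
2011-04-02T08:05:00 user=jdoe system=erp result=success
2011-04-03T23:10:00 user=bwong system=vpn result=failure
2011-04-03T23:11:00 user=svc-backup system=fileserver result=success
"""


def _day(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def audit_access(log_text, roster=ROSTER):
    """Flag any access attempt by an account after the employee's last day.
    Failed attempts are reported too: a terminated account should not exist."""
    findings = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        rec = dict(field.split("=", 1) for field in fields)
        entry = roster.get(rec["user"])
        if entry is None:            # service accounts are not in the HR roster
            continue
        last_day = entry["terminated"]
        if last_day and datetime.fromisoformat(ts).date() > _day(last_day):
            findings.append(("access_after_termination", rec["user"],
                             rec["system"], rec["result"]))
    return findings


def audit_shared_credentials(roster=ROSTER, shared=SHARED_ACCOUNTS):
    """Shared credentials known to a departed employee must have been rotated
    on or after that employee's last day."""
    findings = []
    for user, entry in roster.items():
        if not entry["terminated"]:
            continue
        for account in entry["shared_accounts"]:
            if _day(shared[account]["last_rotated"]) < _day(entry["terminated"]):
                findings.append(("shared_password_not_rotated", account, user))
    return findings


def meets_password_policy(password, username, min_length=12):
    """Minimum strength policy (assumed): length, four character classes,
    and the username must not appear inside the password."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return (len(password) >= min_length
            and all(re.search(pattern, password) for pattern in classes)
            and username.lower() not in password.lower())


if __name__ == "__main__":
    for finding in audit_access(ACCESS_LOG) + audit_shared_credentials():
        print(finding)
    print(meets_password_policy("Winter2011", "jdoe"))
```

Against the constructed data the audit finds a successful ERP login by asmith two days after her last day, a failed VPN attempt by bwong six weeks after his, and the svc-backup password that asmith still knows; svc-reports is clean because it was rotated after she left. The password check rejects a short seasonal password and one that embeds the username, which is the kind of weakness the "robust password strength requirements" in the paragraph are meant to rule out.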

Internal data theft could also involve the employee as a victim of data theft. For example, New York Police Department employees became data theft victims in early 2009, when the personal records of approximately 80,000 police officers in a pension fund were stolen when an employee gained entry into a disaster recovery facility in Staten Island (InfoSecurity 2009). Similarly, in 2006 the McCombs School of Business at the University of Texas at Austin experienced a data breach with more than 197,000 personal records of faculty, staff, students, alumni and donors stolen. These examples illustrate the complex nature of cyber crime where inside intrusions include multiple types of data breaches such as customer data, employee data, and sensitive corporate data. Additionally, external components also may impact cyber security risk. We discuss the external components of cyber risk next.

#### **2.2 External cyber risk threats**

As developing nations fight for parity with the United States or other developed nations, American and other enterprises are likely to see an increase in targeted cyber attacks attempting to access their secret information or competitive knowledge (e.g., stealing competitive bids for strategic purposes). However, the risk from cyber threats goes beyond even the private sector into the public and governmental sectors. In 2010, President Obama declared threats to cyber-security a national security issue identifying "America's digital infrastructure [as] a 'strategic national asset' and [appointing] Howard Schmidt, the former head of security at Microsoft, as his cyber-security tsar" (The White House, 2010). In 2010, the President also directed the Pentagon to establish the U.S. military's Cyber Command to utilize a "full-spectrum" of operations in cyberspace (Economist, 2010). Additionally, the White House has directed several studies and initiated a national cyberspace strategy which stipulates the scope, process and development for using cyberspace (The White House, 2010).

The above pronouncement provides a further illustration of how flash drives, discussed previously as a threat in the internal risk section, can also pose cyber risk threats externally, even to the most secured enterprises. Flatley (2010) relates how an infected USB thumb drive was placed by a foreign intelligence agency in the parking lot of a Department of Defense facility in the Middle East. As might be expected by human nature, the person who found it put it in their computer. The computer was connected to the US Central Command and, according to Deputy Defense Secretary William J. Lynn in *Foreign Affairs*, the malware that was embedded on the device was able to spread and pass "undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control." The same could occur with corporate or other enterprise computers, as it exploits the natural human curiosity that would occur if one were to find a "lost" flash drive. It was the above incident that, in part, motivated the White House to establish a Cyber Command. Corporations should also take note.

There also have been well-reported cases of cyber espionage by Chinese and Russian sources that have infected military networks and corporate networks alike. Certain elements in China have targeted military networks in order to gain access to military secrets and information on U.S. operations. Experts are unclear about whether the attackers are officially sanctioned by the Chinese government, but their locations have been traced back to mainland China.

National Journal reported,

…Brenner, who works for Director of National Intelligence Mike McConnell, looks for vulnerabilities in the government's information networks. He pointed to China as a source of attacks against U.S. interests. 'Some [attacks], we have high confidence, are coming from government-sponsored sites,' Brenner said. 'The Chinese operate both through government agencies, as we do, but they also operate through sponsoring other organizations that are engaging in this kind of international hacking, whether or not under specific direction. It's a kind of cyber-militia.… It's coming in volumes that are just staggering' (Harris, 2008).

Cyber threats from Russia tend to come from organized crime groups that prey on unsuspecting websites or servers and even demand a ransom in order to restore functionality. Russian attackers have also sought to influence political movements through coordinated denial of service attacks that hinder political organizations. In a Wired magazine article, Don Jackson of Internet security firm SecureWorks is quoted as saying:

"… the denial-of-service attacks managed to shut down more than 80 percent of Kyrgyzstan's bandwidth. While both sites now seem to be up and running, several commentators have speculated that the attack is meant to thwart Kyrgyzstan's embattled political opposition — which depends on the Internet to organize — or to pressure Kyrgyzstan's government, which hosts a U.S. airbase outside of the capital, Bishkek" (Hodge, 2009).

Another example of governments using cyber tactics to control political events was the recent revolution in Egypt in spring 2011. The Mubarak regime in Egypt essentially "pulled the plug" on the Internet throughout Egypt to control protests and political gatherings. If the Internet can be shut down, or severely disrupted, then most enterprises throughout the entire country will be put at risk. Proactive data back-up, record keeping, and other plans must be made to mitigate this damage should such an event occur.

Identity and personal information theft discussed previously from an internal risk perspective is also a substantial risk from external sources, and poses a growing cyber threat

Enterprise Cyber Risk Management 327

There are, however, important distinctions between the risks associated with mobile Internet access and more familiar e-commerce or cyber risks. There are unique business challenges, cyber threats and data theft vulnerabilities embedded in this new modality. Mobile Internet connectivity uses a different communication channel (wireless) making business interface transactions more accessible at more times and places but also a different physical mode of communication than e-commerce. Due to the mobility of the communication, an interface between the accessing and accessed devises is more anonymous, making it more difficult to validate a transaction, and making it more difficult to secure the Internet transmission (eavesdropping on wireless communications is relatively easy if one is motivated to do so). Thefts are also more difficult to trace back to the

The Brookings Institution report "Online Identity and Consumer Trust: Assessing Online Risk" summarizes the difference in the physical characteristics of cyber risk and how those

Mobile communication differs in the types of devices used, the development languages, communication protocols, and even the technologies used (Coursaris and Hassanein 2002). These differences make mobile communication subject to new threats. A mobile business operating system provides the infrastructure for running smart phone applications and mobile access to company computers but, according to (Ghosh and Swaminatha 2001), the platforms and languages being developed for wireless devices have failed to utilize even the basic security concepts already present in hardwired desktops. Without a secure infrastructure for mobile devices, achieving secure mobile Internet communication or secure employee to employer communication may not be possible. Additionally, the nature of the software applications developed for mobile devices are important to overall security since logical flaws or oversights in these applications can present exploitable security loopholes allowing a point of entry by the malicious hacker, and consequently making enterprises (and individual mobile communication device users) vulnerable. Unfortunately, the devices' physical limitations often force application developers to make security and performance trade-offs. Limited power, processing cycles, memory, and bandwidth can force developers to give up security features like encryption in order to improve online performance (Ghosh and Swaminatha., 2001). The use of lower-level languages for phone communication development, as well as their often lacking built in non-

moderately sophisticated computer user (Friedman *et al*., 2011).

functional security requirements ensures continuation of software vulnerabilities.

When communicating via a wireline, it is intuitive to most that the data traffic is leaving the computer through a data cord to an interface that connects with the Internet Service Provider…. It is quite difficult for a typical cyber criminal to intercept data … that he had not physically tapped. The same cannot be said of wireless network communications. Malicious actors can learn a great deal from unencrypted Wi-Fi links in their vicinity. …if the wireless connection is not itself encrypted using a modern standard …, then any nearby attacker can listen to all unencrypted traffic traveling between the computer and the wireless router. The data are being broadcast to the surrounding area by both the computer and the router in the same way that noise from a conversation is vulnerable to eavesdroppers. Thus, information that is not encrypted at the end points of the transaction can be intercepted. Tools to capture this traffic and reassemble the data packets into web pages are widely available, and usable to any

perpetrator.

threats affect users:

to consumers and retailers using Internet technology. As recently as April 2011, computer database breaches affected millions of people. Epsilon, an online marketer, announced to customers that its email database had been hacked and intruders took millions of email addresses (Spicer & Aspan, 2011). The resulting damage not only affects the online marketer, but also the companies it services and the end users of their services. In the end, costs could grow into the millions if the company is found liable for negligence.

The Brookings Institution recently released a paper discussing the perils of identity theft and the need for consumer trust in online commerce (Friedman *et al.,* 2011). With the growth of social networking, online retail sites, and business services utilizing cyberspace, personal identity protection will continue to play a key role in the future of information technology development. Increasingly, a person's identity is used as the key to unlock various online portals of information, including secured corporate and governmental websites. Social security and bank account numbers are needed for online account creation, as well as government services. The potential for theft and fraud is greatly increased by the numbers of online users and the amount of information stored in electronic databases. Similarly, it is noted that users tend to use the same passwords for multiple Internet accounts, which could cause the risk to spread to other unsuspecting companies. Furthermore, websites are collecting larger amounts of data through "history sniffing" and the identities created from user-specific plug-ins (Friedman *et al*., 2011). This may be especially problematic because using smart phones to conduct business, (mcommerce) is substantially less secure, with employees possibly storing passwords and account numbers on the smart phones, and because smart phones (possibly containing account information and passwords) are lost or stolen at an alarming rate (Brockett *et al* 2011)

Whereas the traditional cyber risk threats discussed previously can be construed as exacerbated extensions of already existing risk control problems (physical risk perimeter securitization, employee theft risk control, corporate spying and intellectual property theft, etc.), the newly developing wireless or mobile technology is creating new (as opposed to merely enhanced) enterprise risk vulnerabilities that need enterprise wide attention. This is discussed in the next section.

#### **3. Emerging cyber risk threats: Mobile Internet access, spear phishing and pharming**

The ability to conduct business wirelessly (known as mobile or m-commerce) is revolutionary and growing in importance. Twenty two percent of consumers in 2010 used smart phones for price checking, 21 percent for doing product research, and 13 percent for making purchases using their phones (Schwartz, 2010), and enterprises including governmental entities, are changing web representations to accommodate this new interface modality. Reportedly 74 percent of online businesses have a mobile commerce strategy in place or are developing one (Marcus 2010 quoting a study by the National Retail Federation). Of those retailers not already involved in mobile commerce, one quarter say that they intend to begin within the next year (Siwicki 2010). Traveling sales people often access corporate data remotely using mobile smart devices, often smart phones, so the newly evolving wireless security risk is important to all enterprises.


There are, however, important distinctions between the risks associated with mobile Internet access and more familiar e-commerce or cyber risks. There are unique business challenges, cyber threats and data theft vulnerabilities embedded in this new modality. Mobile Internet connectivity uses a different communication channel (wireless), making business interface transactions more accessible at more times and places, but also a different physical mode of communication than e-commerce. Due to the mobility of the communication, an interface between the accessing and accessed devices is more anonymous, making it more difficult to validate a transaction, and making it more difficult to secure the Internet transmission (eavesdropping on wireless communications is relatively easy if one is motivated to do so). Thefts are also more difficult to trace back to the perpetrator.

The Brookings Institution report "Online Identity and Consumer Trust: Assessing Online Risk" summarizes the difference in the physical characteristics of cyber risk and how those threats affect users:

When communicating via a wireline, it is intuitive to most that the data traffic is leaving the computer through a data cord to an interface that connects with the Internet Service Provider…. It is quite difficult for a typical cyber criminal to intercept data … that he had not physically tapped. The same cannot be said of wireless network communications. Malicious actors can learn a great deal from unencrypted Wi-Fi links in their vicinity. …if the wireless connection is not itself encrypted using a modern standard …, then any nearby attacker can listen to all unencrypted traffic traveling between the computer and the wireless router. The data are being broadcast to the surrounding area by both the computer and the router in the same way that noise from a conversation is vulnerable to eavesdroppers. Thus, information that is not encrypted at the end points of the transaction can be intercepted. Tools to capture this traffic and reassemble the data packets into web pages are widely available, and usable to any moderately sophisticated computer user (Friedman *et al*., 2011).

Mobile communication differs in the types of devices used, the development languages, communication protocols, and even the technologies used (Coursaris and Hassanein 2002). These differences make mobile communication subject to new threats. A mobile business operating system provides the infrastructure for running smart phone applications and mobile access to company computers but, according to Ghosh and Swaminatha (2001), the platforms and languages being developed for wireless devices have failed to utilize even the basic security concepts already present in hardwired desktops. Without a secure infrastructure for mobile devices, achieving secure mobile Internet communication or secure employee-to-employer communication may not be possible. Additionally, the nature of the software applications developed for mobile devices is important to overall security, since logical flaws or oversights in these applications can present exploitable security loopholes allowing a point of entry by the malicious hacker, and consequently making enterprises (and individual mobile communication device users) vulnerable. Unfortunately, the devices' physical limitations often force application developers to make security and performance trade-offs. Limited power, processing cycles, memory, and bandwidth can force developers to give up security features like encryption in order to improve online performance (Ghosh and Swaminatha, 2001). The use of lower-level languages for phone communication development, together with the frequent absence of built-in non-functional security requirements, ensures the continuation of software vulnerabilities.

Enterprise Cyber Risk Management 329


With mobile devices, there is also the potential to remotely access data on "always on" mobile phones, including passwords, contact lists and other information. The phone hacking scandal involving News International's paper *News of the World*, a subsidiary of Rupert Murdoch's international News Corporation organization in the UK in 2011, illustrates that this threat is real. These news organizations hacked into the voice mail of such well protected people as members of the Royal Family. They also allegedly hacked into the phones of a murdered English schoolgirl, relatives of British soldiers who had died, and even some of the victims of the terrorist bombings in London on 7/7/2005. The police have a list of approximately 4,000 people they are contacting who may have been hacked, including celebrities, politicians, and sports stars (BBC 2011). This can be a substantial concern for commercial enterprises as well, since executives and sales persons use their mobile phones for negotiations, contract bids, and other purposes requiring secrecy.

Given their size and portability, phones are also at risk of physical theft and loss, with an estimated two million phones lost or stolen each year (Siciliano, 2011b). Some of the data stored on such devices may be proprietary business data, and, additionally, there is an increased risk that someone who finds or intentionally steals these smart phones can use the stolen device to access internal corporate systems, including servers and file systems, using passwords stored on the smart phone. An estimated 52 percent of smart phone users store passwords on their phones, and 87.5 million people do banking using their phones (Siciliano 2011a). Moreover, since most people (even employees with secured access) do not use PIN codes to lock their cell phones, and since most people use the same password for multiple "secured" sites, a great vulnerability is created by mobile access that is not present in otherwise Internet accessible enterprises. One problem with current mobile phones is that there is no readily available mechanism to authenticate that a particular user belongs to the phone being used (Ghosh and Swaminatha, 2001), so access to an employee's phone may open the entire enterprise to potential cyber risk.

Two other emerging cyber threats are spear phishing and pharming. Phishing occurs when a potential thief sends emails to people which masquerade as a legitimate request from the organization whose letterhead and logo they have hijacked. They ask the recipient to click on a link to supply information (account number, password, social security number, etc.) in order to verify some aspect of their account. The link (as well as the email) is phony, and once the recipient puts in their information, it is captured and used for accessing bank accounts, credit cards, identity theft, or downloading malware which can take over the computer remotely to access all information on the individual's computer (such as other passwords or corporate information). Spear phishing is a refinement which is even more difficult to counter. Using some inside information gathered by other means (e.g., hacking a corporation's computer, social media sites, etc.) they do a controlled and targeted phishing expedition rather than simply sending random emails. Using information particularly relevant to this well defined smaller group of people they construct an email which is more specific and has an enhanced air of being a legitimate request by a supervisor or trusted superior (often it is designed to come from a higher-up in the organization so compliance is enhanced). Again, if any one of the many targeted individuals within the company responds and logs on, security is breached and computer programs can be downloaded that allow full access to company computers for espionage purposes, identity theft, malicious destruction of data, extortion, or financial thievery (FBI 2009).

Pharming is the name given to a different type of technique used to direct the unsuspecting victim to a malicious website where malware can be downloaded or passwords and account numbers can be harvested in bulk. Unlike phishing, where individual phishing lines (emails) are set out to catch fish, in pharming a network node is hijacked and all traffic going through this node which thinks it is going, for example, to CibiBank.com will instead be directed to another website controlled by the criminal. Essentially the criminal harvests multiple users' information at once, and need never even contact the user or need the user to respond to an email. The way it works is this. On the Internet, website addresses are a sequence of numbers representing the site (e.g., 123.456.7.8 might represent the web site for XYZCompany.com). There is a translation mechanism built into DNS servers that converts the words we write (say XYZCompany.com) into the numeric address of the web site we want to access (123.456.7.8). A pharmer hacks into the DNS server and changes the translation book so that when you (or anyone else using this server) type in XYZCompany.com, it automatically sends the communication to another site (say 987.654.3.2) instead of the real site (123.456.7.8). As the phony site looks the same as the original, the unsuspecting user logs in without knowing that their account information and password are compromised. Malware can be downloaded onto the requesting computer, compromising many business activities and trade secrets (Norton 2011). Companies involved in Internet commerce have major concerns with pharming and the consequent fraud as their clients get scammed. Online banking sites are particularly sensitive to this threat. Moreover, adware and spyware removal software and antivirus software are ineffective in protecting against this threat, since the hijacking occurs on the DNS server, away from the requesting or responding computers, and hence is not detected by either side of the hijacked transaction. With the growth of wireless routers (both in businesses and homes) and in public access wifi availability, the potential to hijack data and transactions in mass quantities via pharming is an increasing threat that requires very specific anti-pharming defenses by the enterprises involved.
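One of the "very specific anti-pharming defenses" an enterprise can run is a resolver audit: compare the answers clients actually receive with those of an independent resolver and with the address ranges the organisation has published for its own sites. The following is an added example, not code from the chapter; the hostnames, the two resolver tables (one with an altered "translation book") and the address ranges are all constructed, using reserved documentation addresses.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed "translation books" (hostname -> address) for two resolvers.
# The corporate resolver has had one entry changed, as in the pharming case
# described in the text; the independent resolver still holds the real answer.
TAMPERED_RESOLVER: Dict[str, str] = {
    "www.xyzcompany.example": "198.51.100.7",   # attacker-controlled (constructed)
    "mail.xyzcompany.example": "203.0.113.10",
}
INDEPENDENT_RESOLVER: Dict[str, str] = {
    "www.xyzcompany.example": "203.0.113.5",    # legitimate (constructed)
    "mail.xyzcompany.example": "203.0.113.10",
}
# Address ranges the organisation publishes for its own services (constructed).
KNOWN_GOOD_RANGES: Dict[str, List[str]] = {
    "www.xyzcompany.example": ["203.0.113.0/24"],
    "mail.xyzcompany.example": ["203.0.113.0/24"],
}


@dataclass
class Finding:
    host: str
    local_answer: Optional[str]
    reference_answer: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def check_host(host: str, local: Dict[str, str], reference: Dict[str, str],
               allowed_ranges: Dict[str, List[str]]) -> Finding:
    """Compare the answer from the resolver clients use (local) with an
    independent resolver (reference) and with the published address ranges.
    A disagreement, or an address outside the published ranges, is flagged."""
    local_ip = local.get(host)
    ref_ip = reference.get(host)
    finding = Finding(host, local_ip, ref_ip)
    if local_ip is None:
        finding.reasons.append("no answer from local resolver")
        return finding
    if ref_ip is not None and local_ip != ref_ip:
        finding.reasons.append(
            f"resolver mismatch: local={local_ip} reference={ref_ip}")
    nets = [ipaddress.ip_network(n) for n in allowed_ranges.get(host, [])]
    if nets and not any(ipaddress.ip_address(local_ip) in n for n in nets):
        finding.reasons.append(
            f"{local_ip} is outside published ranges {allowed_ranges[host]}")
    return finding


def audit(hosts: List[str], local: Dict[str, str], reference: Dict[str, str],
          allowed_ranges: Dict[str, List[str]]) -> List[Finding]:
    """Run the check over every host and return only the suspicious findings."""
    findings = []
    for host in hosts:
        finding = check_host(host, local, reference, allowed_ranges)
        if finding.suspicious:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(list(KNOWN_GOOD_RANGES), TAMPERED_RESOLVER,
                   INDEPENDENT_RESOLVER, KNOWN_GOOD_RANGES):
        print(f"{f.host}: " + "; ".join(f.reasons))
```

Note that this catches the altered DNS answer itself; end-to-end TLS with certificate validation is the complementary control that makes the phony site fail to impersonate the real one even when the answer is wrong.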

Having delineated important cyber risks we now turn to an investigation of the financial and economic consequences of such risks. In many ways the development of the Internet (and the consequent development of cyber risk threats) has been generated by economic considerations. Mobile Internet devices are rapidly replacing hard-wired desktop computers as the Internet devices of choice, and the economics of this transition is impactful. Additionally, economic theory can alert us to possible ways of handling cyber risk problems, such as the economic research into moral hazard associated with "free goods" or public goods. We shall next discuss the economic aspects of cyber risks.

#### **4. The economics of cyber risk**

Motivated by efficient market theory, Garg *et al*. (2003) used event study methodology to indirectly measure the economic impact of Internet security breaches on the stock prices of breached firms (and also on Internet security providers). According to the efficient market hypothesis, all information about past and future events within a company (or industry) should be reflected in the stock price, which itself reflects investors' beliefs about future cash flows to investors. A security breach can cause a rethinking about future vulnerability as well as future legal risk, and hence reflect a market assessment of the impact on cash flows different from the reported financial loss (which may be biased or underreported).
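The event-study measurement that Garg *et al*. are described as using, worked through as an added example (not the chapter's or the authors' data): a market model is fitted to the breached firm's returns before the announcement, the difference between actual and predicted returns over the event window is the abnormal return, and the cumulative abnormal return times market capitalisation gives the market-assessed loss. All return series, the market capitalisation and the reported breach cost are constructed.

```python
from statistics import mean
from typing import Dict, List, Tuple

# Constructed daily returns. In the estimation window the firm's returns follow
# the market model exactly (alpha = 0.001, beta = 1.2), so the fitted
# parameters can be checked by hand.
EST_MARKET = [0.01, -0.02, 0.015, 0.005, -0.01, 0.02, 0.0, -0.005, 0.012, -0.008]
TRUE_ALPHA, TRUE_BETA = 0.001, 1.2
EST_FIRM = [TRUE_ALPHA + TRUE_BETA * m for m in EST_MARKET]

# Event window: the three trading days starting with the breach announcement.
EVENT_MARKET = [0.004, -0.002, 0.003]
EVENT_FIRM = [-0.03, -0.012, 0.002]

MARKET_CAP = 500e6      # constructed pre-event market capitalisation (dollars)
REPORTED_COST = 1.5e6   # constructed loss figure the firm itself disclosed


def fit_market_model(firm: List[float], market: List[float]) -> Tuple[float, float]:
    """OLS fit of R_firm = alpha + beta * R_market over the estimation window."""
    mm, mf = mean(market), mean(firm)
    var_m = sum((m - mm) ** 2 for m in market)
    cov = sum((m - mm) * (r - mf) for m, r in zip(market, firm))
    beta = cov / var_m
    alpha = mf - beta * mm
    return alpha, beta


def abnormal_returns(firm: List[float], market: List[float],
                     alpha: float, beta: float) -> List[float]:
    """Actual return minus the return the market model predicted for that day."""
    return [r - (alpha + beta * m) for r, m in zip(firm, market)]


def event_study(est_firm: List[float], est_market: List[float],
                ev_firm: List[float], ev_market: List[float],
                market_cap: float, reported_cost: float) -> Dict[str, object]:
    """Cumulative abnormal return (CAR) over the event window and the loss in
    firm value it implies, compared with what the firm reported."""
    alpha, beta = fit_market_model(est_firm, est_market)
    ars = abnormal_returns(ev_firm, ev_market, alpha, beta)
    car = sum(ars)
    implied_loss = -car * market_cap
    return {
        "alpha": alpha,
        "beta": beta,
        "ar": ars,
        "car": car,
        "implied_loss": implied_loss,
        "multiple_of_reported": implied_loss / reported_cost,
    }


if __name__ == "__main__":
    result = event_study(EST_FIRM, EST_MARKET, EVENT_FIRM, EVENT_MARKET,
                         MARKET_CAP, REPORTED_COST)
    print(f"alpha={result['alpha']:.4f} beta={result['beta']:.3f}")
    print(f"CAR={result['car']:.4f} implied loss=${result['implied_loss']:,.0f} "
          f"({result['multiple_of_reported']:.1f}x the reported cost)")
```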


choose between a blanket coverage policy and a more expensive, yet highly customized

Anderson and Moore (2006) argue that cyber insurance is extremely difficult to price given the interconnectedness of the information security infrastructure and the interdependence on one piece of popular software (i.e. Microsoft Windows) whereby a general vulnerability in one product may expose every firm using that software to cyber threats (Anderson and Moore, 2006). Accordingly, an insurer insuring company X for cyber risk is also insuring against another company Y (e.g. Microsoft) who is not a client, and is not paying premiums, having created an exposure to cyber risk. Why should the insurance company pay for damages caused by another firm that infected or caused the infection of the covered firm? It seems that the law of large numbers which is often used to justify insurance company coverage could be defeated by the breadth and scope of the damages (and correlated risks of other insured companies using the same software) thus leading to the insurer's inability to pay claims and insolvency. If one flaw in a very common software system affects millions of users and propagates through several firms, the insurer might have difficulty paying all the resulting correlated damages for the sustained losses. It seems here that the network effect, typically lauded in economics, would have detrimental effects on the insured and insurers alike as it defeats the "independent identically distributed" (or at least uncorrelated) assumption which underlies insurance risk pooling and the general benefits of diversification. As our global interconnectedness grows, we must monitor the potential

ripple effects that common interconnectedness can leverage on the global economy.

asymmetry, and correlations continue to influence the insurance market.

Firms have increasingly externalized the financial consequences of cyber risk by purchasing insurance to transfer that risk outside the company. Initially, insurance companies, given their lack of experience and practice associated with cyber risk insurance, have offered smaller coverage policies and packages. As firms and insurance companies develop more sophisticated analysis of cyber threats, the market for cyber insurance will likely grow. Indeed, many firms are pushing for the development of new markets and products with information security growth as a potential target (Gordon *et. al.*, 2003). As mentioned previously, several aspects of cyber-related insurance including pricing, information

Traditionally, insurance premiums for commercial general liability are based on a firm's general features such as industry area, sales revenues, number of employees, and other similar characteristics (Baranoff *et al*., 2010). Consequently, premiums typically do not reflect the firm's security activities, whether good or bad (Schwartz *et. al.*, 2010). If firms were more likely to demonstrate strict security practices, cyber risk coverage related premiums could be lowered, similar to the effect that a built-in safe or fire sprinkler system would have on a homeowner's policy, or a theft security system for an automobile would have on automobile insurance. For that reason, insurance companies find it necessary to separately assess and monitor these security precautions in order to verify the strength and

Gordon, *et. al*. (2003) discuss their research on three aspects of cyber risk insurance including policy coverage pricing, adverse selection, and moral hazard. Since pricing depends heavily on actuarial estimates and historical data, pricing policies for Internetrelated coverage are more uncertain than conventional insurance where data on claims have

policy tailored to their business needs.

level of protection.

Consequently, they reason, by looking at the abnormal (negative) return of a breached company's stock price, they can get an exogenous estimate of the permanent market assessed financial effect of the breach, different from the stated breach cost information. Moreover, such actual breach cost information, they argue, is not generally available to the market. Expenditures (and capability) in IT are not often reported. Also, most firms tend to underreport negative information containing security breach events simply because there is no incentive to correctly volunteer this information. Companies prefer not to seem vulnerable to their customers and competitors or to other potential predators. Why would these firms give an edge to the competition or a green flag to the cyber criminal if they do not have to? Additionally, in the age of management by stock price, firms also withhold this information to avoid lowering the price of the company's stock and falling out of favor with investors (Garg *et al*., 2003). Another reason for not releasing such information, of course, is pride. No one likes to have their shortcomings and failures broadcast to the media. Once the breach is public, markets can react, and their reaction reflects the decreased valuation of the enterprise. Using their event study methodology applied to 22 cyber security breach events Garg, et al (2003) found the lasting effects on stock prices of security breaches is an order of magnitude larger than other reported loss costs (\$17-28 million as opposed to other reported estimates of \$50K to \$2 million per incident). Thus, the economic effects on breached firms are quite significant.

Economists have also used other microeconomics tools in order to price in certain aspects of information security. Bohme (2005) argues that insecure software technologies such as public access wi-fi availability in some cities are economically underpriced by the market due to costs of their negative externalities not being valued. Thus, public access wi-fi are similar to a public good since insecure nodes not only affect their own systems but those systems and users that are connected to it. This enables viruses and other attacks to proliferate much faster and more freely than other physical attacks. Since responsibility for preventing the attack is uncertain, no one user has an incentive to spend heavily on securing one's own infrastructure (Bohme, 2005) which would also benefit others. Consequently, Internet users are unlikely to procure expensive protection software that protects the next user. This implies that the incentives are misaligned and showcases the risks of these interdependent information networks. Economic theory suggests that the bearer of risk should be the entity that has best control of the risk. In the case of cyber risk, this is often the manufacturer of the devices used (smart phones, for example) and the provider of the free wi-fi. Regulators and governments can assist in this endeavor.

Having investigated the economic aspects of cyber risk, it is natural next to turn to the most common financial mechanism available for indemnifying enterprises against the potentially disastrous financial consequences of a successful cyber crime perpetrated against the enterprise. This mechanism is insurance, and the next section discusses the growing area of cyber risk insurance.

#### **5. Cyber risk insurance**

Once companies evaluate their current conventional insurance coverage, many firms then evaluate and purchase Internet and information security insurance to cover their specific insurable cyber risks. Along with determining their budgets for cyber insurance, firms must

Consequently, they reason, by looking at the abnormal (negative) return of a breached company's stock price, they can get an exogenous estimate of the permanent, market-assessed financial effect of the breach, distinct from the stated breach cost information. Moreover, such actual breach cost information, they argue, is not generally available to the market. Expenditures (and capability) in IT are not often reported. Also, most firms tend to under-report negative information about security breach events simply because there is no incentive to volunteer it. Companies prefer not to seem vulnerable to their customers and competitors or to other potential predators. Why would these firms give an edge to the competition, or a green flag to the cyber criminal, if they do not have to? Additionally, in the age of management by stock price, firms also withhold this information to avoid lowering the price of the company's stock and falling out of favor with investors (Garg *et al*., 2003). Another reason for not releasing such information, of course, is pride. No one likes to have their shortcomings and failures broadcast to the media. Once the breach is public, markets can react, and their reaction reflects the decreased valuation of the enterprise. Applying their event-study methodology to 22 cyber security breach events, Garg *et al*. (2003) found that the lasting effect of a security breach on stock price is an order of magnitude larger than other reported loss costs (\$17-28 million per incident, as opposed to other reported estimates of \$50K to \$2 million). Thus, the economic effects on breached firms are quite significant.

Economists have also used other microeconomic tools to price in certain aspects of information security. Bohme (2005) argues that insecure technologies such as the public-access wi-fi available in some cities are economically underpriced by the market because the costs of their negative externalities are not valued. Public-access wi-fi thus resembles a public good: insecure nodes affect not only their own systems but also the systems and users connected to them. This enables viruses and other attacks to proliferate much faster and more freely than physical attacks. Since responsibility for preventing the attack is uncertain, no single user has an incentive to spend heavily on securing their own infrastructure (Bohme, 2005), even though doing so would also benefit others. Consequently, Internet users are unlikely to procure expensive protection software that protects the next user. This implies that incentives are misaligned and showcases the risks of interdependent information networks. Economic theory suggests that the bearer of a risk should be the entity that has the best control over it. In the case of cyber risk, this is often the manufacturer of the devices used (smart phones, for example) and the provider of the free wi-fi. Regulators and governments can assist in this endeavor.

Having investigated the economic aspects of cyber risk, it is natural to turn next to the most common financial mechanism available for indemnifying enterprises against the potentially disastrous financial consequences of a successful cyber crime perpetrated against the enterprise. This mechanism is insurance, and the next section discusses the growing area of cyber risk insurance.

#### **5. Cyber risk insurance**

Once companies have evaluated their current conventional insurance coverage, many then evaluate and purchase Internet and information security insurance to cover their specific insurable cyber risks. Along with determining their budgets for cyber insurance, firms must choose between a blanket coverage policy and a more expensive, yet highly customized, policy tailored to their business needs.

Anderson and Moore (2006) argue that cyber insurance is extremely difficult to price given the interconnectedness of the information security infrastructure and the shared dependence on a single piece of popular software (e.g. Microsoft Windows), whereby a general vulnerability in one product may expose every firm using that software to cyber threats. Accordingly, an insurer insuring company X for cyber risk is also insuring against another company Y (e.g. Microsoft), which is not a client and pays no premiums, having created an exposure to cyber risk. Why should the insurance company pay for damages caused by another firm that infected, or caused the infection of, the covered firm? The law of large numbers that is often used to justify insurance coverage could be defeated by the breadth and scope of the damages (and the correlated risks of other insured companies using the same software), leading to the insurer's inability to pay claims, and to insolvency. If one flaw in a very common software system affects millions of users and propagates through several firms, the insurer might have difficulty paying all the resulting correlated damages. Here the network effect, typically lauded in economics, would harm insured and insurers alike, because it defeats the "independent identically distributed" (or at least uncorrelated) assumption which underlies insurance risk pooling and the general benefits of diversification. As our global interconnectedness grows, we must monitor the potential ripple effects that common interconnectedness can exert on the global economy.
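The correlation argument above can be made concrete with a short calculation, added here as an illustration (it is not from the chapter) and assuming $n$ pooled policies with losses $L_i$ of equal variance $\sigma^2$ and a common pairwise correlation $\rho$:

$$
\mathrm{Var}\Big(\sum_{i=1}^{n} L_i\Big) = n\sigma^2 + n(n-1)\rho\sigma^2,
\qquad
\sigma_{\bar L} = \frac{1}{n}\sqrt{\mathrm{Var}\Big(\sum_{i=1}^{n} L_i\Big)} = \sigma\sqrt{\frac{1}{n} + \frac{n-1}{n}\rho}.
$$

When $\rho = 0$ the per-policy standard deviation $\sigma_{\bar L}$ falls like $1/\sqrt{n}$ and pooling works as the law of large numbers promises. When every policyholder runs the same vulnerable software, $\rho > 0$ and $\sigma_{\bar L} \to \sigma\sqrt{\rho}$ as $n \to \infty$: adding policies never removes that floor, which is the insolvency exposure the paragraph describes.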

Firms have increasingly externalized the financial consequences of cyber risk by purchasing insurance to transfer that risk outside the company. Initially, insurance companies, given their lack of experience with cyber risk insurance, offered smaller coverage policies and packages. As firms and insurance companies develop more sophisticated analyses of cyber threats, the market for cyber insurance will likely grow. Indeed, many firms are pushing for the development of new markets and products, with information security as a potential growth target (Gordon *et al*., 2003). As mentioned previously, several aspects of cyber-related insurance, including pricing, information asymmetry, and correlation, continue to shape the insurance market.

Traditionally, premiums for commercial general liability insurance are based on a firm's general features such as industry, sales revenue, number of employees, and similar characteristics (Baranoff *et al*., 2010). Consequently, premiums typically do not reflect the firm's security activities, whether good or bad (Schwartz *et al*., 2010). If firms could demonstrate strict security practices, cyber risk premiums could be lowered, much as a built-in safe or fire sprinkler system lowers a homeowner's premium, or an anti-theft system lowers automobile insurance. For that reason, insurance companies find it necessary to separately assess and monitor these security precautions in order to verify the strength and level of protection.

Gordon *et al*. (2003) discuss their research on three aspects of cyber risk insurance: policy coverage pricing, adverse selection, and moral hazard. Since pricing depends heavily on actuarial estimates and historical data, pricing policies for Internet-related coverage is more uncertain than for conventional insurance, where data on claims have been gathered by firms such as the Insurance Services Office (ISO) and where coverages are more standardized (and the risks do not change over time), making actuarial loss estimates more credible. Nonetheless, some insurance firms have established policies and quantified this difficult-to-assess risk (although critics argue over the accuracy of their projections). Gordon *et al*. (2003) also discuss adverse selection for firms in terms of their "likelihood of a breach." If a firm has a higher likelihood of facing cyber threats, that firm may have an increased likelihood of purchasing insurance to transfer this risk, similar to a smoker or someone in poor health who buys more health insurance because they know they have a higher than average (for their risk pool) chance of loss but are being charged the average risk pool premium. When someone else is paying part of the risk cost, it is economically rational to buy more insurance. Insurance companies can mitigate the adverse selection described above by requiring a security audit of the firm. They might also be able to differentiate premiums based on a firm's current security profile (creating a separating equilibrium solution to the adverse selection problem).

Moral hazard is another economic problem that occurs with cyber insurance products. Moral hazard occurs when the actions the firm takes are different simply because they have insurance indemnification. Why spend money on cyber security when losses are (in large part) indemnified by the insurer and hence shared by the risk pool ex ante, but premium savings are entirely captured by the owners? Gordon *et al*. (2003) argue that the moral hazard problem faced by insurance companies offering cyber risk policies could be eased by offering premium reductions to firms that take appropriate security measures on their own. The firm should be given financial incentives that influence its decisions to mitigate the risk on its own (similar to what occurs in workers compensation and other insurance). The firm's expense on risk reducing processes and behavior would help the firm mitigate cyber risk and would potentially reduce the impact of a cyber event, thus lowering premiums. Additionally, deductibles, policy limits, and coinsurance are standard tools used by insurance companies when information asymmetry is present (Schwartz *et al*., 2010). This puts a higher financial burden on the insured party to mitigate the effects of adverse selection resulting from information asymmetry, and inaction caused by the insurer being unable to adequately monitor behavior (moral hazard).

Cyber insurance coverage typically involves both first party and third party coverage for potential damages from Internet-related activities. Retail names in the cyber insurance market include Chubb's Cyber Security, Lloyd's e-Comprehensive, and Marsh's NetSecure. As described previously, however, insurance companies are often reluctant to underwrite large amounts of damages due to the relative newness of this specific type of insurance, the degree to which the insured controls the frequency and severity of losses, and the lack of well-verified loss data upon which to make actuarial estimates (as well as the potential size of the risk and its correlation with other risks). Lloyd's of London, however, offers a \$50,000,000 limit under its e-Comprehensive policy and will write a custom policy for up to \$200,000,000 (Gordon *et al*., 2003). As more actuarial and damages data become available and cyber risk protection protocols become more standardized, it is likely that firms will be able to compete more broadly on coverage and premiums.


In all risk situations, even potentially catastrophic scenarios, the best (and most cost-effective) approach is to act to avoid the risk (risk prevention) or to reduce its consequences (risk mitigation) before the risk has materialized and potentially ruinous losses have been incurred. Risk-mitigation and risk-prevention techniques can strengthen an enterprise's defenses and lower the cyber risk insurance premiums it pays to be indemnified after a loss event. In the next two sections, we discuss several risk prevention and risk mitigation methods for cyber risks.

#### **6. Cyber threat risk prevention techniques**

The adage "An ounce of prevention is worth a pound of cure" is especially true when dealing with cyber threats. If, for example, an enterprise's financial transaction over the Internet is hijacked and funds or information are stolen, it may be quite some time (if ever) before the theft is noticed. Additionally, it is likely that the proceeds will never be recovered and the thieves never apprehended (Clarke, 2008). It is much better to prevent the theft or cyber crime in the first place. The first line of defense is a good suite of security software (anti-spyware, adware detection, malware and antivirus protection) obtained from a reputable vendor. Automatic updates together with automated routine scans of the system are also a must, and software patches should be installed as soon as they are available, since a known but unpatched vulnerability is the easiest way in. It is also good business practice to seek advice from advisors: cyber risk insurers, lawyers, accountants, and risk managers. For example, the cyber risk insurer Crum and Forster provides a private web portal that gives its clients technical resources geared toward preventing both network and private cyber losses, and provides recovery support if a cyber loss should occur (Insurance Journal, 2011).

Concerning internal cyber theft of money, there are fundamental sound practices enterprises should follow to reduce the cyber risk associated with financial accounts, including password-protecting access to checking accounts, accounts receivable checks, vendor and payroll checks, and credit card receipts. Since many cyber breaches go undetected for long periods of time, there are additional procedures that can prevent ongoing cyber theft, including separating the duty of writing checks from that of reconciling the checking accounts, and performing unannounced periodic audits of accounts payable and checks paid. Above a certain amount, the enterprise should also require two signatures on checks, and it should set spending limits on employee credit cards. This prevents (or mitigates) large losses if a cyber thief enters the system, because checks or fund transfers cannot then be made routinely in secrecy by a single party. Similar controls should protect intellectual property and valuable information such as databases: restricting access, requiring verification to obtain copies, and keeping an automated log of who has accessed a particular record or data set. Commercial and non-profit enterprises do not have the same legal protection against cyber theft from bank accounts that individuals do (the bank must reimburse the individual but not the company), so proactive diligence is especially warranted for transactions involving financial transfers over the Internet (Johnson 2011). While cyber theft insurance can provide a loss control mechanism against such risks, it will generally be subject to a deductible and hence still leaves some loss potential for the enterprise.
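The dual-signature, segregation-of-duties and access-logging controls just described can be enforced in software rather than left to procedure. The following Go program is an added example written for this page; it is not code from the chapter or from any product it names. The payment IDs, user names, the \$10,000 dual-approval threshold and the log line format are constructed assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Payment is an outgoing transfer waiting to be released. IDs, names and
// amounts used with it in this example are constructed, not real data.
type Payment struct {
	ID        string
	Requester string   // who prepared the payment
	Amount    float64
	Approvals []string // distinct user IDs that have approved it so far
}

// Policy holds the assumed control parameters: transfers above
// DualApprovalAbove need two signatures instead of one.
type Policy struct {
	DualApprovalAbove float64
}

var (
	ErrSelfApproval  = errors.New("requester may not approve their own payment")
	ErrDuplicateVote = errors.New("approver has already approved this payment")
)

// Approve records one approval, enforcing segregation of duties: the
// preparer can never approve, and one person cannot count twice.
func (p *Policy) Approve(pay *Payment, approver string) error {
	if approver == pay.Requester {
		return ErrSelfApproval
	}
	for _, a := range pay.Approvals {
		if a == approver {
			return ErrDuplicateVote
		}
	}
	pay.Approvals = append(pay.Approvals, approver)
	return nil
}

// Releasable reports whether the payment has the number of distinct
// approvals the policy requires for its amount.
func (p *Policy) Releasable(pay *Payment) bool {
	need := 1
	if pay.Amount > p.DualApprovalAbove {
		need = 2
	}
	return len(pay.Approvals) >= need
}

// AuditLog is an append-only record of who did what to which record. Each
// entry's hash covers the previous hash, so editing or deleting an earlier
// line is detectable by anyone holding the final hash.
type AuditLog struct {
	entries []string
	hashes  []string
}

func chain(prev, entry string) string {
	sum := sha256.Sum256([]byte(prev + "\n" + entry))
	return hex.EncodeToString(sum[:])
}

// Append records that actor performed action on target at time at.
func (l *AuditLog) Append(actor, action, target string, at time.Time) {
	prev := ""
	if n := len(l.hashes); n > 0 {
		prev = l.hashes[n-1]
	}
	entry := fmt.Sprintf("%s %s %s %s", at.UTC().Format(time.RFC3339), actor, action, target)
	l.entries = append(l.entries, entry)
	l.hashes = append(l.hashes, chain(prev, entry))
}

// Verify recomputes the chain and returns the index of the first entry whose
// stored hash no longer matches, or -1 if the log is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, entry := range l.entries {
		h := chain(prev, entry)
		if h != l.hashes[i] {
			return i
		}
		prev = h
	}
	return -1
}

func main() {
	pol := &Policy{DualApprovalAbove: 10000}
	pay := &Payment{ID: "PAY-1001", Requester: "alice", Amount: 25000}
	var audit AuditLog
	for _, who := range []string{"alice", "bob", "bob", "carol"} {
		if err := pol.Approve(pay, who); err != nil {
			fmt.Printf("%s: rejected (%v)\n", who, err)
			continue
		}
		audit.Append(who, "approve", pay.ID, time.Now())
		fmt.Printf("%s: approved; releasable=%v\n", who, pol.Releasable(pay))
	}
	fmt.Println("audit log intact:", audit.Verify() == -1)
}
```

The hash chain only makes tampering detectable, not impossible: the final hash must be copied somewhere the people who write the log cannot modify (a separate auditor's system, for instance), otherwise an insider can rewrite the whole chain.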

Additionally, many instances of internal cyber (or just plain employee) theft could have been avoided had employees, prospective employees (and even board members and trustees) undergone a criminal background check. Unwillingness to agree to such checks should be a red flag. It may also be worthwhile to have employees (regardless of their tenure) undergo a criminal background and credit check every five years or so, especially if they have access to financial accounts or check-signing authority. As mentioned previously, disgruntled employees should be particularly scrutinized if they have access to sensitive information. According to the 2012 Global State of Information Security Survey by PricewaterhouseCoopers (PwC 2012), 15 percent of respondents (from over 9,600 CEOs, CFOs, CISOs, CIOs, CSOs, VPs and directors of IT and information security in 138 countries) strongly agreed that the risks to company data had increased due to employee layoffs.

Additional prevention measures include encrypting signals at both ends of the communication channel, and requiring a higher level of identity authentication before allowing entry into systems where a breach would cause information loss. Some banks, for example, require a second verification step on every login: the individual is sent a text or e-mail message containing a one-time code, which must be entered along with the password. For this to be effective the code must be short-lived, usable only once, limited in the number of guesses allowed, and compared in a way that does not leak how many digits matched. Similar methods can prevent many forms of unauthorized access into enterprise computer systems, and thus prevent losses before they occur.
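The server side of the one-time-code step described above, as an added example written for this page (it is not the chapter's code nor any bank's implementation). The server key, the five-minute lifetime, the three-attempt limit, the six-digit code length and the in-memory store are all assumptions made for the example; the delivery of the code by text or e-mail is left to the caller.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// challenge is what the server keeps between sending a code and the user
// entering it. The code itself is never stored, only an HMAC of it.
type challenge struct {
	mac      []byte
	expires  time.Time
	attempts int
}

// Verifier issues and checks one-time codes. The server key, TTL and attempt
// limit are assumed values for this example, not a real deployment's settings.
type Verifier struct {
	serverKey   []byte
	TTL         time.Duration
	MaxAttempts int
	pending     map[string]*challenge // keyed by user ID
}

func NewVerifier(serverKey []byte) *Verifier {
	return &Verifier{
		serverKey:   serverKey,
		TTL:         5 * time.Minute,
		MaxAttempts: 3,
		pending:     map[string]*challenge{},
	}
}

// tag binds a code to a user so a code issued to one user cannot be replayed
// against another.
func (v *Verifier) tag(user, code string) []byte {
	m := hmac.New(sha256.New, v.serverKey)
	m.Write([]byte(user + ":" + code))
	return m.Sum(nil)
}

// Issue creates a fresh six-digit code from crypto/rand and returns it; the
// caller would send it to the user by text message or e-mail.
func (v *Verifier) Issue(user string, now time.Time) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	v.pending[user] = &challenge{mac: v.tag(user, code), expires: now.Add(v.TTL)}
	return code, nil
}

var (
	ErrNoChallenge = errors.New("no outstanding code for this user")
	ErrExpired     = errors.New("code has expired")
	ErrLockedOut   = errors.New("too many wrong attempts; request a new code")
	ErrMismatch    = errors.New("wrong code")
)

// Check verifies the code the user typed after the password already passed.
// It enforces expiry, an attempt limit, a constant-time comparison and single
// use: a code that verified once is discarded.
func (v *Verifier) Check(user, submitted string, now time.Time) error {
	c, ok := v.pending[user]
	if !ok {
		return ErrNoChallenge
	}
	if now.After(c.expires) {
		delete(v.pending, user)
		return ErrExpired
	}
	if c.attempts >= v.MaxAttempts {
		delete(v.pending, user)
		return ErrLockedOut
	}
	c.attempts++
	if subtle.ConstantTimeCompare(v.tag(user, submitted), c.mac) != 1 {
		return ErrMismatch
	}
	delete(v.pending, user)
	return nil
}

func main() {
	v := NewVerifier([]byte("example-server-key")) // assumed key, not a real secret
	now := time.Now()
	code, _ := v.Issue("jsmith", now)
	wrong := "000000"
	if code == wrong {
		wrong = "000001"
	}
	fmt.Println("sent code:", code)
	fmt.Println("wrong code:", v.Check("jsmith", wrong, now))
	fmt.Println("right code:", v.Check("jsmith", code, now))
	fmt.Println("replayed code:", v.Check("jsmith", code, now))
}
```

A six-digit code has only a million values, which is why the attempt limit matters as much as the randomness: without it an attacker who has already stolen the password simply enumerates the codes.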

#### **7. Cyber risk mitigation techniques**

While not all risks can be prevented, their damaging effects can be mitigated by judicious planning. Typically, firms looking to counter their cyber risk use risk management frameworks and techniques that identify information security vulnerabilities. The first step is a security audit, performed by the firm or a third party, which identifies risks and vulnerabilities within the company's systems. This step usually involves inspecting the physical computing environment for external threats as well as examining electronic networks (including offsite access by employees and customers). Additionally, companies gather information on their current risk profile by interviewing IT managers and determining the financial costs of the risk management process. In many cases, firms take the recommended steps to coordinate their own in-house response, setting up access controls and enabling firewalls, before they consult externally with insurers or security experts (Siegel *et al*., 2002).

A very important risk mitigation technique for enterprises to implement is data encryption: encoding each document so that it cannot be read, even if stolen or intercepted in mobile transmission. Encrypting transmissions and/or stored documents means that what a third party captures from a database or mobile device is useless without the key (Ohlhorst 2010). Encryption does not by itself stop an intrusion, but it limits what a breach yields, provided the keys are kept separate from the data they protect. There are many ways to use encryption: single files can be encrypted, or entire archives. There are several different types of encryption. The two main types are private key cryptography and public key cryptography.

Private key encryption (more commonly called symmetric-key or secret-key encryption) uses a single key for both encryption and decryption, so every party that must read the data has to hold, and protect, that same key. According to Ohlhorst (2010), "Private key algorithms are generally very fast and easily implemented in hardware, so they are commonly used for bulk data encryption." Private key encryption is mainly used for file, directory, and partition encryption where the key is known only to the owner of the data. There are two general categories of private key algorithms: stream ciphers and block ciphers. A stream cipher encrypts the data byte by byte by combining it with a key-dependent keystream, and is commonly used for wireless communications. Block ciphers, by contrast, encrypt one fixed-size block of data at a time (16 bytes for AES) and must be combined with a mode of operation to handle data longer than one block; they are used mainly for bulk data encryption (Ohlhorst 2010). In practice an authenticated mode such as GCM should be preferred, since it also detects any modification of the ciphertext, which plain encryption does not.

Public key cryptography involves the use of two distinct but related keys: a public key and a private key. The public key can be shared with anyone and is used to encrypt data meant for the holder of the private key. The private key must never be shared; it is the only key that can decrypt data encrypted with the corresponding public key, and it can also create digital signatures that anyone holding the public key can verify. Because public key operations are far slower than symmetric ones, in practice the public key is usually used to protect a symmetric key, which then encrypts the bulk of the data. Public key cryptography is primarily used for e-mail messages, file attachments, digital signatures and other transaction-related processes (Ohlhorst 2010).
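The two preceding paragraphs describe private key (symmetric) and public key cryptography separately; the following Go program, added here as an example and not taken from the chapter or from Ohlhorst (2010), shows how the two are combined to protect a document for one recipient. A block cipher (AES-256) in the authenticated GCM mode encrypts the document under a fresh random key, and that key is then wrapped with the recipient's RSA public key using OAEP. The key sizes, the label "doc-42" and the sample document text are choices made for the example; signatures are not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets stored or transmitted: the per-document AES key
// wrapped for the recipient, and nonce||ciphertext||tag from AES-GCM.
type Envelope struct {
	WrappedKey []byte
	Sealed     []byte
	Label      []byte // non-secret context (e.g. a document ID): authenticated, not encrypted
}

// NewRecipientKey generates the recipient's RSA key pair. The private half
// would live only on the recipient's system; bits (2048 below) is assumed.
func NewRecipientKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// SealDocument encrypts plaintext with a fresh random 256-bit AES key in GCM
// mode, then wraps that key with the recipient's RSA public key using OAEP.
// Only the matching private key can recover the AES key, and any change to
// the sealed bytes or the label is detected on opening.
func SealDocument(pub *rsa.PublicKey, plaintext, label []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A GCM nonce must never repeat under one key; a fresh key per document
	// plus a random nonce keeps that guarantee.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, label) // output is nonce||ciphertext||tag
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, label)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Sealed: sealed, Label: label}, nil
}

// OpenDocument reverses SealDocument. It fails closed: a wrong private key,
// a modified ciphertext or a modified label all produce an error, never
// garbled plaintext.
func OpenDocument(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, env.Label)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := env.Sealed[:gcm.NonceSize()], env.Sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, env.Label)
}

func main() {
	priv, err := NewRecipientKey(2048)
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample: Q3 payroll export") // not real data
	env, err := SealDocument(&priv.PublicKey, doc, []byte("doc-42"))
	if err != nil {
		panic(err)
	}
	out, err := OpenDocument(priv, env)
	fmt.Printf("recovered=%q err=%v\n", out, err)
	env.Sealed[len(env.Sealed)-1] ^= 0x01 // flip one bit of the ciphertext
	_, err = OpenDocument(priv, env)
	fmt.Println("after tampering:", err)
}
```

The point the paragraphs make about speed is visible in the structure: RSA touches only the 32-byte key, and the fast symmetric cipher handles the document itself, however large it is.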

Monitoring and detection is also a critical step in limiting cyber risk. Many times firms are unaware of, or respond inadequately to, a breach that could have been thwarted. If threatened firms used up-to-date monitoring and intrusion detection techniques to detect attacks or threats in real time, they would contain far more incidents before losses mount. Security consultants can help both in delineating risk, outlining risk mitigation techniques, assessing the financial consequences of such risks, and performing and monitoring (as the environment is constantly changing) risk audits and assessing cyber vulnerabilities.
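What real-time detection looks like in code, as an added example for this page (not from the chapter or any intrusion detection product): a small Go program that parses authentication log lines and flags a burst of failed logins from one source address, and, more importantly, a successful login that follows such a burst. The log format and every line in it are constructed for the example, and the policy of four failures within sixty seconds is an assumed threshold.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// sampleLog is constructed for this example. Its format is an assumption,
// not a real product's log: "<RFC3339 time> <OK|FAIL> user=<name> src=<ip>".
const sampleLog = `2012-03-01T09:00:01Z FAIL user=jsmith src=203.0.113.7
2012-03-01T09:00:03Z FAIL user=jsmith src=203.0.113.7
2012-03-01T09:00:04Z FAIL user=admin src=203.0.113.7
2012-03-01T09:00:06Z FAIL user=jsmith src=203.0.113.7
2012-03-01T09:00:09Z OK user=jsmith src=203.0.113.7
2012-03-01T09:00:15Z FAIL user=mlee src=198.51.100.9
2012-03-01T09:00:30Z OK user=akhan src=192.0.2.44
2012-03-01T09:01:20Z FAIL user=mlee src=198.51.100.9
2012-03-01T09:01:25Z OK user=mlee src=198.51.100.9`

type LoginEvent struct {
	At   time.Time
	OK   bool
	User string
	Src  string
}

type Alert struct {
	Kind     string // "burst" or "success-after-burst"
	Src      string
	User     string
	Failures int
	At       time.Time
}

// ParseLog turns log text into events, rejecting malformed lines instead of
// silently skipping them: a detector that drops lines is blind to them.
func ParseLog(text string) ([]LoginEvent, error) {
	var events []LoginEvent
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) != 4 || !strings.HasPrefix(f[2], "user=") || !strings.HasPrefix(f[3], "src=") {
			return nil, fmt.Errorf("line %d: malformed: %q", n, sc.Text())
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		events = append(events, LoginEvent{At: at, OK: f[1] == "OK", User: f[2][5:], Src: f[3][4:]})
	}
	return events, sc.Err()
}

// DetectBruteForce keeps, per source address, the failure times inside a
// sliding window. It raises "burst" when the failure count first reaches
// threshold, and "success-after-burst" when a login succeeds while the window
// still holds threshold or more failures: the signal that a guess worked.
func DetectBruteForce(events []LoginEvent, threshold int, window time.Duration) []Alert {
	recent := map[string][]time.Time{}
	var alerts []Alert
	for _, e := range events {
		var kept []time.Time
		for _, t := range recent[e.Src] {
			if e.At.Sub(t) <= window {
				kept = append(kept, t)
			}
		}
		if !e.OK {
			kept = append(kept, e.At)
			if len(kept) == threshold {
				alerts = append(alerts, Alert{Kind: "burst", Src: e.Src, User: e.User, Failures: len(kept), At: e.At})
			}
		} else if len(kept) >= threshold {
			alerts = append(alerts, Alert{Kind: "success-after-burst", Src: e.Src, User: e.User, Failures: len(kept), At: e.At})
		}
		recent[e.Src] = kept
	}
	return alerts
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectBruteForce(events, 4, time.Minute) {
		fmt.Printf("%s %-20s src=%s user=%s failures=%d\n",
			a.At.Format(time.RFC3339), a.Kind, a.Src, a.User, a.Failures)
	}
}
```

On the sample data the two failures from 198.51.100.9 fall outside one window of each other and produce nothing, while 203.0.113.7 triggers both alerts; the second of these is the one worth paging someone for, because it marks an account that is now compromised rather than merely under attack.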

#### **8. Some comments about future trends and research**

Regulation and controls in cyber technology have developed at a much slower pace than actual growth and progress in the technology itself, thereby causing a lag in enforcement and justice. As mentioned previously, many cyber risk threats originate from countries other than the host country, and regulating or enforcing laws against such trans-border criminals can be difficult or even impossible. Governments and international regulatory bodies, such as the United Nations, are now trying to develop stricter regulations in order to deter these types of illicit cross-national cyber risk threat activities. However, until there is broad consensus on enforcement and retribution, companies will be forced to tackle these risks on their own. Any risk manager looking into the future must be able to plan for these unique threats and their growing sophistication. Since the Internet allows potential access from anywhere, firms and governmental enterprises must be prepared to address both internal and external cyber risk threats.

Proactively, regulators and governments can also intervene to help reduce the risk of cyber theft or crime. As mentioned previously, software makers for mobile Internet devices (smart phones, iPads, etc.) currently do not adhere to the security requirements that hardwired, Internet-connected computers use, due to tradeoffs between security on the one hand and storage size and speed of performing tasks on these devices on the other. Security has taken a back seat in this tradeoff, and most users are unaware of it. Regulators can impose standards which make cyber theft via such mobile devices more difficult, and can have mobile Internet device manufacturers make software patches available as vulnerabilities become known. The exact form of such regulations is an important topic for future research.

The rather rapid emergence of the Internet and information technology over the last decade has contributed to more efficient communication, which has allowed companies to reach broader markets in the new global economy. As companies and organizations continue to rely increasingly on cyberspace for communications, on-line services, and electronic databases, and as employees continue their trend toward mobile or remote access to enterprise infrastructure and assets, the importance of mitigating cyber risk for enterprises will continue to rise. Insurers have already begun to offer cyber-related coverage, but what remains to be seen is how effective those policies will be in transferring the risk. Insurers will be concerned about moral hazard problems, wherein an enterprise which has cyber risk insurance takes less protective action because it has insurance and does not bear the entire cost of the risk.

Currently, individual firms are able to mitigate their risks through risk management processes tailored to mitigate or control cyber threats. If firms utilize firewalls, PIN and password access systems, encryption, and secure IDs, they have a greater (but not certain) chance of avoiding a large-scale Internet-related attack and financial losses. As a result of such proactive policies, they are also likely to obtain lower premiums for cyber risk insurance coverage, and better security audits by insurers, which can reduce insurance costs. Nevertheless, the potentially widespread impact of an organized or coordinated cyber attack or information security breach could overwhelm any insurer with claims (and a cyber attack on infrastructure could overwhelm governmental enterprises as well). Therefore, it is critical that enterprises establish policies that aid in pre-loss financing of these potential damages in ways that avoid insolvency.

It is clear that public and private institutions will increasingly feel the effects of cyber risk from their own actions or those of a connected supplier, distributor, or end user. And, as developing countries push for greater access to the global market, competing companies may see cyber information control as a means of accomplishing that goal (e.g., cyber theft of such things as intellectual property, competitive bids, etc.). This vulnerability may be especially pertinent to those companies who engage in outsourcing in a manner that necessitates data access by foreign companies to host company computers. Even where the host country firm has installed cyber threat protection, the outsourced foreign firm may not have equivalent protection, and its own access vulnerabilities together with its permitted access to host computers may pose risks for the host enterprise. Due to substantial interconnectedness, enterprises must be cognizant of the cyber risk management plans of their suppliers and their downstream distributors who have access to the enterprise's computer accounts.

As information technology evolves, enabling enterprises to utilize the benefits advancing technology provides, from enhanced marketing facilitation, to enhanced employee access to important enterprise information during negotiation processes, to allowing customers to access personal records from anywhere, any time, we must remain vigilant and protect our enterprises from the cyber vulnerabilities that this new technology brings. As Dr. Martin Luther King, Jr. (1963) said, "All progress is precarious, and the solution of one problem brings us face to face with another problem." Even as new technology is creating opportunities for enhanced efficiency in enterprise activities via such advances as immediate employee access, targeted marketing ability, better customer service, and enhanced governmental transparency, Internet users should be aware that these advances create the new problem of enterprises becoming increasingly susceptible to cyber threats.

An important area of future research is how to enjoy the benefits of the information explosion without succumbing to the perils of cyber risk from inside and outside the organization. Benchmarking, state-of-the-art risk mitigation techniques, and proactive management will be necessities in the forthcoming world of interconnected commerce. Cyber risk considerations should rise to the level of Boards of Directors in the near future, as the consequences of failure are simply too large to ignore or do otherwise.

#### **9. References**

Admin[at]databreaches.net. (April 2011). Former Wells Fargo employee sentenced for ID theft, In: *Office of Inadequate Security*, September 19, 2011, Available from http://www.databreaches.net/?p=17654

Anderson, R., & Moore, T. (2006). The Economics of Information Security, *Science*, Vol. 314, No. 5799, October 2006, pp. 610-613, Available from http://www.sciencemag.org/content/314/5799/610.full.pdf

Baranoff, E., Brockett, P., & Kahane, Y. (June 2009). Risk Management for Enterprises and Individuals, In: *Flatworld Knowledge*, Available from http://www.flatworldknowledge.com/printed-book/1635

BBC News. (2011). Q&A: News of the World phone-hacking scandal, *BBC Mobile News UK*, (August 4, 2011), Available from http://www.bbc.co.uk/news/uk-11195407

Bohme, R. (2005). Cyber-Insurance Revisited, *Proceedings of the Workshop on the Economics of Information*, The Heartland Institute, Policy Documents, Chicago, Illinois, USA, January 1, 2005, Available from http://heartland.org/policy-documents/cyber-insurance-revisited

Brockett, P., Golden, L., Manika, D. & Song, A. (2011). Developments in Mobile Commerce: Economic Opportunities, Risk Analysis and Risk Management, *Working paper*, Center for Risk Management and Insurance, University of Texas at Austin, USA

Burke, R. & Cooper, C. (2010). *Risky Business: Psychological, Physical and Financial Costs of High Risk Behavior in Organizations*, p. 433, Gower Publishing, Ltd., ISBN 978-0-566-08915-2, Surrey, England.

Clarke, R. (June 15-18, 2008). A Risk Assessment Framework for Mobile Payments, *21st Bled eConference eCollaboration: Overcoming Boundaries through Multi-Channel Interaction*, Bled, Slovenia, April 29, 2011, Available from http://domino.fov.unimb.si/proceedings.nsf/Proceedings/FC5AA5C853A1CF3DC1257481003D0293/\$File/06Clarke.pdf

Coursaris, C. & Hassanein, K. (2002). Understanding M-commerce: A consumer centric model, *Quarterly Journal of Electronic Commerce*, Vol. 3, No. 3, pp. 247-271

FBI (2009). Spear Phishers: Angling to Steal Your Financial Info, (April 1, 2009), *The FBI, Federal Bureau of Investigation*, Available from http://www.fbi.gov/news/stories/2009/april/spearphishing\_040109

Feig, N. (2007). Banks Aren't Securing USB Ports, Study Reports, In: *Bank Systems and Technology*, June 17, 2007, Available from http://www.banktech.com/risk-management/201000516

Flatley, J. (2010). Thumb drive-based malware attack led to formation of US Cyber Command, *Engadget, AOL Tech*, August 26, 2010, Available from http://www.engadget.com/2010/08/26/thumb-drive-based-malware-attack-led-to-formation-of-us-cyber-co/

Friedman, A., Crowley, P., & West, D. (2011). Online Identity and Consumer Trust: Assessing Online Risk, *The Brookings Institution*, January 11, 2011, Available from http://www.brookings.edu/papers/2011/0111\_online\_identity\_trust.aspx



Garg, A., Curtis, J., & Halper, H. (2003). Quantifying the financial impact of IT security breaches, *Information Management and Computer Security*, Vol. 11, No. 2, pp. 74-83, Available from http://www.emeraldinsight.com/journals.htm?articleid=862842&show=abstract

Ghosh, A. & Swaminatha, T. (2011). Software Security and Privacy Risks in Mobile-Commerce, *Communications of the ACM*, Vol. 44, No. 2 (2001), pp. 51-57

Giannoulis, P. (2011). Pod slurping: The latest data threat, In: *SearchMidmarketSecurity.com*, April 11, 2011, Available from http://www.searchmidmarketsecurity.techtarget.com/tip/Pod-slurping-The-latest-data-threat

Gordon, L., Loeb, M., & Sohail, T. (2003). A Framework for Using Insurance for Cyber Risk Management, *Communications of the Association of Computing Machinery*, Vol. 46, No. 3, (March 2003), pp. 81-85, ISSN 0001-0782, Available from http://portal.acm.org/citation.cfm?id=636774

Hallam-Baker, P. (February 21, 2008). Famous for Fifteen Minutes: A History of Hacking Culture, In: *CSO Online - Security and Risk*, September 11, 2011, Available from http://www.csoonline.com/article/217058/famous-for-fifteen-minutes-a-history-of-hacking-culture

Harris, S. (2008). China's Cyber-Militia, *National Journal*, May 31, 2008, National Journal Group, Inc. 2011, Available from http://www.nationaljournal.com/magazine/china-s-cyber-militia-20080531

Hodge, N. (2009). Russian 'Cyber Militia' Takes Kyrgyzstan Offline? *Wired*, (January 28, 2009), Available from http://www.wired.com/dangerroom/2009/01/cyber-militia-t/

Hughes, G. & Allard, T. (2005). Fresh from the Secret Force, a spy downloads on China, *The Sydney Morning Herald*, (June 9, 2005), Available from http://www.smh.com.au/news/National/Fresh-from-the-Secret-Force-a-spy-downloads-on-China/2005/06/08/1118123901298.html

Identity Theft Resource Center. (2011). *Identity Theft Resource Center: A Nonprofit Organization*, March 21, 2011, Available from http://www.idtheftcenter.org/artman2/publish/lib\_survey/ITRC\_2008\_Breach\_List.shtml

InfoSecurity. (March 5, 2009). NYPD victim of data theft, In: *infoSecurity.com*, March 30, 2011, Available from http://www.infosecurity-us.com/view/555/nypd-victim-of-data-theft-/

Insurance Journal. (June 8, 2011). Crum & Forster Launches New Service to Protect against Cyber Risk, *Insurance Journal*, August 17, 2011, Available from http://www.insurancejournal.com/news/national/2011/06/08/201793.htm

Johnson, S. (2011). Cyber-theft bedevils businesses: Commercial enterprises don't enjoy the same protections as consumers from online bank heists, In: *The Miami Herald*, Business technology section, September 17, 2011, Available from http://www.miamiherald.com/2011/04/04/2150009/cyber-theft-bedevils-businesses.html

King, Martin Luther, Jr. (1963). Quote taken from *Strength to Love*

MacMillan, J. (2009). Johns Hopkins Tells Patients: Employee Stole Data for Fraud, In: *CSO Online - Security and Risk*, CXO Media Inc., April 12, 2011, Available from http://www.csoonline.com/article/492427/johns-hopkins-tells-patients-employee-stole-data-for-fraud

Maillart, T., Sornette, D. (2010). Heavy-tailed distribution of cyber-risks, *European Physical Journal B*, Vol. 75, No. 3 (June 2010), pp. 357–364, Available from http://www.springerlink.com/content/866j4814v275r582/fulltext.pdf

Marcus, S. (July 22, 2010). Top 5 Mobile Commerce Trends for 2010, April 30, 2011, Available from http://mashable.com/2010/07/22/2010-mobile-commerce-trends/

Mello, J. (September 29, 2005). Pod Slurping: Threat or Hype? In: *Welcome to TechNewsWorld*, March 27, 2011, Available from http://www.technewsworld.com/story/46417.html?wlc=1302480778

Miller, M. (June 30, 2008). Data Theft: How Big a Problem? In: *informIT*, Pearson Education, March 21, 2011, Available from www.informit.com/articles/article.aspx?p=1220308

Ohlhorst, F. (February 10, 2010). Three encryption apps to keep your data safe - data encryption - PC World Business, In: *PC World Australia*, April 12, 2011, Available from http://www.pcworld.idg.com.au/article/335681/three\_encryption\_apps\_keep\_your\_data\_safe/

Patel, H., Morrison, D. & Mischon De Reya, M. (n.d.). Information Theft: Are nervous employees sizing up your data? In: *KPMG: Cutting Through Complexity*, March 20, 2011, Available from http://www.datalossbarometer.com/14737.htm

Power, R. (2002). CSI/FBI computer crime and security survey, *Computer Security Journal*, Vol. 18, No. 2 (2002), pp. 7-30

PwC (2012). 2012 Global State of Information Security Survey, September 18, 2011, Available from http://www.pwc.com/gx/en/information-security-survey/key-findings.jhtml

Rhemann, M. (2011). "Cyber Trends", In: *Trends Digest*, September 11, 2011, Available from http://trendsdigeststore.com/CyberTrends.aspx

Richardson, R. (2008). CSI Computer Crime and Security Survey, *Computer Security Institute/Federal Bureau of Investigation*, 2008, Available from http://gocsi.com/sites/default/files/uploads/CSIsurvey2008.pdf

Schwartz, M. (2010). The Mall in Your Pocket, *Gifts & Decorative Accessories*, Vol. 111, No. 10 (2010), pp. 54-58

Schwartz, G., Shetty, N., & Walrand, J. (2010). Cyber-Insurance: Missing Market Driven by User Heterogeneity, *Submission to Workshop on the Economics of Information Security (WEIS)*, February 2010, Available from http://www.eecs.berkeley.edu/~schwartz/missm2010.pdf

Siciliano, R. (February 15, 2011). Lost or stolen mobile devices can lead to identity theft, In: *McAfee Blog Central*, April 30, 2011, Available from http://blogs.mcafee.com/consumer/identity-theft/lost-or-stolen-mobile-devices-can-lead-to-identity-theft

Siciliano, R. (April 18, 2011). The Rise of Smartphones and Related Security Issues, In: *Infosec Island*, April 30, 2011, Available from https://www.infosecisland.com/blogview/13078-The-Rise-of-Smartphones-and-Related-Security-Issues.html

Siegel, C., Sagalow, T., & Serritella, P. (2002). Cyber-Risk Management: Technical and Insurance Controls for Enterprise-Level Security, *CRC Press*, (March 4, 2002), Available from http://www.eprivacy.com/lectures/cyber-risk.pdf

Siwicki, B. (September 28, 2010). Mobile raises new fraud risks for merchants, In: *Internet Retailer*, April 10, 2011, Available from http://www.Internetretailer.com/2010/09/28/mobile-raises-new-fraud-risks-merchants

Spicer, J., Aspan, M. (2011). More customers exposed as big data breach grows, *Reuters*, 3 April 2011, Available from http://news.yahoo.com/s/nm/20110403/bs\_nm/us\_citi\_capitalone\_data

Stroup, J. (n.d.). Business Identity Theft: Your Risks from Employees, In: *Identity Theft - What You Need to Know to Protect Yourself from Identity Theft*, March 21, 2011, Available from http://idtheft.about.com/od/businessidtheft/a/IDT\_EEs.htm

The Economist. (2010). War in the fifth domain: Are the mouse and keyboard the new weapons of conflict? *The Economist Newspaper Limited, London*, July 1, 2010, Available from http://www.economist.com/node/16478792

The White House. (2010). Fact Sheet for National Strategy for Trusted Identities in Cyberspace, *Office of the Press Secretary*, June 25, 2010, Available from http://www.whitehouse.gov/the-press-office/fact-sheet-national-strategy-trusted-identities-cyberspace

Walsh, J. (n.d.). What is data theft? In: *article pros*, March 20, 2011, Available from http://www.articlepros.com/computers\_and\_Internet/data\_recovery/article-131141.html

**15**

## **Trust in an Asynchronous World: Can We Build More Secure Infrastructure?**

Dragutin Vuković

*INKUS Ltd. Croatia*

#### **1. Introduction**

Through history, many methods were designed and used for the secure transfer of confidential information. During WWII the Allied Forces developed a method for securing phone conversations which included a pair of synchronized phonographs playing identical copies of white noise records. This method, called SIGSALY, a.k.a. X System, Project X, Ciphony I or Green Hornet, used as the secure speech system for the highest-level Allied voice communications (Fagen, 1978), is a very literal example of synchronicity, because it would not work at all unless perfect synchronism was maintained between the phonographs at both ends of a voice channel. Other methods were devised for military communication by all participants, to mention only the famous German Enigma machine (Winkel, 2005). The common denominator of these historic methods is that all of them need synchronicity in one way or another – synchronous keys, one-time pads, etc. Therefore, when collaborating on matters that include a risk of information abuse, the traditional approach calls for a synchronous procedure: if there is a need to transfer some confidential information from one person to another, both persons will agree to meet at the same place, at an agreed time. They will meet and authenticate each other by an agreed procedure; a third party may be involved to secure authentication. Information will be exchanged on an agreed medium and the participants will part assured that the information has been exchanged in a secure manner. This is an example of a synchronous procedure, meaning that all participants have to be in contact at the same agreed time and the information is under the control of a trusted party during the whole transaction. Synchronicity of the procedure is historically a prerequisite for establishing the trust relationship between the participants in an information exchange.

Procedures to transfer and store information in a secure manner are deployed in computing and communication networks in various forms and technologies, but they are basically all drawing on the same principle of synchronicity. With the development of Internet technologies, transfer and storage procedures are becoming more asynchronous. This means that not all parties involved are in contact at the same time; information could be, for a period of time, left in the custody of a party whose trustworthiness, and even authenticity, is not completely assured.

From this, we are witnessing many problems with exposed personal information such as stolen identity abuse, credit card fraud, not to mention the confidential information leakages

Trust in an Asynchronous World: Can We Build More Secure Infrastructure? 343




These findings led us to the research question addressed in this chapter – could we envision a model for distributed computer system which would foster sociological notions of trust and confidence within the infrastructure? Model implementations would then utilize existing technologies and solutions in a systemic way to enforce establishment of stronger trust relationships between virtual digital entities, promoting confidence in on-line services

In this chapter we first discuss, in Section 2, the flow of information on the Internet and how it becomes more and more asynchronous with the proliferation of advanced technologies. Then we give an overview of risks involved due to asynchronous nature of data storage, transfer and processing in contemporary Internet technologies, in Section 3. Section 4 provides some insight about the notion of trust, its relation to confidence and its role in distributed computer systems. New and enhanced architecture of distributed computer systems, named *multilevel cell distributed computer system architecture*, to be utilized through the internet, is proposed in Section 5. Section 6 discusses, using trust-confidence-cooperation (TCC) model, how the cell architecture can provide enhancements to cooperation in on-line

We infer from Section 1 that synchronicity is the underlying principle of security procedures in various areas, including information transfer and storage which is of main interest to us. Then, with new technologies in the IT age, synchronicity was sacrificed to achieve customer friendliness via speed, but this introduced asynchronous solutions, which is expanded on

Problem with synchronous procedures is that they spend time waiting for synchronization events to co-occur, adding to the overall length of the procedure. This was not the problem while the information transfer itself was comparably slow, so that overhead incurred by synchronization took only a small fraction of message duration. Shape of things has changed with the emergence of Internet. Nowadays, when high speed wired and wireless communication is omnipresent, everything is happening much quicker than before. Every part of world is accessible and digital information can be transferred with incredible speed. These speeds are made possible both by pure technological advances in electronic communication circuitry and by the fact that most data transfer technologies at physical,

represented by their identities (Benantar, 2005), (Six, 2005).

security (Smith, 2005), (Serpanos, 2011).

regarding information security and enabling cooperation.

business. Some closing afterthoughts are given in Section 7.

**2. Asynchronicity in modern communications** 

data link layers are asynchronous.

(Mather, 2009).

next.

from stolen computers and media not properly protected. Consequently, there is a diminution of customers' confidence in IT services, especially when provided through a public network. Users want to be assured that their data are safe and secure with the service provider. On the other side, service providers want to be assured that their services will be properly paid for. Some other confidence issues can be identified as well. Service providers are increasingly worried about the risks their businesses are exposed to in such an environment, and they are building layer upon layer of information security technology to protect their customers' information as well as their shareholder value.

To illustrate this lack of confidence on the service providers' side, we present recent 'tweets' by Cory Doctorow, a famous writer, blogger and activist (see Figures 1 and 2).

Fig. 1. Cory Doctorow's tweet on 2011-06-06T13:00

Fig. 2. Cory Doctorow's tweet on 2011-08-06T19:00

Cory Doctorow is a citizen of the United Kingdom, born in Canada. During his travel to the USA, he wanted to buy some music from Amazon US, but Amazon US did not have confidence in Doctorow's UK credit cards. He then tried to buy music from Amazon UK, but Amazon UK did not have confidence in Doctorow's current location (i.e. IP address), which happened to be in the USA at the moment. A similar lack of confidence was observed again by Doctorow shortly afterwards as he travelled to Canada.

Such a lack of confidence, albeit frequent at the current level of Internet technology development, is hindering the further proliferation of on-line services, causing dissatisfaction for all parties involved, customers and service providers alike: customers because of their inability to access services they are willing to consume and pay for, and providers because of potential markets being left unutilised.

It is our belief that cooperative behaviour in on-line services can be greatly improved by utilizing appropriate functions in the underlying infrastructure to foster trust and confidence between customers and on-line service providers. This belief is based on our conclusions inferred from research in several fields spanning sociology (confidence, trust), technology (networking, communication, Internet technologies) and management (identity, information security):



These findings led us to the research question addressed in this chapter: could we envision a model for a distributed computer system which would foster the sociological notions of trust and confidence within the infrastructure? Model implementations would then utilize existing technologies and solutions in a systemic way to enforce the establishment of stronger trust relationships between virtual digital entities, promoting confidence in on-line services regarding information security and enabling cooperation.

In this chapter we first discuss, in Section 2, the flow of information on the Internet and how it becomes more and more asynchronous with the proliferation of advanced technologies. Then, in Section 3, we give an overview of the risks involved due to the asynchronous nature of data storage, transfer and processing in contemporary Internet technologies. Section 4 provides some insight into the notion of trust, its relation to confidence and its role in distributed computer systems. A new and enhanced architecture for distributed computer systems, named *multilevel cell distributed computer system architecture*, to be utilized through the Internet, is proposed in Section 5. Section 6 discusses, using the trust-confidence-cooperation (TCC) model, how the cell architecture can provide enhancements to cooperation in on-line business. Some closing afterthoughts are given in Section 7.

### **2. Asynchronicity in modern communications**

We infer from Section 1 that synchronicity is the underlying principle of security procedures in various areas, including information transfer and storage which is of main interest to us. Then, with new technologies in the IT age, synchronicity was sacrificed to achieve customer friendliness via speed, but this introduced asynchronous solutions, which is expanded on next.

The problem with synchronous procedures is that they spend time waiting for synchronization events to co-occur, adding to the overall length of the procedure. This was not a problem while the information transfer itself was comparably slow, so that the overhead incurred by synchronization took only a small fraction of the message duration. The shape of things changed with the emergence of the Internet. Nowadays, when high-speed wired and wireless communication is omnipresent, everything happens much more quickly than before. Every part of the world is accessible and digital information can be transferred with incredible speed. These speeds are made possible both by pure technological advances in electronic communication circuitry and by the fact that most data transfer technologies at the physical and data link layers are asynchronous.

Trust in an Asynchronous World: Can We Build More Secure Infrastructure? 345

Our way of life changed accordingly. We learned to exchange large amounts of information on a regular basis and we expect it to happen almost in real time. That is why we can send photos to our friends right from the field, and we expect their comments to come back to our smartphones within minutes. This can also be achieved despite the geographical dispersion of people and the varying frequency with which we meet. In order to enjoy this convenience we are ready to loosen our expectations regarding the confidentiality and privacy of our information. Thus we entered an asynchronous mode of operation, letting things happen more quickly, at the expense of some security issues.

On the other hand, when we come to information whose confidential nature we want to maintain during transfer and storage, we still at present stick to synchronous methods, having seen them prove successful before (perceived performance) and finding them acceptable among the methods offered (value similarity). We use cryptographic methods synchronized by exchanging keys, and secure services bound by strong contracts enforced by law. Or we may simply fall back to the old-fashioned method of delivering information personally, possibly having it written only in the messenger's memory: a communication channel with small bandwidth and large delay, and unreliable information storage.

A special category of information that we are interested in securing is bound to the transfer of financial value, such as electronic funds transfer, electronic money, credit cards or anonymous debit cards (Androulaki, 2009). This is a whole area on its own and will not be discussed here, although it may also benefit from the confidence and trust enhancements provided by the architectural concepts discussed.

The reality is that we want more and more information to be transferred at higher and higher bandwidths, with smaller and smaller delays, and with more and more confidence. The emergence of Web 2.0 applications and the proliferation of the cloud computing paradigm made our expectations only bigger, and asynchronicity more certain.

Cloud computing appears to have emerged very recently as a subject of substantial industrial and academic interest, though its meaning and scope, and its fit with respect to other paradigms, are hotly debated. For some researchers, clouds are a natural evolution towards full commercialisation of grid systems, while for others they may be dismissed as a mere rebranding of existing pay-per-use or pay-as-you-go technologies. From either perspective, it appears that 'cloud' has become the label of choice for accountable pay-per-use access to a wide variety of third-party applications and computational resources on a massive scale. Clouds are now supporting patterns of less predictable resource use for applications and services across the IT spectrum, from online office applications to high-throughput transactional services and high-performance computations involving substantial quantities of processing cycles and storage. The current notion of clouds seems to blur the distinctions between grid services, web services and data centres, amongst others, and brings considerations of lowering the cost of relatively bursty applications to the fore.

Cloud computing is a new way of delivering computing resources, not a new technology. Computing services ranging from data storage and processing to software, such as email handling, are now available instantly, commitment-free and on demand. Since we are in a time of belt-tightening, this new economic model for computing has found fertile ground and is seeing massive global investment. According to IDC's analysis, the worldwide forecast for cloud services in 2009 will be in the order of \$17.4bn (IDC 2009, as cited in Catteddu, 2009). The estimate for 2013 amounts to \$44.2bn, with the European market growing from €971m in 2008 to €6,005m in 2013 (Bradshaw 2009, as cited in Catteddu, 2009).

There is probably no other field of research with as huge an amount of literature as the field of modern data communication and the Internet, especially in terms of publishing rate (number of titles per unit of time). It would therefore be quite unwieldy to produce a thorough overview of the literature in this field. Here are some pointers to titles that could provide a good starting point for interested readers to investigate further in the field:

- Data transfer and communication technologies as the building substance of the Internet: (Lerner *et al.*, 2002), (Governor, 2009), (Sobh *et al.*, 2010), (Sorensen, 2010), (Preve, 2011), (Serpanos and Wolf, 2011).
- Middleware and the Internet: (Lerner *et al.*, 2002), (Puder *et al.*, 2006), (Toninelli *et al.*, 2011), (Georgantas *et al.*, 2011).
- Contemporary technologies and paradigms in the Internet – Web 2.0, grid and pervasive computing, cloud computing: (Mattern, 2006), (Puder *et al.*, 2006), (Reese, 2009), (Governor, 2009), (Rittinghouse and Ransome, 2010), (Zheng, 2010), (Zagalo *et al.*, 2011).
- Identity and privacy in distributed systems: (Benantar, 2005), (Windley, 2005), (Waldo *et al.*, 2007), (Nin and Herranz, 2010), (Sileo, 2010), (Papacharissi, 2011).

With this in mind, we are ready to probe the risks in the asynchronous world, which is done next in Section 3.

### **3. Risks in an asynchronous world**

According to analyst firm Gartner, cloud computing is fraught with security risks (Brodkin, 2008). Smart customers will ask tough questions and consider getting a security assessment from a neutral third party before committing to a cloud vendor. Cloud computing has "unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing," Gartner says.

According to Gartner, before selecting a cloud vendor, customers should raise seven specific security issues (Brodkin, 2008):

1. **Privileged user access.** Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the physical, logical and personnel controls IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. Ask providers to supply specific information on the hiring and oversight of privileged administrators, and on the controls over their access.
2. **Regulatory compliance.** Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are signalling that customers can only use them for the most trivial functions.
3. **Data location.** When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers.
4. **Data segregation.** Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. Find out what is done to segregate data at rest. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. Encryption accidents can make data totally unusable, and even normal encryption can complicate availability.
5. **Recovery.** Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure. Ask your provider if it has the ability to do a complete restoration, and how long it will take.
6. **Investigative support.** Investigating inappropriate or illegal activity may be impossible in cloud computing. Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centres. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.
7. **Long-term viability.** Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. Ask potential providers how you would get your data back, and whether it would be in a format that you could import into a replacement application.

In the paper edited by Daniele Catteddu and Giles Hogben (Catteddu, 2009), published by the European Network and Information Security Agency (ENISA) in the context of ENISA's Emerging and Future Risk programme, a group of selected industry, academic and government experts in the subject area expressed their opinions about benefits, risks and recommendations for information security in cloud computing. The experts identified a number of cloud-specific risks, the most important of which we enumerate here:

1. **Loss of governance.** In using cloud infrastructures, the client necessarily cedes control to the cloud provider on a number of issues which may affect security. At the same time, service level agreements may not offer a commitment to provide such services on the part of the cloud provider, thus leaving a gap in security defences.
2. **Lock-in.** There is currently little on offer in the way of tools and procedures or standard data formats or service interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another, or to migrate data and services back to an in-house IT environment. This introduces a dependency on a particular cloud provider for service provision, especially if data portability, as the most fundamental aspect, is not enabled.
3. **Isolation failure.** Multi-tenancy and shared resources are defining characteristics of cloud computing. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks). However, it should be considered that attacks on resource isolation mechanisms (e.g., against hypervisors) are still less numerous and much more difficult for an attacker to put into practice compared to attacks on traditional OSs.
4. **Compliance risks.** Investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud:
	- a. if the cloud provider cannot provide evidence of their own compliance with the relevant requirements;
	- b. if the cloud provider does not permit audit by the cloud customer.

	In certain cases, it also means that using a public cloud infrastructure implies that certain kinds of compliance cannot be achieved.
5. **Management interface compromise.** Customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers), and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.
6. **Data protection.** Cloud computing poses several data protection risks for cloud customers and providers. In some cases, it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider, and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated clouds. On the other hand, some cloud providers do provide information on their data handling practices. Some also offer certification summaries on their data processing and data security activities and the data controls they have in place, e.g., SAS70 certification.
7. **Insecure or incomplete data deletion.** When a request to delete a cloud resource is made, as with most operating systems, this may not result in true wiping of the data. Adequate or timely data deletion may also be impossible (or undesirable from a customer perspective), either because extra copies of data are stored but are not available, or because the disk to be destroyed also stores data from other clients. In the case of multiple tenancies and the reuse of hardware resources, this represents a higher risk to the customer than with dedicated hardware.
8. **Malicious insider.** While usually less likely, the damage which may be caused by malicious insiders is often far greater. Cloud architectures necessitate certain roles which are extremely high-risk. Examples include cloud provider system administrators and managed security service providers.


The risks listed above do not follow any specific order; they are just some of the most important cloud-computing-specific risks identified during the assessment. ENISA's report delves further into a more detailed analysis of specific risks in several categories, such as policy and organizational risks, technical risks, legal risks and some risks not specific to the cloud.

ENISA's and Gartner's reports, while partly overlapping, also complement each other, and together give a fair overview of the risks that both cloud service users and cloud service providers may expect to face in the course of building a cloud economy.
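ENISA's item 7 above (insecure or incomplete data deletion) is the one a storage engineer can act on directly. The following is an added example, not code from the chapter, from ENISA or from any provider: it shows crypto-shredding, where each tenant's data is encrypted under its own key and 'deletion' destroys that key, so replica copies the customer never sees, on disks shared with other tenants, become unrecoverable. The cipher is a stand-in built from HMAC-SHA256 so it runs on the standard library, and the tenant names, data and replica count are constructed.

```python
# Crypto-shredding demo: per-tenant keys make residual cloud copies unreadable.
# Constructed example; the HMAC-SHA256 stream cipher stands in for AES-GCM so
# the script runs on the standard library. Keys would normally live in a KMS/HSM.
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 tag


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def fails_with(exc, fn, *args) -> bool:
    """True if fn(*args) raises exc; used to show fail-closed behaviour."""
    try:
        fn(*args)
    except exc:
        return True
    return False


class CryptoShredStore:
    """One shared 'disk' for all tenants plus a separate per-tenant key store.
    Writes land in `replicas` copies (the extra copies ENISA warns the customer
    may never see); deletion destroys the key and leaves the disk untouched."""

    def __init__(self, replicas: int = 2) -> None:
        self.keys = {}  # tenant -> data-encryption key (KMS stand-in)
        self.disk = {}  # block id -> ciphertext, shared by all tenants
        self.replicas = replicas

    def provision(self, tenant: str) -> None:
        self.keys[tenant] = secrets.token_bytes(32)

    def write(self, tenant: str, name: str, data: bytes) -> None:
        blob = encrypt(self.keys[tenant], data)
        for r in range(self.replicas):
            self.disk[f"{tenant}/{name}#{r}"] = blob

    def read(self, tenant: str, name: str) -> bytes:
        key = self.keys.get(tenant)
        if key is None:  # fail closed: a shredded tenant has no key
            raise LookupError(f"tenant {tenant!r} has no key; data is unrecoverable")
        return decrypt(key, self.disk[f"{tenant}/{name}#0"])

    def shred_tenant(self, tenant: str) -> None:
        """'Delete' by destroying the key; residual ciphertext stays on the disk."""
        del self.keys[tenant]

    def residual_blocks(self, tenant: str) -> list:
        """Ciphertext blocks still physically present for a tenant."""
        return sorted(b for b in self.disk if b.startswith(tenant + "/"))


def run_scenario() -> dict:
    """Two tenants share one disk; Alice is off-boarded by shredding her key."""
    store = CryptoShredStore(replicas=3)
    for tenant in ("alice", "bob"):
        store.provision(tenant)
    store.write("alice", "ledger", b"alice: account 42 balance 1000")  # constructed data
    store.write("bob", "notes", b"bob: quarterly notes")
    before = store.read("alice", "ledger")
    store.shred_tenant("alice")
    residual = store.residual_blocks("alice")
    # Neither Alice's own path nor a co-tenant's key (nor the provider, lacking
    # Alice's key) can open the residue; Bob's data is unaffected.
    return {
        "before": before,
        "residual_copies": len(residual),
        "readable_after_shred": not fails_with(LookupError, store.read, "alice", "ledger"),
        "cross_tenant_decrypt": not fails_with(
            ValueError, decrypt, store.keys["bob"], store.disk[residual[0]]),
        "bob_unaffected": store.read("bob", "notes"),
    }
```

The residual copies stay on the shared disk exactly as ENISA describes; what changes is that they are worthless without the destroyed key, so a provider can satisfy a deletion request without wiping hardware that other tenants still use.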

Ironically, books on security sell poorly, whereas books on hacking into systems sell much better, a trend that is worrying when taking into account the increasing magnitude of these problems. Here is a sampling of titles that can be of use to the interested reader who wants to extend his knowledge of the field of information security, especially in the areas discussed here:

348 Risk Management for the Future – Theory and Cases

- Challenges, approaches and solutions to risks of information security in computing systems: (Fagen, 1978), (Lerner *et al.*, 2002), (Cranor, 2005), (Winkel *et al.*, 2005), (Biskup, 2009), (Viega, 2009), (Wong and Yeung, 2009), (Arata, 2010), (Graham *et al.*, 2011),
- Information security issues in contemporary distributed computing systems – Web 2.0, grid, cloud: (Mather, 2009), (Rittinghouse and Ransome, 2010), (Thuraisingham, 2011).
- Managing information security and associated risks: (Broder, 2006), (Tipton and Krause, 2008), (Arata, 2010), (Aven and Renn, 2010), (Vladimirov *et al.*, 2010), (Brotby, 2009),
- Identity, privacy and access control: (Benantar, 2005), (Windley, 2005), (Waldo *et al.*, 2007), (Mather, 2009), (Arata, 2010), (Nin, 2010), (Sileo, 2010), (Papacharissi, 2011).

Being aware of risks is in itself pointless unless we can do something about them, so it follows that we must manage these risks. However, due to the asynchronous nature of the problem at hand we not only have to manage the risks, but we also have to build confidence that the risks *are* being managed and that the transaction is trustworthy in itself if we follow certain rules, including risk management. This, and more, is discussed in Section 4.

#### **4. Trust and risk management**

In his influential book (Fukuyama, 1995), Francis Fukuyama argued that public values, especially trust, shape the direction of national economies. Among other things, Fukuyama shows how trust reduces transaction costs and, ultimately, economic friction. Here, we first give a brief overview of trust and its relation to confidence as seen from a sociological standpoint. Then we proceed to discuss the ways trust is seen in the realm of information technology. This establishes a background for thinking about a better use of the concepts of trust and confidence to mitigate some risks in distributed computer architecture.

#### **4.1 The importance of trust**

Many authors have emphasized the importance of trust for achieving organizational success. The overview presented in (Six, 2005) shows that many see trust as necessary in contexts of high ambiguity and uncertainty, as well as in contexts of high complexity. Trust, on the one hand, can provide a sense of security that will help survival in these contexts, and on the other, it can help with the risk taking necessary for survival in complex environments. Trust, when present, is said to enhance the ability to change and to support potentially radical change. This is because trust is said to assist in learning, creativity and innovation. Furthermore, it is a lubricant for social relations which improves efficiency or, as John Locke declared, trust is 'the bond of society', the *vinculum societatis*.

Trust is also seen to foster and maintain cooperation, as it encourages information sharing, enriches relationships, increases openness and mutual acceptance, and enhances conflict resolution and integrative problem solving. The presence of trust, it has been argued, reduces the need for detailed contractual and monitoring devices, and is thus important in governance. Taking it one step further, in complex environments detailed contracting and monitoring are often undesirable, since they may constrain the scope and motivation for quality and for innovation based on individual variety and initiative. Trust can have extrinsic value, as a means to achieve social or economic goals, and it can have intrinsic value, as a dimension of relations that is valued for itself, as part of a broader notion of well-being or the quality of life. People may prefer, as an end in itself, to deal with each other on the basis of trust. One motive for doing this is to build confidence, which is discussed next.

#### **4.2 Trust and confidence**

We define trust as the willingness, in expectation of beneficial outcomes, to make oneself vulnerable to another based on a judgement of similarity of intentions or values; here we want to emphasize that trust is based on social relations, group membership and shared values. Confidence is defined as the belief, based on experience or evidence, that certain future events will occur as expected. Both trust and confidence support cooperation. But whereas confidence has a specific performance criterion, trust is placed in the freedom of the other. In the case of trust, the other is free to act in ways that indicate shared values, regardless of whether specific acts are expected or not. In the case of confidence, the other must act in specifically expected ways.

The crucial point that is generally overlooked is the dependence of confidence on trust (O'Neill, 2004 as cited in Siegrist, 2007). We all describe within communities; we can't do otherwise. However, since our descriptions are linked to our communities, and accepted as justified only within them, we normally are not made aware of the dependence of the one upon the other – and of the potential rejection of our descriptions within other communities. To take a very simple example, one might claim that one's confidence that the Earth will circle the sun is not based on a relation of trust. But one only has the idea of 'the Earth circling the sun' as a consequence of one's membership in a particular community. There is nothing given about that or any other description. This, of course, can become a serious matter when the descriptions one makes provoke more variable, contested effects on others than a description of the Earth's relation to the sun.

Within the realm of technology, trust and control have usually been associated with reliability, integrity (Smith, 2005) and correctness (Jayaswal and Patton, 2006), and were not seen as a separate issue until the arrival of complex computer-controlled systems. Computer science initially approached trust and control from the perspective of security. Recognising that trust is not controllable, security developed an elaborate structure of control in an attempt to minimise elements of trust. More recently, however, the fundamental nature of trust has been addressed in initiatives such as trusted computing, where individual devices are given assurance in their own configuration on the basis of a hardware-based root of trust. The need for a portable root of trust has also fuelled the creation and popularity of smart cards (Cofta, 2007).

#### **4.3 Trust and distributed computer system architecture**

In data communication, the understanding that trust precedes meaningful and secure communication has eventually led to the concept of trust management, a separate layer of interactions that leads to the creation and maintenance of trust relationships between communicating nodes, following e.g. business agreements, contractual dependence, personal relationships, etc. Pretty Good Privacy (PGP) has been exploring the area of peer-to-peer trust while Public Key Infrastructure (PKI) proposed the multi-stage model of trust (Biskup, 2009). More recently, Web Services Trust language (WS-Trust) has established itself

In his influential book (Fukuyama, 1995), Francis Fukuyama argued that public values, especially trust, shape the direction of national economies. Among other things, Fukuyama shows how trust reduces transactions costs, and ultimately, economic friction. Here, we will first give a brief overview of trust and its relation to confidence as it is seen from sociological standpoint. Then we will proceed to discuss the ways trust is seen in the realm of information technology. This would establish a background for thinking about a better use of trust and confidence concept to mitigate some risks in distributed computer architecture.

Many authors have emphasized the importance of trust for achieving organizational success. The overview presented in (Six, 2005) shows that many see trust as necessary in contexts of high ambiguity and uncertainty, as well as in contexts of high complexity. Trust, on the one hand, can provide a sense of security that will help survival in these contexts, and on the other, it can help with the risk taking necessary for survival in complex environments. Trust, when present, is said to enhance the ability to change and to support, potentially radical, change. This is because trust is said to assist in learning, creativity and innovation. Furthermore, it is a lubricant for social relations which improves efficiency or, as

Trust is also seen to foster and maintain cooperation, as it encourages information sharing, enriches relationships, increases openness and mutual acceptance, and enhances conflict resolution and integrative problem solving. The presence of trust, it has been argued, reduces the need for detailed contractual and monitoring devices, is thus important in governance and taking it one step further, in complex environments, detailed contracting and monitoring are often undesirable since they may constrain the scope and motivation for quality, for innovation based on individual variety and initiative. Trust can have extrinsic value, as a means to achieve social or economic goals, and it can have intrinsic value, as a

John Locke declared, trust is 'the bond of society', the *vinculum societatis*.

(Andress, 2011).

(Tiller, 2011).

#### **4.2 Trust and confidence**

We define trust as the willingness, in expectation of beneficial outcomes, to make oneself vulnerable to another based on a judgement of similarity of intentions or values; here we want to emphasize that trust is based on social relations, group membership and shared values. Confidence is defined as the belief, based on experience or evidence, that certain future events will occur as expected. Both trust and confidence support cooperation. But whereas confidence has a specific performance criterion, trust is placed in the freedom of the other. In the case of trust, the other is free to act in ways that indicate shared values, regardless of whether specific acts are expected or not. In the case of confidence, the other must act in specifically expected ways.

The crucial point that is generally overlooked is the dependence of confidence on trust (O'Neill, 2004 as cited in Siegrist, 2007). We all describe the world from within communities; we cannot do otherwise. However, since our descriptions are linked to our communities, and accepted as justified only within them, we are normally not made aware of the dependence of the one upon the other, nor of the potential rejection of our descriptions within other communities. To take a very simple example, one might claim that one's confidence that the Earth will circle the Sun is not based on a relation of trust. But one only has the idea of 'the Earth circling the Sun' as a consequence of one's membership in a particular community. There is nothing given about that or any other description. This, of course, becomes a serious matter when the descriptions one makes provoke more variable, contested effects on others than a description of the Earth's relation to the Sun.

#### **4.3 Trust and distributed computer system architecture**

Within the realm of technology, trust and control have usually been associated with reliability, integrity (Smith, 2005) and correctness (Jayaswal and Patton, 2006), and were not seen as a separate issue until the arrival of complex computer-controlled systems. Computer science initially approached trust and control from the perspective of security. Recognising that trust is not controllable, security engineering developed an elaborate structure of control in an attempt to minimise the elements of trust. More recently, the fundamental nature of trust has been recognised in initiatives such as trusted computing, where individual devices are given assurance about their own configuration on the basis of a hardware-based root of trust. The need for a portable root of trust has also fuelled the creation and popularity of smart cards (Cofta, 2007).

In data communication, the understanding that trust precedes meaningful and secure communication eventually led to the concept of trust management: a separate layer of interactions that creates and maintains trust relationships between communicating nodes, following, for example, business agreements, contractual dependence or personal relationships. Pretty Good Privacy (PGP) has explored the area of peer-to-peer trust, while Public Key Infrastructure (PKI) proposed the multi-stage model of trust (Biskup, 2009). More recently, the Web Services Trust language (WS-Trust) has established itself as a standard within Service-Oriented Architecture (SOA), the potential foundation of Web 2.0 (Thuraisingham, 2010). Grid computing and pervasive computing environments have brought different challenges to trust management.

Trust in an Asynchronous World: Can We Build More Secure Infrastructure? 351

The need to effectively manage distributed computing systems has led to constructs such as trusted domains (several computers trusting each other's authentication capabilities) (Rittinghouse, 2010), trusted credentials (others' identities accepted without any further proof), trusted storage (storage space accessible only to selected users), trusted zones (privileged Internet address space), and so on. In all these cases there is a notion of trust as something essential yet different from the actual cooperation or communication, something that requires special management practices. Usually, the ability to manage trust is granted to system administrators or users, in the expectation that the technical structure of trust will reflect trust in the respective social relationships. Research on autonomous agents has liberated trust management from the need for *a priori* trust managed by the user or the administrator. Agents were vested with the ability to make and break the trust relationship (which can more correctly be called 'the relationship of confidence'), usually on the basis of past experience and through a process of learning, whether from direct interactions or from others' experience. Autonomous agents have brought the notion of imperfect trust (where trust is no longer a binary proposition), and with it the problems of trust propagation and reasoning. The new approach to trust has also, unfortunately, revealed new threats to trust, usually in the form of attacks on reputation.

Interest in large systems, whether created by autonomous agents, *ad-hoc* networks or in any other way, required more specific instruments for reasoning about trust. Formalisation of trust proposes logical primitives and schemes that can be used in reasoning about trust, and the formalisation of reasoning has led to the creation of several formal systems and supporting tools. Both reasoning and transitivity require trust and confidence to be qualified, and the desire to measure trust and confidence has generated a significant amount of research.

From a more application-specific perspective, electronic commerce has used various metrics of trust to develop risk assessment, both for the seller and for the buyer. The commercial value of eBay's reputation system is widely known, and similar rating systems are used by other e-commerce sites. Collaborative filtering has been used to aid information search, following the concept that trust is a qualified reliance on information; as more automated systems moved into the area, collaborative filtering became the preferred solution for recommendation. The needs of electronic commerce have stimulated the interdisciplinary approach to trust.

Another effect of the introduction of electronically mediated communication is the development of research into user trust in digital devices, e.g. in the form of web features that facilitate the creation of perceived trust, trust in information systems, or improvements of trust between people communicating through a digital channel.

In a distributed computer system the establishment of trust typically includes specific administrative permissions and leverages cryptographically secure methods. These methods can establish identities and provide various secure services to managed users. The full use of network services is reserved for managed users. These users have an identity on the network and are therefore trusted to interact with their piece of the network, which we will call a 'cell': an organized collection of networked computers. By authenticating itself to the network and continually validating its authenticated status, this cell may become a trusted member of a network which is itself a cell, built on the same blueprint as the lower level cell.
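The two trust models named above (PGP's peer-to-peer trust and PKI's multi-stage chain) and the point that transitivity has to be qualified can be made concrete with a small trust-path evaluator. This is an added example, not code from the chapter: signature verification is assumed to have already happened, so certifications are plain (issuer, subject) edges, and all the certificate and key names are constructed for the illustration. The web-of-trust thresholds (one fully trusted or three marginally trusted introducers, bounded certification depth) follow the classic OpenPGP defaults.

```python
"""Trust-path evaluation for two models: PKI's multi-stage chain to an anchor,
and PGP's peer-to-peer web of trust with qualified (bounded-depth,
thresholded) transitivity.

Signatures are represented as already-verified (issuer, subject) edges;
the example is about the trust reasoning, not the cryptography.
All names below are constructed for the example."""
from collections import defaultdict

# ---- PKI: a certificate is valid if it chains to a trust anchor -----------
# issuers: subject -> issuer (an anchor is self-signed: subject -> subject)
def pki_valid(subject, issuers, anchors, revoked=frozenset(), max_depth=8):
    """Walk subject -> issuer until an anchor is reached. A revoked or unknown
    issuer breaks the chain; the depth bound stops cycles and over-long chains."""
    seen = set()
    cur = subject
    for _ in range(max_depth):
        if cur in revoked or cur in seen:
            return False
        seen.add(cur)
        if cur in anchors:
            return True
        cur = issuers.get(cur)
        if cur is None:
            return False
    return False

# ---- PGP: a key is valid if enough trusted introducers certified it --------
FULL_NEEDED, MARGINAL_NEEDED = 1, 3   # classic OpenPGP defaults

def wot_valid_keys(own_key, certifications, ownertrust, max_depth=5):
    """certifications: iterable of (signer_key, signed_key).
    ownertrust: key -> 'full' | 'marginal' (how far we trust the owner as an
    introducer). Our own key is implicitly fully trusted.
    Returns the set of valid keys, computed to a fixed point: a key becomes
    valid when certified by >= FULL_NEEDED valid full-trust keys or
    >= MARGINAL_NEEDED valid marginal-trust keys, each of which sits at a
    certification depth below max_depth (the qualified transitivity)."""
    trust = dict(ownertrust)
    trust[own_key] = "full"
    signers_of = defaultdict(set)
    for signer, signed in certifications:
        signers_of[signed].add(signer)
    valid, depth = {own_key}, {own_key: 0}
    changed = True
    while changed:
        changed = False
        for key, signers in signers_of.items():
            if key in valid:
                continue
            usable = [s for s in signers if s in valid and depth[s] < max_depth]
            full = [s for s in usable if trust.get(s) == "full"]
            marginal = [s for s in usable if trust.get(s) == "marginal"]
            if len(full) >= FULL_NEEDED or len(marginal) >= MARGINAL_NEEDED:
                valid.add(key)
                depth[key] = 1 + min(depth[s] for s in full + marginal)
                changed = True
    return valid

# Constructed sample data
ISSUERS = {"RootCA": "RootCA", "IntermediateCA": "RootCA",
           "www.example.test": "IntermediateCA", "rogue.test": "UnknownCA"}
ANCHORS = {"RootCA"}

OWNERTRUST = {"bob": "full", "carol": "marginal", "dave": "marginal", "erin": "marginal"}
CERTS = [("alice", "bob"), ("alice", "carol"), ("alice", "dave"), ("alice", "erin"),
         ("bob", "frank"),                                         # 1 full introducer
         ("carol", "grace"), ("dave", "grace"), ("erin", "grace"),  # 3 marginal introducers
         ("carol", "heidi"), ("dave", "heidi")]                   # only 2 marginal: not enough

if __name__ == "__main__":
    print(pki_valid("www.example.test", ISSUERS, ANCHORS))   # True
    print(pki_valid("rogue.test", ISSUERS, ANCHORS))         # False: issuer unknown
    print(pki_valid("www.example.test", ISSUERS, ANCHORS, revoked={"IntermediateCA"}))  # False
    print(sorted(wot_valid_keys("alice", CERTS, OWNERTRUST)))              # frank and grace valid, heidi not
    print(sorted(wot_valid_keys("alice", CERTS, OWNERTRUST, max_depth=1)))  # only alice's direct peers
```

The PKI walk fails closed: an unknown issuer, a revoked certificate or a loop all yield "not valid". The web-of-trust computation shows why depth has to be bounded: with `max_depth=1`, keys certified only by second-hand introducers stop being valid, which is exactly the qualification of transitivity the text refers to.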

Interested readers can find additional insight into the area of trust and confidence in the following literature:

- Intrinsic value of trust: (Blau, 1964), (Bradach, Eccles, 1989), (Gulati, 1995), (Nooteboom, 1996), (Powell, 1996), (Ryan, Oestreich, 1998), (Sako, 1998), (Marek, 2008), (Briggs, 2010).
- Trust is necessary in contexts of high ambiguity, uncertainty, and in contexts of high complexity: (Lewis, Weigert, 1985), (Shapiro, 1987), (Nooteboom, 1996), (Shaw, 1997), (Deering, Murphy, 1998), (Lane, 1998), (Nahapiet, Ghoshal, 1998), (Rousseau *et al.*, 1998), (Sako, 1998), (Senge *et al.*, 1999), (Costa, 2000), (Marek, 2008).
- How trust can provide a sense of security which will help survival in contexts of high ambiguity, uncertainty, and in contexts of high complexity: (McAllister, 1995), (Ellinor, Gerard, 1998), (Ryan, Oestreich, 1998), (Reina, Reina, 1999), (Senge *et al.*, 1999). How trust can help with the risk taking necessary for survival in contexts of high ambiguity, uncertainty, and in contexts of high complexity: (Katzenbach *et al.*, 1995), (Shaw, 1997), (Lewis, 1999), (Reina, Reina, 1999), (Senge *et al.*, 1999), (Costa, 2000), (Marek, 2008).
- How trust enhances ability to change, supports radical change: (Argyris, 1970), (Katzenbach *et al.*, 1995), (Shaw, 1997), (de Geus, 1997), (Deering, Murphy, 1998), (Ellinor, Gerard, 1998), (Ryan, Oestreich, 1998), (Reina, Reina, 1999), (Senge *et al.*, 1999), (Costa, 2000), (Marek, 2008).
- How trust assists in learning, creativity, innovation: (McAllister, 1997), (Shaw, 1997), (Zand, 1997), (Deering, Murphy, 1998), (Lane, 1998), (Lazaric, Lorenz, 1998), (Nahapiet, Ghoshal, 1998), (Rousseau *et al.*, 1998), (Ryan, Oestreich, 1998), (Sako, 1998), (Ghoshal, Bartlett, 1999), (Lewis, 1999), (Reina, Reina, 1999), (Senge *et al.*, 1999), (Costa, 2000), (Marek, 2008).
- Trust as a lubricant for social relations which improves efficiency: (Blau, 1964), (Fukuyama, 1995), (Hosmer, 1995), (Deering, Murphy, 1998), (Hollis, 1998).
- Trust fosters, maintains cooperation, as it encourages information sharing, enriches relationships, increases openness, mutual acceptance, enhances conflict resolution, integrative problem solving: (Shapiro, 1987), (Katzenbach *et al.*, 1995), (Mayer *et al.*, 1995), (Ross, LaCroix, 1996), (Wheatley, Kellner-Rogers, 1996), (Shaw, 1997), (Zand, 1997), (Deering, Murphy, 1998), (Elangovan, Shapiro, 1998), (Lane, 1998), (Rousseau *et al.*, 1998), (Ryan, Oestreich, 1998), (Tsai, Ghoshal, 1998), (Whitener *et al.*, 1998), (Zaheer *et al.*, 1998), (Ghoshal, Bartlett, 1999), (Lewis, 1999), (Reina, Reina, 1999), (Senge *et al.*, 1999), (Costa, 2000), (Marek, 2008), (Cofta, 2007).
- Trust applied to data transfer, storage in public networks and information systems: (Robinson *et al.*, 2005), (Lu and Tsudik, 2010), (Dong and Dulay, 2010), (Kellermann *et al.*, 2010), (Ma *et al.*, 2010), (Cornelis and De Cock, 2011).
- Trust, information security and risk management: (Benantar, 2005), (Siegrist, 2005), (Veeningen *et al.*, 2010), (Muller, 2010), (Khoury and Tawbi, 2010), (Crampton, 2010), (Ballardin and Merro, 2010), (Kamil and Lowe, 2010).

Next, we propose a concept of *multilevel cell distributed computer system* architecture capable of providing enhanced trust services and increased confidence to both cloud providers and cloud consumers, thus providing a foundation for the future development of cooperation on the global network, with better management and mitigation of risks.

### **5. Multilevel cell distributed computer system architecture**

In the realm of distributed computer systems such as the Internet, trust and confidence are relations that can be established between the digital, virtual entities inhabiting this realm. Virtual entities may represent real persons as well as technical resources (services). In order to make use of trust and confidence to promote better cooperation, we need a reliable identity management system capable, among other things, of collecting, interpreting and representing social information about virtual entities. Social networks build on this idea, but they tend to centralize information. Every network builds its own set of information about entities, which gives rise to the kind of problems explained in the introduction of this chapter. They also lack appropriate interpreting functions that could provide the measures of social trust needed to establish confidence.

To address such issues we devised the *cell* as the basic building block of a distributed computer system infrastructure. A cell is a self-contained computer system with clearly established boundaries, capable of communicating with other such systems. The smallest cell could be a single physical computer, although it can host several virtual entities, persons or services. A cell can also be built from several computers dedicated to various cell functions. Several cells can be connected together to form a larger entity which represents itself as a cell to the outer world, providing the same cell functions. It is thus possible to build a *multilevel cell distributed computer system*.

Cells need to provide many functions for their operation and cooperation within a distributed system. These functions have to be built upon certain design principles that we established as the foundation of the proposed architecture. We mention here only those principles (Lerner *et al*., 2002) that support our discussion regarding trust and confidence:

- … unconditionally through its edge gateways (interconnection computers);
- all entities that establish a relationship with a cell must register with the cell;
- … essentially firewalls);

Cell-based distributed system architecture is a development of the architectural concept based on communicating proxies, as described by (Lerner *et al*., 2002). This is expanded on next.

#### **5.1 Physical cell architecture**

Although all functions can be implemented in a single computer, it is recommended to implement the different functional elements on different computers. With this in mind we call these computers, accordingly, *access computer*, *interconnection computer*, *storage computer* and *service computer*. These computers comprise the building blocks of the cell's internal architecture, as shown by Figure 3.

*Interconnection computers* enable communication with other networks and provide the security boundary of the cell. They also run several other security related tasks such as registration, identification, authentication, accreditation, encryption/decryption, etc.

*Service computers* are, by their function, general servers. They provide services to other computers, internal or external to the cell. A service computer can be connected to the cell network or directly to an access computer.

*Access computers* are, by their function, proxy computers with some extended functionality. They are characterized by having at least two network interfaces. One interface connects the access computer into the protected network, which enables access computers to communicate with each other. The other interfaces connect access computers with external computers (clients, servers or other cells) through the cell network and the interconnection computer.

*Storage computers* are essentially database servers. They provide services related to the databases stored on them to other cell computers, but only through access computers. Therefore data stored in the cell are not directly reachable by external computers.

Internally, a cell has two networks: the *cell network* and the *protected network*. The cell network is a semi-public network into which external computers (clients, servers or other cells) can enter through an interconnection computer, so as to gain access to a service computer or an access computer. Interconnection computers and the cell's security services protect this network from unauthorized access by external systems.

The protected network is unreachable for external computers; only access computers can connect into it, in order to access the cell's data held on the storage computers, which are also attached to the protected network. No traffic generated externally to the cell is allowed into this network.

Fig. 3. Basic cell architecture
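The segmentation rules of Section 5.1 are the kind of invariant that is easy to state and easy to break with one extra network interface. The following added example (not part of the chapter) encodes them as an audit: each computer role is allowed a fixed set of networks, only interconnection computers forward between networks (access computers are proxies that terminate the connection and open a new one themselves), and the audit checks that no externally generated packet can be forwarded into the protected network. The two sample cells, host names and the role-to-network table are constructed for the example.

```python
"""Segmentation audit for the physical cell architecture: which networks an
externally generated packet can be forwarded into, and whether every
computer sits only on the networks its role allows. The cell is modelled as
a list of hosts with interfaces; the sample cells below are constructed."""
from dataclasses import dataclass

EXTERNAL, CELL, PROTECTED = "external", "cell", "protected"

# Networks a computer of each role may attach to (Section 5.1).
ALLOWED_NETWORKS = {
    "interconnection": {EXTERNAL, CELL},
    "service": {CELL},
    "access": {CELL, PROTECTED},
    "storage": {PROTECTED},
}
# Only interconnection computers route between networks. Access computers are
# proxies: they terminate the incoming connection and open a new one of their
# own, so no external packet is forwarded into the protected network.
FORWARDING_ROLES = {"interconnection"}


@dataclass(frozen=True)
class Host:
    name: str
    role: str
    networks: frozenset


def reachable_networks(hosts, start_network):
    """Networks a packet injected on start_network can be forwarded into."""
    reached, frontier = {start_network}, [start_network]
    while frontier:
        net = frontier.pop()
        for h in hosts:
            if h.role in FORWARDING_ROLES and net in h.networks:
                for other in h.networks - reached:
                    reached.add(other)
                    frontier.append(other)
    return reached


def audit_cell(hosts):
    """Return the list of invariant violations (empty list = cell is sound)."""
    problems = []
    for h in hosts:
        allowed = ALLOWED_NETWORKS.get(h.role)
        if allowed is None:
            problems.append(f"{h.name}: unknown role {h.role!r}")
            continue
        extra = h.networks - allowed
        if extra:
            problems.append(f"{h.name} ({h.role}) must not attach to {sorted(extra)}")
        if h.role == "access" and len(h.networks) < 2:
            problems.append(f"{h.name} (access) needs at least two interfaces")
    if PROTECTED in reachable_networks(hosts, EXTERNAL):
        problems.append("externally generated traffic can be forwarded into the protected network")
    return problems


# Constructed sample cells
GOOD_CELL = [
    Host("gw1", "interconnection", frozenset({EXTERNAL, CELL})),
    Host("svc1", "service", frozenset({CELL})),
    Host("ax1", "access", frozenset({CELL, PROTECTED})),
    Host("ax2", "access", frozenset({CELL, PROTECTED})),
    Host("db1", "storage", frozenset({PROTECTED})),
]
# Two common mistakes: a dual-homed database server and a gateway that was
# given a leg on the protected network "for convenience".
BAD_CELL = [
    Host("gw1", "interconnection", frozenset({EXTERNAL, CELL, PROTECTED})),
    Host("svc1", "service", frozenset({CELL})),
    Host("ax1", "access", frozenset({CELL, PROTECTED})),
    Host("db1", "storage", frozenset({CELL, PROTECTED})),
]

if __name__ == "__main__":
    print(audit_cell(GOOD_CELL))   # []
    for p in audit_cell(BAD_CELL):
        print("-", p)
```

The reachability check is deliberately at the network layer: it only asks where packets can be routed, which is what "no traffic generated externally to the cell is allowed into this network" means. Whether an access computer's application-layer proxy is itself safe is a separate question that this audit does not answer.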

We can also look at the physical cell architecture from a functional point of view. This view shows four functional elements: interconnection, access, storage and service. Remember that a cell can be hosted on a single computer, so these functional elements need not be implemented on physically different devices.

Functionally, we can have more views of the cell. Let us look at the cells placed at various levels of the distributed computer system hierarchy. Depending on its functional level, a cell will put a different emphasis on the various functions within it, as discussed in the next section.

#### **5.2 Functional cell levels**

The basic functional cell level is the network. A cell at this level is called a *network cell*. A network cell is based on the locality of the computers which constitute the cell: it is assumed that the computers in a network cell are all contained in a single building or several closely placed buildings, interconnected by a private, physically secured network. The network cell centralizes functions such as traffic management, network management, quality of service management, messaging, etc.

Network cells are connected together to form a *system cell*. If communication between network cells is not local and protected, there should be an encryption/decryption function built into the interconnecting computers. The system cell centralizes the functions of user identification, authentication and accreditation.

Fig. 4. User query traversing a multilevel cell distributed computer system

To implement the connection function efficiently, it should be founded on three general principles: *knowledge abstraction*, *lazy calculation*, and *multiplication of data about clients and servers*. All three principles are supported by the cell architecture described here.

Knowledge abstraction supposes the construction of an abstract model for the unified representation of servers and clients in our computer system. In the first step, the notion of server (a physical entity providing a certain service) is replaced by the more abstract term service (the service itself), which cloaks the physical characteristics of the server computer. Thus, instead of a client/server architecture, we are considering a client/service architecture. This abstraction is especially convenient in modelling distributed systems based on connectionless protocols. In such systems a client addresses a service, not a physical object. It has to be noted also that the distinction between client and service is temporary and lasts only through a single transaction; in the very next transaction the roles could be reversed. Using knowledge abstraction we are able to disregard this difference at the model level.

Lazy calculation of object characteristics supposes that neither all objects, nor all their attributes, are at every moment present locally in all cells of the distributed architecture. Only when an object's characteristic is explicitly referenced will the system contact other cells to retrieve the needed information. This principle is supported by the institution of a global catalogue which collects all objects, but only with some subset of their attributes.

Multiplication of data about clients and servers is achieved by partitioning and replicating objects into other cells. The replication topology and schedule should be designed carefully to optimize network traffic.

functionality of the whole proposed distributed system.

optimize network traffic.

**5.3 Functional cell architecture** 

essentially firewalls);

as follows:

We can also look at the physical cell architecture from a functional point of view. This view shows four functional elements: interconnection, access, storage and service. Remember that a cell can be hosted on a single computer, so these functional elements need not be implemented on physically different devices.

Functionally, we can take further views of the cell. Let's look at the cells placed at various levels of the distributed computer system hierarchy. Depending on its functional level, a cell will put different emphasis on the various functions within it, as discussed in the next section.

#### **5.2 Functional cell levels**

The basic functional cell level is the network. A cell at this level is called a *network cell*. A network cell is based on the locality of the computers which constitute it. It is assumed that all computers in the network cell are contained in a single building or several closely placed buildings, interconnected by a private, physically secured network. The network cell centralizes functions such as traffic management, network management, quality of service management, messaging, etc.

Fig. 4. User query traversing a multilevel cell distributed computer system

Network cells are connected together to form a *system cell*. If communication between network cells is not local and protected, an encryption/decryption function should be built into the interconnecting computers. The system cell centralizes the functions of user identification, authentication and accreditation.

To implement connection function efficiently, it should be founded on three general principles: *knowledge abstraction*, *lazy calculation*, and *multiplication of data about clients and servers*. All three principles are supported by cell architecture described here.


Knowledge abstraction supposes the construction of an abstract model for the unified representation of servers and clients in our computer system. In the first step, the notion of a server (a physical entity providing a certain service) is replaced by the more abstract term service (the service itself), which cloaks the physical characteristics of the server computer. Thus, instead of a client/server architecture, we are considering a client/service architecture. This abstraction is especially convenient in modelling distributed systems based on connectionless protocols. In such systems a client addresses a service, not a physical object. It has to be noted also that the distinction between client and service is temporary and lasts only through a single transaction. In the very next transaction the roles could be reversed. Using knowledge abstraction we are able to disregard this difference at the model level.

Lazy calculation of object characteristics supposes that neither all objects, nor all their attributes, are at every moment present locally in all cells of the distributed architecture. Only when an object's characteristic is explicitly referenced will the system contact other cells to retrieve the needed information. This principle is supported by the institution of a global catalogue, which collects all objects but only with some subset of their attributes.

Multiplication of data about clients and servers is achieved by partitioning and replicating objects into other cells. Replication topology and schedule should be designed carefully to optimize network traffic.

Cell architecture also supports efficient network traffic management, based on data replication as well as multiplication and distribution of functions. The network cell manages and monitors traffic, sends messages to computers or groups of computers, measures and allocates bandwidth, etc. The system cell replicates system and server data, and distributes control and administrative jobs. The business cell redirects network traffic, internally or towards other cells, based on information in registration databases.

While the majority of connection and traffic-management functions are performed by network and system cells, the fundamental purpose of the business cell is to provide support to the information system. By executing many of the monitoring, security and administrative functions, the business cell simplifies server and client operation and makes their connection efficient.

#### **5.3 Functional cell architecture**

A cell is the fundamental building block of a distributed computer system. A single cell by itself also represents a distributed computer system, so it has to contain all the functionality of a whole distributed system. Thus, by describing the functionality of a single cell we are describing the functionality of the whole proposed distributed system.

The cell's basic functional structure is shown in Figure 5. In relation to Figure 3, which shows the types of networks and computers comprising a cell, Figure 5 emphasizes the systems and services that implement cell functionality. Functions and services can be situated on one or more of the computers shown in Figure 3, and vice versa – several functions can be provided by a single computer. A typical mapping of functions to computers between Figure 3 and Figure 5 might be as follows:


Trust in an Asynchronous World: Can We Build More Secure Infrastructure? 357

Fig. 5. Functional cell architecture

The key cell function providing support to promote trust in our proposed architecture is *identity management*. In the 'real world' an identity is any subset of attribute values of an individual person which sufficiently identifies this individual within any set of persons. In cell architecture the term 'identity' is extended to every identifiable object within the distributed computer system, which may include persons as well as services. *Digital identity* is a digital representation of a 'real world' object. Digital identity is implemented as a data structure characterizing the entity.

Besides the basic data necessary for addressing (location and identification), an identity can encompass data for other purposes such as authentication, accreditation, administration, brokerage, certification, provisioning, etc. In our model, identity data also include components that collect trust related information.

Cell's identity management is a framework within which digital identities are managed in the distributed computer system. Digital identity management comprises two parts: a) a digital identity repository (directory) implemented as a distributed, partitioned and replicated database, and b) a set of operations on identity data. The full set of digital identity data is situated in the cell that has an ownership relation to it: either the original cell where the identity was created or a cell to which identity ownership was transferred.

Identity management subsystem is a hierarchical set of functions (Vukovic, 2011), consisting of:

- **Identity administration** – establishes digital identity's compliance with business processes:
	- *Existence* – digital identity establishment within the cell;
	- *Context* – managing information about digital identity's working environment; collection of trust related information belongs here;
	- *Provisioning* – connects digital identity dynamically with various tools administered to it through its life cycle.
- **Identity integration** – makes a holistic view of identity data and establishes a consistent digital identity representation for other cells:
	- *Authentication* – checks and confirms authenticity of digital identity's data, supports privacy and confidentiality;
	- *Authorization* – gives permission to access and utilize distributed resources and services; uses trust related data to determine level of confidence;
	- *Rendezvous* – establishes an appropriate level of cooperation between digital identities based on calculated trust and confidence information.
- **Community management** – promotes cooperation between various groups of digital identities, i.e. digital communities:
	- *Ownership* – while subsets of identity data may be replicated throughout the distributed system, ownership of original data must be maintained and remain under sole control of the primary owner;
	- *Brokerage* – exchanges information about digital identities between cells; collects trust related data when applicable;
	- *Connection* – establishes connections between cells for the purpose of identity data exchange.

Subset of digital identity data is available to other cells, depending on a level of trust needed for a digital identity to interact with cell's services. This subset of data is a digital identity's *virtual presentation*. Cell's identity management function keeps this subset at a necessary minimum to optimize privacy and minimize traffic.

#### **6. Cooperation in multilevel cell distributed computer systems**

In this section we will discuss the idea, stated in the introduction, that multilevel cell architecture can leverage trust relationship building between virtual entities on the Internet, thus raising the level of confidence and resulting in more cooperation (i.e. business). For this purpose we will use the Trust, Confidence and Cooperation (TCC) model, described in (Siegrist, 2007).

The TCC model is designed to serve several useful purposes. The first is unification. It provides a framework within which all expressions of trust and confidence can be interpreted and related to one another. The second is specification. To a greater extent than available alternatives, it identifies the basic psychological processes involved in judgements of trust and confidence. The third is clarification. At the centre of the TCC model is an explicit account of the interaction between trust and confidence, a major source of confusion in other approaches. The final purpose is the generation of new insights. By unifying and bringing more specificity and clarity to the understanding of trust and confidence, the TCC model points to potentially fruitful connections with other areas of social, psychological and applied research, and suggests novel research hypotheses.

The TCC model of cooperation postulates that trust is based on social relations and on shared values. Shared values can be measured in many different ways. In empirical studies, trust can be indicated variously by measures of in-group membership, morality, benevolence, integrity, inferred traits, intentions, fairness and caring. All of these, we will argue, can be taken to mean good intentions relative to those of the trusting person, i.e. shared values.

As defined in (Siegrist, 2007), the model identifies constituent (incoming) and product (outgoing) elements, but does not specify how the former are combined to produce the latter. This allows the model to be mapped onto the functions of various systems and provides a basis for evaluating how these functions contribute to cooperation. The elements of the TCC model, as described in (Siegrist, 2007), are the following:


1. *Perceived amplitude of morality/performance information*: the judged degree to which the given information has morality/performance implications.
2. *Perceived valence of morality/performance information*: the judged degree of positivity/negativity of the given information.
3. *Attributed values/performance*: the values/performance attributed by the observer to the other.
4. *Active values/active performance history*: in the case of values, these are the values that are currently active for the observer – which may be the product of existing social trust relations. In the case of performance, this is whatever history of relevant performance that is currently active for the observer.
5. *General trust/general confidence*: general trust is defined and discussed in previous sections. General confidence is the performance-based counterpart of the values-based general trust: the belief that things, in general, are under control, uncertainty is low and events will occur as expected.
6. *Value similarity/perceived performance*: value similarity is the judged similarity between the observer's currently active values and the values attributed to the other. Perceived performance is the observer's interpretation of the other's performance.
7. *Social trust/confidence*: these elements are defined and discussed in previous sections.
8. *Cooperation*: any form of cooperative behaviour between an object and another object or group of objects.

The application of the TCC model to evaluate the ability of cell architecture to enhance cooperation by incorporating trust and confidence information into identity management is shown in Figure 6. The elements of the TCC model are aligned in parallel pairs for trust and confidence. The upper row of elements deals with trust, and the lower row deals with confidence. Both rows are combined at the right to produce cooperation of a certain level.

Fig. 6. TCC model of cooperation in multilevel cell distributed system

Client's real world identity, client's physical and social 'self', is attributed with perceived valence and amplitude of morality information. These attributes represent client's morality as viewed by the community, and attributed values are maintained within client's digital identity, where they are combined with active values and general trust, to obtain a trust measure of digital identity. Based on the value similarity, depending on specific application needs, cell's identity management function will establish client's virtual presentation with corresponding social trust level in a domain of application.

At the service (server) cell there is an object called the client account, a set of data containing information about the client identity, as well as the perceived valence and amplitude of performance information. This means that the service provider collects past performance data about the client as a basis for confidence, thus obtaining attributed performance information in the client context, where it is combined with general confidence, social trust and active performance history. The resulting measure of perceived performance is fed to client authorization, where the appropriate level of confidence for the client to utilize specific resources is established.


At far right, value of social trust presented by client's virtual presentation and service provider's confidence expressed in client authorization are fed to rendezvous function to enable cooperative behaviour between client and service. Rendezvous function also checks the authenticity of cooperating parties.

Let's illustrate this process with the case of Cory Doctorow's inability to buy some music from Amazon, described in the introduction.

Trust: Cory Doctorow is a public person, known worldwide by his writing, public addresses, activism, etc. His morality information perceived valence is positive with quite high amplitude, though we will not try to give any exact measures here and now. From this information we can derive attributed values and input them into Doctorow's digital identity. Based on a value similarity between the cell's currently active values and the values attributed to the Doctorow's digital identity, system is able to create virtual presentation of Doctorow's digital identity, for this application of buying online music, as a man who will most likely pay all his expenses in time.

Confidence: Amazon's web shop keeps information about Doctorow's digital identity in form of a client account record. There it keeps various information about Doctorow's performance perceived by observing his digital identity's behaviour on Amazon web site, creating attributed performance as an input to the client context. Here the attributed performance data will be combined with Amazon's active performance history, general confidence and Doctorow's social trust level (according to lazy calculation principle, social trust will be included into calculation only when needed and available, e.g. when Doctorow signs into Amazon web shop). This yields the perceived performance information which will serve as a basis to authorize Doctorow to use certain resources, in this case to buy some music, thus expressing confidence that Doctorow's credit card information is valid and there is no risk of fraud.

Rendezvous: when Doctorow actually signs into the Amazon web shop and successfully authenticates his digital identity, rendezvous function combines his virtual presentation social trust information with confidence information on Amazon web site and enables transaction to proceed – Doctorow to download some music, and Amazon to charge his credit card with the proper amount.

Because the trust-confidence relation is established on the basis of perceived morality and performance information, instead of locality information (origin of credit card, IP address, etc.) cooperation may be independent of client or service location, i.e. Mr. Doctorow could buy music from any location on the planet, equally successfully from Amazon US, Amazon UK, or any other Amazon store.
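The Figure 6 data flow and the Doctorow case above, as an added toy implementation that is not part of the chapter: the TCC model leaves the combination rules open, so every formula, weight and threshold here is an assumption, and the identity, account history and cell parameters are constructed sample values.

```python
# Added example (not the chapter's own code): a toy model of the TCC data flow
# of Figure 6. All combination formulas and the sample values are assumptions.
from dataclasses import dataclass, field
from statistics import mean


def clamp01(x):
    """Keep a score inside [0, 1]."""
    return max(0.0, min(1.0, x))


@dataclass
class DigitalIdentity:
    """Full identity record, held only by the owning cell (Ownership function)."""
    name: str
    email: str                 # private attribute; never leaves the home cell
    morality_valence: float    # -1 (negative) .. +1 (positive), as perceived
    morality_amplitude: float  # 0 .. 1, strength of the morality information

    def attributed_values(self):
        # Assumption: attributed values = valence weighted by amplitude (-1..1)
        return self.morality_valence * self.morality_amplitude


@dataclass
class HomeCell:
    """Cell owning the identity: derives social trust and the virtual presentation."""
    active_values: float   # currently active values of the cell, -1..1
    general_trust: float   # 0..1

    def social_trust(self, ident):
        # Value similarity: 1 when attributed and active values coincide, 0 when opposite
        similarity = 1.0 - abs(ident.attributed_values() - self.active_values) / 2.0
        # Assumption: social trust is the mean of value similarity and general trust
        return clamp01((similarity + self.general_trust) / 2.0)

    def virtual_presentation(self, ident):
        """Minimal subset of identity data released to a service cell (no email etc.)."""
        return {"name": ident.name, "social_trust": round(self.social_trust(ident), 3)}


@dataclass
class ClientAccount:
    """Service-side record: performance the service itself observed for this client."""
    name: str
    outcomes: list = field(default_factory=list)  # +1 paid as agreed, -1 chargeback

    def attributed_performance(self):
        if not self.outcomes:
            return 0.0
        valence = mean(self.outcomes)                    # -1..1
        amplitude = min(1.0, len(self.outcomes) / 10.0)  # longer history, more weight
        return valence * amplitude


@dataclass
class ServiceCell:
    general_confidence: float          # 0..1
    active_performance_history: float  # service-wide rate of good outcomes, 0..1
    required_confidence: dict          # resource -> minimum confidence to authorize

    def perceived_performance(self, acct, social_trust):
        score = 0.5 + acct.attributed_performance() / 2.0  # map -1..1 onto 0..1
        parts = [score, self.general_confidence, self.active_performance_history]
        # Lazy calculation: social trust enters only when the client has signed in
        # and its virtual presentation is available (social_trust is not None)
        if social_trust is not None:
            parts.append(social_trust)
        return clamp01(mean(parts))

    def authorize(self, acct, social_trust, resource):
        """Return (allowed, confidence) for using the named resource."""
        confidence = self.perceived_performance(acct, social_trust)
        return confidence >= self.required_confidence[resource], confidence


def rendezvous(presentation, authenticated, service, acct, resource):
    """Combine social trust and confidence; cooperation needs both and a valid login."""
    if not authenticated:
        return {"cooperate": False, "reason": "authentication failed"}
    social_trust = presentation["social_trust"]
    allowed, confidence = service.authorize(acct, social_trust, resource)
    # Assumption: cooperation level is the weaker of trust and confidence. No
    # locality data (IP address, card origin) enters the decision, so the same
    # result is obtained from any location.
    level = min(social_trust, confidence)
    return {"cooperate": allowed, "level": round(level, 3),
            "confidence": round(confidence, 3)}


def doctorow_case(authenticated=True):
    """Constructed scenario from the chapter: a well-known author buying music."""
    ident = DigitalIdentity("Cory Doctorow", "private@example.invalid", 0.9, 0.8)
    home = HomeCell(active_values=0.6, general_trust=0.7)
    shop = ServiceCell(general_confidence=0.6, active_performance_history=0.8,
                       required_confidence={"buy_music": 0.7})
    acct = ClientAccount("Cory Doctorow", outcomes=[1, 1, 1, 1, 1])
    return rendezvous(home.virtual_presentation(ident), authenticated, shop, acct, "buy_music")


if __name__ == "__main__":
    print(doctorow_case())
```

A client with a history of chargebacks falls below the required confidence even with the same social trust, and without sign-in the confidence is computed from the service's own evidence alone.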

#### **7. Closure**

Most of the functions of cells can be implemented with readily available software, although some adaptations may be needed, such as, for example, the inclusion of trust and confidence data, with the appropriate calculations, in the identity management solution.

Conceptually, cell based architecture requires a global set of standards and compliance. Compliant and certified applications will enable network operators to achieve better account control and increased network traffic.

To enable cooperation of different components in a distributed computer system, unified interface between these components should be devised and implemented. Unified interface defines common data transfer formats and commands, using standardized protocols to achieve data independence. To support the asynchronous nature of the cell architecture, use of connectionless protocols is preferred.

Multilevel cell distributed computer system architecture has many implications for various technological and social aspects of distributed systems, especially the Internet, which are not discussed here. We have discussed only the ability of multilevel cell distributed architecture to leverage cooperation in the on-line economy by including trust and confidence information in its identity management system. We believe that cell based architecture, implemented in the Internet, may offer increased control over user identities while still supporting their mobility, thus reducing the risks of identity theft and related frauds and securing service providers against the loss of confidential data and the financial risks that may follow.

With cell architecture, network service providers can reduce cost, ease the entry into new markets, and be the vehicle for key partnerships with software vendors, content providers, and other businesses. But, the main development here is the ability to establish trust relationships not only among people represented by their digital identities, but also among digitally identified computing services in a distributed system. This could lead to a whole new practice of doing business online. We could envisage digital services trusted to negotiate with each other with confidence to reach the optimal agreement for all parties involved. For example, internet service provider infrastructure cells could negotiate optimal cost of bandwidth with cells holding long-haul data services. This could be done in seconds thus providing a very effective response to system dynamics, reducing risks due to interruptions of long-haul services.

Of course, this kind of infrastructure behaviour is yet to be extensively researched. Nevertheless, the interaction dynamics in presence of cells that intentionally change their behaviour based on trust relationship does appear as a promising and interesting research direction and worthy of further development.

#### **8. Acknowledgment**

This work has been supported, in more ways than just financially, by KING ICT Ltd., Croatia, http://www.king-ict.hr

#### **9. References**

360 Risk Management for the Future – Theory and Cases


Most of the functions of cells can be implemented with ready available software, although some adaptations may be needed such as, for example, inclusion of trust and confidence

Conceptually, cell based architecture requires a global set of standards and compliance. Compliant and certified applications will enable network operators to achieve better

data with appropriate calculations into the identity management solution.

the authenticity of cooperating parties.

credit card with the proper amount.

UK, or any other Amazon store.

account control and increased network traffic.

**7. Closure** 

from Amazon, described in the introduction.

man who will most likely pay all his expenses in time.

Doctorow's credit card information is valid and there is no risk of fraud.


Trust in an Asynchronous World: Can We Build More Secure Infrastructure? 363



**16** 

**Adopting and Adapting Medical Approach in Risk Management Process for Analysing Information Security Risk** 

Ganthan Narayana Samy1, Rabiah Ahmad2 and Zuraini Ismail1

*1Universiti Teknologi Malaysia (UTM), 2Universiti Teknikal Malaysia Melaka (UTeM), Malaysia* 

#### **1. Introduction** 

The risk management process is defined as the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk (AS/NZS ISO 31000:2009, 2009). In addition, a precise security risk analysis method should provide two key advantages (Kim *et al*., 2007): firstly, effective monitoring of information security policies by protecting the organisation's critical assets, and secondly, the capacity to provide appropriate information for the purpose of future prediction and for the development of secure information management. In the real world, however, most organisations do not have proper data about security breaches because they typically fail to document and systematically record threat incidents (Bojanc and Jerman-Blazic, 2008). Baker *et al*. (2007) state that the lack of real data on risk factors is one of the main problems in information security research. Therefore, most of the existing methods intended to estimate the probability that an identified vulnerability leads to a security breach rely largely on guesswork or rough estimation (Baker *et al*., 2007; Ekelhart *et al*., 2009; Spears, 2006).

Moreover, the existing information security risk analysis methods have several shortcomings. First, they are only capable of identifying specific threats, such as malicious attacks, rather than the various types of information security threats that occur concurrently (Badr and Stephan, 2007; Kim *et al*., 2007). Second, they focus more on technology than on the people and process aspects of information systems (Spears, 2006). Third, they lack systematic methods to measure the value of information system assets from the viewpoint of operational continuity (Suh and Han, 2003). A further limitation of the traditional methods is the time-consuming nature and higher cost of conducting such analysis, especially in medium to large organisations (Spears, 2006). The next limitation is that most existing methods depend largely on IT professionals or risk analysis experts to conduct the risk analysis. Finally, an IT-centric approach to information security risk analysis does not involve business users or the variety of field managers in understanding the risks and threats, which is needed to promote security awareness throughout an organisation (Spears, 2006).

