Threats to information security expose an organization to the possibility that its operations will be disrupted and its data compromised. This possibility, also referred to as risk probability, is defined as the probability of incidence of a threat and is different for each threat (Kaplan and Garrick, 1981). In this study risk is defined as the likelihood of a threat occurring (in this case an information security breach) having either a negative or positive impact (Gerber and von Solms, 2005) on a firm or supply chain. For the purpose of clarity, throughout this study, risk is contextualized as the chance that a particular IT-related breach will occur and compromise the security of information, which in turn impacts the performance of an organization in a negative way. Each breach is conceptualized as an incidence of one form of threat and represents a different risk to an organization. Examples are systems failure or data corruption; infection by viruses or malicious software; theft or fraud involving computers; other incidents caused by staff; and attacks by unauthorised outsiders (including hacking attempts) (Potter and Beard, 2012). In risk management, all risks that the organization potentially faces are identified and assessed, and the appropriate strategy is implemented to manage the incidence of these threats (Stoneburner et al., 2002). In coping with risks, organizations use any one or a combination of the following strategies: risk prevention and deterrence (also called Prevention); risk detection and recovery (also called Mitigation); and risk correction (also called Monitoring and Review) (Ouyang, 2012). These strategies involve management or administrative, operational and physical, and technical or logical tools. According to Ouyang (2012a), Management or Administrative tools include policies, standards, processes, procedures and guidelines. Operational and Physical Control tools include execution of policies, standards and processes; education and awareness; program security; personnel security; document controls; and facility or infrastructure protection. Technical or Logical controls include, but are not limited to, access controls; identification and authorization; confidentiality; integrity; availability; and non-repudiation.
According to Ouyang (2012), risk prevention deals with protective measures put in place to prevent the occurrence of a breach or to deter perpetrators from attacking. This is the first line of defense; an example is installing a firewall or security software. However, prevention alone is not fully effective, as breaches still occur. The second strategy, mitigation, reduces the impact of a breach when it does occur. A mitigating strategy entails repair of damaged assets, initiatives to restore integrity and reputation after the incidence of a threat, and efforts to win back lost customers. For instance, backing up data on another system can help an organization retain access to valuable data in the event that the current system is compromised. It is in effect a recovery contingency plan to keep the business going, or to restore the operations of the business to full functionality after a severe attack. Choosing one or any combination of these response strategies requires a prior assessment of the threats an organization is exposed to, in terms of both likelihood of occurrence and cost impact (Rees et al., 2011). The cost impact is determined a priori and is poorly estimated, because the estimate reflects mostly direct costs and few of the indirect costs. Indirect costs such as loss of control are hard to estimate, and most studies in the literature ignore them when estimating the impact on a business.
2.3.4.1 Risk Assessment
Being proactive requires rigorous risk assessment. However, there are limitations in the components of risk assessment. Reducing vulnerability to threats requires the implementation of an appropriate risk strategy, which in turn is informed by adequate risk assessment. To assess any risk, the probability of incidence (P) is multiplied by the cost impact (I) on the organization if it occurs (Deane et al., 2009; Rees et al., 2011). These two components of risk assessment, P and I, have limitations: estimating P is very difficult due to unpredictability[3], and estimating I is also very poorly understood. Inconsistencies in P and I result in poor assessment of risks and can result in a Type-1 error or a Type-2 error (Banerjee, 2009). A Type-1 error (false positive) occurs when an insignificant threat is poorly assessed as a significant one. Here the organization wastes effort and resources by implementing an unnecessary risk management strategy where monitoring alone would have sufficed. A Type-2 error (false negative), on the other hand, occurs when a significant threat is assessed as an insignificant one. The effect is that a less stringent strategy is implemented to manage the threat; this strategy is ineffective and the breach has an unanticipated impact on the organization. It stands to reason that cost impact is of greater interest to most organisations than the probability of occurrence. If the impact is high, then even when the probability of occurrence is very low such a breach incidence is still a source of concern for the organisation. If, however, the probability of occurrence is high and the cost impact is low, then organisations may decide to accept the cost impact if it is not too significant. Therefore the focus of this study is on the cost impact estimation.
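The P x I assessment and the two error types described above, worked through in code. This is an added illustration, not part of the thesis; the threat names, probabilities, cost figures and the exposure tolerance are constructed, hypothetical values chosen so that one threat is under-assessed (its indirect costs omitted) and one is over-assessed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat type with its probability of incidence (P) and cost impact (I)."""
    name: str
    p: float        # probability that the breach occurs in the period, 0..1
    impact: float   # cost impact on the organisation if it occurs


def risk_exposure(t: Threat) -> float:
    """Risk = P x I, the assessment formula the section cites."""
    if not 0.0 <= t.p <= 1.0:
        raise ValueError(f"probability out of range for {t.name}: {t.p}")
    return t.p * t.impact


def is_significant(t: Threat, threshold: float) -> bool:
    """A threat is significant when its exposure reaches the organisation's tolerance."""
    return risk_exposure(t) >= threshold


def strategy_for(t: Threat, threshold: float) -> str:
    """Significant threats get prevention and mitigation; insignificant ones get
    monitoring and review only."""
    return "prevent+mitigate" if is_significant(t, threshold) else "monitor"


def assessment_error(true_t: Threat, est_t: Threat, threshold: float) -> str:
    """Classify an assessment made from estimated P and I against the true values.
    Type-1: insignificant threat assessed as significant (false positive).
    Type-2: significant threat assessed as insignificant (false negative)."""
    actual = is_significant(true_t, threshold)
    assessed = is_significant(est_t, threshold)
    if assessed and not actual:
        return "type-1"
    if actual and not assessed:
        return "type-2"
    return "correct"


def audit_assessments(true_threats, est_threats, threshold):
    """Return {name: (strategy chosen from the estimate, error class)} per threat.
    A threat with no estimate at all is treated as insignificant, so an
    unassessed significant threat is reported as a type-2 error."""
    est_by_name = {t.name: t for t in est_threats}
    result = {}
    for true_t in true_threats:
        est_t = est_by_name.get(true_t.name)
        if est_t is None:
            err = "type-2" if is_significant(true_t, threshold) else "correct"
            result[true_t.name] = ("monitor", err)
            continue
        result[true_t.name] = (strategy_for(est_t, threshold),
                               assessment_error(true_t, est_t, threshold))
    return result


def rank_by_exposure(threats):
    """Order threat names by P x I, highest first: a rare but costly threat
    can outrank a frequent but cheap one."""
    return [t.name for t in sorted(threats, key=risk_exposure, reverse=True)]


# Constructed sample data (hypothetical figures, not from the thesis).
TRUE_THREATS = [
    Threat("malware infection", p=0.60, impact=50_000),       # exposure 30,000
    Threat("data centre failure", p=0.02, impact=2_000_000),  # exposure 40,000: rare, costly
    Threat("phishing attempt", p=0.90, impact=5_000),         # exposure 4,500: frequent, cheap
]

# The same threats as an analyst might estimate them: malware's indirect costs
# are left out (I too low), phishing's impact is overstated (I too high).
ESTIMATED_THREATS = [
    Threat("malware infection", p=0.60, impact=20_000),       # exposure 12,000
    Threat("data centre failure", p=0.02, impact=2_000_000),  # exposure 40,000
    Threat("phishing attempt", p=0.90, impact=40_000),        # exposure 36,000
]

TOLERANCE = 25_000  # hypothetical exposure above which a threat is treated as significant

if __name__ == "__main__":
    audit = audit_assessments(TRUE_THREATS, ESTIMATED_THREATS, TOLERANCE)
    for name, (strategy, err) in audit.items():
        print(f"{name:20s} -> {strategy:16s} assessment: {err}")
    print("true priority order:", rank_by_exposure(TRUE_THREATS))
```

With these figures the under-costed malware threat is handed to monitoring only (a Type-2 error) while the over-costed phishing threat receives prevention and mitigation effort it does not warrant (a Type-1 error); ranking the true exposures also shows the low-probability, high-impact data centre failure at the top, which is the point made above about impact outweighing probability.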
2.3.4.2 Inconsistencies in Estimating Impact, I.
The hacking incident experienced by Sony's PlayStation Network (PSN) in 2011, affecting up to 77 million consumers, reportedly compromised over ten million customers' credit card details and was to cost the organization $171 million in remediation. Experts have suggested that this impact cost is a rather optimistic assessment and that the true impact might be in the region of billions of dollars. Sony's spokeswoman, Kumie Tanaka, was reported to admit that they could not estimate the true impact of the breach at the time, as they were still 'figuring out' the impact on its earnings (Osawa, 2011). Further to this, two different experts, Mizuho Investors Securities analyst Nobuo Kurahashi and Barclays Capital analyst Yuji Fujimori, reported an impact of $1.25 billion and $2.74 billion respectively (Brightman, 2011). A difference of $1.49 billion in their estimates lends credence to the fact that Impact (I) is poorly understood, even by experts. An even bigger estimate was reported by Forbes Business Magazine, to the tune of $24 billion in impact cost (Phillips, 2011). While it has been difficult to estimate the true impact cost on an organization, it is even more difficult to estimate it for a supply chain. It is therefore crucial to adequately assess each threat to determine the best strategy to manage it. In the literature, most IT breach impact studies are qualitative and are restricted to the organizational level (Goel and Shawky, 2009). These qualitative risk assessment studies are subjective and lack consistency. On the other hand, some quantitative studies have looked at the impact of other types of threat (such as natural disasters) on an organization, and some on the supply chain. However, there is no quantitative study in the literature that has investigated the impact of IT threat-type incidences on supply chain material flow operations.

[3] Refers to the changeable nature of the number of times a threat incidence occurs and the uncertainty of whether or not it will occur.