ISB: Feb 3

Information Systems Risk

1. Identifying Risk Components

  • A statement can describe:

    • A vulnerability

    • A threat

    • A likelihood

    • An impact

    • OR a full risk statement (includes all of the above)

  • If a statement:

    • Does not say who/what causes harm → not a threat

    • Does not describe consequences → not impact

    • Does not combine threat + vulnerability + impact → not full risk

Example

  • Allowing friends to access a company server for gaming:

    • This is a vulnerability

    • Opens the network to outside access

    • Can lead to serious consequences (including getting fired 😬)


2. Vulnerabilities

  • A vulnerability = a weakness that can be exploited

  • Examples:

    • Employees misusing company equipment

    • Open network ports

    • Poor access controls

  • Vulnerabilities by themselves are not full risks

    • They need a threat + impact


3. Likelihood Statements

  • Likelihood = probability a threat occurs

  • Example:

    • “There is a 40% chance of a power outage”

  • This is only likelihood, not a full risk statement


4. Threats

  • Threats = who or what can cause harm (the bad things that can happen to the system)

  • Common recurring threats:

    • Human behavior

    • Network failures

    • Electricity / power loss

    • Natural disasters


5. Threat Classification (Two Dimensions)

A. Internal vs. External

  • Internal Threats

    • Come from within the organization

    • Employees, contractors, insiders

  • External Threats

    • Come from outside the organization

    • Hackers, power outages, construction damage, natural disasters

B. Accidental vs. Malicious

  • Accidental

    • No intent to cause harm

    • Mistakes, misconfigurations, forgetting to log out

  • Malicious

    • Intentional harm

    • Theft, sabotage, data destruction


6. Threat Matrix (Examples)

Internal + Malicious

  • Disgruntled employee deleting files

  • Stealing customer data before quitting

  • IT staff abusing privileged access

Internal + Accidental

  • Accidentally deleting important data

  • Software misconfiguration causing outages

External + Malicious

  • Hackers

  • Phishing attacks

  • Ransomware

  • Data theft

External + Accidental

  • Power outages

  • Floods

  • Earthquakes

  • Construction cutting cables (backhoes 😐)

  • Animals damaging infrastructure (squirrels 🐿)


7. Generative AI Risk Example

  • Employees submitting sensitive healthcare data to third-party AI tools

  • Classified as:

    • Internal

    • Accidental (non-malicious)

  • Risk comes from lack of training or awareness, not intent


8. Malicious Threat Goals

Malicious actors' goals include:

  • Destruction

    • Delete or destroy data

  • Modification

    • Alter records (grades, financial data)

  • Unauthorized Duplication

    • Copy and steal data for resale

  • Exposure

    • Leak sensitive information publicly


9. Why Information Systems Are Targeted

  • Data can be stolen silently

  • Theft often detected late—or never

  • Data can be sold repeatedly

  • Motivations include:

    • Money

    • Espionage

    • Reputation within hacker communities


10. Cybercrime Economy

  • Cybercrime is larger than the illegal drug trade

  • Organized crime involvement (especially internationally)

  • Scams ≈ $500 billion/year

  • Victims may unknowingly interact with forced labor scam operations


11. Ransomware

  • Encrypts files so they cannot be accessed

  • Victims must pay ransom to decrypt

  • Targets shifted from individuals → large organizations

  • Typical ransom demands:

    • $9M–$50M+

  • Modern ransomware:

    • Encrypts data

    • Steals data

    • Threatens to leak data

Key Insight

  • Hackers usually do decrypt after payment

  • Reason: trust sustains the ransomware “business model”


12. Scams & Manipulation

  • Fake job offers

  • Credit card theft and resale

  • Data harvesting

  • Search engine manipulation

  • Buying fake social media followers


13. High-Impact Example

  • SEC social media account compromised

  • Fake announcement caused Bitcoin prices to spike

  • Likely phishing or weak password

  • Attackers profited through market manipulation


14. Infrastructure & Physical Threats

  • Floods can destroy servers

  • Poor server placement = major outages

  • Hardware failure is expected (5–10 year lifespan)

  • Backups are critical

  • Data centers routinely replace failed drives

  • Hard drives are physically destroyed when retired so the data cannot be recovered


15. Big Takeaways

  • Threats are inevitable

  • Some risks are predictable

  • Preparation reduces impact

  • Organizations must plan for:

    • Power outages

    • Ransomware

    • Human error

    • Natural disasters