ISB: Feb 3
Information Systems Risk
1. Identifying Risk Components
A statement can describe:
A vulnerability
A threat
A likelihood
An impact
OR a full risk statement (includes all of the above)
If a statement:
Does not say who/what causes harm → not a threat
Does not describe consequences → not impact
Does not combine threat + vulnerability + impact → not full risk
Example
Allowing friends to access a company server for gaming:
This is a vulnerability
Opens the network to outside access
Can lead to serious consequences (including getting fired 😬)
2. Vulnerabilities
A vulnerability = a weakness that can be exploited
Examples:
Employees misusing company equipment
Open network ports
Poor access controls
Vulnerabilities by themselves are not full risks
They need a threat + impact
3. Likelihood Statements
Likelihood = probability a threat occurs
Example:
“There is a 40% chance of a power outage”
This is only likelihood, not a full risk statement
4. Threats
Threats = events or actors that could cause harm to the system
Common recurring threats:
Human behavior
Network failures
Electricity / power loss
Natural disasters
5. Threat Classification (Two Dimensions)
A. Internal vs. External
Internal Threats
Come from within the organization
Employees, contractors, insiders
External Threats
Come from outside the organization
Hackers, power outages, construction damage, natural disasters
B. Accidental vs. Malicious
Accidental
No intent to cause harm
Mistakes, misconfigurations, forgetting to log out
Malicious
Intentional harm
Theft, sabotage, data destruction
6. Threat Matrix (Examples)
Internal + Malicious
Disgruntled employee deleting files
Stealing customer data before quitting
IT staff abusing privileged access
Internal + Accidental
Accidentally deleting important data
Software misconfiguration causing outages
External + Malicious
Hackers
Phishing attacks
Ransomware
Data theft
External + Accidental
Power outages
Floods
Earthquakes
Construction cutting cables (backhoes 😐)
Animals damaging infrastructure (squirrels 🐿)
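The decision rules in section 1 and the two-dimensional matrix in sections 5 and 6 can be written down as a small risk register. The following Python is an added example, not part of the lecture notes: the class names, the register entries and every likelihood and dollar figure are constructed here to mirror the notes' examples, and scoring a full risk as likelihood x impact is a standard quantitative-risk practice assumed for the example, not something the notes state.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Origin(Enum):
    """Dimension A of the threat matrix: where the threat comes from."""
    INTERNAL = "internal"
    EXTERNAL = "external"


class Intent(Enum):
    """Dimension B of the threat matrix: whether harm is intended."""
    ACCIDENTAL = "accidental"
    MALICIOUS = "malicious"


@dataclass(frozen=True)
class Threat:
    description: str   # who/what causes the harm
    origin: Origin
    intent: Intent

    def quadrant(self) -> str:
        """Cell of the 2x2 threat matrix, e.g. 'internal+malicious'."""
        return f"{self.origin.value}+{self.intent.value}"


@dataclass
class RiskStatement:
    """One register entry; any component may be absent, which is what the
    section-1 rules are about."""
    label: str
    vulnerability: Optional[str] = None   # the exploitable weakness
    threat: Optional[Threat] = None       # who/what causes harm
    likelihood: Optional[float] = None    # probability in [0, 1] that the threat occurs
    impact: Optional[float] = None        # consequence; constructed loss in USD here

    def __post_init__(self) -> None:
        if self.likelihood is not None and not 0.0 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must be a probability between 0 and 1")

    def missing_components(self) -> list[str]:
        present = {"vulnerability": self.vulnerability, "threat": self.threat,
                   "likelihood": self.likelihood, "impact": self.impact}
        return [name for name, value in present.items() if value is None]

    def is_full_risk(self) -> bool:
        return not self.missing_components()

    def expected_loss(self) -> float:
        # ASSUMPTION (not in the notes): score a full risk as likelihood x impact.
        if self.likelihood is None or self.impact is None:
            raise ValueError("expected loss needs both likelihood and impact")
        return self.likelihood * self.impact


def classify_statement(stmt: RiskStatement) -> str:
    """Section-1 rules: all components -> full risk statement; a single
    component -> that component only; otherwise partial, naming what is missing."""
    missing = stmt.missing_components()
    if not missing:
        return "full risk statement"
    present = [c for c in ("vulnerability", "threat", "likelihood", "impact") if c not in missing]
    if len(present) == 1:
        return f"{present[0]} only"
    return "partial risk statement, missing: " + ", ".join(missing)


def prioritize(register: list[RiskStatement]) -> list[str]:
    """Rank full risk statements by expected loss, highest first; incomplete
    statements cannot be scored and are skipped."""
    scored = [s for s in register if s.is_full_risk()]
    return [s.label for s in sorted(scored, key=lambda s: s.expected_loss(), reverse=True)]


# Constructed register entries that mirror the notes' examples.
GAMING_SERVER = RiskStatement(label="friends use company server for gaming",
                              vulnerability="outside access to the company server")
POWER_OUTAGE = RiskStatement(label="power outage", likelihood=0.40)
DISGRUNTLED_EMPLOYEE = RiskStatement(
    label="disgruntled employee deletes files",
    vulnerability="poor access controls: privileges not revoked on departure",
    threat=Threat("departing employee", Origin.INTERNAL, Intent.MALICIOUS),
    likelihood=0.10, impact=200_000)
RANSOMWARE = RiskStatement(
    label="ransomware encrypts and steals data",
    vulnerability="open network ports on an internet-facing host",
    threat=Threat("external ransomware operator", Origin.EXTERNAL, Intent.MALICIOUS),
    likelihood=0.25, impact=9_000_000)
FLOOD = RiskStatement(
    label="flood destroys servers",
    vulnerability="poor server placement",
    threat=Threat("flood", Origin.EXTERNAL, Intent.ACCIDENTAL),
    likelihood=0.05, impact=1_000_000)
REGISTER = [GAMING_SERVER, POWER_OUTAGE, DISGRUNTLED_EMPLOYEE, RANSOMWARE, FLOOD]

if __name__ == "__main__":
    for s in REGISTER:
        print(f"{s.label:40} -> {classify_statement(s)}")
    print("priority order:", prioritize(REGISTER))
```

Running it prints the classification of each entry (the gaming-server line is "vulnerability only", the 40% power outage is "likelihood only") and then ranks the three complete entries by expected loss, which is how a register turns the notes' qualitative matrix into a planning order.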
7. Generative AI Risk Example
Employees submitting sensitive healthcare data to third-party AI tools
Classified as:
Internal
Accidental (non-malicious)
Risk comes from lack of training or awareness, not intent
8. Malicious Threat Goals
Malicious actors' goals include:
Destruction
Delete or destroy data
Modification
Alter records (grades, financial data)
Unauthorized Duplication
Copy and steal data for resale
Exposure
Leak sensitive information publicly
9. Why Information Systems Are Targeted
Data can be stolen silently
Theft often detected late—or never
Data can be sold repeatedly
Motivations include:
Money
Espionage
Reputation within hacker communities
10. Cybercrime Economy
Cybercrime is larger than the illegal drug trade
Organized crime involvement (especially internationally)
Scams ≈ $500 billion/year
Victims may unknowingly interact with forced labor scam operations
11. Ransomware
Encrypts files so they cannot be accessed
Victims must pay ransom to decrypt
Shifted from individuals → large organizations
Typical ransom demands:
$9M–$50M+
Modern ransomware:
Encrypts data
Steals data
Threatens to leak data
Key Insight
Hackers usually do decrypt after payment
Reason: trust sustains the ransomware “business model”
12. Scams & Manipulation
Fake job offers
Credit card theft and resale
Data harvesting
Search engine manipulation
Buying fake social media followers
13. High-Impact Example
SEC social media account compromised
Fake announcement caused Bitcoin prices to spike
Likely phishing or weak password
Attackers profited through market manipulation
14. Infrastructure & Physical Threats
Floods can destroy servers
Poor server placement = major outages
Hardware failure is expected (5–10 year lifespan)
Backups are critical
Data centers routinely replace failed drives
Hard drives are physically destroyed when decommissioned so data cannot be recovered
15. Big Takeaways
Threats are inevitable
Some risks are predictable
Preparation reduces impact
Organizations must plan for:
Power outages
Ransomware
Human error
Natural disasters